Data Security Policy for Lamb Building Chambers
Introduction
In order to meet the requirements of the General Data Protection Regulation, we are obliged to have in place a framework designed to ensure the security of all personal data during collection, processing and disposal. We are committed to complying with relevant data protection legislation.
Scope of the Policy
This policy relates to the retention and storage of all personal data held in hard copy, i.e. on paper, or on physical devices, e.g. USBs, CDs, DVDs, tablets and Smartphones, and the retention and use of electronic data.
This policy applies to all use of information and information technology on our premises, even if we do not own the equipment, to all information technology provided by the business wherever it is used, including by employees working away from our premises, and to all external access to our information technology from wherever this is initiated, including by employees working away from our premises.
This policy applies to all employees, including temporary and casual employees, and agency staff.
Keeping Personal Information Secure
All personal data, whether in hard copy or stored on a USB drive, CD, DVD, or other physical device, must be kept in a secure environment with controlled access. The level of security applied should be agreed after a basic risk assessment has been carried out as provided for under Risk Assessment below. Appropriate secure environments include:
- locked metal cabinets with access to keys limited to authorised personnel only;
- locked drawers in a desk (or other storage area) with access to keys limited to authorised personnel only; and
- locked rooms accessed by key and/or coded door lock where access to keys and/or codes is limited to authorised personnel only.
All staff must receive appropriate, specific induction on data security in general and specific data security requirements in their area of business.
Where access to personal data is required on a frequent basis, and therefore maintaining locked drawers or cabinets at all times is impractical, steps must be taken to ensure authorised personnel are in attendance at all times when the data is in an unlocked environment.
Files containing personal data must never be left unattended while removed from their normal locked storage area. Staff must therefore adopt a clear desk policy, in relation to files and documents containing personal information, at all times when they are out of their offices or away from their work area.
Access to Personal Data
Managers must designate the individual members of staff who, by nature of the post, have been identified as requiring legitimate access to personal data in the course of their duties.
In addition, the designated purposes for which access to personal data will be permitted must also be defined. For some business areas, this will be clear from the function of the business area, e.g. Human Resources. In other cases the purposes will need to be specifically defined.
From time to time all staff will have access to personal data about other members of staff or customers and confidentiality must be observed by all staff at all times. When temporary staff are employed in posts which involve access to and processing of personal data, confidentiality agreements should be included within the Terms and Conditions of Employment.
Where a file containing personal data is removed in response to a legitimate request by another authorised member of staff, this must be subject to a strict signing out and return procedure, which is the responsibility of the person holding the file.
The Manager of the relevant area will be expected to designate a member of staff with responsibility for overseeing arrangements for the removal and return of records.
The occasions when personal information is photocopied should be kept to a minimum. Where this is necessary, the provider of the information is responsible for ensuring all copies are returned once the task in question has been completed and subsequently disposed of in accordance with our Retention and Disposal Policy.
Where employees are required to take manual personal data home with them, appropriate security precautions must be taken to guard against theft, loss or inappropriate access. This will include securing data in a locked briefcase, never leaving data unattended in a public place and ensuring that all reasonable precautions are taken to secure data at home and whilst in transit. When working from home staff are required to use secure remote access to electronic records containing personal data and should not copy such records to a home PC.
Risk Assessment
A data protection/security risk assessment will be carried out as appropriate by business area managers or by an individual designated by them.
The purpose of the assessment is to establish the potential risks for unauthorised access to personal data and to define appropriate actions to eliminate, or at least mitigate, the risk of unauthorised access.
Managers will be expected to consult the Data Protection Officer on steps planned to address any potential risks identified.
Third Parties
Arrangements must be in place to ensure the security of all personal data which may be transferred to, or processed by, a third party.
In advance of any external transfer of personal data, staff should consider whether such a transfer is authorised under any relevant data sharing agreement, or is otherwise required by or permitted under the General Data Protection Regulation. The purpose, fairness and transparency of any transfer must always be considered and staff must ensure that they have consulted the Data Protection Officer prior to any such external data sharing.
Where external data sharing has been considered necessary or is permitted, the appropriate security precautions should be taken to minimise the risks of loss of data and/or accidental third-party disclosure.
All communications should be marked strictly private and confidential and addressed to a named individual.
Physical devices containing personal data, e.g. USB drives, CDs, DVDs, must be encrypted before being removed from our premises.
The most appropriate secure method of sending the information must be considered, e.g. hand delivery, registered or recorded delivery, courier, encrypted or secure electronic transfers.
Personal data will be retained only for the periods designated in our Retention and Disposal Policy. The Data Protection Officer will provide further advice and guidance on request. All personal data must be disposed of securely and safely in accordance with the Retention and Disposal Policy.
Electronic Devices
The electronic storage of personal data requires certain minimum levels of security.
All personal computers/devices used for work must be protected by up to date anti-virus and anti-spyware software, subjected to regular virus scans, and protected by a firewall appropriate for the computer used.
The operating system and installed software must be checked regularly to ensure that the latest security updates have been downloaded and installed, not merely downloaded. Access to all computers must be password protected. Particular care must be taken to avoid potential infection by malware, e.g. by downloading software only from trusted sources.
Work-in-progress should be regularly backed up, and back-up media should be locked away securely.
Computers used for working on personal data at home should be protected from unauthorised and unrestricted access by third parties, including family members. Where practicable, the ideal is a computer used only for work. The use of removable storage media (such as memory sticks, CD-ROMs, removable hard disk drives and PDAs) is prohibited without the express authorisation of the Data Protection Officer/IT Manager, and then only in particular circumstances.
Laptop computers must be encrypted to such standards as may be approved by the IT manager.
Security Incidents
All incidents where the security of personal data or IT systems has been compromised, or where there is a suspected security weakness or threat, must be reported immediately to the Data Protection Officer. The Data Protection Officer will decide, in the particular circumstances of the breach, whether it is serious enough to require notification to the Information Commissioner's Office. Under the General Data Protection Regulation a notifiable breach must be reported to the ICO within 72 hours of our becoming aware of it, so internal reporting must not be delayed while the seriousness of an incident is being assessed.
Any breach of security policies and procedures by a member of staff will be dealt with through the relevant formal disciplinary processes.
Business Continuity and Disaster Recovery
All IT systems have been subject to a formal risk assessment exercise to determine their level of criticality to the organisation and to determine where and at what level business continuity planning is needed. The business has also developed guidance on its vital manual records and the appropriate business continuity measures to be adopted for all electronic and manual data. Designated control measures ensure that manual personal data is kept in an appropriately secure environment where the risk of loss or damage is minimised.
Appropriate arrangements must be made for manual records which are classed as ‘vital records’, including fire-proof storage, off-site storage and backing up in electronic form e.g. by scanning. However, as electronic copies of such records may not provide the same evidential weight as the original document, the Manager with responsibility for such records must consider which arrangements are appropriate and seek advice as necessary from the Data Protection Officer.
Good Practice Guidelines General
The following points represent good practice:
- Always log off, or lock a workstation before leaving it. This is to ensure that no one else can access your information or has the opportunity to use your workstation without identifying themselves, e.g. to send an abusive email in your name.
- When confidential work is being carried out ensure no one else can read the screen.
- Protect equipment from physical theft. This is vitally important for portable equipment.
- Ensure that all data is backed up regularly and copies kept in a separate secure location. Liaise with the IT Department if you require assistance.
- Respect the legal protections for information and software provided under copyright and licenses. Never copy electronic information or computer programmes unless specifically authorised in writing. Never run or install software without a valid licence.
- All PCs must have the latest security-critical patches applied and be kept up to date.
- All data storage devices, including laptops, USB sticks, CDs and DVDs, that are brought in to the business must be checked for viruses on every occasion before use.
- All workstations connected to our network, whether owned by us or not, shall be continually running approved virus-scanning software with a current virus database.
- Never introduce malicious programs into our network or servers (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) by any means.
Email and Internet Use
- Always check the address line before sending a message and check it is being sent to the correct person.
- Never represent yourself as another person or persons.
- Delete electronic mail messages when they are no longer required.
- Do not make comments or express views that could be regarded by others as offensive or libellous.
- Personal private emails must be saved in a separate folder from work related emails. Clearly mark all emails that are of a personal nature as “personal”.
- Personal/private postings to blogs, newsgroups or similar which mention our business must contain a disclaimer stating that the opinions expressed are strictly personal and not necessarily those of our business.
- Do not open e-mail attachments received from unknown senders, as these may contain viruses, e-mail bombs, Trojan horse code or some other form of malware.
- Do not forward electronic mail messages to other individuals or groups that have been sent to you containing personal data (as defined by the General Data Protection Regulation) without the permission of the originator.
Passwords
- All workstations must be protected with a password.
- Authorised users are responsible for the security of their passwords and user accounts. Passwords must be kept secure and never shared with anyone else.
- Passwords should never be displayed on screens.
- If at any time you think someone may have discovered your password you must immediately change it or request that it is changed.
- Passwords should never be “remembered” on the computer but entered by the user on all occasions.
Electronic Devices
- Access to all computers must be password protected.
- Particular care must be taken to avoid potential infection by malware, e.g. by downloading software other than from trusted sources.
- Work-in-progress should be regularly backed up, and back-up media should be locked away securely.
- Computers used for working on personal data at home should be protected from unauthorised and unrestricted access by third parties, including family members. Where practicable, the ideal is a computer used only for work.
- Storage media and devices such as USB drives, external hard drives, flash cards and any other portable drives carry considerable risks when used to transport, store or transfer confidential business information. The use of removable storage media is therefore prohibited without the express authorisation of the Data Protection Officer, and encryption must always be used.
- The organisation maintains a log of all computers and devices used for storing or working on personal data.
- Ensure that suitable encryption software is installed for the storage and transportation of business information.
- Business information should not be stored or transported using a mobile device unless there is a clear business need to do so and should be retained only temporarily to fulfil that need. The information should then be adequately deleted and unrecoverable from that device.
- If the device is to be used to handle data provided by a third party it is the device owner’s responsibility to ensure any security or data handling requirements by that organisation are met.
- Users must ensure they mitigate the risks associated with the environment in which they may be working.
- Should the loss, theft or misplacing of any such device occur, the Senior Clerk must be informed immediately with as much detail as possible regarding the device, the data it held and whether the loss has been reported to any relevant authorities.
- If you access e-mails from your mobile telephone or Smartphone, you must ensure that the device is suitably password protected and encrypted.
- Computers or devices should not be placed so that their screens can be overlooked, especially when working in co-working areas or public places.
- Extreme care should be taken to ensure that laptops, removable devices, and removable storage media containing personal data are not lost or stolen. In particular, such laptops and other removable devices should never be left unattended in public places or left in a car overnight.
This document contains material that is distributed under licence from OMG Software Ltd. No reproduction or distribution of this material is allowed outside of your organisation without the permission of OMG Software Ltd.