Northwood Nursing and Care Services Ltd
General Data Protection Regulations (GDPR) policy PP0016
Rev NA 25.05.2018
Northwood Nursing and Care Services Ltd. (NNCS) “the Company” is a Data Controller and Processor for the purposes of the EU General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018. The GDPR describes how organisations, including the Company, must collect, handle and store personal information. The Company collects and uses certain types of personal information about the following categories of individuals (“data subjects”):
- Customers/Clients/Service Users (“SU”)
- Prospects i.e. data subjects potentially interested in the Company and its products and services.
- Other individuals who come into contact with the Company.
The Company will process this personal information in the following ways:
- to use SU contact information (i.e. name, address, email address, telephone number) to communicate with the SU regarding the NNCS services that the SU requires.
- to use medical information from the SU to ensure NNCS employees and/or contractors understand the medical conditions that dictate the care that the SU needs from NNCS.
- to contact interested parties regarding the organisation’s services.
- to research the performance of the organisation’s services.
- to allocate the organisation’s resources to stakeholders according to their relevant needs.
- to process financial transactions related to the organisation’s services.
- to allow the completion of marketing material e.g. with images/photographs.
- to ensure company building security e.g. via CCTV.
- to comply with statutory and contractual obligations relating to employment.
- to comply with other statutory and legal obligations.
This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the EU General Data Protection Regulation (the “GDPR”) and other related legislation. It will apply to information regardless of the way it is used or recorded and applies for as long as the information is held.
The GDPR applies to all computerised data and to manual files if they come within the definition of a filing system. Broadly speaking, a filing system is one where the data is structured in such a way that it is searchable based on specific criteria (so you would be able to use something like the individual’s name to find their information); if this is the case, it does not matter whether the information is located in a different physical location.
This policy will be updated as necessary to reflect best practice, or amendments made to the GDPR and guidance from the supervisory authorities, and shall be reviewed every year.
WHAT IS PERSONAL DATA?
‘Personal data’ is information that identifies an individual and includes information that would identify an individual to the person to whom it is disclosed because of any special knowledge that they have or can obtain. A sub-set of personal data is known as ‘special category personal data’. This special category data is information that relates to:
- race or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- physical or mental health
- an individual’s sex life or sexual orientation
- genetic or biometric data for the purpose of uniquely identifying a natural person.
Special Category information is given special protection, and additional safeguards apply if this information is to be collected and used. Information relating to criminal convictions shall only be held and processed where there is legal authority to do so.
WHAT ARE THE DATA PROTECTION PRINCIPLES?
The data protection principles as laid down in the GDPR are followed at all times:
- personal data shall be processed fairly, lawfully and in a transparent manner, and processing shall not be lawful unless one of the processing conditions can be met (see the conditions for processing set out below)
- personal data shall be collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes
- personal data shall be adequate, relevant, and limited to what is necessary for the purpose(s) for which it is being processed
- personal data shall be accurate and, where necessary, kept up to date
- personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose/those purposes
- personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
In addition to this, the Company is committed to ensuring that at all times, anyone dealing with personal data shall be mindful of the individual’s rights under the law (as explained in more detail below).
The Company is committed to complying with the principles of GDPR at all times. This means that the Company will:
- inform individuals as to the purpose of collecting any information from them, as and when we ask for it
- be responsible for checking the quality and accuracy of the information
- regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with the Records Retention Policy.
- ensure that when information is authorised for disposal it is done appropriately.
- ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer system and follow the relevant security policy requirements at all times.
- share personal information with others only when it is necessary and legally appropriate to do so.
- set out clear procedures for responding to requests for access to personal information known as subject access requests.
- report any breaches of the GDPR in accordance with the procedure (see below).
You have the right to:
- ask for access to your personal information.
- ask for rectification of the information we hold about you.
- ask for the erasure of information about you.
- ask for our processing of your personal information to be restricted.
- receive your data in a form allowing you to transmit it to another data controller (portability).
- object to us processing your information.
If you want to use your rights, for example, by requesting a copy of the information which we hold about you, please contact our Data Privacy & Protection (GDPR) Coordinator.
If at any time you are not happy with how we are processing your personal information then you may raise the issue with the Data Privacy & Protection (GDPR) Coordinator and if you are not happy with the outcome you may raise a complaint with the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
WHAT WE DO FOR BREACHES OF ANY REQUIREMENT OF THE GDPR
- Any and all breaches of the DPA, including a breach of any of the data protection principles, shall be reported as soon as they are discovered to the Data Privacy & Protection (GDPR) Coordinator.
- Once notified, the Data Privacy & Protection (GDPR) Coordinator shall assess, with the help of management:
  - the extent of the breach;
  - the risks to the data subjects as a consequence of the breach;
  - any security measures in place that will protect the information;
  - any measures that can be taken immediately to mitigate the risk to the individuals.
- Unless the Data Privacy & Protection (GDPR) Coordinator, with the help of management, concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of the Company, unless a delay can be justified.
- The Information Commissioner shall be told:
  - details of the breach, including the volume of data at risk, and the number and categories of data subjects;
  - the contact point for any enquiries (which shall usually be the Data Privacy & Protection (GDPR) Coordinator);
  - the likely consequences of the breach;
  - measures proposed or already taken to address the breach.
- If the breach is likely to result in an elevated risk to the rights and freedoms of the affected individuals, then the Data Privacy & Protection (GDPR) Coordinator, with the help of management, shall notify data subjects of the breach without undue delay, unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals. Data subjects shall be told:
  - the nature of the breach;
  - who to contact with any questions;
  - measures taken to mitigate any risks.
- The Data Privacy & Protection (GDPR) Coordinator with the help of management shall then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed by senior management and a decision made about implementation of those recommendations.
DO WE DISCLOSE PERSONAL DATA?
The following list includes the most usual reasons that the Company will authorise disclosure of personal data to a third party:
- to give a confidential reference relating to a current or former employee or volunteer.
- for the prevention or detection of crime.
- for the assessment of any tax or duty.
- where it is necessary to exercise a right or obligation conferred or imposed by law upon us (other than an obligation imposed by contract).
- for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings).
- for the purpose of obtaining legal advice.
- for research, historical and statistical purposes (so long as this neither supports decisions in relation to individuals, nor causes substantial damage or distress).
The Company may receive requests from third parties (i.e. those other than the data subject, the Company, and its employees) to disclose personal data it holds about individuals. This information will not generally be disclosed unless one of the specific exemptions under the GDPR which allow disclosure applies, or where disclosure is necessary for the legitimate interests of the third party concerned or the Company.
All requests for the disclosure of personal data must be sent to our Data Privacy & Protection (GDPR) Coordinator, who will review with management and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of the requesting third party before making any disclosure.
WHAT ARE THE CONDITIONS FOR PROCESSING UNDER THE FIRST DATA PROTECTION PRINCIPLE?
- The individual has given consent that is specific to the particular type of processing activity, and that consent is informed, unambiguous and freely given.
- The processing is necessary for the performance of a contract, to which the individual is a party, or is necessary for the purpose of taking steps with regard to entering into a contract with the individual, at their request.
- The processing is necessary for the performance of a legal obligation to which we are subject.
- The processing is necessary to protect the vital interests of the individual or another.
- The processing is necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in us.
- The processing is necessary for a legitimate interest of the Company or that of a third party, except where this interest is overridden by the rights and freedoms of the individual concerned.
OUR DATA PROCESSOR AGREEMENTS WITH PARTNERS
Our data processor agreements with partners shall:
- Be in writing.
- Contain the following information on the processing: its subject matter and duration; the nature and purpose of the processing; the type of personal data; the categories of individuals who are the data subjects.
- Expressly state that the Processor can only act on your instructions as the Controller.
- Require the Processor to impose a duty of confidentiality on relevant staff.
- Require the Processor to implement relevant security measures to protect the data. NB We will specify what those measures are, and what we impose will depend upon the type and sensitivity of the information.
- Require the Processor to seek your prior written permission as Controller to engage a sub-contractor.
- Require the Processor to make all necessary arrangements to ensure that as the Controller you can respect the rights of the individuals under data protection law. As an example, The Processor must be required to make available any personal data should an individual make a Subject Access Request; must be able to delete or rectify data if necessary and must enable data portability where applicable.
- Require the Data Processor to have in place the necessary means of assisting you as the Controller to meet your obligations under data protection law. This includes ensuring security of data, co-operating in relation to your notification of breaches to the Information Commissioner’s Office and data subjects, and assisting with the preparation of data protection impact assessments.
- Require the Processor to assist you as the Controller in meeting any obligations imposed by the Information Commissioner’s Office, by allowing access to information, and details of activities and systems if and when required.
- Require the Processor to delete or return the data at the end of the contract. The choice of whether the data is returned or deleted is our decision as the Controller.
- Require the Processor to provide us with all necessary information regarding processing activities to demonstrate compliance – including security measures taken, disclosures made, what has been done to the information plus anything else we need to know as Controller to allow the processing to be audited.
- Provide that any legal requirements that the Processor is subject to which may require the disclosure of the personal data (such as Freedom of Information) should be notified to you as the Controller in advance, where possible.
- Be governed by the law of England and Wales, failing which other EU or member state law.
NB: The GDPR refers to the possible development of standard clauses covering the compliance matters listed above. The position will therefore be monitored.
OUR DOCUMENT RETENTION POLICY
The main aim of this policy is to enable Northwood Nursing and Care Services Ltd. to manage our records effectively and in compliance with data protection and other regulation. As an organisation we collect, hold, store and create significant amounts of data and information and this policy provides a framework of retention and disposal of categories of information and documents.
Northwood Nursing and Care Services Ltd. is committed to the principles of data protection including the principle that information is only to be retained for as long as necessary for the purpose concerned. The table below sets out the main categories of information that we hold, the length of time that we intend to hold them, and the reason for this.
This policy sets out the destruction procedure for documents at the end of their retention period. The Data Privacy & Protection (GDPR) Coordinator shall be responsible for ensuring that this is carried out appropriately, and any questions regarding this policy should be referred to them. If a document or information is reaching the end of its stated retention period, but you are of the view that it should be kept longer, please refer to the Data Privacy & Protection (GDPR) Coordinator, who will confer with management and decide as to whether it should be kept, for how long, and note the new time limit and reasons for extension.
DELETION OF DOCUMENTS
When a document is at the end of its retention period, it should be dealt with in accordance with this policy.
Confidential paper documents should be placed in the confidential waste bins or sacks located around the office, or shredded. Anything that contains personal information should be treated as confidential. Where deleting electronically, please refer to the Data Privacy & Protection (GDPR) Coordinator to ensure that this is carried out effectively.
Other documentation can be deleted or placed in recycling bins where appropriate.
Certain information may be automatically archived by the computer systems. Should you want to retrieve any information, or prevent this happening in a particular circumstance, please contact the Data Privacy & Protection (GDPR) Coordinator.
Much of the retention and deletion of documents may be automatic, but when faced with a decision about an individual document, you should ask yourself the following:
- Has the information come to the end of its useful life?
- Is there a legal requirement to keep this information or document for a set period?
- Would the information be likely to be needed in the case of any legal proceedings?
- Is the information contentious, does it relate to an incident that could potentially give rise to proceedings?
- Would the document be useful for the organisation as a precedent, learning document, or for performance management processes?
- Is the document of historic or statistical significance?
Northwood Nursing and Care Services Ltd. is committed to protecting and respecting the privacy of its workforce. For the purposes of Data Protection legislation, the Company is the Data Controller, as well as a Processor in certain circumstances. This means it is in charge of personal information about you. The Data Privacy & Protection (GDPR) Coordinator for the Company is listed, with their contact details, on an insert in this document.
How we use your information
We process personal data relating to those we employ or engage to work at the Company. This is for employment purposes to assist in the running of the Company and to enable individuals to be paid. This personal data includes identifiers such as names and national insurance numbers, employment contracts and remuneration details, qualifications and absence information. It may also include sensitive personal data such as ethnic group, medical information and trade union membership, where this information has been shared with the Company.
During the recruitment process we may receive information about you from a previous employer or an educational establishment which you have previously attended. You will know about this because you will have supplied us with the relevant contact details.
Collecting and using your information in this way is lawful because:
- As an employee, worker or contractor, you have obligations under your employment contract to provide the organisation with data. In particular, you are required to report absences from work and information about disciplinary or other matters.
- You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide the data may mean that you are unable to exercise your statutory rights. Contact details, your right to work in the UK, and payment details etc., have to be provided to enable the organisation to enter a contract of employment with you. If you do not provide other information, this will hinder our ability to administer the rights and obligations arising from our employment relationship effectively.
How we share your information with third parties
- We will not share information about you with third parties without your consent unless the law allows us to. We may be required, by law, to pass on some of the personal data which we collect to our local authority and relevant regulators.
- We may disclose details about you including national insurance number and absence information to a payroll provider to enable payments.
- We may disclose details about you to our HR provider for the purposes of HR management.
- We share your identity and pay information with HMRC in conjunction with your legal obligation to pay income tax and make national insurance contributions.
- If you have decided to become part of a salary sacrifice scheme such as that for child care vouchers, we share your details with the provider to the extent necessary for them to provide the vouchers to you.
- We may share your details with a pension provider in order to make sure that you pay the correct amount and maintain your entitlement to a pension.
Our disclosures to third parties are lawful because one of the following reasons applies:
- The processing is necessary for the performance of your employment contract.
- The processing is necessary for the performance of a legal obligation to which the Company is subject.
- The processing is necessary to protect the vital interests of others.
- The processing is necessary for the performance of our business function which is a function in the public interest.
How long we keep your personal information
We only keep your information for as long as we need it or for as long as we are required by law to keep it. Full details are given in our Records Retention Policy.
SECURITY OF PERSONAL DATA
The Company will take reasonable steps to ensure that members of staff and volunteers will only have access to personal data where it is necessary for them to carry out their duties. All staff and volunteers will be made aware of this Policy and their duties under the GDPR. The Company will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.
For further details as regards security of IT systems, please refer to the ICT Policy.
The need for a policy
All the Company’s information communication technology (ICT) facilities and information resources remain the property of the Company and not of particular individuals, teams or departments. By following this policy, we will help ensure that ICT facilities are used:
- legally;
- securely;
- without undermining the Company;
- effectively;
- in a spirit of cooperation, trust and consideration for others, so that they remain available.
The policy relates to all ICT facilities and services provided by the Company, although special emphasis is placed on email and the internet. All employees, volunteers and any other users of our IT are expected to adhere to the policy.
Deliberate and serious breach of the policy statements in this section may lead to the Company taking disciplinary measures in accordance with our relevant policy. The Company accepts that ICT – especially the internet and email system – is a valuable business tool. However, misuse of this facility can have a negative impact upon employee and volunteer effectiveness as well as the productivity and the reputation of the organisation.
In addition, all of the Company’s phone, internet and email related resources are provided for business purposes. Therefore, the organisation maintains the right to monitor the volume of internet and network traffic, together with the email systems. The specific content of any transactions will not be monitored unless there is a suspicion of improper use.
As a user of the Company’s equipment and services, you are responsible for your activity. Please adhere to the following:
- Do not disclose personal system passwords or other security details to other employees, volunteers or external agents, and do not use anyone else's log-in; this compromises the security of the Company. If someone else gets to know your password, ensure that you change it or ask your manager, who can change it for you.
- If you intend to leave your computer or workstation unattended for any reason, you should lock the screen to prevent unauthorised access. If you fail to do this, you will be responsible for any misuse of it while you are away. Logging off is especially important where members of the public have access to the screen in your absence.
- Any pen drives or other storage devices used on the Company’s network should be secure and only those that are the property of the Company should be used.
- If you are recording or obtaining information about individuals, make sure you are not breaking data protection legislation, and are compliant at all times with the Company’s Data Protection Policy. When you are on the internet and using email, make sure your actions are in the interest (and spirit) of the Company and do not leave the Company open to legal action (for example libel) or reputational damage. Avoid trading insults over the internet.
- Do not attempt to gain unauthorised access to information or facilities. The Computer Misuse Act 1990 makes it a criminal offence to obtain unauthorised access to any computer (including workstations and PCs) or to modify its contents. If you do not have access to information or resources you feel you need, inform your manager.
Use of Email
When to use email:
- Use email in preference to paper to reach people quickly (saving time on photocopying / distribution) and to help reduce paper use.
- Use the phone for urgent messages (email is a good backup in such instances).
Use of email by employees and volunteers of the Company is permitted and encouraged, where such use supports the goals and objectives of the Company. However, the Company has a policy for the use of email whereby employees and volunteers must ensure that they:
- comply with current legislation;
- use email in an acceptable way;
- do not create unnecessary business risk to the Company by their misuse of the internet.
In particular, the following is deemed unacceptable use or behaviour by employees and volunteers (this list is non-exhaustive):
- Sending confidential information to external locations without appropriate safeguards in place. See below for more details.
- Distributing, disseminating or storing images, text or materials that might be considered indecent, pornographic, obscene or illegal.
- Distributing, disseminating or storing images, text or materials that might be considered discriminatory, offensive or abusive, constitutes a personal attack, is sexist or racist, or might be considered as harassment or bullying.
- Using copyrighted information in a way that violates the copyright.
- Breaking into the Company’s or another organisation’s system, or unauthorised use of a password / mailbox.
- Broadcasting unsolicited personal views on social, political, religious or other non-business-related matters.
- Undertaking deliberate activities that waste employees’ or volunteers’ effort or networked resources.
- Deliberately or recklessly introducing any form of computer virus or malware into the corporate network.
Always exercise caution when committing confidential information to email, since the confidentiality of such material cannot be guaranteed. The Company reserves the right to monitor electronic communications in accordance with applicable laws and policies. The right to monitor communications includes messages sent or received by system users (employees, volunteers, contractors and temporary employees) within and outside the system, as well as deleted messages. See below for more detail.
General points on email use:
- When publishing or transmitting information externally be aware that you are representing the Company and could be seen as speaking on the Company's behalf. Make it clear when opinions are personal. If in doubt, consult your line manager;
- Check your inbox at regular intervals during the working day. Consider keeping your inbox fairly empty so that it just contains items requiring your action. Try to decide what to do with each email as you read it (e.g. delete it, reply to it, save the whole email in a folder, or extract just the useful information and save it somewhere logical)
- Keep electronic files of electronic correspondence, only retaining what you need to. Do not print it off and keep paper files unless absolutely necessary;
- Treat others with respect and in a way in which you would expect to be treated yourself (e.g. do not send unconstructive feedback, argue, or invite colleagues to make public their displeasure at the actions / decisions of a colleague).
- Do not forward emails warning about viruses as they are often hoaxes. If in doubt, check with your manager.
- Do not open an email unless you have a reasonably good expectation of what it contains, and do not download files unless they are from a trusted source. Check the sender's email address to see whether it is similar to, but different from, what you expect (e.g. email@example.com instead of firstname.lastname@example.org), as this is a common trick used. Alert your company’s IT Support and your manager if you are sent anything like this unexpectedly; this is one of the most effective means of protecting the Company against email virus attacks. Do not forward such an email unless told to do so by your manager.
- Email signatures: Keep these short e.g. include your name, title, phone / fax number(s) and website address.
Use of the Internet
- Use of the Internet by employees and volunteers is permitted and encouraged where such use supports the goals and objectives of the Company.
- However, when using the Internet, employees and volunteers must ensure that they:
  - comply with current legislation;
  - use the internet in an acceptable way;
  - do not create unnecessary business risk to the organisation by their misuse of the internet.
- In particular the following is deemed unacceptable use or behaviour by employees and volunteers (this list is non-exhaustive):
  - Visiting internet sites that contain obscene, hateful, pornographic or other illegal material;
  - Using the computer to perpetrate any form of fraud, or software, film or music piracy;
  - Using the internet to send offensive or harassing material to other users, or to send material that may be regarded as party political campaigning;
  - Downloading commercial software or any copyrighted materials belonging to third parties, unless this download is covered or permitted under a commercial agreement or other such licence;
  - Hacking into unauthorised areas;
  - Creating or transmitting defamatory material;
  - Undertaking deliberate activities that waste employees’ effort or networked resources;
  - Deliberately or recklessly introducing any form of computer virus into the Company’s network.
- Chat rooms / instant messaging (IM): The use of chat rooms and instant messaging is permitted for business use only. This use must have been agreed with your manager.
- Webmail: The use of webmail (e.g. Hotmail, msn, Google Mail) is not permitted in the Company unless previously agreed with your manager.
- Obscenities/pornography: Do not write, publish, look for, bookmark, access or download material that might be regarded as obscene or pornographic.
- Copyright: Take care to use software legally and in accordance with both the letter and spirit of relevant licensing and copyright agreements. Copying software for use outside these agreements is illegal and may result in criminal charges. Be aware of copyright law when using content you have found on other organisations’ websites. The law is the same as it is for printed materials.
- Confidentiality: If you are dealing with personal, sensitive and/or confidential information, then you must ensure that extra care is taken to protect the information. If sending personal, sensitive and/or confidential information via email, then the following protocols should be used. If there is any doubt as to the information being sent or the appropriate level of protection required, please check with your manager.
  - Personal, sensitive and/or confidential information should be contained in an attachment. In appropriate cases the attachment should be encrypted and/or password protected.
  - Any password or key must be sent separately.
  - Before sending the email, verify the recipient by checking the address and, if appropriate, telephoning the recipient to check and to inform them that the email will be sent.
  - Do not refer to the information in the subject of the email.
The Company’s network
- Keep master copies of important data on the Company’s network server and not solely on your PC's local C: drive or portable disks. Not storing data on the Company’s network server means it will not be backed up and is therefore at risk.
- Ask for advice from your manager if you need to store, transmit or handle large quantities of data, particularly images or audio and video. These large files use up disk space very quickly and can bring the network to a standstill.
- Be considerate about storing personal files on the Company's network. Do not copy files that are accessible centrally into your personal directory unless you have good reason (i.e. you intend to amend them, or you need to reference them, and the central copies are to be changed or deleted) since this uses up disk space unnecessarily.
- If storing or transferring personal, sensitive, confidential or classified information using removable media you must first contact your manager for permission, and in addition:
- Always consider whether an alternative solution already exists.
- Only use recommended removable media.
- Encrypt and password protect the media.
- Store all removable media securely.
- Dispose of removable media securely; check with your manager for help.
Personal use of ICT facilities
Social Media: For the purposes of this policy, social media websites are web-based and mobile technologies which allow parties to communicate instantly with each other or to share data in a public forum. They include websites such as Facebook, Twitter, Google+ and LinkedIn. They also cover blogs and image sharing websites such as YouTube and Flickr. This is not an exhaustive list and you should be aware that this is a constantly changing area.
Use of Social Media:
- Inappropriate comments on social media websites can cause damage to the reputation of the organisation if a person is recognised as being an employee or volunteer. It is, therefore, imperative that you are respectful of the organisation’s service as a whole including client/customers/service users, members, supporters, colleagues, partners and competitors.
- Employees and volunteers should not give the impression that they are representing, giving opinions or otherwise making statements on behalf of the Company unless appropriately authorised to do so. Personal opinions must be acknowledged as such and should not be represented in any way that might make them appear to be those of the organisation. Where appropriate, an explicit disclaimer should be included, for example: ‘These statements and opinions are my own and not those of [Name of Company].’
- Any communications that employees or volunteers make in a personal capacity must not:
- bring the Company into disrepute, for example by criticising clients, colleagues or partner organisations;
- breach the Company’s policy on confidentiality or any other relevant policy;
- breach copyright, for example by using someone else’s images or written content without permission;
- do anything which might be viewed as discriminatory against, or harassment towards, any individual, for example by making offensive or derogatory comments relating to age, disability, gender reassignment, race, religion or belief, sex, or sexual orientation;
- use social media to bully another individual;
- post images that are discriminatory or offensive (or links to such content).
- The Company maintains the right to monitor usage of social media sites where there is suspicion of improper use.
Other personal use
Any information held by the Company, in any form, is provided to the employee or volunteer for the duration of their period of work. It must not be used in any way other than for proper business purposes, or transferred into any other format (e.g. loaded onto a memory stick / pen drive), unless necessary for business use and with the prior agreement of your manager.
Portable and Mobile ICT Equipment
This section covers items such as laptops, mobile devices and removable data storage devices provided by the Company. The following requirements apply, in particular when storing or transferring personal or sensitive data:
- Use of any portable and mobile ICT equipment must be authorised by your manager before use.
- All activities carried out on the Company’s systems and hardware will be monitored in accordance with the general policy.
- Employees and volunteers must ensure that all data belonging to the Company is stored on the Company’s network and not kept solely on a laptop. Any equipment where personal data is likely to be stored must be encrypted.
- Equipment must be kept physically secure in accordance with this policy to be covered for insurance purposes. When travelling by car, best practice is to place the laptop in the boot of the car before starting your journey.
- Synchronise all locally stored data, including diary entries, with the central organisation network server on a frequent basis.
- Ensure portable and mobile ICT equipment is made available as necessary for anti-virus updates and software installations, patches or upgrades.
- The installation of any applications or software packages must be authorised by your manager, fully licensed and only be carried out by an employee nominated by your manager.
- In areas where there are likely to be members of the general public, portable or mobile ICT equipment must not be left unattended and, wherever possible, must be kept out of sight.
- Portable equipment must be transported in a protective case if one is supplied.
- If remote access is required, you must contact your manager to set this up.
- You are responsible for all activity via your remote access facility.
- Laptops and mobile devices must have appropriate access protection, i.e. passwords and encryption and must not be left unattended in public places.
- To prevent unauthorised access to the Company’s systems, keep all dial-up access information such as telephone numbers, logon IDs and PINs confidential and do not disclose them to anyone. Select PINs that are not easily guessed, e.g. do not use your house or telephone number and do not choose consecutive or repeated numbers.
- Avoid writing down or otherwise recording any network access information where possible. Any information that is written down must be kept in a secure place and disguised so that no other person is able to identify what it is.
- Protect the Company’s information and data at all times, including any printed material produced while using the remote access facility. Take particular care when access is from a non-office environment.
- Users of laptops and mobile devices are advised to check their car and home insurance policies for the level of cover in the event of equipment being stolen or damaged. Appropriate precautions should be taken to minimise risk of theft or damage.
- Care should be taken when working on laptops in public places (e.g. trains) that any employee or client details are not visible to other people.
You may find that you have access to electronic information about the activity of colleagues. Any such information must not be used by unauthorised individuals to monitor the activity of individual employees in any way (e.g. to monitor their working activity, working time, files accessed, internet sites accessed, reading of their email or private files etc.) without their prior knowledge. Exceptions are:
- In the case of a specific allegation of misconduct, your manager can authorise access to such information when investigating the allegation.
- When an employee cannot avoid accessing such information while fixing a problem; this will only be carried out with the consent of the individual concerned.
Any users who place and pay for orders online using personal details do so at their own risk and the Company accepts no liability if details are fraudulently obtained whilst the user is using the Company’s equipment.
Care of equipment
Do not rearrange the way in which equipment is plugged in (computers, power supplies, phones, network cabling, modems etc.) without first contacting your manager.
All employees, volunteers, contractors and temporary employees who have been granted the right to use the Company’s ICT systems are required to sign this agreement confirming their understanding and acceptance of this policy.
If anyone has any concerns or questions in relation to this policy, they should contact the Data Privacy & Protection (GDPR) Coordinator.