Handling Personal Information
Why should we care about handling personal information safely?
We collect and use a wide range of information about people in order to deliver our services. These individuals include our customers, clients and employees, and the information we hold about them is their personal data.
If we fail to take adequate care of the personal data we deal with and it is lost, stolen, disclosed to the wrong people or otherwise misused, this could have a serious impact on the individuals concerned ranging from distress to actual physical harm. Personal information is a valuable asset, but also a liability if we handle it incorrectly.
This guidance and the full policy and procedure (available to download below) is therefore designed to ensure that personal information is handled securely. In particular, this looks at the way personal data is stored and transferred to assist us with complying with our legal obligations under the General Data Protection Regulation.
For more information on the requirements of Data Protection legislation, please visit our Data Protection page.
Personal information should only be kept on portable devices or removable media when it is absolutely necessary to do so. In other words, please avoid using them to store personal data.
The term ‘portable devices’ includes (but is not limited to):
- Laptop and tablet computers
‘Removable media’ refers to items such as:
- USB memory sticks/storage devices
- SD cards
- CD-Roms and DVDs
A member of staff has to work from another office for part of the week and needs to refer to client records that are kept in a folder on the Council File Plan, which she can access. However, she downloads the information on to a memory stick, but on the way to the other premises, it falls out of her bag and is lost.
She could have obtained the information she needed by simply accessing the folder on the Council File Plan via a computer at the other office. So her use of the memory stick was not necessary and created a security breach. Council smartphones should be kept on your person or locked away if not being used and never left unattended such as on desks or in vehicles.
You should also get permission from a senior manager before downloading any quantity of personal data on to a removable medium such as a memory stick and it must always be encrypted.
If you use any of the above devices or media, please also ensure that you read and understand the our Portable Device Usage Policy.
Personal Information must be kept out of view when it is not being used. This means files and papers should be put away in locked cupboards, cabinets or drawers when you have finished with them. This is often referred to as a ‘clear desk policy’.
You should make sure that you have a password protected screensaver activated on your PC, set at 5 minutes or less. This ensures that if you leave your desk and are away from longer that anticipated, your PC will be locked and secure.
Take care not to leave printed material, original documents or copies in printers/photocopiers/scanners.
Ensure that no personal data is left in public areas or is visible through office windows – personal information should be kept out of view of unauthorised persons at all times. Notice boards should be used only for non-personal information.
The Council’s policy is that personal information should not be taken out of office premises unless it is absolutely necessary to do so and only when you have the permission of your line manager. There are of course many situations where you will have to take personal data out of the office and provided that proper care is taken, this needn’t be a problem.
So when taking any personal information out of office premises, it must be kept secure, and never left unattended where it could be accessed by people who shouldn’t see it, such as within vehicles.
Files should also be carried safely, such as in a briefcase, to avoid papers being lost. Staff should never carry loose papers containing personal information outside of Council premises.
Where files or paper records are taken to your home, you should get permission from your line manager beforehand. As this will inevitably mean keeping files at home overnight, your line manager is also responsible for ensuring that you have a suitable working environment, which includes having means to securely store papers, such as a lockable drawer or cabinet.
Also, paper records must not be kept in the home for longer than necessary and must be returned to the office premises at the earliest opportunity. It is important that family members or any other unauthorised persons must not be allowed to access personal information which is taken home.
When you work from home, personal information must not be processed on IT equipment that isn’t owned by the Council.
A member of staff is working on a spreadsheet that includes employees’ names, national insurance numbers and pay details. She decides to finish it off at home and emails it from her work computer to her private email address. When she gets home, she saves a copy on to the desktop of her PC where any number of people could access it. This is not acceptable and is a security risk.
For guidance on how to access information securely from home, please contact the IT Helpdesk.
This means sending personal information from one place to another, either physically or electronically. Staff should follow the requirements set out in our Handling Personal Information Policy & Procedure when moving personal information within the Council as well as to government departments, other local authorities, external agencies/organisations and our customers and clients.
These would include cases where personal data is lost, stolen, either in electronic or paper format. Other examples would include emailing personal data to an unintended recipient or accidentally placing personal data on the Council’s website.
All such incidents must be dealt with in accordance with our Breach Reporting and Response Policy as follows:
- To ensure that they can be acted upon breaches should be reported by employees to their line manager immediately, or in any event within 12 hours of the breach being discovered;
- Within the same time limit, the breach must also be reported to the Breach Response Team via the central mailbox, firstname.lastname@example.org;
- Out of office hours, breaches must be reported via Careline on 0300 333 2222.
Failure to report, or delay in reporting, data security breaches can have potentially serious consequences for data subjects, staff, and other individuals.
Personal information should not be kept for longer than necessary and the we have produced Retention Guidelines for all of the records we hold.
Therefore, information should normally not be kept for longer than specified in these Retention Guidelines. Paper records containing personal information must be disposed of securely by shredding or by using a confidential waste service in accordance with the our Records Disposal Procedure.
It’s important that information to be destroyed is stored securely until it is shredded or collected by the provider of a confidential waste service.
Office A stores all their confidential waste in ordinary plastic bins in a room which can be accessed freely from other parts of the building. Once the bins are full, they put the papers in sacks which are kept in the corner of the room. Anyone walking into the office could therefore get hold of the information. Office B keeps all their confidential waste in secure, locked bins and sacks stored in a locked room. The information is therefore kept secure until it is finally disposed of.
Where a portable device or removable medium is used for the purpose of collecting personal information, the information must only be kept on it for as long as absolutely necessary. The information should be saved on the server at the earliest opportunity and completely deleted off the device.
Disposal of all ICT equipment must only be carried out by IT Services.
Page updated: 02/04/2019 15:16:12