Information handling policy

Handling, storing and transferring information

You must:

  • adopt a clear desk and clear screen policy in accordance with the Physical security policy.
  • store information securely when not in use, for example under lock and key. This applies particularly to sensitive information
  • ensure information is protected to prevent unauthorised access
  • only remove information from official premises when necessary. When doing so you must ensure it remains accounted for and always protected in line with the requirements of this policy
  • collect printed material from printers as soon as possible
  • use secure printing when the facility is available. This requires you to be physically present at the printer to receive the prints
  • encrypt information that you store on portable ICT devices:
    • laptops
    • smartphones
    • removable media, for example:
      • CDs
      • USB
  • only store ICT, removable media or hard copy information in an unoccupied vehicle if it is secured out of sight in the locked boot of the vehicle, and only if the alternative option is less secure, for example when entering a service user's home
  • exercise discretion when discussing council business in public or by telephone
  • avoid being overlooked when working

Before you distribute sensitive information ensure it is the minimum necessary to achieve your aim. For example, only share personal data with those who have a defined business need to see it. You must redact documents to remove unnecessary sensitive information.

When redacting information you must ensure it prevents accidental disclosure of data. You must carry out quality assurance checks before releasing the document to ensure redaction is successful.

You must never:

  • store passwords with an ICT device
  • store ICT devices in a vehicle overnight

Transferring information

By post or courier:

  • consider using a ‘signed for service’ when sending individual mail items containing particularly sensitive information. Your decision should be informed by the additional cost of such a service versus the additional security benefits it provides, for example an audit trail
  • you must use a reputable tracking service for bulk transfer of sensitive information via post to a named individual
  • packaging must be robust to prevent damage

You must not transfer data using removable media. If no secure alternative exists you must:

  • use a reputable tracked service to a named individual
  • encrypt removable media using AES 256 encryption
  • communicate passwords separately and never include them with the removable media. You must use a different communication method from the one used to send the media when providing the password

The receiving party must confirm by email, before the transfer takes place, that:

  • they are ready for the transfer
  • the recipient address is correct

Once the removable media arrives, the receiving party must send a further email confirming that it has been received and that the data is intact.

Facsimile

You must not use facsimiles (fax) to transmit sensitive information unless:

  • exceptional circumstances exist, and
  • a more secure option of transmission is not available

You must use sound judgement and be able to justify your actions.

Where a decision has been made to use fax you must:

  • check and confirm the dialled number carefully
  • confirm with the intended recipient that the receiving fax machine is either:
    • located in a secure area, or
    • attended by the intended recipient, who is waiting by the fax machine to receive the transmission
  • obtain confirmation that the fax has been received
  • include a fax header which includes:
    • the number of pages transmitted
    • the name of the intended recipient

By electronic means:

  • electronic transfer of council information must occur in a secure manner
  • you must encrypt email traffic when emailing sensitive information
  • staff must check and confirm the email address of the recipient is the intended one before sending
  • password-protect attachments which contain personal data or other sensitive information, to mitigate the risk of sending an email to an incorrect recipient