Policy overview
This policy aims to ensure we maintain the confidentiality, integrity, and availability of information in accordance with its importance to us.
The policy supports effective and secure processing of information. This includes sharing across organisational and professional boundaries.
Scope
This policy applies to all our information in all formats including:
- hard copy information:
  - files
  - documents
  - reports
- digital information:
  - emails
  - instant messaging
  - electronic files
It applies to all aspects of information and data processing:
- creating
- collecting
- using
- storing
- handling
- disclosing
- disposing of
Information classification
We have adopted a single classification which recognises that all information has value.
The principles of the classification are drawn from the Government classification of OFFICIAL.
The single classification includes a wide range of information of differing value and sensitivity which we need to protect. The classification also recognises the need to operate within a legal framework.
Adopting a single classification with common key principles and controls which are understood, achievable, and based on commercial good practice supports the delivery of services in a multi-agency environment. Such an environment can present challenges because of a multitude of organisation specific schemes requiring handling conditions not fully understood by all parties.
Categories of sensitive information
While we have adopted a single classification, some categories of information attract additional safeguards because of their level of sensitivity.
You must take particular care when processing this type of information, ensuring that it is subject to enhanced controls. Such information includes:
- personal data and data defined as special categories of personal data
- information that if compromised, amended, or made unavailable, would cause a negative impact on reputation, service delivery, finance, or people
You must consider the nature and context of the information you are working with. You must exercise good judgement to ensure that you always process our information appropriately.
General principles
You must respect the confidentiality, integrity and availability of information at all times. All information required to deliver services and conduct business has inherent value. It requires an appropriate degree of protection.
When processing information you must ensure it is subject to proportionate and reasonable controls:
- relative to the sensitivity of the information
- in a manner which reduces the risk of compromise or loss
You must process information in a manner which meets legal and regulatory requirements. This includes information received from, or exchanged with, external partners.
You must not access or attempt to access information unless you have a clear and authorised business need.
You must process personal data in accordance with our Data protection policy. This supports our obligations under current data protection legislation.
All staff must be subject to appropriate employment checks prior to handling information. This includes verification of identity.
All staff processing information must undertake annual information assurance training. They must be aware of their individual responsibilities.
You must not use private or personal devices to process our information unless you are using an authorised corporate solution, for example accessing Microsoft 365 web applications.
Handling, storing and transferring information
You must:
- adopt a clear desk and clear screen policy in accordance with the Physical security policy
- store information securely when not in use, for example under lock and key. This applies particularly to sensitive information
- ensure information is protected to prevent unauthorised access
- only remove information from official premises when necessary. When doing so you must ensure it remains accounted for and always protected in line with the requirements of this policy
- collect printed material from printers as soon as possible
- use secure printing when the facility is available. This requires you to be physically present at the printer to receive the prints
- encrypt information that you store on portable ICT devices:
  - laptops
  - smartphones
  - removable media, for example:
    - CDs
    - USB drives
- only store ICT equipment, removable media or hard copy information in an unoccupied vehicle if it is secured out of sight in the locked boot of the vehicle, and only if the alternative is less secure, for example when entering a service user's home
- exercise discretion when discussing council business in public or by telephone
- avoid being overlooked when working
Before you distribute sensitive information ensure it is the minimum necessary to achieve your aim. For example, only share personal data with those who have a defined business need to see it. You must redact documents to remove unnecessary sensitive information.
When redacting information you must ensure it prevents accidental disclosure of data. You must carry out quality assurance checks before releasing the document to ensure redaction is successful.
You must never:
- store passwords with an ICT device
- store ICT devices in a vehicle overnight
Transferring information
By post or courier:
- consider using a ‘signed for service’ when sending individual mail items containing particularly sensitive information. Your decision should be informed by the additional cost of such a service versus the additional security benefits it provides, for example an audit trail
- you must use a reputable tracking service for bulk transfer of sensitive information via post to a named individual
- packaging must be robust to prevent damage
You must not transfer data using removable media unless no secure alternative exists. Where removable media is the only option you must:
- use a reputable tracked service to a named individual
- encrypt the removable media using AES-256 encryption
- communicate the password separately, by a different communication method, and never include it with the removable media
Before the transfer takes place, the receiving party must confirm by email that:
- they are ready for the transfer
- the recipient address is correct
Once the removable media arrives, the receiving party must send a further email confirming that they have received it and that the data is intact.
Facsimile
You must not use facsimiles (fax) to transmit sensitive information unless:
- exceptional circumstances exist, and
- a more secure option of transmission is not available
You must use sound judgement and actions must be justified.
Where a decision has been made to use fax you must:
- check and confirm the dialled number carefully
- confirm with the intended recipient that either:
  - the receiving fax machine is located in a secure area, or
  - the intended recipient is waiting by the fax machine to receive the transmission
- obtain confirmation that the fax has been received
- include a fax header which states:
  - the number of pages transmitted
  - the name of the intended recipient
By electronic means:
- electronic transfer of council information must occur in a secure manner
- you must encrypt email traffic when emailing sensitive information
- staff must check and confirm the email address of the recipient is the intended one before sending
- password protect attachments which contain personal data or other sensitive information, to mitigate the risk of sending an email to an incorrect recipient. As with removable media, send the password by a different communication method, never in the same email as the attachment
Accommodation moves
Prior to accommodation moves you must make adequate provision for the security of information in line with this policy.
When accommodation is no longer required physical security measures must remain in place until all information has been removed.
You must ensure that hard copy information no longer required is securely destroyed.
The vacating team must complete a security sweep once accommodation has been vacated to ensure information does not remain.
Information sharing and disclosure
Information sharing
Before sharing information, particularly sensitive information or personal data, you must:
- be satisfied that the request has come from a legitimate source
- if necessary, have taken steps to validate the authenticity of the request
- ensure you are clear on the purpose for which the information is being requested
- ensure you are clear on what is being requested
- where personal data is requested, ensure you have a legal gateway that allows the council to share it
- be satisfied that the request is reasonable and fair, and it is clear why sharing is necessary in relation to the stated purpose
- take reasonable care to avoid oversharing
You may need to document common rules within an information sharing agreement when:
- personal data is being shared with the same partner organisation for an established, repeatable, and agreed purpose
- the sharing normally consists of the same data sets
This must clearly describe both the legal and practical requirements involved.
When personal data is being provided to a supplier or contracted service you must ensure that the sharing is secure and documented within the relevant contract.
Sharing must occur using corporately authorised solutions.
Information disclosure
When receiving a request to disclose information, you must consider:
- the principles of openness and transparency
- the relevant information legislation
The following requests must be sent to the customer information team:
- requests for disclosure under the Freedom of Information Act or Environmental Information Regulations
- requests by individuals for copies of the personal data we hold about them. This is known as a subject access request under the General Data Protection Regulation
Destroying information
You must destroy hard copy information securely when no longer required. You can achieve this by:
- using a cross-cut shredder
- using a confidential waste service such as the council's "blue bin" service
You must always control access to information until it is securely destroyed.
You must not place hard copy information in open waste bins or waste skips.
You must securely delete digital information from hardware and media when no longer required.
You must consider several factors when destroying or sanitising digital information, including:
- the sensitivity of the data therein
- the type of hardware or media
- the potential re-use of the hardware
You should seek specialist advice from the service desk by telephone: 01522 555555.
Security incidents and further information
Security incidents
You must report all security incidents involving information in accordance with our Security incident reporting policy.
Further information
For further information regarding appropriate handling of council information email IA@lincolnshire.gov.uk.