CONTENTS:
1. Purpose;
2. Principles;
3. Advice and Assistance;
4. Responsibilities;
5. Incident Management;
6. Data Administration;
7. Security;
8. Use of Removable Media;
9. Faulty or Unneeded Storage Devices;
10. Breach Procedures;
11. Review and Revision;
12. Employee Guide in Brief.
1) PURPOSE:
1.1. This policy supports the controlled storage and transfer of information by Councillors and all employees, temporary staff and agents (contractors, consultants and others working on behalf of the Council) who have access to and use of computing equipment that is owned or leased by the Blaengwrach Community Council;
1.2. Information is used throughout the Council and is sometimes shared with external organisations and applicants. The use of removable media may result in the loss of the ability to access information, or interference with the integrity of information, which could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide services to the public;
1.3. It is therefore essential for the continued operation of the Council that the availability, integrity and confidentiality of all storage devices are maintained at a level which is appropriate to the Council`s needs;
1.4. The aims of the policy are to ensure that the use of removable storage devices is accomplished with due regard to:
1.4.1. Enabling the correct data to be made available where it is required;
1.4.2. Maintaining the integrity of the data;
1.4.3. Preventing unintended consequences to the stability of the computer network;
1.4.4. Building confidence and trust in data that is being shared between systems;
1.4.5. Maintaining high standards of care towards data and information about individual members of the community, staff, Community Councillors or information that is exempt from disclosure;
1.4.6. Compliance with legislation, policies or good practice requirements;
2) PRINCIPLES:
2.1. This policy sets out the principles that will be adopted by the Council in order for material to be safely stored on removable media so that the risk of loss or corruption of work data is low;
2.2. Removable media includes but is not limited to:
USB memory sticks, memory cards, portable memory devices, CD/DVDs, diskettes and any other device that transfers data between systems, or stores electronic data separately from email or other applications;
2.3. Any person who intends to store Council data on removable media must abide by this policy. This requirement devolves to Community Councillors, employees of the Council and any agents of the Council, who may be held personally liable for any breach of the requirements of this policy;
2.4. Failure to comply with this policy could result in disciplinary action;
3) ADVICE AND ASSISTANCE:
3.1. The Clerk will ensure that everyone that is authorised to access Council information systems is aware of their obligations arising from this policy;
3.2. A competent person should be consulted over any hardware systems issues. Advice and guidance on using software packages should also be sought from a competent person;
4) RESPONSIBILITIES:
4.1. The Clerk is responsible for enforcing this policy and for having arrangements in place to identify the location of all data used in connection with Council business;
4.2. Users of removable media must have adequate Records Management/Information Security training so that the relevant policies are implemented;
5) INCIDENT MANAGEMENT:
5.1. It is the duty of all employees, Community Councillors and agents of the Council to not allow storage media to be compromised in any way whilst in their care or under their control. There must be immediate reporting of any misuse or irresponsible actions that affect work data or information, any loss of material, or actual, or suspected breaches in information security to the Clerk;
5.2. It is the duty of all Community Councillors and/or employees to report any actual or suspected breaches in information security to the Clerk;
6) DATA ADMINISTRATION:
6.1. Removable media should not be the only place where data created or obtained for work purposes is held, as data that is only held in one place and in one format is at much higher risk of being unavailable through loss, destruction or malfunction of equipment, than data which is routinely backed up;
6.2. Where removable media is used to transfer material between systems then copies of the data should also remain on the source system or computer, until the data is successfully transferred to another computer or system;
6.3. Where there is a business requirement to distribute information to third parties, then removable media must only be used when the file cannot be sent or is too large to be sent by email or other secure electronic means;
6.4. Transferring material to removable media is a snapshot of the data at the time it was saved to the media. Adequate labelling must be undertaken so as to easily identify the version of the data, as well as its content;
6.5. Files must be deleted from removable media, or the removable media destroyed, when the operational use of the material has been completed. The Council`s retention and disposition schedule must be implemented by Community Councillors, employees, contractors and agents for all removable media;
7) SECURITY:
7.1. All storage media must be kept in an appropriately secure and safe environment that avoids physical risk, loss or electrical corruption of the business asset. Due to their small size there is a high risk of the removable media being mislaid, lost or damaged. Therefore, special care is required to physically protect the device and the data. Anyone using removable media to transfer data must consider the most appropriate way to transport the device and be able to demonstrate that they took reasonable care to avoid damage or loss;
7.2. Virus infections must be prevented from damaging the Council`s network and computers. Virus and malware checking software approved by the Council, must be operational on both the machine from which the data is being taken and the machine on which the data is to be loaded. The data must be scanned by the virus checking software, before the media is loaded on to the receiving machine;
7.3. Any memory stick used in connection with Council equipment or to store Council material should usually be Council owned. However work related data from external sources can be transferred to the Council network using memory sticks that are from trusted sources and have been checked using current anti-virus software;
7.4. The Council will not provide support or administrator access for any non-Council memory stick;
8) USE of REMOVABLE MEDIA:
8.1. Care must be taken over what data or information is transferred onto removable media. Only the data that is authorised and necessary to be transferred should be saved on to the device;
8.2. Council material belongs to the Council and any equipment on which it is held should be under the control of the Council and not available to be used for other purposes that may compromise the data;
8.3. All data transferred to removable media should be in accordance with an agreed process established by the Council so that material can be traced;
8.4. the person arranging the transfer of data must be authorised to make use of, or process that particular data;
8.5. Whilst in transit or storage the data must be given appropriate security according to the type of data and its sensitivity;
8.6. Encryption must be applied to the data file unless there is no risk to the Council, other organisations or individuals from the data being lost whilst in transit or storage. If encryption is not available then password control must be applied if removable media must be used for the business purpose;
9) FAULTY or UNNEEDED STORAGE DEVICES:
9.1. Damaged or faulty media must not be used. The Clerk must be consulted over any damaged equipment, peripherals or media;
9.2. All unneeded or faulty storage devices must be dealt with securely to remove the data before reallocating or disposing of the device;
10) BREACH PROCEDURES:
10.1. Staff who do not adhere to this policy will be dealt with through the Council`s disciplinary process and Community Councillors who do not adhere to this policy will be dealt with through the Community Councillors Code of Conduct;
10.2. Where external service providers, agents or contractors breach this policy, this should be addressed through contract arrangements;
110 REVIEW and REVISION:
11.1. This policy will be reviewed annually by the Council and revised according to developments/changes in legislation, guidance, accepted good practice and operational use;
12) EMPLOYEE`S GUIDE IN BRIF:
12.1. Data and information are valuable and must be protected;
12.2. Only transfer data on to removable media, if you have authority to do so;
12.3. All transfer arrangements carry a risk to the data;
12.4. Run the virus checking programme on the removable media each time it is connected to a computer;
12.5. Only use approved products for Council data;
12.6. Activate encryption on removable media whenever it is available and password protection if not available;
12.7. Data should be available for automatic back up and not solely saved to removable media;
12.8. Delete files from removable media, or destroy the media, after the material has been used for its purpose.
THIS POLCY WAS DRAWN UP ON 13th September 2018 and ADOPTED BY THE COUNCIL ON 16th September 2018.