Information Security Policy

  1. Introduction
    • We are committed to the highest standards of document and information management and security, and we treat confidentiality and data security extremely seriously.
    • We take seriously our obligations under the EU General Data Protection Regulation (GDPR), in force since 2018, the UK Data Protection Act 2018 and all other relevant regulation and legislation.
    • The purpose of this policy is to:
      • protect against potential breaches of confidentiality and failures of integrity or availability of information
      • ensure our information assets and IT facilities are protected against damage, loss or misuse
      • support our Data Protection Policy (incorporated into our Data Protection Notice) in ensuring all staff are aware of and comply with UK law and our own procedures applying to the processing of data
      • increase awareness and understanding in the charity of the requirements for information security and the responsibility of staff to protect information they handle
  2. Responsibility
    • The Secretary has overall responsibility for information management and security issues in the charity.
    • Every member of staff is responsible for ensuring information held is accurate and kept confidential and that the terms of this policy are adhered to.
    • The Secretary will review security on a regular basis at Trustee Meetings and is responsible for keeping staff aware of the need to download and install any necessary software, security patches or system updates.
    • The Secretary will review this policy at least annually to ensure it remains fit for purpose and compliant with the applicable legislation.
  3. Legal responsibilities
    • The GDPR imposes requirements that:
      • we only hold personal data where we have a lawful basis to do so (the consent of the person to whom the data relates, or another basis set out in the regulation)
      • we keep that data confidential
      • we use it only for authorised purpose(s)
      • any data we hold is:
        • adequate
        • relevant
        • not excessive
        • accurate, and
        • up-to-date
      • we do not keep data for longer than is necessary (see also the charity's information handling policy)
  4. Our procedures
    • Information management
      • Records and information are owned by the charity and not by any individual or team.
      • Keeping accurate and up-to-date records is an integral part of all business activities.
      • Complete and accurate records must be securely stored in the appropriate locations and be easily identifiable and accessible to those who need to see them.
      • Information will be held only as long as is required, and disposed of in accordance with our Data Retention policy.
      • All staff must ensure that any information and data gathered is accurate and, where appropriate, kept up-to-date.
    • Computers and IT
      • Computers must be password protected. Passwords should not be written down or given to others.
      • Computers and other devices must be locked when not in use to minimise the risk of unauthorised access or accidental disclosure.
      • The use of memory sticks and other removable media is prohibited unless the Secretary has given express permission. Even with permission, any confidential information copied onto a floppy disk, removable hard drive, CD, DVD or memory stick/thumb drive must be encrypted.
      • Data copied to any such device must be transferred to our computer network (so that it is backed up) and then deleted from the device as soon as possible.
    • Backup of data
      • All electronic data must be securely backed up at the end of each working day.
      • Any physical backup media must be encrypted.
  5. Reporting breaches
    • All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
      • investigate the failure and take remedial steps if necessary
      • maintain a register of compliance failures
      • notify the ICO of notifiable breaches (within 72 hours of becoming aware of them, where the GDPR requires notification)
    • Refer to our Data Protection Breach Plan for our reporting procedure.
  6. Training
    • All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every 2 years or whenever there is a substantial change in the law or our policy and procedure.
    • Training is provided at Trustee Meetings and/or by electronic means.
  7. Monitoring
    • Everyone must observe this policy. The Secretary has overall responsibility for this policy. They will monitor it regularly to make sure it is being adhered to.
  8. Consequences of failing to comply
    • We take compliance with this policy very seriously.
    • Failure to comply puts both you and the charity at risk.
  9. Questions
    • If you have any questions or concerns about anything in this policy, do not hesitate to contact the Secretary by email.