Information Security Policy (Data Protection Policy)

The Besom does not have a Data Protection Officer for the entire National organisation but each Besom will have one or more data managers. The Data Manager is a trusted and trained individual who is responsible for local data protection. 

Network security  

Besom does not have its own network; electronic data is held on trusted users’ own machines in their homes or, in some cases, in a Besom office location. They use public networks to access the internet.

Physical security

Users should take measures to ensure that paper notebooks or electronic equipment that hold Besom personal data files are reasonably secure. If such devices are portable then extra care is required to prevent theft and to secure sensitive data stored on the device. Back-up devices should be kept in a safe place and ideally locked away when not in use. They should not be left around in open view where they might be picked up, borrowed or used for other purposes by other users.

Paper copies of files, e.g. delivery schedules, should be returned to the data manager for secure storage or secure disposal at the end of an activity.

Access controls

The data manager should only release sensitive electronic data to trusted users who have read the Security Policy and have been trained in how to secure data by encryption and password protection. Users must appreciate the potential risks to clients and the organisation.

Data managers should think carefully about what information to release to Besom volunteers and only release that which is necessary for the delivery of a given activity.

Secure configuration

Data files or folders containing sensitive personal data, when held on portable devices, must be encrypted with a strong password. Computers or other electronic devices holding such data should themselves require a security logon with a suitably strong password or security lock. Desktop computers should have a security logon with a suitably strong password and personal data files should also be password protected (minimum requirement) or preferably encrypted. Try to avoid writing down passwords but if written down they should be kept securely, ideally locked away, and in a location separate from any backup device that may be accessed using such passwords.

Email & internet use

File sharing of sensitive personal data over the internet or via email should only take place between trusted users within the organisation. Where files are shared on email or via internet file storage like Dropbox or iCloud then all such files should be encrypted with a strong password. 

Avoid automatic backup to internet storage facilities, unless files are suitably encrypted, so that you maintain control of protection of sensitive data.

Never share passwords by email or text.

Never send sensitive personal data of vulnerable clients openly by email.

Use BCC when sending group emails to protect privacy of email addresses.

For the purpose of keeping statistical records or sharing activities inside or outside of the organisation in the form of, for example, blogs, newsletters or reports to the Charity Commission, all personal data must be anonymized. Anonymization should not only change names but also not give sufficient data for any individual to be recognised.

Data storage and maintenance

Data needs not only to be stored securely but also maintained and kept accurate. Where there are multiple copies of a file or database a master copy should be retained by the data manager. This copy should be kept up to date and changes/corrections made on other copies must be reported to the data manager. Old copies should be regularly deleted and then permanently deleted from Trash.

Data about individual clients should not be kept for longer than it is required. This might reasonably be 5 years to allow for follow up contact or further projects. After this period data will be deleted or anonymized to allow for statistical recording of projects and deliveries.

Data controllers (clients, volunteers, donors, church contacts and care professionals) have the right to request their data to be viewed, corrected, sent to them in a suitable electronic format or deleted. There is no charge for this service, unless the request is manifestly unfounded or excessive, and data managers must comply with the written request within 30 days (see the Privacy notice).

Security breach/incident management

Any breach or potential breach of security should be reported to the data manager. In the event of a serious breach which could result in sensitive data regarding a vulnerable individual being made available to someone who could misuse this to cause harm, e.g. a person seeking a vulnerable person in a refuge, the Care Professional responsible for the vulnerable person’s care must be contacted to advise them of the breach. Take measures to contain the breach, e.g. change passwords, and review security arrangements.

However, loss of data that is suitably encrypted should not present a serious breach.

The Data Manager and/or Core Team will review all data breaches and change policies as appropriate.

All data breaches should be reported upward through the Besom organisation so that policies and actions can be reviewed and lessons learnt at local and national level. 

Training

Trusted data users should be trained in data protection before being given access to sensitive data in electronic forms. Volunteers involved in delivering goods and services should be told and regularly reminded of the importance of maintaining data security and the importance of returning scheduling forms to data managers, especially where vulnerable clients are involved. Trustees should encourage a security-aware culture amongst volunteers.

Review

This policy and the associated risks will be reviewed annually by the Core Team.