Ryedale District Council

Data Protection

Regulations to cover the collecting, storing, processing and distribution of personal data

 
In order to provide members of the public with a service, the Council very often needs to obtain personal information about its citizens. We must be very careful how we handle such ‘personal data’ as we have a legal obligation to treat this information in a specific way.
 
We welcomed the Freedom of Information Act 2000 (FoIA) which supports a culture of openness and accountability, leading to a better public understanding of how the Council carries out its duties, the reasons for the decisions it makes and how it spends public money.
 
Ryedale District Council has a Data Protection Officer (DPO) to oversee the implementation of Data Protection legislation and who is responsible for all data protection enquiries.

Data Protection and Information Management Framework

Introduction

Public authorities rely on the collection of an ever-increasing amount of information to inform their strategies and plans to provide community and regulatory services.

The Council is no different in this respect and must have in place an effective framework for collecting, accessing, storing, sharing and deleting the information.

Moreover the Council needs to be open in the way it does its business, in particular in how it delivers local services to local people and in how it makes decisions. The councils of today must be in a position to provide easily accessible and understandable information about their services and the decisions they make.

Over the past few years all public authorities have been making increasing use of advancing technology: computing equipment in general, the Web, mobile phones, touch screens and social media. This framework sets out how the Council will manage the information it holds, making better use of these technologies and of more effective ways of working, so that it can provide the services its citizens want while protecting that information and complying with its statutory and regulatory responsibilities.


Data Protection

In order to provide members of the public with a service, we very often need to obtain personal information about them. We must be very careful how we handle such 'personal data'.

What counts as personal data?

  • Any information held by the Council about a living individual, where we can identify that individual.
  • A name and address, or information attached to a reference number that we can use to look someone up, are both personal data; so is a company email address, if it includes the person's name. It does not matter where the data is kept – on a software system, in a manual file about someone, or as part of an email, a mailing list, or a hand-written note about a telephone call – if it identifies an individual, it is personal data.

On the other hand, anonymous statistics do not identify anyone and so they are not personal data. Nor is information about a property (rather than a person living there), because it is not about an individual.

2.1 Collecting personal data

When asking members of the public for personal information make sure that:

  • They understand why we need the information and how we are going to use it
  • They know whether they have a choice about giving us the information
  • They are told if we intend to share the information with someone else (such as a housing association) – and whether they can say no

When designing a form that asks for personal information, make sure it includes these points.

2.2 Handling personal data

If you have to handle personal data:

  • keep it secure – do not leave it lying around
  • make sure nobody has access to it who shouldn't – including other officers
  • do not disclose it to anyone else unless you know it is authorised – if in doubt, ask
  • do not keep it for longer than is necessary

2.3 Talking to data subjects

A data subject is the person who can be identified from the personal data.

When discussing personal data:

  • make sure you are talking to the data subject, or
  • only discuss with someone else if they have written authority from the data subject

On the other hand, it may be possible to help without actually mentioning any personal data, or by offering to send the personal data to the data subject by post.

2.4 Data subjects' rights

With certain exceptions, data subjects have the following rights:

  • to be told whether the Council holds any personal data about them
  • to be told what that personal data is and how it is used
  • to have any inaccurate data corrected

2.5 Data subjects' requests

Where a data subject makes a request about what personal data we hold:

  • if the request is verbal, ask them to put the request in writing (which is what the Data Protection Act requires)
  • watch out for written requests - they do not have to mention the Data Protection Act
  • pass all written requests to your section's information officer, who will ensure that the request is put onto the system
  • do not delay - the Council must respond within the statutory time limits

2.6 Enforcement

  • make sure you know what your section's rules are - and follow them
  • if you follow the rules to the best of your ability, you will be safe

But if you disregard the rules, or deliberately flout them:

  • the Council could be fined
  • you will be liable to disciplinary action
  • in a bad case, you personally could be prosecuted

Golden Rule
Treat other people's personal data the way you would like yours to be treated

For further information contact the Council's Data Protection Officer.

Appendix 1 - Summary of the Data Protection Principles

Everyone who is responsible for using data has to follow a set of rules called the 'data protection principles'. They must make sure the information is:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • handled according to people's data protection rights
  • kept safe and secure
  • not transferred outside the UK without adequate protection


Information Security Overview

Introduction

In order to ensure the continued delivery of services to our customers, we are making ever increasing use of Information and Communication Technology (ICT) and customer information held by the Council and other public sector organisations.

The information that we hold, process, maintain and share with other public sector organisations is an important asset that, like other important business assets, needs to be suitably protected.

In order to build public confidence and ensure that we comply with relevant statutory legislation, it is vital that we maintain the highest standards of information security. As such, a number of policies are in place to maintain these high standards of information security.

A PDF document to download is available at the foot of this page, which contains a policy statement and the key message for each of the Information Security Policies developed by the Council.


Email

3.1 Policy Statement

Ryedale District Council will ensure all users of Council email facilities are aware of the acceptable use of such facilities.

3.2 Purpose of this policy

The objective of this Policy is to direct all users of Council email facilities by:

  • providing guidance on expected working practice
  • highlighting issues affecting the use of email
  • informing users about the acceptable use of ICT facilities in relation to emails
  • describing the standards which users must maintain
  • stating the actions which may be taken to monitor the effectiveness of this policy
  • warning users about the consequences of inappropriate use of the email service.

The Policy establishes a framework within which users of Council email facilities can apply self-regulation to their use of email as a communication and recording tool.

The Council also has a legal responsibility with regard to acceptable use of email and, among others, must comply with the following legal statutes:

  • Sexual Offences Act 2003
  • EU Privacy and Monitoring Directive
  • Regulation of Investigatory Powers Act 2000
  • Human Rights Act 1998
  • Freedom of Information Act 2000
  • Data Protection Act 1998
  • Computer Misuse Act 1990
  • Copyright, Design and Patents Act 1988

3.2.1 When and to whom does this policy apply?

This policy covers all email systems and facilities provided through the Council's network infrastructure and all stand-alone and portable computer devices. All email prepared and sent from Council email addresses or mailboxes for the purpose of conducting and supporting official business and any non-work email sent using Council ICT facilities is subject to this policy.

This policy applies to but is not limited to, all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who have access to the Council's Internet service and/or ICT equipment.

The use of email facilities will be permitted only by staff who have been specifically designated as authorised users for that purpose, have received appropriate training and have confirmed in writing that they accept and agree to abide by the terms of this policy. Please refer to the IT Access Policy for information on how to request a corporate or secure corporate GCSx email account.

Unauthorised use may be regarded as a disciplinary offence.

3.2.2 Why is this policy relevant?

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers. You may also be breaking the law.

3.3 Scope

This policy covers all email systems and facilities that are provided by the Council for the purpose of conducting and supporting official business activity through the Council's network infrastructure and all stand-alone and portable computer devices.

This policy is intended for all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who have been designated as authorised users of email facilities.

The use of email facilities will be permitted only by staff who have been specifically designated as authorised users for that purpose, have received appropriate training and have confirmed in writing that they accept and agree to abide by the terms of this policy.

The policy also applies where appropriate to the internal Microsoft Exchange e-mail facility which may be accessed by many staff who are not authorised Internet and e-mail users.

The use of email facilities by staff who have not been authorised for that purpose will be regarded as a disciplinary offence.

3.4 Definition

All email prepared and sent from Council email addresses or mailboxes, and any non-work email sent using Council ICT facilities, is subject to this policy.

3.5 Risks

Ryedale District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business.

This policy aims to mitigate the following risks:

  • the non-reporting of information security incidents;
  • inadequate destruction of data;
  • the loss of direct control of user access to information systems and facilities;
  • sending email messages which are not appropriate to recipients, in particular emails sent to large numbers of recipients;
  • knowingly burdening the email system with non-business-critical data, especially the transmission of large data files and/or large attachments;

along with others not listed.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

3.6 Applying the policy

3.6.1 Email as records

Employees of the Council, Council Members and all other users must not use any other email accounts to conduct or support official Council business. All emails that represent aspects of Council business or Council administrative arrangements are the property of the Council and not of any individual user.

Emails held on Council equipment are considered to be part of the corporate record and email also provides a record of users' activities.

The legal status of an email message is similar to any other form of written communication. Consequently, any email message sent from a facility provided to conduct or support official Council business should be considered to be an official communication from the Council. In order to ensure that the Council is protected adequately from misuse of e-mail, the following controls will be exercised:

  1. It is a condition of acceptance of this policy that users comply with the instructions given during the email training sessions.
  2. All official external e-mail must carry the following disclaimer:

"This Email, and any attachments, may contain Protected or Restricted information and is intended solely for the individual to whom it is addressed. It may contain sensitive or protectively marked material and should be handled accordingly. If this Email has been misdirected, please notify the author immediately. If you are not the intended recipient you must not disclose, distribute, copy, print or rely on any of the information contained in it or attached, and all copies must be deleted immediately. Whilst we take reasonable steps to try to identify any software viruses, any attachments to this Email may nevertheless contain viruses which our anti-virus software has failed to identify. You should therefore carry out your own anti-virus checks before opening any documents. Ryedale District Council will not accept any liability for damage caused by computer viruses emanating from any attachment or other document supplied with this e-mail. All GCSx traffic may be subject to recording and / or monitoring in accordance with relevant legislation."

3.6.2 Email Signature

All staff should follow this email signature format to comply with corporate branding and readability guidelines and to reduce unnecessary load on email servers.

For many users, the default display for emails is text-only. This means that images and graphics will not be displayed. Therefore, you should not include graphics (including the Council logo) in your email signatures.

The standardised email signature, below, provides a consistent brand across the council and ensures signatures can be viewed by all with, or without, rich text editors.

The Council standard email signature should appear as follows:

Name: Bold, Black, Arial, 10pt. font;
Job title: regular, black, Arial, 10pt. font;
Postal address;
Telephone number (including STD code) and extension;
Fax number (optional);
Email address: all lower case;
Website address;

Please be aware that deletion of email from individual accounts does not result in permanent deletion from the Council's ICT systems or from other users' mail boxes.

3.6.3 Email as a form of communication

Email is designed to be an open and transparent method of communicating. However, it cannot be guaranteed that the message will be received or read, nor that the content will be understood in the way that the sender of the email intended. It is therefore the responsibility of the person sending an email to decide whether email is the most appropriate method for conveying time-critical or PROTECT or RESTRICTED information or of communicating in the particular circumstances.

All emails sent to conduct or support official Ryedale District Council business must comply with corporate communications standards.

The legal status of an email message is similar to any other form of written communication, and email must not be considered any less formal than memos or letters sent out from a particular service or from the authority. All users should consider, before sending an email, how they would feel if the message were read out in court, as email messages may have to be disclosed in litigation. When sending external email, care should be taken that it does not contain any material which would reflect poorly on the Council's reputation or its relationship with customers, clients or business partners.

It should also be noted that email and attachments may need to be disclosed under the Data Protection Act 1998 or the Freedom of Information Act 2000. Further information regarding this can be obtained from the Data Protection Officer (the Democratic Services Manager) or the Freedom of Information Officer (the Council Solicitor).

Under no circumstances should users communicate material (either internally or externally), which is, for example, defamatory, obscene, or does not comply with the Council's Equal Opportunities Policy or which could reasonably be anticipated to be considered inappropriate. Any user who is unclear about the appropriateness of any material, should consult their line manager prior to commencing any associated activity or process.

Users receiving offensive or sexually explicit mail (internal and external) should inform their line manager immediately. Such material may, for example, not be identifiable until an email is opened and in such cases, steps will be taken appropriate to the individual circumstances.

ICT facilities provided by the Council for email should not be used:

  • for the transmission of unsolicited commercial or advertising material, chain letters, or other junk-mail of any kind, to other organisations or internally;
  • for the unauthorised transmission to a third party of PROTECT or RESTRICTED material concerning the activities of the Council;
  • for the transmission of material such that this infringes the copyright of another person, including intellectual property rights;
  • for activities that unreasonably waste staff effort or use networked resources or activities that unreasonably serve to deny the service to other users;
  • for activities that corrupt or destroy other users' data;
  • for activities that disrupt the work of other users;
  • for the creation or transmission of any offensive, obscene or indecent images, data, or other material, or any data capable of being resolved into obscene or indecent images or material;
  • for the creation or transmission of material which is designed or likely to cause annoyance, inconvenience or needless anxiety;
  • for the creation or transmission of material that is abusive or threatening to others, or serves to harass or bully others;
  • for the creation or transmission of material that either discriminates or encourages discrimination on racial or ethnic grounds, or on grounds of gender, sexual orientation, marital status, disability, political or religious beliefs;
  • for the creation or transmission of defamatory material;
  • for the creation or transmission of material that includes false claims of a deceptive nature;
  • for activities which violate the privacy of other users;
  • for unfairly criticising individuals, including copy distribution to other individuals;
  • for publishing to others the text of messages written on a one-to-one basis, without the prior express consent of the author;
  • for the creation or transmission of anonymous messages - i.e. without clear identification of the sender (this may be by use of group email addresses or by proxy access to another person's mailbox);
  • for the creation or transmission of material which brings the Council into disrepute;
  • for any form of illegal activity which will lead to criminal and disciplinary action;
  • for the transmission or creation of illegal material;
  • to impersonate any other person or amend messages received;
  • in the pursuit of private business;
  • for the creation or transmission of material containing derogatory, insulting or aggressive remarks; or

When using email facilities provided by the Council for email, users should:

  • seek confirmation of receipt of important outgoing emails;
  • store copies of important emails sent and received;
  • include the sender's name, job title and Service Unit (where applicable); and
  • always check that the email content cannot be misconstrued in any way before sending it.

It is forbidden to use another person's account/password/user id to send or receive emails.

3.6.4 Junk mail (Spam)

There may be instances where a user will receive unsolicited mass junk email or spam. Users are advised to delete such messages without reading them. Do not reply to the email, even to ask for your address to be removed from the distribution list: any reply confirms to the sender that an address used speculatively is live, and a confirmed address attracts even more spam.

Before giving your email address to a third party, for instance by entering it in a website, consider carefully the possible consequences of that address being passed (possibly sold on) to an unknown third party, and whether the benefits outweigh the potential problems.

Chain letter emails (those which request you forward the message to one or more additional recipients who are unknown to the original sender) must not be forwarded using Ryedale District Council systems or facilities.

3.6.5 Mail box size

In order to ensure that the systems enabling email are available and perform to their optimum, users should endeavour to avoid sending unnecessary messages. In particular, the use of the "global list" of email addressees is discouraged.

Users are provided with a limited mail box size to minimize problems with application performance. Email users should manage their email accounts to remain within the mailbox limit, ensuring that items are filed or deleted as appropriate to avoid deterioration in application performance.

3.6.6 Monitoring of email usage

Whilst respecting the privacy of authorised users, Ryedale District Council maintains its legal right, in accordance with the Regulation of Investigatory Powers Act 2000, to monitor and audit the use of email by authorised users to ensure adherence to this Policy. Any such interception or monitoring will be carried out in accordance with the provisions of that Act and any other policy which may apply. Users should be aware that deletion of e-mail from individual accounts does not necessarily result in permanent deletion from the Council's ICT systems.

All users should be aware that email usage is monitored and recorded centrally. The monitoring of email (outgoing and incoming) traffic will be undertaken so that Ryedale District Council can:

  • plan and manage its resources effectively
  • ensure that users act only in accordance with policies and procedures
  • ensure that standards are maintained
  • prevent and detect any crime
  • investigate any unauthorised use

Monitoring of content will only be undertaken by staff specifically authorised for that purpose in accordance with the Council's Communications and Operation Management Policy. These arrangements will be applied to all users and may include checking the contents of email messages for the purpose of:

  • establishing the existence of facts relevant to the business, client, supplier and related matters
  • ascertaining or demonstrating standards which ought to be achieved by those using the facilities
  • preventing or detecting crime
  • investigating or detecting unauthorised use of email facilities
  • ensuring effective operation of email facilities
  • determining if communications are relevant to the business

Where a manager suspects that the email facilities are being abused by a user, they should contact the IT Infrastructure Manager. Designated staff in ICT Support and Internal Audit can investigate and provide evidence and audit trails of access to systems. The ICT Service will also comply with any legitimate requests from authorised bodies under the Regulation of Investigatory Powers legislation for this information.

Email is also subject to automatic filtering, with the aim of preventing access to offensive or illegal material. The Council may also block the sending and receipt of emails to/from specific email addresses if deemed necessary.

3.6.7 Protective marking of messages

When creating an email, the information contained within it must be assessed and classified by the owner according to the content, when appropriate. It is advisable that all emails are protectively marked in accordance with the HMG Security Policy Framework (SPF). The marking classification will determine how the email and the information contained within it, should be protected and who should be allowed access to it. Further guidance on this area can be provided on request.

The SPF requires information to be protectively marked with one of six classifications. The way the document is handled, published, moved and stored will be dependent on this scheme.

The classifications are:

  • Unclassified
  • PROTECT
  • RESTRICTED
  • CONFIDENTIAL
  • SECRET
  • TOP SECRET

Information up to RESTRICTED sent via GCSx must be marked appropriately using the SPF guidance.

You should refer to the Information Protection Policy and Government Manual of Protective Security (GMPS) Local Usage Guide – available in Appendix 1 - for full details on the application of information classification.

3.6.8 Security

Emails sent directly between ryedale.gov.uk addresses are held within the same network and are deemed to be secure. However, emails sent outside this closed network travel over the public communications network and are liable to interception or loss. There is a risk that copies of the email are left within the public communications system. Therefore, PROTECT and RESTRICTED material must not be sent via email outside a closed network, unless via the GCSx email facility.

All users who require access to GCSx email must read, understand and sign the GCSx Acceptable Usage Policy and Personal Commitment Statement.

3.6.9 Confidentiality

Users must make every effort to ensure that the confidentiality of email is appropriately maintained. There are also particular responsibilities under Data Protection legislation to maintain the confidentiality of personal data. If any user is unsure of whether they should pass on information, they should consult the Council's Data Protection Officer before doing so.

Users should be aware that a message is not deleted from the system until all recipients of the message and of any forwarded or attached copies have deleted their copies. Moreover, confidentiality cannot be assured when messages are sent over outside networks, such as the Internet, because of the insecure nature of most such networks and the number of people to whom the messages can be freely circulated without the knowledge of Ryedale District Council.

Care should be taken when addressing all emails, but particularly where they include PROTECT or RESTRICTED information, to prevent accidental transmission to unintended recipients. Particular care should be taken if the email client software auto-completes an email address as the user begins typing a name. Always check that the software has entered the correct address before you send the message.

The automatic forwarding of a GCSx email to a lower classification email address (i.e. a standard .gov.uk email) contradicts national guidelines and is therefore not acceptable.
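The handling rules in 3.6.7 to 3.6.9 and the key messages in 3.11 can be applied at the outbound mail gateway rather than left entirely to each sender. The following Python script is an added example, not Council code or any product's configuration. It assumes, none of which is stated on this page, that the protective marking is carried as a bracketed Subject prefix such as "[RESTRICTED]", that the Council's GCSx mailboxes sit on a separate domain taken here to be ryedale.gcsx.gov.uk (hypothetical), that other GCSx-connected recipients can be recognised by the domain suffixes in SECURE_SUFFIXES, and that the mail system flags messages produced by an auto-forward rule. The sample messages are constructed for the example.

```python
"""Outbound mail policy check applying the PROTECT/RESTRICTED, GCSx and auto-forward rules.

Added example, not Ryedale District Council code. The domains, Subject-prefix marking
convention and the auto_forwarded flag are assumptions for illustration.
"""
from dataclasses import dataclass
import re

MARKINGS = ("UNCLASSIFIED", "PROTECT", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
INTERNAL_DOMAIN = "ryedale.gov.uk"                 # the closed network named in 3.6.8
GCSX_DOMAIN = "ryedale.gcsx.gov.uk"                # assumed: Council GCSx mailbox domain (hypothetical)
SECURE_SUFFIXES = ("gcsx.gov.uk", "gsi.gov.uk")    # assumed: domains reachable over the GCSx secure network
EMAIL_APPROVED_UP_TO = "RESTRICTED"                # 3.6.7: "Information up to RESTRICTED sent via GCSx"


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    auto_forwarded: bool = False  # assumed flag: a mailbox rule, not a person, produced the message


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_internal(addr):
    return domain(addr) == INTERNAL_DOMAIN


def is_gcsx(addr):
    return domain(addr) == GCSX_DOMAIN


def on_secure_network(addr):
    d = domain(addr)
    return any(d == s or d.endswith("." + s) for s in SECURE_SUFFIXES)


def marking_of(subject):
    """Return the SPF marking carried as a '[MARKING]' Subject prefix, or None if unmarked."""
    m = re.match(r"\s*\[([A-Z ]+)\]", subject)
    if m and m.group(1) in MARKINGS:
        return m.group(1)
    return None


def check_outbound(msg):
    """Decide ('allow' | 'warn' | 'block', reason) for one message at the gateway."""
    mark = marking_of(msg.subject)
    non_council = [r for r in msg.recipients if not (is_internal(r) or is_gcsx(r))]

    # 3.11: Council mail is never auto-forwarded to non-Council accounts, whatever it contains.
    if msg.auto_forwarded and non_council:
        return "block", "auto-forward to non-Council address(es): " + ", ".join(non_council)
    # 3.6.9: a GCSx mailbox must not auto-forward to a lower-classification address.
    if msg.auto_forwarded and is_gcsx(msg.sender) and not all(is_gcsx(r) for r in msg.recipients):
        return "block", "auto-forward from a GCSx mailbox to a lower-classification address"

    if mark is None:
        # 3.6.7 advises marking every email; unmarked mail leaving the Council is flagged, not stopped.
        if non_council:
            return "warn", "unmarked message to non-Council recipient(s)"
        return "allow", "unmarked, Council addresses only"

    # Assumption: the page approves email only for material up to RESTRICTED.
    if MARKINGS.index(mark) > MARKINGS.index(EMAIL_APPROVED_UP_TO):
        return "block", mark + " material is above what email is approved to carry"

    if mark in ("PROTECT", "RESTRICTED"):
        # 3.6.8: stays inside the closed ryedale.gov.uk network, or leaves only via the GCSx facility.
        if all(is_internal(r) for r in msg.recipients):
            return "allow", mark + " within the closed network"
        if is_gcsx(msg.sender) and all(is_gcsx(r) or on_secure_network(r) for r in msg.recipients):
            return "allow", mark + " via GCSx to secure-network recipients"
        return "block", mark + " material leaving the closed network other than via GCSx"

    return "allow", "Unclassified"


# Constructed sample traffic, one message per rule.
SAMPLE_MESSAGES = [
    Message("a.officer@ryedale.gov.uk", ["b.officer@ryedale.gov.uk"], "[RESTRICTED] Housing benefit case"),
    Message("a.officer@ryedale.gov.uk", ["partner@housing-assoc.example"], "[PROTECT] Tenancy reference"),
    Message("a.officer@ryedale.gcsx.gov.uk", ["caseworker@dwp.gsi.gov.uk"], "[RESTRICTED] Fraud referral"),
    Message("a.officer@ryedale.gov.uk", ["a.officer@personal.example"], "Minutes", auto_forwarded=True),
    Message("a.officer@ryedale.gcsx.gov.uk", ["a.officer@ryedale.gov.uk"], "[PROTECT] Referral", auto_forwarded=True),
    Message("a.officer@ryedale.gov.uk", ["clerk@parish.example"], "Meeting room booking"),
    Message("a.officer@ryedale.gov.uk", ["b.officer@ryedale.gov.uk"], "[SECRET] Not for email"),
]


def decisions(messages=SAMPLE_MESSAGES):
    """Verdict for each message, in order."""
    return [check_outbound(m)[0] for m in messages]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, why = check_outbound(m)
        print(f"{verdict:5} {m.subject!r:38} -> {why}")
```

A gateway check of this kind cannot catch the auto-complete mistake described above, where a correctly marked message goes to the wrong person inside the same network; that needs a sender-side control, such as a confirmation prompt for recipients the sender has not mailed before, which is outside what the gateway can see.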

Access to another user's email is strictly forbidden unless they have given their consent or their email needs to be accessed by their line manager for specific work purposes whilst they are absent. If this is the case, a written request to the IT Infrastructure Manager is required. This must be absolutely necessary and has to be carried out with regard to the rights and freedoms of the employee. Managers must only open emails which are relevant.

3.6.10 Virus receipt and transmission

Computer viruses are easily transmitted via email and internet downloads. Full use must therefore be made of the Council's anti-virus software. The Council will ensure that emails are virus-checked at the network boundary and at the host and where appropriate will use two functionally independent virus checkers.

Individual users must however still take due care and if any user is concerned that they have received or sent an infected message, they must contact the ICT Helpdesk immediately.

In particular, users:

  • must not transmit by email any file attachments which they know to be infected with a virus
  • must not download data or programs of any nature from unknown sources
  • must ensure that an effective anti-virus system is operating on any computer which they use to access Council facilities
  • must not forward virus warnings other than to the ICT Helpdesk
  • must not click on any untrusted links in emails without seeking advice from the ICT Helpdesk
  • must report any suspicious content or attachments to the ICT Helpdesk

If a computer virus is transmitted to another organisation, the Council could be held liable if there has been negligence in allowing the virus to be transmitted. Users must therefore comply with this and other relevant Council policies, such as the Software Policy.

3.6.11 Personal Use

Occasional and reasonable personal use of the ICT facilities provided by the Council for email is permitted provided that such use takes place during unpaid hours and it is in adherence with this policy.

Officers sending a personal email should:

  1. Include the word 'personal' in the subject field.
  2. Start or sign off the email with the following statement:

"This email is personal. It is not authorised by or sent on behalf of Ryedale District Council, however, the Council has the right and does inspect emails sent from and to its computer system. This email is the sole responsibility of the sender."

3.7 Sanctions for non-compliance with this policy

If any user is found to have breached this policy, they may be subject to Ryedale District Council's disciplinary procedure. Serious breaches of this policy will normally be regarded as gross misconduct. Breaches of this policy may therefore result in disciplinary sanctions under the Council's Disciplinary Procedure up to and including dismissal. Any such breaches may also be criminal offences. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s), irrespective of any disciplinary action which may have been taken.

3.7.1 Further information and advice

If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT Helpdesk.

3.8 Policy governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: IT Infrastructure Manager
Accountable: Corporate Director (s.151)
Consulted: Unison
Informed: All Council employees, Members, temporary staff, contractors

3.9 Review and revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the IT Infrastructure Manager.

3.10 References

The following Ryedale District Council policy documents are directly relevant to this policy, and are referenced within this document:

  • 6 Software Policy
  • 12 Legal Responsibilities Policy
  • 16 Communications and Operation Management Policy.

The following Ryedale District Council policy documents are indirectly relevant to this policy:

  • 5 Internet Acceptable Usage Policy.
  • 7 IT Access Policy.
  • 8 Human Resources Information Security Standards.
  • 9 Information Protection Policy.
  • 10 Computer, Telephone and Desk Use Policy.
  • 12 Remote Working Policy.
  • 13 Removable Media Policy.
  • 14 Information Security Incident Management Policy.
  • 16 IT Infrastructure Policy.

3.11 Key Messages

  • It is forbidden to use another person's account/password/user id to send or receive emails.
  • All emails that are used to conduct or support official Ryedale District Council business must be sent using a "@ryedale.gov.uk" address.
  • Non-Council email accounts must not be used to conduct or support official Ryedale District Council business.
  • Ryedale District Council Email addresses must not be auto-forwarded to non-Council (personal) email accounts under any circumstances.
  • All official external e-mail must carry the official Council disclaimer (see section 5.1).
  • Under no circumstances should users communicate material (either internally or externally), which is defamatory, obscene or does not comply with the Council's Equal Opportunities policy.
  • GCSx email must be used for communicating PROTECT and RESTRICTED material to external recipients.
  • Users must take care not to open any links or attachments which may lead to virus infection.


Internet Acceptable Usage

4.1 Policy Statement

Ryedale District Council will ensure all users of Council provided Internet facilities are aware of the acceptable use of such facilities.

4.2 Purpose of this policy

This Internet Usage Policy advises how you should use your Council Internet facility. It outlines your personal responsibilities and informs what you must and must not do.

However, it is recognised that it is impossible to define precise rules covering all Internet activities available, so users should act within the spirit of the policy to ensure that productive use is made of the facility.

The Internet facility is made available for the business purposes of the Council. A certain amount of personal use is permitted in accordance with the statements contained within this Policy.

The Council has legal responsibilities in relation to Internet usage and monitoring. The Council must comply with the following legal statutes:

  • Human Rights Act 1998
  • Sexual Offences Act 2003
  • EU Privacy and Monitoring Directive 2000
  • Regulation of Investigatory Powers Act 2000
  • Data Protection Act 1998
  • Telecommunications (Unlawful Business Practice) Interception of Communications Regulations 2000

When and to whom does this policy apply?

This Internet Usage Policy applies at all times to anyone who uses the Council's Intranet and Internet services and ICT equipment, including, but not limited to, all Ryedale District Council Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council. It covers access by any device, including desktop, laptop or mobile devices such as smart phones and tablet PCs.

Why is this policy relevant?

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers. You may also be breaking the law.

4.3 Scope

This Internet Acceptable Usage Policy applies to, but is not limited to, all Ryedale District Council Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who access the Council's Internet service and IT equipment.

4.4 Definition

This Internet Acceptable Usage Policy should be applied at all times whenever using the Council provided Internet facility.

This includes access via any access device including a desktop computer or a smart phone device.

4.5 Risks

Ryedale District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business.

This policy aims to mitigate the following risks:

  • the non-reporting of information security incidents,
  • inadequate destruction of data,
  • the loss of direct control of user access to information systems and facilities amongst others.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

4.6 Applying the policy

4.6.1 What is the purpose of providing the Internet service?

The Internet service should be used in accordance with this and other relevant policies in pursuance of your duties.

The Internet service is primarily provided to give Council employees and Councillors:

  • access to information that is pertinent to fulfilling the Council's business obligations
  • the means to update Council owned and/or maintained web sites
  • the ability to research areas relevant to the role of the individual
  • an electronic commerce facility (e.g. for authorised purchase of equipment for the Council).

4.6.2 Personal use of the Council's Internet service

The Internet must be used primarily for legitimate business purposes. However, at the discretion of your line manager, the Council permits personal use of the Internet providing that:

  • it is in your own time
  • it does not interfere with the performance of your own duties or those of other users
  • it does not degrade the performance of the ICT network's capacity or security
  • it is not for furthering outside business interests or for personal monetary gain
  • the Internet content accessed conforms to all other requirements and the spirit of this or other policies
  • it does not otherwise compromise the security, business interests or reputation of Ryedale District Council.

Business needs take precedence over personal use of the Internet at all times. Users must not use the Internet within the Council in the same way they do at home. All users must respect the Council's standards of business conduct whenever the Internet is used.

The Council is not responsible for any personal transactions you enter into - for example in respect of the quality, delivery or loss of items ordered. You must accept responsibility for and keep the Council protected against, any claims, damages, losses or the like which might arise from your transaction - for example in relation to payment for the items or any personal injury or damage to property they might cause.

If you purchase personal goods or services via the Council's Internet service, you are responsible for ensuring that the information you provide shows that the transaction is being entered into by you personally and not on behalf of the Council. You must not arrange for any personal goods to be delivered to Council property.

If you are in any doubt about how you may make personal use of the Council's Internet Service, you are advised not to do so.

4.6.3 Internet account management, security and monitoring

The Council will provide a secure logon-id and password facility for your Internet account. The Council's ICT Service is responsible for the technical management of this account. Access to the Internet is not an automatic right and may be denied or revoked at any time.

You are responsible for maintaining the security provided by your Internet account logon-id and password. Only you should know your log-on id and password and you should be the only person who uses your Internet account.

Your computer and any data held on it are the property of Ryedale District Council and may be accessed at any time by the Council to ensure compliance with all its statutory, regulatory and internal policy requirements. When using Council equipment or facilities either for business or personal purposes, whether permitted or not, you should not have any expectation of 'privacy' in relation to accessing web sites and are deemed to consent to reasonable monitoring of your activities.

The provision of Internet access is owned by the Council and all access is recorded, logged and interrogated for the purposes of monitoring total usage to ensure business use is not impacted by lack of capacity and to detect and deal with abuse. The filtering system monitors and records all access for reports which are produced for line managers and auditors.

4.6.4 Things you must not do

Ryedale District Council will block access to certain types of websites with inappropriate content or which present a perceived risk to it. A list of the categories of prohibited sites is in Appendix 1. Users must not attempt to access any sites in (or expected to be in) these categories, or other sites containing material which could be defined as unsuitable or offensive as outlined in this policy.

The automatic filtering process aims to ensure that it will not be possible to access material which is offensive or illegal. However, web content filtering only reduces the likelihood of inappropriate content being accessible; it cannot guarantee that such content will never be accessible.

Anyone accidentally accessing unsuitable or offensive material should inform their line manager and the ICT Helpdesk immediately and make a note of the date, time and website name if known. ICT Services will then take appropriate action.

Accidental access will not result in disciplinary action but failure to report it may do so.

Except where it is strictly and necessarily required for your work, and officially authorised, for example ICT audit activity or other investigation, you must not use your Internet account to:

  • create, download, upload, display or access knowingly, sites that contain pornography or other "unsuitable" material that might be deemed illegal, obscene or offensive
  • subscribe to, enter or use peer-to-peer networks or install software that allows sharing of music, video or image files
  • subscribe to, enter or utilise real time chat facilities such as chat rooms, text messenger or pager programs
  • subscribe to, enter or use online gaming or betting sites
  • subscribe to or enter "money making" sites or enter or use "money making" programs
  • run a private business
  • use "cloud" facilities, such as data storage via iCloud, Dropbox or SkyDrive, or dictation/transcription via Siri or similar programs, for Council business purposes
  • download any software which does not comply with the Council's Software Policy
  • download data files (which includes documents, spreadsheets, presentations, pictures, games and screen savers, audio or video) unless:
    • they are business relevant; and
    • it does not infringe copyright.

This policy provides examples of "unsuitable" or "offensive" usage but is neither exclusive nor exhaustive.

This includes accessing or distributing material pertaining to:

  • aggression, including threats, abuse and obscenities
  • sexual advances, propositions, suggestive remarks
  • insults, explicit or pornographic material
  • insults which are related to a person's sex or sexuality
  • racist abuse including 'jokes', insults or taunts
  • offensive abuse, ridicule, 'jokes' or name calling relating to a person's disability
  • material which the person knows or ought to have known, would offend a colleague with particular sensitivities, even if it is not explicitly offensive.

There may be other material, not detailed here, including data, images, audio files or video files, the transmission of which is illegal under British law, and material which is against the rules, essence and spirit of this and other Council policies.

Downloading certain types of material may require the assistance of the ICT Helpdesk (Tel: 01653 600666 ext 229).

4.6.5 Your responsibilities as a user

All users are personally responsible for taking all reasonable steps to prevent unauthorised use of their Internet account. Access to the Internet is controlled via network login. Do not leave your Internet browser accessible when away from your desk. Lock your workstation by holding down the Windows icon button and then the L button (or CTRL, ALT, DELETE, then Lock). Only your user login password will unlock your workstation.

All users will be held responsible for all Internet-related activities undertaken using their account. Unless informed otherwise, the Council assumes that all users understand this policy and accept personal responsibility for adhering to its requirements and spirit.

It is your responsibility to:

  • familiarise yourself with the detail and essence of this policy before using the Internet facility provided for your work or duties
  • assess any risks associated with Internet usage and ensure that the Internet is the most appropriate mechanism to use
  • know that you may only use the Council's Internet facility within the spirit of and terms described in, this and other related policies
  • read and abide by all related policies, including those listed in Section 7 below.

4.6.6 Line manager's responsibilities

It is the responsibility of line managers to ensure that the use of the Council's Internet facility by their staff:

  • within an employee's work time is relevant to and appropriate to the Council's business and within the context of the user's responsibilities
  • within an employee's own time is subject to the rules contained within this document.

4.7 Sanctions for non-compliance with this policy

Any potential misuse or abuse of this policy identified from monitoring or other means will be reported to the appropriate service manager and an investigation may be carried out. Serious breaches of this policy will normally be regarded as gross misconduct. Breaches of this policy may therefore result in disciplinary sanctions under the Council's Disciplinary Procedure up to and including dismissal. Any such breaches may also be criminal offences. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s), irrespective of any disciplinary action which may have been taken.

4.7.1 Further information and advice

If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT Helpdesk.

4.8 Policy governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: IT Infrastructure Manager
Accountable: Corporate Director (s151)
Consulted: Unison
Informed: All Council employees, Members, temporary staff and contractors

4.9 Review and revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the IT Infrastructure Manager.

4.10 References

The following Ryedale District Council policy documents are directly relevant to this policy, and are referenced within this document.

4.11 Key policy messages

  • Users must familiarise themselves with the detail and essence of this policy before using the Internet facility provided.
  • At the discretion of the line manager, and provided it does not interfere with your work, the Council permits personal use of the Internet in your own time (for example during your lunch-break).
  • Users are responsible for ensuring the security of their Internet account logon-id and password. Individual user log-on id and passwords should only be used by that individual user and they should be the only person who accesses their Internet account.
  • Users must not create, download, upload, display or access knowingly, sites that contain pornography or other "unsuitable" material that might be deemed illegal, obscene or offensive.
  • Users must assess any risks associated with Internet usage and ensure that the Internet is the most appropriate mechanism to use.
  • If anyone deliberately visits or downloads material from websites containing illegal or unacceptable material they will be dealt with under the Council's disciplinary procedure. The Police may also be notified.
  • For the purposes of this policy, reference to the "Internet" includes Ryedale District Council's Intranet pages.

Appendix 3

Prohibited Category List

  • Adult/Sexually explicit
  • Alcohol and tobacco
  • Chat
  • Criminal activity
  • Gambling
  • Games
  • Hacking
  • Illegal drugs
  • Intimate apparel and swimwear
  • Intolerance and hate
  • Peer to peer
  • Personals and dating
  • Phishing and fraud
  • Proxies and translators
  • Ringtones/mobile phone downloads
  • Sex education
  • Spam URLs
  • Spyware
  • Tasteless and offensive
  • Violence
  • Weapons

N.B. Specific exceptions can be made to categories on this list, when such access is needed by users in connection with their work duties. Users should seek approval for this from their immediate manager and arrange via the ICT Help Desk.


Software

5.1 Policy Statement

We will ensure the acceptable use of software by all users of the Council's computer equipment or Information Systems.

5.2 Purpose of this policy

Ryedale District Council will ensure the acceptable use of software by all users of the Council's computer equipment or information systems.

This policy aims to mitigate the following risks:

  • introduction of non-approved software into the council infrastructure
  • software incompatibility with the current infrastructure
  • increased security risks due to unauthorised software
  • inappropriate procurement procedures being used
  • inappropriate support and maintenance agreements for software

When and to whom does this policy apply?

This policy applies at all times when the Council's computer equipment or information systems are used.

It applies to all council members, committees, departments, partners and employees of the Council, contractual third parties and agents of the Council who have access to information systems or information used for Ryedale District Council purposes.

Why is this policy relevant?

Failure to comply with this policy could lead to customer, member or staff personal data being put at risk and impact the provision of services to our customers. The Council could be fined, its efficiency could be reduced and its good reputation could be lost.

5.3 Scope

5.4 Definition

5.5 Risks

5.6 Applying the Policy

5.6.1 Software acquisition

All software acquired by Ryedale District Council must be purchased through the ICT Service. Software must not be purchased through user corporate credit cards, petty cash, travel or entertainment budgets.

Software acquisition channels are restricted to ensure that Ryedale District Council has a complete record of all software that has been purchased for Ryedale District Council computers and can register, support, and upgrade such software accordingly. This includes software that may be downloaded and/or purchased from the Internet.

You must never load personal or unsolicited software (for example screen savers, games and wallpapers etc.) onto a Council machine, as there is a serious risk of introducing a virus or other security vulnerability.

5.6.2 Free software

Free software can present a particular security risk and therefore you must never install such applications if they are not for Council business purposes. Shareware, Freeware and Public Domain Software are bound by the same policies and procedures as all other software. Users must not install any free or evaluation software onto the Council's systems without prior approval from the ICT Service. If you do have a genuine requirement to install a free application, please contact the ICT Service to arrange this.

5.6.3 Software registration

The Council uses software in all aspects of its business to support the work carried out by its employees. In all instances every piece of software is required to have a licence and the Council will not condone the use of any software that does not have a licence.

Software must be registered in the name of Ryedale District Council and the department in which it will be used. Due to personnel turnover, software must never be registered in the name of the individual user.

The ICT Helpdesk maintains a register of all Ryedale District Council software and will keep a library of software licences. The register must contain:

  • the title and publisher of the software
  • the date and source of the software acquisition
  • the location of each installation as well as the serial number of the hardware on which each copy of the software is installed
  • the existence and location of back-up copies
  • the software product's serial number
  • details and duration of support arrangements for software upgrades

Software on Local Area Networks or multiple machines shall only be used in accordance with the licence agreement.

Ryedale District Council holds licences for the use of a variety of software products on all Council Information Systems and computer equipment. This software is owned by the software company and the copying of such software is an offence under the Copyright, Designs and Patents Act 1988, unless authorised by the software manufacturer.

It is the responsibility of users to ensure that all software they use for Council business is licensed.

Every piece of software is required to have a licence and the Council will not condone the use of any software that does not have a licence.

5.6.4 Software Installation

Software must only be installed by the ICT Helpdesk once the registration requirements have been met. Once installed, the original media will be kept in a safe storage area maintained by the IT Helpdesk.

Software may not be used unless approved by the Service Unit Manager or their nominated representative.

5.6.5 Software Development

All software, systems and data development carried out using Council software, equipment or facilities must be for the purposes of the Council only.

Software must not be changed or altered by any user unless there is a clear business need. All changes to software must be authorised before the change is implemented. A full procedure should be in place and should include, but not be limited to, the following steps:

  1. Change requests affecting a software asset should be approved by the software asset's owner.
  2. A clear impact assessment should be undertaken to consider whether the change is likely to affect existing operational or security arrangements and approval sought for these prior to the change.
  3. A record should be maintained by IT of agreed authorisation levels.
  4. A record should also be maintained by IT of all changes made to software.
  5. Changes to software that have to be made before the authorisation can be granted should be controlled by IT.

5.6.6 Personal software and computer equipment

Ryedale District Council computers are Council-owned assets and must be kept both software-legal and virus-free. Only software acquired through the procedures outlined above may be used on Ryedale District Council machines. Users are not permitted to bring software from home (or any other external source) and load it onto Ryedale District Council computers.

Council-owned software must not be installed onto a user's home computer. If a user needs to use software at home, they will need to purchase a separate package and record it as a Council-owned asset in the software register.

5.6.7 Software misuse

Ryedale District Council will ensure that Personal Firewalls are installed where appropriate. Users must not attempt to disable or reconfigure the Personal Firewall software.

It is the responsibility of all Council staff to report any known software misuse to the appropriate service manager. Councillors should inform the Monitoring Officer of such instances.

According to the Copyright, Designs and Patents Act 1988, illegal reproduction of software is subject to civil damages and criminal penalties. Any Ryedale District Council user who makes, acquires or uses unauthorised copies of software will be disciplined as appropriate under the circumstances. Ryedale District Council does not condone, and will not tolerate, the illegal duplication of software.

5.7 Sanctions for non-compliance with this policy

If any user is found to have breached this policy, they may be subject to Ryedale District Council's disciplinary procedure. Serious breaches of this policy may be regarded as gross misconduct. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s), irrespective of any disciplinary action which may have been taken.

5.8 Policy governance

The following table identifies who within Ryedale District Council is accountable, responsible, informed or consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: IT Infrastructure Manager
Accountable: Corporate Director (s151)
Consulted: Unison
Informed: All Council Employees, Members, Temporary Staff, Contractors

5.9 Review and revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the IT Infrastructure Manager.

5.10 References

The following Ryedale District Council policy documents are indirectly relevant to this policy:

  • Communications and Operation Management Policy.
  • Computer, Telephone and Desk Use Policy.
  • Email Policy.
  • GCSx Acceptable Usage Policy and Personal Commitment Statement.
  • Human Resources Information Security Standards.
  • Information Protection Policy.
  • Information Security Incident Management Policy.
  • Internet Usage Policy.
  • IT Access Policy.
  • IT Infrastructure Policy.
  • Legal Responsibilities Policy.
  • Remote Working Policy.
  • Removable Media Policy.

If you do not understand the implications of these policies or how they may apply to you, seek advice from the ICT Helpdesk.

5.11 Key policy messages

  • All software acquired must be purchased through the ICT Service
  • Under no circumstances should personal or unsolicited software be loaded onto a Council machine.
  • All software must be correctly licensed and the Council will not condone the use of any software that does not have a licence.
  • Unauthorised changes to software must not be made.
  • Users are not permitted to bring software from home (or any other external source) and load onto Council computers.
  • Users must not attempt to disable or reconfigure anti-virus or firewall software.
  • Illegal reproduction of software is subject to civil damages and criminal penalties.


IT Access

6.1 Policy Statement

Ryedale District Council will establish specific requirements for protecting information and information systems against unauthorised access.

Ryedale District Council will effectively communicate the need for information and information system access control.

6.2 Purpose of this policy

Ryedale District Council has a responsibility to protect its systems and networks from unauthorised or accidental modification, to preserve confidentiality and protect information and other assets against unauthorised access, modification, destruction or disclosure.

The Council will effectively communicate its specific requirements for controlling access to information and information systems. Access controls must be in place to regulate who can access Council information resources and systems.

Formal procedures must be used to control how access to information and systems is granted, changed and removed. This policy also mandates a standard for the creation of strong passwords, their protection and frequency of change.

The Council is also obliged where relevant to comply with the following legislation (correct at date of ratification):

  • Copyright, Designs and Patents Act 1998
  • Access to Health Records Act 1990
  • Computer Misuse Act 1990
  • The Data Protection Act 1998
  • The Human Rights Act 1998
  • Electronic Communication Act 2000
  • Regulation of Investigatory Powers Act 2000
  • Freedom of Information Act 2000
  • Health & Social Care Act 2001
  • EU Privacy and Monitoring Directives Act 2003
  • Sexual Offences Act 2003

When and to whom does this policy apply?

This policy applies to all Ryedale District Council Councillors, Committees, Departments, Partners, Employees of the Council (including system support staff with access to privileged administrative passwords), contractual third parties and agents of the Council with any form of access to Ryedale District Council's data and information systems.

It applies at all times and should be adhered to whenever accessing council information in any format and on any device.

Why is this policy relevant?

If you do not comply with this policy it could lead to personal data being put at risk and subsequently the Council may not be able to provide necessary services to customers. The Council could be fined, its efficiency could be reduced and its good reputation could be lost.

6.3 Scope

This policy applies to all Ryedale District Council Councillors, Committees, Departments, Partners, Employees of the Council (including system support staff with access to privileged administrative passwords), contractual third parties and agents of the Council with any form of access to Ryedale District Council's information and information systems.

6.4 Definition

Access control rules and procedures are required to regulate who can access Ryedale District Council information resources or systems and the associated access privileges.

This policy applies at all times and should be adhered to whenever accessing Ryedale District Council information in any format, and on any device.

6.5 Risks

On occasion business information may be disclosed or accessed prematurely, accidentally or unlawfully. Individuals or companies, without the correct authorisation and clearance, may intentionally or accidentally gain unauthorised access to business information which may adversely affect day to day business. This policy is intended to mitigate that risk.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

6.6.1 Applying the policy - passwords

Choosing passwords

Passwords are the first line of defence for our ICT systems and together with the user ID help to establish that people are who they claim to be.

A poorly chosen or misused password is a security risk and may impact upon the confidentiality, integrity or availability of our computers and systems.

Weak and strong passwords

A weak password is one which is easily discovered, or detected, by people who are not supposed to know it. Examples of weak passwords include words picked out of a dictionary, names of children and pets, car registration numbers and simple patterns of letters from a computer keyboard. These can be easy for other users to guess, and for hacking programs to work out.

A strong password is a password that is designed in such a way that it is unlikely to be detected by people who are not supposed to know it, and difficult to work out even with the help of a computer.

Everyone must use strong passwords with a minimum standard of:

  • at least eight characters.
  • a mix of alpha and numeric characters, with at least one digit.
  • more complex than a single word (such passwords are easier for hackers to crack).

Protecting Passwords

It is of utmost importance that the password remains protected at all times. The following guidelines must be followed:

  • Never reveal your passwords to anyone.
  • Never use the 'remember password' function.
  • Never write your passwords down or store them where they are open to theft.
  • Never store your passwords in a computer system without encryption.
  • Do not use any part of your username within the password.
  • Do not use the same password to access different Ryedale District Council systems.
  • Do not use the same password for systems inside and outside of work.

Changing passwords

All user-level passwords must be changed at least every 60 days, or whenever a system prompts you to change them. Default passwords must also be changed immediately. If you become aware, or suspect, that your password has become known to someone else, you must change it immediately and report your concern to the ICT Helpdesk.

Users must not reuse the same password within 20 password changes.
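To make the password rules in the Choosing, Protecting and Changing passwords sections above concrete, here is an added example (not the Council's own code) of a check applied when a user proposes a new password. The word list, keyboard patterns, the username 'j.smith', the PBKDF2 work factor and the three-character threshold for username fragments are assumptions made for the example.

```python
"""Added example: a password acceptance check encoding the password rules of this
policy. Where the policy wording is not precise, the interpretation used is noted
in a comment and can be adjusted."""
import hashlib
import hmac
import os
import re
from datetime import date
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 8          # "at least eight characters"
HISTORY_DEPTH = 20      # "not reuse the same password within 20 password changes"
MAX_AGE_DAYS = 60       # "changed at least every 60 days"
PBKDF2_ROUNDS = 50_000  # work factor for the stored history hashes (assumed value)

# Constructed stand-ins: a real deployment would check against a full dictionary
# and a breached-password list, and a longer set of keyboard patterns.
COMMON_WORDS = {"password", "summer", "welcome", "ryedale", "council", "letmein"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "abcdef")

HistoryEntry = Tuple[bytes, bytes]  # (salt, PBKDF2 digest) of a previous password


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 of the password, suitable for the change history."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def username_fragments(username: str) -> List[str]:
    """Parts of the username that may not appear in the password.

    Interpretation of "any part of your username" (assumed): the whole name plus
    every alphanumeric token of three or more characters ('j.smith' -> 'j.smith', 'smith').
    """
    name = username.lower()
    tokens = [t for t in re.split(r"[^a-z0-9]+", name) if len(t) >= 3]
    return [name] + [t for t in tokens if t != name]


def check_password(candidate: str, username: str,
                   history: Sequence[HistoryEntry] = ()) -> List[str]:
    """Return the policy rules the candidate breaks; an empty list means it is acceptable."""
    problems: List[str] = []
    low = candidate.lower()

    # Minimum standard: length, letters and digits with at least one digit.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("contains no digit")
    if not any(c.isalpha() for c in candidate):
        problems.append("contains no letters")

    # "More complex than a single word": strip everything but letters and see
    # whether a plain word is left; also reject simple keyboard runs.
    if re.sub(r"[^a-z]", "", low) in COMMON_WORDS:
        problems.append("is a single dictionary word with digits or symbols added")
    if any(run in low for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard or counting sequence")

    # "Do not use any part of your username within the password."
    for fragment in username_fragments(username):
        if fragment in low:
            problems.append(f"contains part of the username ({fragment!r})")
            break

    # History check against the last 20 changes; compare hashes in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"reused within the last {HISTORY_DEPTH} password changes")
            break
    return problems


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True when the password is older than the 60-day maximum (dates as ISO strings)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age.days > MAX_AGE_DAYS


def record_change(history: List[HistoryEntry], new_password: str) -> List[HistoryEntry]:
    """Append the new password's hash and keep only the last 20 entries."""
    history.append(hash_password(new_password))
    del history[:-HISTORY_DEPTH]
    return history


if __name__ == "__main__":
    past = record_change([], "Old-Secret-9")                    # constructed history
    print(check_password("Old-Secret-9", "j.smith", past))      # reuse rejected
    print(check_password("Password1", "j.smith", past))         # single word plus digit
    print(check_password("Tr1angle-Bridge", "j.smith", past))   # [] -> acceptable
```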

System administration standards

The password administration process for individual Ryedale District Council systems is well-documented and available to designated individuals.
All Ryedale District Council IT systems will be configured to enforce the following:

  • authentication of individual users, not groups of users - i.e. no generic accounts;
  • protection with regards to the retrieval of passwords and security details;
  • system access monitoring and logging - at user level;
  • role management so that functions can be performed without sharing passwords;
  • password administration processes that are properly controlled, secure and auditable.

6.6.2 Applying the policy – user access

User access management

Formal user access control procedures must be documented, implemented and kept up to date for each application and information system to ensure authorised user access and to prevent unauthorised access. They must cover all stages of the lifecycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access. Each user must be allocated access rights and permissions to computer systems and data which:

  • are commensurate with the tasks they are expected to perform
  • have a unique login which is not shared with or disclosed to any other user
  • have an associated unique password which is requested at each new login

User access rights must be reviewed at regular intervals to ensure that the appropriate rights are still allocated. System administration accounts must only be provided to users who are required to perform system administration tasks.

User Registration

A request for access to the Council's computer systems must first be submitted to the ICT Helpdesk for approval. Applications for access must only be submitted if approval has been gained from the line manager.

When an employee leaves the Council, their access to computer systems and data must be suspended at the close of business on the employee's last working day. It is the responsibility of the line manager to request the suspension of the access rights via the ICT Helpdesk.

User Responsibilities

It is a user's responsibility to prevent their user ID and password being used to gain unauthorised access to Council systems by:

  • following the Password Policy Statements outlined above in Section 5
  • ensuring that any PC which they are using is locked or logged out whenever left unattended
  • leaving nothing on display which may contain access information such as login names and passwords
  • Managers / system administrators must inform the ICT Helpdesk immediately of any changes to the role and access requirements for users of individual systems

Network access control

Connecting non-Council owned devices to the Council's network can seriously compromise its security and interfere with its normal operation. Specific approval must therefore be obtained from the ICT Helpdesk before connecting any such equipment to the Council's network.

User authentication for external connections

Where remote access to the Ryedale District Council network is required, an application must be made via the ICT Helpdesk. Remote access to the network must be secured by two factor authentication consisting of a username, Windows password and SecurEnvoy token code. For further information please refer to Remote Working Policy.

Supplier's remote access to the Council network

Partner agencies or third party suppliers must not be given details of how to access the Council's network without permission from the ICT Helpdesk. Any changes to suppliers' connections must be immediately sent to the ICT Helpdesk so that access can be updated or ceased. All permissions and access methods must be controlled by the ICT Helpdesk.

Partners or third party suppliers must contact the ICT Helpdesk before connecting to the Ryedale District Council network and a log of activity must be maintained. Remote access software must be disabled when not in use.

Operating system access control

Access to operating systems is controlled by a secure login process. The access control defined in the User Access Management section (section 6.1) and the Password section (section 5) above must be applied. The login procedure must also be protected by:

  • not displaying any previous login information e.g. username
  • limiting the number of unsuccessful attempts and locking the account if exceeded
  • the password characters being hidden by symbols
  • displaying a general warning notice that only authorised users are allowed.

All access to operating systems is via a unique login id that will be audited and can be traced back to each individual user. The login id must not give any indication of the level of access that it provides to the system (e.g. administration rights).

System administrators must have individual administrator accounts that will be logged and audited. The administrator account must not be used by individuals for normal day to day activities.

Computer screens and other devices must be locked to prevent unauthorised access when unattended and screens will lock automatically after a 10 minute period of inactivity, in order to protect information. A screen saver with password protection enabled will be used on all PCs and laptops. Attempts to tamper with this security feature will be investigated and could lead to disciplinary action.

Application and information access

Access to software applications must be restricted using the security features built into the individual product. The ICT Helpdesk or 'business owner' of the software application is responsible for granting access to the information within the system. The access must:

  • be compliant with the User Access Management section (section 6.1) and the Password section (section 5) above
  • be separated into clearly defined roles
  • give the appropriate level of access required for the role of the user
  • be unable to be overridden (with the admin settings removed or hidden from the user)
  • be free from alteration by rights inherited from the operating system that could allow unauthorised higher levels of access
  • be logged and auditable.

6.7 Sanctions for non-compliance with this policy

If any user is found to have breached this policy, they may be subject to Ryedale District Council's disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s), irrespective of any disciplinary action which may have been taken.

Further information and advice

If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT Helpdesk.

6.8 Policy governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: IT Infrastructure Manager
Accountable: Corporate Director (s151)
Consulted: Unison
Informed: All Council employees, Members, temporary staff, contractors

6.9 Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the IT Infrastructure Manager.

6.10 References

The following Ryedale District Council policy documents are directly relevant to this policy and are referenced within this document:

12 Remote Working Policy.

The following Ryedale District Council policy documents are indirectly relevant to this policy

4 Email Policy
5 Internet Usage Policy
6 Software Policy.
8 Human Resources Information Security Standards.
9 Information Protection Policy.
10 Computer, Telephone and Desk Use Policy.
11 Legal Responsibilities Policy.
13 Removable Media Policy.
14 Information Security Incident Management Policy.
15 Communications and Operation Management Policy.
16 IT Infrastructure Policy.

6.11 Key Messages

  • All users must use strong passwords.
  • Passwords must be protected at all times and must be changed at least every 60 days.
  • User access rights must be reviewed at regular intervals.
  • It is a user's responsibility to prevent their User ID and passwords being used to gain unauthorised access to Council systems. Never allow another user to learn your login details or share your passwords.
  • Partner agencies or third party suppliers must not be given details of how to access the Council's network without permission from the ICT Helpdesk.
  • Partners or third party suppliers must contact the ICT Helpdesk before connecting to the Ryedale District Council network

The Council will take seriously and investigate all security breaches concerning:

  • Unauthorised modification of systems
  • Deleting another user's files
  • Introduction of viruses to the network
  • Inappropriate disclosure of information
  • Use of unauthorised software or devices


Human Resources Information Security Standards

7.1 Policy Statement

Ryedale District Council will ensure that individuals are checked by whatever necessary means are available to ensure that they are authorised to access Council information systems.

Ryedale District Council will ensure that users are trained to use information systems securely.

Ryedale District Council will ensure that user access to information systems is removed promptly when the requirement for access ends.

7.2 Purpose

Ryedale District Council holds large amounts of personal and RESTRICTED information.
Information security is very important to help protect the interests and confidentiality of the Council and its customers.

Information security cannot be achieved by technical means alone. Information security must also be enforced and applied by people, and this policy addresses security issues related to people.

The procedures accompanying this policy are split into 3 key stages of a user's access to information or information systems used to deliver Council business:

  • Prior to granting access to information or information systems - relevant checks must be made to ensure that the individual is suitable for access to Council information systems.
  • The period during access to information or information systems - users must be trained and equipped to use systems securely and their access must be regularly reviewed to ensure it remains appropriate.
  • When a user's requirement for access to information or information systems ends (i.e. when a user terminates their employment with the Council, or changes their role so that access is no longer required) - access needs to be removed in a controlled manner.

This policy also addresses third party access to Council information systems (e.g. contractors, service providers, voluntary agencies and partners).

7.3 Scope

This policy applies to any person that requires access to Council information systems or information of any type or format (paper or electronic).

The policy applies automatically to all Ryedale District Council Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council.

Where access is to be granted to any third party (e.g. contractors, service providers, voluntary agencies, partners) compliance with this policy must be agreed and documented.

Responsibility for ensuring this lies with the Council employee that initiates this third party access.

7.4 Definition

Ryedale District Council understands that to reduce the risk of theft, fraud or inappropriate use of its information systems, anyone that is given access to Council information systems must:

  • Be suitable for their roles.
  • Fully understand their responsibilities for ensuring the security of the information.
  • Only have access to the information they need.
  • Request that this access be removed as soon as it is no longer required.

This policy must therefore be applied prior, during and after any user's access to information or information systems used to deliver Council business.

Access to Council information systems will not be permitted until the requirements of this policy have been met.

7.5 Risks

Ryedale District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business.

This policy aims to mitigate the following risks:

  • the non-reporting of information security incidents,
  • inadequate destruction of data,
  • the loss of direct control of user access to information systems and facilities
  • malicious intent – direct sabotage of information, which may result in a breach of the Data Protection Act, loss of the trust and goodwill of the general public and unwanted press attention, amongst others.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

7.6 Applying the Policy

For information on how to apply this policy, readers are advised to refer to Appendix 1.

7.7 Policy Compliance

If any user is found to have breached this policy, they may be subject to Ryedale District Council's disciplinary procedure.

If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from ICT Helpdesk.

7.8 Policy Governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy.

The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: ICT Manager
Accountable: Corporate Director (s151)
Consulted: Unison
Informed: All Council Employees, All Temporary Staff, All Contractors

7.9 Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the relevant manager.

7.10 References

The following Ryedale District Council policy documents are directly relevant to this policy, and are referenced within this document:

4 Email Policy.
5 Internet Acceptable Usage Policy.
6 Software Policy.
7 IT Access Policy.
9 Information Protection Policy.
14 Information Security Incident Management Policy.

The following Ryedale District Council policy documents are indirectly relevant to this policy:

10 Computer, Telephone and Desk Use Policy.
11 Legal Responsibilities Policy.
12 Remote Working Policy.
13 Removable Media Policy.
15 Communications and Operation Management Policy.
16 IT Infrastructure Policy.

7.11 Key Messages

Every user must be aware of, and understand, the following policies:

  • Information Protection Policy.
  • Email Policy.
  • Internet Acceptable Usage Policy
  • Software Policy.
  • GCSx Acceptable Usage Policy and Personal Commitment Statement.
  • IT Access Policy.
  • Information Security Incident Management Policy.
  • Background verification checks must be carried out on all users.
  • Users who require access to PROTECT and RESTRICTED information and / or require use of the Government Connect Secure Extranet (GCSx) email facility must be cleared to "Baseline Personnel Security Standard".
  • All users must receive appropriate information security awareness training and regular updates in related statute and organisational policies and procedures as relevant for their role.
  • Processes must be implemented to ensure that all access rights of users of Council information systems shall be removed in a timely manner upon termination or suspension of their employment, contract or agreement.

Appendix 5

A5 Applying the Policy – Prior to Access to Information or Information Systems

A5.1 Prior to Employment

The Council must ensure that potential users are recruited in line with the Council's Recruitment and Selection Policy for the roles they are considered for and to reduce the risk of theft, fraud or misuse of information or information systems by those users. These requirements are corporate in nature.

A5.2 Roles and Responsibilities

Decisions on the appropriate level of access to information or information systems for a particular user are the responsibility of the Information Asset Owner – please refer to the Information Protection Policy.

Line managers are responsible for ensuring that creation of new users, changes in role, and termination of users are notified to the ICT Helpdesk in a timely manner, using an agreed process.

The information security responsibilities of users must be defined and documented and incorporated into induction processes and contracts of employment. As a minimum this will include:

A statement that every user is aware of, and understands, the following Council policies:

  • Information Protection Policy.
  • Email Policy.
  • Internet Acceptable Usage Policy.
  • Software Policy.
  • GCSx Acceptable Usage Policy and Personal Commitment Statement.
  • IT Access Policy.
  • Information Security Incident Management Policy.

A5.3 User Screening

Background verification checks must be carried out on all potential users, in accordance with all relevant laws, regulations and ethics. The level of such checks must be appropriate to the business requirements, the classification of the information to be accessed, and the risks involved.

The basic requirements for Council employment must be:

  • Minimum of two satisfactory references.
  • Completeness and accuracy check of employee's application form.
  • Confirmation of claimed academic and professional qualifications.
  • Identity check against a passport or equivalent document that contains a photograph.

Users who require access to PROTECT and RESTRICTED information and / or require use of the Government Connect Secure Extranet (GCSx) and email facility must be cleared to "Baseline Personnel Security Standard". The following requirements must be met:

  • Minimum of 2 satisfactory references.
  • Completeness and accuracy check of employee's application form.
  • Confirmation of claimed academic and professional qualifications.

  • Identity check against a passport or equivalent document that contains a photograph.

Identity must be proven through visibility of:

  • A full 10 year passport.

Or two from the following list:

  • British driving licence.
  • P45 form.
  • Birth certificate.
  • Proof of residence – i.e. council tax or utility bill.
  • Verification of full employment history for the past 3 years.
  • Verification of nationality and immigration status.
  • Verification of criminal record (unspent convictions only).

Criminal Records Bureau checks on the user must be carried out to an appropriate level as demanded by law.

Where access is to systems processing payment card data, credit checks on the user must be carried out to an appropriate level as required by the Payment Card Industry Data Security Standards (PCI-DSS).

All the above requirements for verification checks must be applied to technical support and temporary staff that have access to those systems or any copies of the contents of those systems (e.g. backup tapes, printouts, test data-sets).

A5.4 Terms and Conditions of Employment

As part of their contractual obligations users must agree and sign the terms of their employment contract, which shall state their and the Council's responsibilities for information security.

This must be drafted by the Council's lawyers and must form an integral part of the contract of employment.

Each user must sign a confidentiality statement that they understand the nature of the information they access, that they will not use the information for unauthorised purposes and that they will return or destroy any information or assets when their employment terminates.

A6 Applying the Policy – During Access to Information or Information Systems

A6.1 During Continued Employment

The Council must ensure that all users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their work, and to reduce the risk of human error.

It is also necessary that user changes in role or business environment are carried out in an orderly manner that ensures the continuing security of the information systems to which they have access.

A6.2 Management Responsibilities

Line managers must notify the appropriate function in a timely manner of any changes in a user's role or business environment, to ensure that the user's access can be changed as appropriate.

Processes must ensure that access to information systems is extended to include new user requirements and also that any access that is no longer needed is removed.

Any changes to user access must be made in a timely manner and be clearly communicated to the user.

Service managers must require users to understand and be aware of information security threats and their responsibilities in applying appropriate Council policies. These policies include:

  • Information Protection Policy.
  • Information Security Incident Management Policy.

This requirement must be documented.

A6.3 Information Security Awareness, Education and Training

All users must receive appropriate information security awareness training and regular updates in related statute and organisational policies and procedures as relevant for their role.

It is the role of Service managers to ensure that their staff are adequately trained and equipped to carry out their role efficiently and securely.

A7 Applying the Policy – When Access to Information or Information Systems is No Longer Required

A7.1 Secure Termination of Employment

Termination of employment may be due to resignation, change of role, suspension or the end of a contract or project.

The key requirement is that access to Ryedale District Council information assets is removed in a timely manner when no longer required by the user.

A7.2 Termination Responsibilities

Line managers must notify the ICT Helpdesk in a timely manner of the impending termination or suspension of employment so that their access can be suspended.

ICT Helpdesk must notify the appropriate system owners who must suspend access for that user at an appropriate time, taking into account the nature of the termination.

Responsibilities for notifying changes, performing employment termination or change of employment must be clearly defined and assigned.

A7.3 Return of Assets

Processes must be implemented to ensure that users return all of the organisation's assets in their possession upon termination of their employment, contract or agreement.

This must include any copies of information in any format.

A7.4 Removal of Access Rights

Processes must be implemented to ensure that all access rights of users of Council information systems shall be removed in a timely manner upon termination or suspension of their employment, contract or agreement.

Processes and responsibilities must be agreed and implemented to enable emergency suspension of a user's access when that access is considered a risk to the Council or its systems as defined in the Information Security Incident Management Policy.


Information Protection

8.1 Policy Statement

Ryedale District Council will ensure the protection of all information assets within the custody of the Council.

High standards of confidentiality, integrity and availability of information will be maintained at all times.

8.2 Purpose

Information is a major asset that Ryedale District Council has a responsibility and requirement to protect.

Protecting information assets is not simply limited to covering the stocks of information (electronic data or paper records) that the Council maintains. It also addresses the people that use them, the processes they follow and the physical computer equipment used to access them.

This Information Protection Policy addresses all these areas to ensure that high confidentiality, quality and availability standards of information are maintained.
The following policy details the basic requirements and responsibilities for the proper management of information assets at Ryedale District Council.

The policy specifies the means of information handling and transfer within the Council.

8.3 Scope

This Information Protection Policy applies to all the systems, people and business processes that make up the Council's information systems.

This includes all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who have access to Information Systems or information used for Ryedale District Council purposes.

8.4 Definition

This policy should be applied whenever Council Information Systems or information is used.
Information can take many forms and includes, but is not limited to, the following:

  • Hard copy data printed or written on paper.
  • Data stored electronically.
  • Communications sent by post / courier or using electronic means.
  • Stored tape or video.
  • Speech.
  • USB memory stick or Compact Disc
  • Application or removal of data on an internet site or intranet

8.5 Risks

Ryedale District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business.

This policy aims to mitigate the following risks:

  • the non-reporting of information security incidents,
  • inadequate destruction of data,
  • the loss of direct control of user access to information systems and facilities,
  • sending email messages which are not appropriate to recipients, in particular emails sent to large numbers of recipients;
  • knowingly burdening the E-mail system with non-business critical data especially involving the transmission of large data files and/or large attachments; along with others not listed.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

8.6 Applying the Policy

For information on how to apply this policy, readers are advised to refer to Appendix 1.

8.7 Policy Compliance

If any user is found to have breached this policy, they may be subject to Ryedale District Council's disciplinary procedure.

If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT helpdesk.

8.8 Policy Governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: ICT Manager
Accountable: Corporate Director (s.151)
Consulted: Unison
Informed: All Council Employees, All Temporary Staff, All Contractors

8.9 Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the relevant manager.

8.10 References

The following Ryedale District Council policy documents are directly relevant to this policy, and are referenced within this document:

4 Email Policy
5 Internet Acceptable Usage Policy.
6 Software Policy.
10 Computer, Telephone and Desk Use Policy.
12 Remote Working Policy.
13 Removable Media Policy.

The following Ryedale District Council policy documents are indirectly relevant to this policy:

6 IT Access Policy.
8 Human Resources Information Security Standards.
11 Legal Responsibilities Policy.
14 Information Security Incident Management Policy.
15 Communications and Operation Management Policy.
16 IT Infrastructure Policy.

8.11 Key Messages

  • The Council must draw up and maintain inventories of all important information assets.
  • All information assets, where appropriate, must be assessed and classified by the owner in accordance with the HMG Security Policy Framework (SPF).
  • Information up to RESTRICTED sent via the Government Connect Secure Extranet (GCSx) must be labelled appropriately using the SPF guidance.
  • Access to information assets, systems and services must be conditional on acceptance of the appropriate Acceptable Usage Policy.
  • Users should not be allowed to access information until their line managers are satisfied that they understand and agree the legislated responsibilities for the information that they will be handling.
  • PROTECT and RESTRICTED information must not be disclosed to any other person or organisation via any insecure methods including paper based methods, fax and telephone.
  • Disclosing PROTECT or RESTRICTED classified information to any external organisation is also prohibited, unless via the GCSx email.
  • Where GCSx email is available to connect the sender and receiver of the email message, this must be used for all external email use and must be used for communicating PROTECT or RESTRICTED material.
  • The disclosure of PROTECT or RESTRICTED classified information in any way other than via GCSx email is a disciplinary offence.

Appendix 7

A7 Applying the Policy

A7.1 Information Asset Management

A7.1.1 Identifying Information Assets

The process of identifying important information assets should be sensible and pragmatic. Important information assets will include, but are not limited to, the following:

• Filing cabinets and stores containing paper records.
• Computer databases.
• Data files and folders.
• Software licenses.
• Physical assets (computer equipment and accessories, PDAs, cell phones).
• Key services.
• Key people.
• Intangible assets such as reputation and brand.
The Council must draw up and maintain inventories of all important information assets that it relies upon.

These should identify each asset and all associated data required for risk assessment, information/records management and disaster recovery.

At minimum it must include the following:

• Type.
• Location.
• Designated owner.
• Security classification.
• Format.
• Backup.
• Licensing information.
• Quality and data protection checks.

A7.1.2 Classifying Information

On creation, all information assets must be assessed and classified by the owner according to their content.

At minimum all information assets must be classified and labelled in accordance with the HMG Security Policy Framework (SPF).

The classification will determine how the document should be protected and who should be allowed access to it.

Any system subsequently allowing access to this information should clearly indicate the classification.

Information up to RESTRICTED sent via GCSx must be labelled appropriately using the SPF guidance.

The SPF requires information assets to be protectively marked into one of 6 classifications. The way the document is handled, published, moved and stored will be dependent on this scheme.

The classes are:

• Unclassified.
• PROTECT.
• RESTRICTED.
• CONFIDENTIAL.
• SECRET.
• TOP SECRET.

You should refer to the local GPMS usage guide for full details on the application of information classification.

Personal Information

Personal information is any information about any living, identifiable individual.

The Council is legally responsible for it. Its storage, protection and use are governed by the Data Protection Act 1998.

Details of specific requirements can be found in the Legal Responsibilities Policy. Point to note: under the Data Protection Act's requirements for keeping information, personnel records should be kept for a period of approx 7 years (the 1st year on the live leavers file, the following 6 in archive), whether the individual is deceased or not.

A7.1.3 Assigning Asset Owners

All important information assets must have a nominated owner and should be accounted for.

An owner must be a member of staff whose seniority is appropriate for the value of the asset they own.

The owner's responsibility for the asset and the requirement for them to maintain it should be formalised and agreed.

A7.1.4 Unclassified Information Assets

Items of information that have no security classification and are of limited or no practical value should not be assigned a formal owner or inventoried.

Information should be destroyed if there is no legal or operational need to keep it and temporary owners should be assigned within each department to ensure that this is done.

A7.1.5 Information Assets with Short Term or Localised Use

For new documents that have a specific, short term localised use, the creator of the document will be the originator.

This includes letters, spreadsheets and reports created by staff.

All staff must be informed of their responsibility for the documents they create.

A7.1.6 Corporate Information Assets

For information assets whose use throughout the Council is widespread and whose origination is as a result of a group or strategic decision, a corporate owner must be designated and the responsibility clearly documented.

This should be the person who has the most control over the information.

A7.1.7 Acceptable Use of Information Assets

The Council must document, implement and circulate Acceptable Use Policies (AUP) for information assets, systems and services.

These should apply to all Ryedale District Council Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council and use of the system must be conditional on acceptance of the appropriate AUP.

This requirement must be formally agreed and auditable.

As a minimum this will include:

• Email Policy.
• Internet Acceptable Usage Policy.
• Computer and Telephone Misuse Policy.
• Software Policy.
• Remote Working Policy.
• Removable Media Policy.

A7.2 Information Storage

All electronic information will be stored on centralised facilities to allow regular backups to take place.

Records management and retention guidance will be followed.

Staff should not be allowed to access information until their line managers are satisfied that they understand and agree the legislated responsibilities for the information that they will be handling.

Databases holding personal information will have a defined security and system management procedure for the records and documentation.

This documentation will include a clear statement as to the use, or planned use of the personal information.

Files which are identified as a potential security risk should only be stored on secure network areas, e.g. ESCR.

A7.3 Disclosure of Information

A7.3.1 Sharing PROTECT or RESTRICTED Information with other Organisations

PROTECT or RESTRICTED information must not be disclosed to any other person or organisation via any insecure method including, but not limited to, the following:

• Paper based methods.
• Fax.
• Telephone.

Where information is disclosed/shared it should only be done so in accordance with a documented Information Sharing Protocol and/or Data Exchange Agreement.
Disclosing PROTECT or RESTRICTED information to any external organisation is also prohibited, unless via the Government Connect Secure Extranet (GCSx) email.

Emails sent between Ryedale District Council .gov.uk addresses are held within the same network and are deemed to be secure.

However, emails that are sent outside this closed network travel over the public communications network and are liable to interception or loss.

There is a risk that copies of the email are left within the public communications system.

Where GCSx email is available to connect the sender and receiver of the email message, this must be used for all external email use and must be used for communicating PROTECT and RESTRICTED material. For further information see the Email Policy.

An official email legal disclaimer must be contained with any email sent. This can be found in the Email Policy.

The disclosure of PROTECT or RESTRICTED information in any way other than via GCSx email is a disciplinary offence.

If there is suspicion of a Councillor or employee treating PROTECT or RESTRICTED information in a way that could be harmful to the Council or to the data subject, then it must be reported to the ICT helpdesk, and the person may be subject to disciplinary procedure.

Any sharing or transfer of Council information with other organisations must comply with all Legal, Regulatory and Council Policy requirements.

In particular this must be compliant with the Data Protection Act 2000, The Human Rights Act 2000 and the Common Law of Confidentiality.


Computer, Telephone and Desk Use

9.1 Policy Statement

Ryedale District Council will ensure that every user is aware of, and understands, the acceptable use of the Council's computer and telephony resources and the need to operate within a "clear desk" environment.

9.2 Purpose

Modern day business operations and advances in technology have necessitated the widespread use of computer facilities in most offices within Ryedale District Council and, with the advent of portable computers, away from the Council's premises.

As such, there is considerable scope for the misuse of computer resources for fraudulent or illegal purposes, for the pursuance of personal interests or for amusement/entertainment.

The Council also handles large amounts of PROTECT and RESTRICTED information.

The security of this information is of paramount importance. Ensuring that a clear desk policy operates across the Council can help prevent the security of this information from being breached.

The misuse of Ryedale District Council's computer and telephony resources is considered to be potential gross misconduct and may render the individual(s) concerned liable to disciplinary action including dismissal.

The purpose of this document is to establish guidelines as to what constitutes "computer and telephony resources", what is considered to be "misuse" and how users should operate within a clear desk environment.

9.3 Scope

This document applies to all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who have access to information systems or information used for Ryedale District Council purposes.

This policy should be read in conjunction with the following policies:

  • Email Acceptable Use Policy.
  • Internet Acceptable Use Policy.
  • Software Policy.
  • Legal Responsibilities Policy.

9.4 Definition

This policy should be applied whenever users who access information systems or information utilise Ryedale District Council's computer and telephony resources.

Computer and telephony resources include, but are not restricted to, the following:

  • Central servers.
  • Departmental computers.
  • Personal computers.
  • Portable laptop computers.
  • Terminals.
  • Printers.
  • Network equipment.
  • Telecommunications facilities.

9.5 Risks

Ryedale District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business.

This policy aims to mitigate the following risks:

  • The non-reporting of information security incidents.
  • Inadequate destruction of data.
  • The loss of direct control of user access to information systems and facilities, amongst others.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

9.6 Applying the policy

9.6.1 Computer resources misuse

No exhaustive list can be prepared defining all possible forms of misuse of computer resources.

The individual circumstances of each case will need to be taken into account. However, some examples are outlined below:

  • Use of computer resources for the purposes of fraud, theft or dishonesty.
  • Storing/loading/executing of software for a purpose which is not work related.
  • Storing/loading/executing of software:
    • which has not been acquired through approved Council procurement procedures, or
    • for which the Council does not hold a valid program licence, or
    • which has not been the subject of formal virus checking procedures.
  • Storing/processing/printing of data for a purpose which is not work related.

For further information, users are requested to read the following policies:

  • Email Policy.
  • Internet Acceptable Use Policy.
  • Software Policy.

9.6.2 Telephone

Ryedale District Council has an Acceptable Use Policy / Code of Practice relating to telephone use.

This relates to the use of Council owned static and mobile telephones for private telephone calls.

This is reproduced in Appendix 1 and must be adhered to at all times.

The misuse of Ryedale District Council's telephone services is also considered to be potential gross misconduct and may render the individual(s) concerned liable to disciplinary action.

9.6.3 Clear desk

Ryedale District Council has a clear desk policy in place in order to ensure that all information is held securely at all times.

Work should not be left on desks unattended and should be removed from view when unsupervised.

At the end of each day, every desk will be cleared of all documents that contain any Ryedale District Council PROTECT or RESTRICTED information, or any information relating to clients or citizens.

Unclassified material, together with non-Ryedale District Council specific operating manuals may be left tidily on desks.

Work should be stored in a locked cupboard overnight, and there should be nothing left on desks at the end of the working day. Trays containing work must be locked away in cabinets or drawers.

Ryedale District Council PROTECT or RESTRICTED information must be stored in a facility (e.g. lockable safe or cabinet) commensurate with this classification level.

Nothing should be left lying on printers, photocopiers or fax machines at the end of the day.

Users of IT facilities are responsible for safeguarding data by ensuring that equipment is not left logged-on when unattended, and that portable equipment in their custody is not exposed to opportunistic theft.

Computer screens must be locked to prevent unauthorised access when unattended and screens will lock automatically after a short period of inactivity, in order to protect information.

A screen saver with password protection enabled will be used on all PCs.

Attempts to tamper with this security feature will be investigated and could lead to disciplinary action.

Remember, when you are not working at your workstation there could be a business requirement for other staff to use that station.

Floor space under furniture and around the office should remain free from obstructions at all times to facilitate the cleaning and maintenance of the building.

As part of good housekeeping, boxes, folders etc. should not be stored on top of furniture, cabinets, window ledges etc.

The clear desk policy is not intended to hinder your day to day working. In an ideal world, we would all work with a clear desk.

9.6.4 Legislation

Users should understand the relevant legislation relating to Information Security and Data Protection, and should be aware of their responsibilities under this legislation. The following statutory legislation governs aspects of the Council's information security arrangements. This list is not exhaustive:

  • The Freedom of Information Act 2000.
  • The Human Rights Act 1998.
  • The Electronic Communications Act 2000.
  • The Regulation of Investigatory Powers Act 2000.
  • The Data Protection Act 1998.
  • The Copyright Designs and Patents Act 1988.
  • The Computer Misuse Act 1990.
  • The Environmental Information Regulations 2004.
  • The Re-use of Public Sector Information Regulations 2005.

Individuals can be held personally and legally responsible for breaching the provisions of the above Acts.

9.7 Policy Compliance

If any user is found to have breached this policy, they will be subject to Ryedale District Council's disciplinary procedure.

If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from ICT helpdesk.

9.8 Policy Governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

Responsible – the person(s) responsible for developing and implementing the policy.
Accountable – the person who has ultimate accountability and authority for the policy.
Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: ICT Manager
Accountable: Corporate Director (s151)
Consulted: Unison
Informed: All Council Employees, All Temporary Staff, All Contractors

9.9 Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the relevant manager.

9.10 References

The following Ryedale District Council policy documents are directly relevant to this policy, and are referenced within this document:

4 Email Policy.
5 Internet Acceptable Usage Policy.
6 Software Policy.
11 Legal Responsibilities Policy.

The following Ryedale District Council policy documents are indirectly relevant to this policy:

7 IT Access Policy.
8 Human Resources Information Security Standards.
9 Information Protection Policy.
12 Remote Working Policy.
13 Removable Media Policy.
14 Information Security Incident Management Policy.
15 Communications and Operation Management Policy.
16 IT Infrastructure Policy.

9.11 Key Messages

  • Users must adhere to Ryedale District Council Telephone Acceptable Use Policy / Code of Practice at all times.
  • Users must maintain a clear desk at all times.
  • Ryedale District Council PROTECT or RESTRICTED information must be stored in a facility (e.g. lockable safe or cabinet) commensurate with this classification level.

Appendix 8 – Code of Practice relating to Private Telephone Calls

This Code of Practice applies to the use of Council owned static and mobile telephones for private telephone calls.

The Council acknowledges that employees may need to make calls of a personal nature whilst at work.

This Code of Practice outlines reasonable steps that all employees are expected to take to ensure that the provision of service is not compromised and there is no financial loss.

  • Where possible, private calls should be made outside standard hours of service provision, i.e. before 9pm, after 5pm, or during an employee's lunch break.
  • Private calls during these hours should be kept to a minimum, so as not to prevent business calls getting through.
  • Each employee should keep a record of the private calls they make on the forms in Appendix 2. Periodic and regular collections should be made.
  • Where an itemised telephone bill is available, the actual cost of each private call per the bill (plus VAT) should be recharged to the relevant employee. Employees should check the details of the itemised bills against their own records of private calls. Where itemised bills are not available, charges detailed in Appendix 3 should be applied.
  • There may be times when unforeseen working commitments may require the rearranging of personal engagements. The Council recognises that such calls are necessary in order for employees to effectively perform their duties, and they should not be treated as private. However, the Council stresses that such calls are normally exceptional, and expects employees to recognise when such calls are required.
  • Where private calls from a mobile telephone are made but are not charged on the bill because they form part of a free use period within the contract, the employee will calculate the cost of the call at the normal tariff for the day and time that the call was made and pay that amount to the Council.
    This is in order to be equitable between employees and to ensure that it is the Council, and not employees who use the mobile telephone for private purposes, who benefit from any period of free usage that is associated with the Council owned telephone.

Appendix 10 – Private Telephone Call Rates

Ryedale District Council – Private Telephone Call – Scale of Charges

For each call category below, the scale lists the charge rate period and the rate in pence per minute (ex VAT). The rate values themselves were not reproduced in this copy of the document.

  • Local Calls (within local call area): charge rate period / pence per minute (ex VAT).
  • Regional Calls (up to 35 miles): charge rate period / pence per minute (ex VAT).
  • National Calls (over 35 miles): charge rate period / pence per minute (ex VAT).
  • Calls to mobile telephones: charge rate period / pence per minute (ex VAT).


Legal Responsibilities

  • 10.1 Policy statement
  • 10.2 Purpose
  • 10.3 Scope
  • 10.4 Definition
  • 10.5 Risks
  • 10.6 Applying the policy
  • 10.7 Policy compliance
  • 10.8 Policy governance
  • 10.9 Review and revision
  • 10.10 References
  • 10.11 Key messages
  • Appendix 8

10.1 Policy Statement

Ryedale District Council will ensure that every user is aware of, and understands, their responsibilities under the Data Protection Act 1998 and other relevant legislation.

10.2 Purpose

Ryedale District Council collects, holds and uses data about people and organisations with whom it deals in order to conduct its business. This data covers, but is not restricted to, the following:

  • Current, past and prospective employees.
  • Suppliers.
  • Customers.
  • Others with whom the Council communicates.

In addition, it may occasionally be required by law to collect and use certain types of personal information to comply with the requirements of government departments.

This policy outlines every user's responsibilities under the Data Protection Act 1998 and other relevant legislation.

10.3 Scope

Any information must be dealt with properly however it is collected, recorded and used, whether on paper, in a computer, or recorded on other media.

There are safeguards in the Data Protection Act 1998 to ensure that personal information is dealt with correctly.

This policy relates to all personal data held by Ryedale District Council in any form, and all PROTECT or RESTRICTED information held or processed by the Council.

It applies to all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who have access to information held or processed by Ryedale District Council.

10.4 Definition

Ryedale District Council fully endorses and adheres to the Principles of Data Protection as set out in the Data Protection Act 1998, and other relevant information security legislation.

Therefore, the Council will ensure that all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who have access to any information held by or on behalf of the Council are fully aware of, and abide by, their duties and responsibilities under this legislation.

10.5 Risks

Ryedale District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business.

This policy aims to mitigate the following risks:

  • The non-reporting of information security incidents.
  • Inadequate destruction of data.
  • The loss of direct control of user access to information systems and facilities, amongst others.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

10.6 Applying the Policy – Data Protection

10.6.1 Relevant Legislation

The following statutory legislation governs aspects of the Council's information security arrangements. This list is not exhaustive:

Legislation – Areas covered

  • The Freedom of Information Act 2000 - Public access to Council information
  • The Human Rights Act 1998 - Right to privacy and confidentiality
  • The Electronic Communications Act 2000 - Cryptography, electronic signatures
  • The Regulation of Investigatory Powers Act 2000 - Hidden surveillance of staff
  • The Data Protection Act 1998 - Protection and use of personal information
  • The Copyright Designs and Patents Act 1988 - Software piracy, music downloads, theft of Council data
  • The Computer Misuse Act 1990 - Hacking and unauthorised access
  • The Environmental Information Regulations 2004 - Public access to Council information related to the environment
  • The Re-use of Public Sector Information Regulations 2005 - The Council's ability to sell certain data sets for commercial gain.

Data protection and privacy must be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.

Key records must be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual, and business requirements.

10.6.2 What is Personal Data?

Personal data is defined as: "data which relate to a living individual who can be identified:

  1. from those data; or,
  2. from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller; and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual."

10.6.3 What are the Principles of Data Protection?

The Data Protection Act 1998 stipulates that anyone processing personal data must comply with Eight Principles of good practice.

These Principles are legally enforceable.

The Principles require that personal information:

  1. Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
  2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
  3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
  4. Shall be accurate and where necessary, kept up to date;
  5. Shall not be kept for longer than is necessary for that purpose or those purposes;
  6. Shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998;
  7. Shall be kept secure - i.e. protected by an appropriate degree of security;
  8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

The Data Protection Act provides conditions for the processing of any personal data. It also makes a distinction between personal data and sensitive personal data. Sensitive personal data is defined as: "personal data consisting of information as to:

  1. the racial or ethnic origin of the data subject,
  2. his political opinions,
  3. his religious beliefs or other beliefs of a similar nature,
  4. whether he is a member of a trade union,
  5. his physical or mental health or condition,
  6. his sexual life,
  7. the commission or alleged commission by him of any offence, or any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings."

The data subject also has rights under the Data Protection Act. These consist of:

  • The right to be informed that processing is being undertaken;
  • The right of access to one's personal information within the statutory 40 days;
  • The right to prevent processing in certain circumstances; and,
  • The right to correct, rectify, block or erase information regarded as wrong information.

10.6.4 How will Ryedale District Council Ensure Compliance?

In order to ensure it meets its obligations under the Data Protection Act, Ryedale District Council will ensure that:

  • There is an individual with specific responsibility for data protection in the organisation.
  • Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice.
  • Everyone managing and handling personal information is appropriately trained to do so.
  • Everyone managing and handling personal information is appropriately supervised.
  • Persons wishing to make enquiries about handling personal information, whether a member of staff or a member of the public, are aware of how to make such an enquiry.
  • Queries about handling personal information are promptly and courteously dealt with.
  • Methods of handling personal information are regularly assessed and evaluated.

Ryedale District Council will, through appropriate management and the use of strict criteria and controls:

  • Observe fully conditions regarding the fair collection and use of personal information.
  • Meet its legal obligations to specify the purpose for which information is used.
  • Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements.
  • Ensure the quality of information used.
  • Apply strict checks to determine the length of time information is held.
  • Take appropriate technical and organisational security measures to safeguard personal information.
  • Ensure that personal information is not transferred abroad without suitable safeguards.
  • Ensure that the rights of Data Subjects can be fully exercised under the Data Protection Act.

10.6.5 What Roles and Responsibilities have been Assigned?

Proper definitions of roles and responsibilities are essential to assure compliance with this Policy.

In summary these are as follows:

10.6.6 Data Protection Officer and the Legal Department

The Data Protection Officer and the Legal department will promote this policy and provide detailed advice training and resources to departments to facilitate the correct processing of Requests for Access and other Data Protection related issues.

They will also monitor departments to ensure compliance with statutory and regulatory obligations.

10.6.7 Senior Management

Senior management will provide support and approval for this Data Protection Policy and any related initiatives across the Council.

It will also ensure that adequate funding is made available.

10.6.8 ICT Working Group

Members of the ICT Working Group will meet regularly to review information management across the Council.

As part of this they will address any Data Protection related issues that arise and generate initiatives or communications as necessary to ensure compliance with Ryedale District Council policy.

10.6.9 Departmental Managers

Departmental managers are responsible for ensuring that Ryedale District Council Data Protection Policy is communicated and implemented within their area of responsibility, and for ensuring that any issues such as resourcing or funding are communicated back to their strategic directors in a timely manner.

10.6.10 Individual Employees

Individual employees will be responsible for understanding this Data Protection Policy and ensuring that Requests for Access and other Data Protection related issues in their own department are handled in compliance with this policy.

10.6.11 Freedom of Information Act

The Freedom of Information Act came into force in January 2005.

By granting a general right of access to records held by Public Authorities it encourages an attitude of openness and will enable the public to scrutinise their decisions and working practices.

The key features of the Freedom of Information Act are:

  • Every Council employee has a duty to provide advice and assistance to anyone requesting information.
  • The public has a general right of access to all recorded information held by the Council and some Independent Contractors. Subject to exemptions set out in the Freedom of Information Act, a requester has the right to know whether a record exists and the right to a copy of that record supplied in a format of their choice.
  • Every Council must adopt and maintain a Publication Scheme, listing what kinds of record it chooses to publish, how to obtain them and whether there is a charge involved.

The Information Commissioner's Office will oversee the implementation and compliance with the Freedom of Information Act and the Data Protection Act 1998.

10.6.12 Individual Responsibilities

All Councillors must accept responsibility for maintaining Information Security standards within the Council.

All managers must accept responsibility for initiating, implementing and maintaining security standards within the Council.

All non-managerial users must accept responsibility for maintaining standards by conforming to those controls, which are applicable to them.

The ICT Service will be responsible for implementation of the controls marked for IT specialists.

Local managers must undertake yearly assessments of security risks within their own areas to ensure that the security breaches are kept to a minimum.

10.7 Policy Compliance

If any user is found to have breached this policy, they will be subject to Ryedale District Council's disciplinary procedure.

If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT Helpdesk.

10.8 Policy Governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: ICT Manager
Accountable: Corporate Director (s151)
Consulted: Unison
Informed: All Council Employees, All Temporary Staff, All Contractors

10.9 Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the appropriate manager.

10.10 References

Internal guidance on implementation of the Data Protection Act, and key Data Protection Act related documents, are available to Council employees via the Ryedale District Council Intranet.

General guidance and a free helpdesk dealing with Data Protection Act related issues are available to Council employees and the public via the Internet on the Information Commissioner's website at: http://www.ico.gov.uk/.

The Data Protection Act can be accessed on the Internet via the UK Statute Law Database.

The Data Protection Officer for Ryedale District Council can be contacted via the ICT Helpdesk.

The following Ryedale District Council policy documents are relevant to this policy and are referenced within this document:

4 Email Policy.
5 Internet Acceptable Usage Policy.
6 Software Policy.
7 IT Access Policy.
8 Human Resources Information Security Standards.
9 Information Protection Policy.
10 Computer, Telephone and Desk Use Policy.
12 Remote Working Policy.
13 Removable Media Policy.
14 Information Security Incident Management Policy.
15 Communications and Operation Management Policy.
16 IT Infrastructure Policy.

10.11 Key Messages

  • The Council will ensure compliance with the Data Protection Act 1998.
  • The Council has established a number of roles to assure compliance of this policy.
  • Every Council user has a duty to provide advice and assistance to anyone requesting information under the Freedom of Information Act.
  • All Councillors must accept responsibility for maintaining Information Security standards within the Council.

11 Remote Working

Ryedale District Council provides users with the facilities and opportunities to work remotely as appropriate. The Council will ensure that all users who work remotely are aware of the acceptable use of portable computer devices (see below) and of the requirements in relation to remote working.

Portable computing devices are provided to assist users to conduct official Council business efficiently and effectively. This equipment, and any information stored on portable computing devices, should be recognised as valuable organisational information assets and safeguarded appropriately.

Ryedale District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business. The mobility, technology and information which make portable computing devices so useful to employees and organisations also make them valuable prizes for thieves.

Securing PROTECT or RESTRICTED data when users work remotely or beyond the Council network is a pressing issue – particularly in relation to the Council's need as an organisation to protect data in line with the requirements of the Data Protection Act 1998 (see the Legal Responsibilities Policy).

11.2.1 When and to whom does this policy apply?

This policy applies to, but is not limited to, all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who make use of portable computing equipment or work on official Council business away from Ryedale District Council premises (i.e. working remotely).

This policy also applies to all users' use of Ryedale District Council ICT equipment or personal ICT equipment to access Council information systems or information whilst outside the United Kingdom.

Portable computing devices include, but are not restricted to, the following:

  • laptop computers;
  • tablets (including iPads);
  • mobile phones and smart phones (including BlackBerrys).

11.2.1 Why is this policy relevant?

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers. You may also be breaking the law.

11.6 Applying the policy

All IT equipment (including portable computer devices) supplied to users remains the property of Ryedale District Council and must be returned upon the request of Ryedale District Council. Occasional access to the devices may be required by ICT Support staff of Ryedale District Council to allow essential maintenance upon request.

All IT equipment and software must be supplied and installed by Ryedale District Council ICT Service staff.

11.6.1 User responsibilities

It is the user's responsibility to ensure that the following points are adhered to at all times:

  • users must take due care and attention of portable computer devices when moving between home and another business site
  • users must not install or update any software, including screen savers, on to a Council-owned portable computer device
  • users must not change the configuration of any Council-owned portable computer device
  • users must not install any hardware to or inside any Council owned portable computer device, unless authorised by the Ryedale District Council ICT service
  • users must allow the installation and maintenance of Ryedale District Council installed anti-virus or system updates immediately
  • users must inform the ICT Helpdesk of any Council owned portable computer device message relating to configuration changes
  • users must store business-critical data on a Council file server wherever possible and not solely on the portable computer device
  • users must report all faults, loss, damage or theft to the ICT Helpdesk at the earliest possible time
  • users must not remove or deface any asset registration number
  • user registration must be requested from ICT Support. Users must state to which applications they require access
  • user requests for upgrades of hardware or software must be approved by their line manager. Equipment and software will then be purchased and installed by ICT Support
  • IT equipment may be used for personal use by staff so long as it is not used in relation to an external business or for personal gain. Only software supplied and approved by Ryedale District Council must be used
  • no family members or other persons must use the IT equipment. The IT equipment is supplied solely for the use of the Council-authorised person
  • users must ensure that reasonable care is taken of the IT equipment supplied. Where any fault in the equipment has been caused by the user in breach of this or other policies or procedures, Ryedale District Council may recover the costs of repair
  • users must seek permission from Ryedale District Council before taking any Council supplied ICT equipment outside the United Kingdom
  • Ryedale District Council may at any time, and without notice, request a software and hardware audit and may be required to remove any equipment at the time of the audit for further inspection. All users must co-operate fully with any such audit
  • any user accessing Ryedale District Council systems and applications must only use Council-owned equipment which has appropriate technical security and advanced authentication mechanisms whilst working remotely
  • users must not pass on equipment to other users without permission from ICT Services. If it is no longer required or if a user ceases Council employment or service, Council-supplied equipment must be returned to ICT Services. Equipment must also be returned at any time upon the request of Ryedale District Council
  • upon request users must allow ICT Services staff of the Council to access equipment for essential maintenance, security work or removal.

11.6.2 Remote and mobile working arrangements

Users should be aware of the physical security dangers and risks associated with working within any remote office or mobile working location.

Users should ensure that equipment is not left unattended or otherwise open to theft or damage whether in the office, during transit or at home. In the home it should also be located out of sight of the casual visitor. For home working it is recommended that the office area of the house should be kept separate from the rest of the house. Equipment should, where appropriate, be disguised (e.g. laptops should be carried in less formal bags, and must be secured whenever not in use).

Users must ensure that access / authentication tokens and personal identification numbers are kept in a separate location to the portable computer device at all times. Removable media or devices and paper documentation must also not be stored with the portable computer device.

Users must also take care to ensure that their screen cannot be read by bystanders (known as "shoulder surfing") if they are accessing personal or sensitive information.

The use of equipment off-site must be formally approved by the user's line manager, and a record must be kept whenever equipment is removed from site or subsequently returned to its original location. Equipment taken away from Ryedale District Council premises is the responsibility of the user.

11.6.3 Access controls

It is essential that access to all PROTECT or RESTRICTED information is controlled. This can be done through physical controls, such as locking the home office or locking the computer's keyboard. Alternatively, or in addition, this can be done logically such as by password controls or User Login controls.

Portable computer devices should be switched off, logged off or the keyboard locked when left unattended, even if only for a few minutes.

All data on portable computer devices must, where possible, be encrypted.

An SSL or IPSec VPN must be configured to allow remote users access to Council systems if connecting over Public Networks, such as the Internet.

SecurEnvoy Dual-factor authentication must be used when accessing the Council network and information systems remotely, via Council-owned equipment.

Access to the Internet from Ryedale District Council owned ICT equipment should only be allowed via onward connection to Council-provided proxy servers and not directly to the Internet.

For further information about any of the above, please contact the ICT Helpdesk.

11.6.4 Anti-virus protection

ICT Services will deploy an up-to-date anti-virus signature file to all users who work away from Ryedale District Council premises. Users who work remotely must ensure that their portable computer devices are connected to the corporate network at least once every two weeks to enable the anti-virus software and other critical security updates to be applied.

11.7 Sanctions for non-compliance with this policy

If any user is found to have breached this policy, they may be subject to Ryedale District Council's disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s), irrespective of any disciplinary action which may have been taken.
If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT Helpdesk.

11.8 Policy governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: IT Infrastructure Manager
Accountable: Corporate Director (s151)
Consulted: Unison
Informed: All Council employees, Council members, temporary staff and contractors

11.9 Review and revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the IT Infrastructure Manager.

11.10 References

All users must comply with appropriate codes and policies associated with the use of IT equipment, and the spirit of them. This includes, but is not limited to, the following Ryedale District Council policy documents, which are indirectly relevant to this policy:

4 Email Policy
5 Internet Acceptable Use Policy
6 Software Policy
7 ICT Access Policy
8 Human Resources Information Security Standards
9 Information Protection Policy
10 Computer, Telephone and Desk Use Policy
11 Legal Responsibilities Policy
13 Removable Media Policy
14 Information Security Incident Management Policy
15 Communications and Operation Management Policy
16 IT Infrastructure Policy

If you do not understand the implications of any of these policies, or how they may apply to you, seek advice from the ICT Helpdesk.

11.11 Key Messages

  • It is the user's responsibility to use portable computer devices in an acceptable way. This includes not installing software, taking due care and attention when moving portable computer devices and not emailing information to a non-Council email address.
  • Users should be aware of the physical security dangers and risks associated with working within any remote office or mobile working location.
  • It is the user's responsibility to ensure that access to all information is controlled – e.g. through password controls.
  • All data held on portable computer devices must be encrypted.

12 Removable Media

12.1 Policy Statement

Ryedale District Council will ensure the controlled use of removable media devices to store and transfer information by all users who have access to information, information systems and IT equipment for the purposes of conducting official Council business.

12.2 Purpose of this policy

Ryedale District Council will ensure the controlled use of portable data storage media and devices to store and transfer information by all users who have access to Council information, information systems and IT equipment.

This policy establishes the principles and working practices which are to be adopted by all users in order for data to be safely stored and transferred on portable media.

This policy aims to inform staff and others who use portable devices at any site or at home in the course of council business of information security issues, so that they can apply procedures accordingly. The use of portable data storage media is controlled by the Council in order to:

  • prevent unauthorised disclosure, modification, removal or destruction of information assets;
  • prevent unintended or deliberate effects on the stability of Ryedale District Council's computer network;
  • avoid contravention of any legislation (and in particular the Data Protection Act 1998), policies or good practice requirements;
  • ensure that information and in particular person identifiable information or business sensitive data, is not disclosed to unauthorised third parties by any means.

12.? When and to whom does this policy apply?

This policy applies to all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who have access to Ryedale District Council information, information systems or IT equipment and intend to store any information on portable data storage devices.

A summary of examples of portable data storage media and devices can be found in Appendix 1.

12.? Why is this policy relevant?

If you do not comply with this policy, it could lead to customers or staff personal data being put at risk and impact services to our customers. The Council could be fined, its efficiency could be reduced and its good reputation could be lost.

12.3 Scope

12.4 Definition

12.5 Risks

12.6 Applying the policy

12.6.1 Restricted access to portable data storage media

It is Ryedale District Council policy to restrict or disallow the use of some media and devices, details of which are included in Appendix 1 below. The use of restricted devices will only be approved if a valid business case for their use is presented to and approved by the IT Infrastructure Manager. There are significant risks associated with the use of some devices, and therefore clear business benefits that outweigh the risks must be demonstrated before approval is given by the IT Infrastructure Manager.

Requests for access to, and use of, these devices must be made to the ICT Helpdesk.

Should access to, and use of, restricted devices be approved, this policy applies and must be adhered to at all times.

12.6.2 Procurement of devices

All devices which will be connected to Ryedale District Council computers or information systems must be purchased, configured and installed by ICT Services. Users must not use non-council owned devices to store any information used to conduct official Council business and must not connect them to or otherwise directly interface them with any Council-owned or leased ICT equipment.

All portable device users must receive training in the use of the device and its encryption functionality. This should include their responsibility for safeguarding the device and their obligation to comply with this policy and other relevant information governance and security policies.

Approved equipment will always be security marked to show that it is owned by the council, with devices having a metallic green security tag attached.

12.6.3 Preventing information security incidents

Each user is responsible for the appropriate use and security of data and for not allowing portable data storage media or devices and the information stored on them, to be compromised in any way whilst in their care or under their control. Anyone using portable data storage media or devices to transfer data must consider the most appropriate way of transporting them and be able to demonstrate that they took reasonable care to avoid damage, theft or loss.

Data which is only held in one place and in one format is at much higher risk of being unavailable or corrupted through loss, destruction or malfunction of equipment than data which is frequently backed up. Therefore Council data must be held on the Council network and portable media should never be the only place where Council data is held. They must not be used as an alternative means of data warehousing, archiving or other long-term storage. Copies of any data stored on or transferred via portable media must remain on the source system or networked computer until the data is successfully transferred to another networked computer or system. For further information please see the Remote Working Policy.

Please contact ICT Services to discuss your information storage needs if necessary.

In order to minimise physical risk, loss, theft or electrical corruption, all storage media must be stored in an appropriately secure and safe environment.

All data stored on portable media must be secured according to the type of data and its sensitivity. All personal, PROTECT and RESTRICTED data held on any portable data storage media or devices must be encrypted at all times.

Only data which is authorised and necessary to be transferred should be saved on to a portable media device.

Damaged or faulty portable media devices must not be used. It is the duty of all users to contact the ICT Helpdesk should portable data storage media or devices be damaged.

Virus and malware checking software approved by ICT Services must be operational and up to date on both the machine from which the data is taken and the machine on to which the data is to be loaded. The data must be scanned by virus checking software products, before being loaded on to the receiving machine.

Only authorised and licensed software provided by the Council should be loaded onto portable devices. Contact the ICT Helpdesk for further guidance.

Users should be aware that the Council may audit / log the transfer of data files to and from all portable data storage media or devices and Council-owned IT equipment for the purposes of forensic investigation in the event of data misuse or loss, however caused.

12.6.4 Third party access to Council information

No third party (external contractors, partners, agents, the public or non-employee parties) may receive data or extract information from the Council's network, information stores or IT equipment without explicit agreement from the IT Infrastructure Manager or the designated Data Protection manager where appropriate.

Should third parties be allowed access to Council information then all the considerations of this policy apply to their storing and transferring of the data.

Contractors, agency staff and other non-employee parties are not permitted to use any portable media other than those provided and explicitly approved by ICT Services.

12.6.5 Disposal or transfer of devices

Data left on portable devices can present a particular risk to information security. All portable data storage devices which are no longer required or have become damaged, must be returned to ICT Services immediately for secure disposal to avoid data leakage. Alternatively, if ICT Services reissue any device to another user, they must erase all previous contents held on the device.

Please note that simply deleting files does not permanently remove them from the device. Devices must undergo a thorough removal of all data from them using specialist software and tools. This must be performed by ICT Services.

12.6.6 Incident management

It is the duty of all users to report any loss of data, or actual or suspected breaches in information security immediately to the ICT Helpdesk, who will initiate the appropriate action. This includes any misuse or irresponsible actions which could affect Council data security.

12.7 Sanctions for non-compliance with this policy

If any user is found to have breached this policy, they may be subject to Ryedale District Council's disciplinary procedure. Serious breaches of this policy may be regarded as gross misconduct. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s), irrespective of any disciplinary action which may have been taken.

12.8 Policy governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible: IT Infrastructure Manager
Accountable: Corporate Director (s151)
Consulted: Unison
Informed: All Council Employees, Members, Temporary Staff, Contractors

12.9 Review and revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the IT Infrastructure Manager.

12.10 Further information and advice

If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT Helpdesk.

For technical advice or assistance on how to securely use portable data storage devices and media, please also contact the ICT Helpdesk.

The following Ryedale District Council policy documents are indirectly relevant to this policy:

  • Communications and Operation Management Policy.
  • Remote Working Policy.
  • Email Policy.
  • Internet Acceptable Use Policy.
  • Software Policy.
  • Computer, Telephone and Desk Use Policy.
  • IT Access Policy.
  • Information Protection Policy.
  • Human Resources Information Security Standards.
  • IT Infrastructure Policy.

12.11 Key Messages

  • It is Ryedale District Council policy to restrict the use of portable data storage media or devices, as detailed in this document. Their use will only be approved if there is a valid business case.
  • Any medium or device which has not been supplied by the Council's ICT Service must not be used on any Council system or network or with any Council-owned equipment.
  • Only RDC hardware-encrypted memory sticks should be used on council owned assets.
  • All data stored on portable data storage media or devices must be encrypted where possible, in accordance with the terms of this policy and be securely deleted from the medium or device as soon as possible.
  • Special care must be taken to physically protect portable data storage media or devices and stored data from loss, theft or damage. Anyone using portable data storage media or devices to transfer data must consider the most appropriate way to transport them and be able to demonstrate that they took reasonable care to avoid damage or loss.
  • Damaged or faulty media or devices or those which are no longer required, must be returned to ICT Services so that they can be disposed of securely to avoid compromise of the information stored on them.
  • Information classified as PROTECT or above must only be sent to external recipients using a GCSx email account.
  • Only software authorised and licensed by the Council should be used on its portable devices; for further details please refer to the separate Software Policy.
  • Advice on encryption methodology and usage is available from ICT Services.

Appendix 1

Devices currently considered to be portable data storage media

Device | Description | Usage | Explanation
Any device not supplied by Ryedale District Council | Any device, including but not limited to the types below, on which data can be stored | Not allowed | Only devices purchased and issued by RDC may be connected. Their use must also be in accordance with the terms of this policy.
External hard drives | Portable device for storing large quantities of data | Restricted | Only Council-supplied encrypted USB storage media are authorised for use on the RDC network. No other devices are permitted. All data must be stored on the RDC network.
SD cards (for use with phones, cameras etc.) | Removable media for portable storage of data | Restricted | Use of such media is restricted due to the potential issues with storing and transporting data in this format.
USB memory sticks | Removable media for portable storage of data | Restricted | Only Council-supplied encrypted USB storage media are authorised for use on the RDC network. No other devices are permitted. All data must be stored on the RDC network.
CDs and DVDs (recordable) | Discs that can be written (saved) to using an appropriate drive | Restricted | Use of such media is restricted due to the potential issues with storing and transporting data in this format.
Digital cameras, including mobile phones and similar devices | Any device which creates and stores digital images | Restricted | Use of such media is restricted due to the potential issues with storing and transporting data in this format.
CDs and DVDs (non-recordable) | Read-only discs; data cannot be written (saved) to this media | Allowed | Ryedale District Council data must not be stored using unencrypted media.
Laptops, tablets and PDAs (including iPads) | | Restricted | Data must not be saved to unencrypted devices.
Mobile phones and smartphones | | Restricted | Data must not be saved to unmanaged devices.

Any other devices or media not mentioned here MUST be reviewed by ICT Services before use.

Other devices to be considered:

  • Embedded microchips (including smart cards and mobile phone SIM cards)
  • MP3 and other media players
  • Digital dictaphones and other voice recorders
  • Analogue Dictaphones
  • Digital Dictaphones
  • Analogue video recorders and cameras
  • Digi-Pens

13 Information Security Incident Management

Contents

1 Policy Statement
2 Purpose
3 Scope
4 Definition
5 Risks
6 Procedure for Incident Handling
7 Policy Compliance
8 Policy Governance
9 Review and Revision
10 References
11 Key Messages
12 Appendices
Appendix 1 – Process Flow: Reporting an Information Security Event or Weakness
Appendix 2 – Examples of Information Security Incidents
Appendix 3 – Procedure for Incident Handling
Appendix 4 – Risk Impact Matrix

13.1 Policy Statement

Ryedale District Council will ensure that it reacts appropriately to any actual or suspected incidents relating to information systems and information within the custody of the Council.

13.2 Purpose

The aim of this policy is to ensure that Ryedale District Council reacts appropriately to any actual or suspected security incidents relating to information systems and data.

13.3 Scope

This document applies to all Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who use Ryedale District Council IT facilities and equipment, or have access to, or custody of, customer information or Ryedale District Council information.

All users must understand and adopt use of this policy and are responsible for ensuring the safety and security of the Council's systems and the information that they use or manipulate.
All users have a role to play and a contribution to make to the safe and secure use of technology and the information that it holds.

13.4 Definition

This policy needs to be applied as soon as information systems or data are suspected to be, or are actually, affected by an adverse event which is likely to lead to a security incident.

The definition of an "information management security incident" ('Information Security Incident' in the remainder of this policy and procedure) is an adverse event that has caused or has the potential to cause damage to an organisation's assets, reputation and / or personnel. Incident management is concerned with intrusion, compromise and misuse of information and information resources, and the continuity of critical information systems and processes.

An Information Security Incident includes, but is not restricted to, the following:

  • The loss or theft of data or information.
  • The transfer of data or information to those who are not entitled to receive that information.
  • Attempts (either failed or successful) to gain unauthorised access to data or information storage or a computer system.
  • Changes to information or data or system hardware, firmware, or software characteristics without the Council's knowledge, instruction, or consent.
  • Unwanted disruption or denial of service to a system.
  • The unauthorised use of a system for the processing or storage of data by any person.

Examples of some of the more common forms of Information Security Incidents have been
provided in Appendix 2.

13.5 Risks

Ryedale District Council recognises that there are risks associated with users accessing and
handling information in order to conduct official Council business.

This policy aims to mitigate those risks by:

  • Reducing the impact of information security breaches by ensuring incidents are followed up correctly.
  • Helping to identify areas for improvement to decrease the risk and impact of future incidents.

Non-compliance with this policy could have a significant effect on the efficient operation of the
Council and may result in financial loss and an inability to provide necessary services to our
customers.

13.6 Procedure for Incident Handling

Events and weaknesses need to be reported at the earliest possible stage as they need to be
assessed by an Information Security Advisor.

The Advisor enables the ICT service to identify when a series of events or weaknesses have escalated to become an incident.

It is vital for the ICT service to gain as much information as possible from the business users to identify if an incident is occurring.

For full details of the procedure for incident handling please refer to Appendix 3.

13.7 Policy Compliance

If any user is found to have breached this policy, they may be subject to the Council's disciplinary procedure.

If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT helpdesk.

13.8 Policy Governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy.

The following definitions apply:

Responsible – the person(s) responsible for developing and implementing the policy.
Accountable – the person who has ultimate accountability and authority for the policy.
Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible - ICT Manager
Accountable - Corporate Director
Consulted - Unison
Informed - All Council Employees, All Temporary Staff, All Contractors

13.9 Review and Revision

This policy, and all related appendices, will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the relevant manager.

13.10 References

The following Ryedale District Council policy documents are directly relevant to this policy:

4 Email Policy.
5 Internet Acceptable Use Policy.
6 Software Policy.
7 IT Access Policy.
8 GCSx Acceptable Usage Policy and Personal Commitment Statement.
9 Human Resources Information Security Standards.
10 Information Protection Policy.
11 Computer, Telephone and Desk Use Policy.
12 Legal Responsibilities Policy.
13 Remote Working Policy.
14 Removable Media Policy.
16 Communications and Operation Management Policy.
17 IT Infrastructure Policy.

13.11 Key Messages

  • All staff should report any incidents or suspected incidents immediately by contacting the ICT helpdesk on X229 or
  • We can maintain your anonymity when reporting an incident if you wish.
  • If you are unsure of anything in this policy you should ask for advice from the ICT helpdesk.

13.12 Appendices

Appendix 12 – Examples of Information Security Incidents

Examples of the most common Information Security Incidents are listed below.

It should be noted that this list is not exhaustive.

Malicious

  • Giving information to someone who should not have access to it - verbally, in writing or electronically.
  • Computer infected by a Virus or other malware.
  • Sending a sensitive e-mail to 'all staff' by mistake.
  • Receiving unsolicited mail of an offensive nature.
  • Receiving unsolicited mail which requires you to enter personal data.
  • Finding data that has been changed by an unauthorised person.
  • Receiving and forwarding chain letters – including virus warnings, scam warnings and other emails which encourage the recipient to forward onto others.
  • Unknown people asking for information which could gain them access to council data (e.g. a password or details of a third party).

Misuse

  • Use of unapproved or unlicensed software on Ryedale District Council equipment.
  • Accessing a computer database using someone else's authorisation (e.g. someone else's user id and password).
  • Writing down your password and leaving it on display / somewhere easy to find.
  • Printing or copying confidential information and not storing it correctly or confidentially.

Theft / Loss

  • Theft / loss of a hard copy file.
  • Theft / loss of any Ryedale District Council computer equipment.

Appendix 13 - Procedure for Incident Handling

Reporting Information Security Events or Weaknesses

The following sections detail how users and IT Support Staff must report information security
events or weaknesses.

Appendix 1 provides a process flow diagram illustrating the process to be followed when reporting information security events or weaknesses.

Reporting Information Security Events for all Employees

Security events, for example a virus infection, could quickly spread and cause data loss across the organisation.

All users must understand, and be able to identify that any unexpected or unusual
behaviour on the workstation could potentially be a software malfunction.

If an event is detected users must:

  • Note the symptoms and any error messages on screen.
  • Disconnect the workstation from the network if an infection is suspected (with assistance from IT Support Staff).
  • Not use any removable media (for example USB memory sticks) that may also have been infected.

All suspected security events should be reported immediately to the ICT helpdesk on X229.

If the Information Security event is in relation to paper or hard copy information, for example personal information files that may have been stolen from a filing cabinet, this must be reported to Senior Management and the Data Protection Officer for the impact to be assessed.

The ICT Helpdesk will require you to supply further information, the nature of which will depend upon the nature of the incident.

However, the following information must be supplied:

  • Contact name and number of person reporting the incident.
  • The type of data, information or equipment involved.
  • Whether the loss of the data puts any person or other data at risk.
  • Location of the incident.
  • Inventory numbers of any equipment affected.
  • Date and time the security incident occurred.
  • Location of data or equipment affected.
  • Type and circumstances of the incident.

Reporting Information Security Weaknesses for all Employees

Security weaknesses, for example a software malfunction, must be reported through the same process as security events.

Users must not attempt to prove a security weakness as such an action may be considered to be misuse.

Weaknesses reported to application and service providers by employees must also be reported internally to ICT support.

The service provider's response must be monitored and the effectiveness of its action to repair the weakness must be recorded by ICT.

Reporting Information Security Events for IT Support Staff

Information security events and weaknesses must be reported to a nominated central point of contact within ICT as quickly as possible and the incident response and escalation procedure must be followed.

Security events can include:

  • Uncontrolled system changes.
  • Access violations – e.g. password sharing.
  • Breaches of physical security.
  • Non-compliance with policies.
  • Systems being hacked or manipulated.

Security weaknesses can include:

  • Inadequate firewall or antivirus protection.
  • System malfunctions or overloads.
  • Malfunctions of software applications.
  • Human errors.

The reporting procedure must be quick and have redundancy built in. All events must be reported to the ICT helpdesk and the ICT Manager, both of whom must take appropriate action.

The reporting procedure must set out the steps that are to be taken and the time frames that must be met.

An escalation procedure must be incorporated into the response process so that users and support staff are aware who else to report the event to if there is not an appropriate response within a defined period.

Incidents must be reported to the Business Continuity Management teams should the incident become service affecting.

Management of Information Security Incidents and Improvements

A consistent approach to dealing with all security events must be maintained across the Council.

The events must be analysed and the ICT Manager must be consulted to establish when security events become escalated to an incident.

The incident response procedure must be a seamless continuation of the event reporting process and must include contingency plans to advise the Council on continuing operation during the incident.

All incidents should be reported to the ICT Manager.

To decide what level of impact an incident has users should refer to the Risk Impact Matrix in Appendix 4.

Collection of Evidence

If an incident may require information to be collected for an investigation, strict rules must be adhered to.

The collection of evidence for a potential investigation must be approached with care.

Internal Audit must be contacted immediately for guidance and strict processes must be followed for the collection of forensic evidence.

If in doubt about a situation, for example concerning computer misuse, contact the IT Helpdesk for advice.

Responsibilities and Procedures

Management responsibilities and appropriate procedures must be established to ensure an effective response against security events.

The security advisor from ICT must decide when events are classified as an incident and determine the most appropriate response.

An incident management process must be created and include details of:

  • Identification of the incident, analysis to ascertain its cause and vulnerabilities it exploited.
  • Limiting or restricting further impact of the incident.
  • Tactics for containing the incident.
  • Corrective action to repair and prevent recurrence.
  • Communication across the Council to those affected.

The process must also include a section referring to the collection of any evidence that might be required for analysis as forensic evidence.

The specialist procedure for preserving evidence must be carefully followed.

The actions required to recover from the security incident must be under formal control.

Only identified and authorised staff should have access to the affected systems during the incident and all of the remedial actions should be documented in as much detail as possible.

The officer responsible for an incident should risk assess the incident based on the Risk Impact Matrix (please refer to Appendix 4).

If the impact is deemed to be high or medium this should be reported immediately to the ICT Manager.

Learning from Information Security Incidents

To learn from incidents and improve the response process incidents must be recorded and a Post Incident Review conducted.

The following details must be retained:

  • Types of incidents.
  • Volumes of incidents and malfunctions.
  • Costs incurred during the incidents.

The information must be collated and reviewed on a regular basis by ICT and any patterns or trends identified.

Any changes to the process made as a result of the Post Incident Review must be formally noted.

The information, where appropriate, should be shared with the Warning, Advice and Reporting Point (WARP) to aid the alert process for the region.

Appendix 14 - Risk Impact Matrix

14.14.1 Risk Impact Matrix

To decide on the potential or actual impact of an information security incident, the impact matrix below should be used.


14 Communications and Operation Management

14.1 Policy Statement

Ryedale District Council will ensure the protection of the Council IT service (including any
information systems and information processing equipment used by the Council) against malware and malicious and mobile code.

Only authorised changes will be made to the Council IT service (including any information systems and information processing equipment).

Information leakage will be prevented by secure controls.

14.2 Purpose

This policy covers the key areas in day to day operations management of the Council's IT services.

This is in order to protect the systems and ultimately the data and delivery of services to the public.

14.3 Scope

This policy applies to all Ryedale District Council Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council with access to Ryedale District Council's IT facilities and equipment.

All users have a role to play and a contribution to make to the safe and secure use of technology and the information that it holds.

14.4 Definition

This policy should be applied whenever users access Ryedale District Council's IT facilities and equipment, and especially when managing, developing, configuring or maintaining Ryedale District Council's IT facilities and equipment.

Local procedures, standards and work instructions may be defined in the appendices to allow flexibility of organisational practices.

This policy provides a minimum requirement to be met under nationally recognised standards.

14.5 Risks

Ryedale District Council recognises that there are risks associated with users accessing and
handling information in order to conduct official Council business.
This policy aims to mitigate the following risks:

  • the non-reporting of information security incidents,
  • inadequate destruction of data,
  • the loss of direct control of user access to information systems and facilities amongst others.

Non-compliance with this policy could have a significant effect on the efficient operation of the
Council and may result in financial loss and an inability to provide necessary services to our
customers.

14.6 Applying the Policy

Operational Procedures and Responsibilities

14.6.1 Documented Operating Procedures

Operating procedures are used in all day to day maintenance of Ryedale District Council IT
systems and infrastructure in order to ensure the highest possible service from these assets.

These operating procedures must be documented to an appropriate level of detail for the
departmental team that will be using them.

14.6.2 Change Management

Changes to the Council's operational systems must be controlled with a formally documented
change control procedure.

The change control procedure should include references to:

  • A description of the change and business reasons.
  • Information concerning the testing phase.
  • Impact assessment including security, operations and risk.
  • Formal approval process.
  • Communication to all relevant people of the changes.
  • Procedures for aborting and rolling back if problems occur.
  • Process for tracking and audit.

All significant changes to the main infrastructure (e.g. Network, Directories) need to be assessed for their impact on information security as part of the standard risk assessment.

14.6.3 Separation of Development, Test and Operational Facilities

The development and test environments must be separate from the live operational environment to reduce the risk of accidental changes or unauthorised access. The environments must be segregated by the most appropriate controls including, but not limited to, the following:

  • Running on separate computers, domains, instances and networks.
  • Different usernames and passwords.
  • Duties of those able to access and test operational systems.

System Planning and Acceptance

14.6.4 Capacity Planning

All Ryedale District Council IT infrastructure components or facilities are covered by capacity
planning and replacement strategies to ensure that increased power and data storage requirements can be addressed and fulfilled in a timely manner.

Key IT infrastructure components include, but are not restricted to, the following:

  • File servers.
  • Domain servers.
  • E-mail servers.
  • Web servers.
  • Printers.
  • Networks.
  • Environmental controls including air conditioning.

14.6.5 System Acceptance

All departments must inform the ICT Service via the ICT Helpdesk of any new product requirements or of any upgrades, service packs, patches or fixes required to existing systems.

All new products must be purchased through ICT.

New information systems, product upgrades, patches and fixes must all undergo an appropriate level of testing prior to acceptance and release into the live environment.

The acceptance criteria must be clearly identified, agreed and documented and should involve management authorisation.

3rd party applications must also be monitored for service packs and patches.

Major system upgrades must be thoroughly tested in parallel with the existing system in a safe test environment that duplicates the operational system.

14.6.6 Protection against Malicious and Mobile Code

Appropriate steps are taken to protect all Ryedale District Council IT systems, infrastructure and information against malicious code.

Effective and up-to-date anti-virus software is run on all servers and PCs.

Ryedale District Council staff are responsible for ensuring that they do not introduce malicious code into Ryedale District Council IT systems – as stated within the Software Policy.

Where a virus is detected on a Ryedale District Council system, the individual must inform the ICT Helpdesk immediately.

14.6.7 Patching

All servers must have appropriate critical security patches applied as soon as they become available and have passed the system acceptance testing. All other patches must be applied as appropriate.

Patches must be applied to all software on the Council network where appropriate.

Unpatchable software must not be used where there is a GCSx connection provided.

There must be a full record of which patches have been applied and when.

14.6.8 Controls against Malicious and Mobile Code

In order to prevent malicious and mobile code, appropriate access controls (e.g. administration / user rights) shall be put in place to prevent installation of software by all users.

Requests for software installation shall only be accepted where there is a clear technical
verification.

Anti-malware software will be installed on appropriate points on the network and on hosts.

This should make reference to appropriate backups, should comply with the change control process, and checks should be made against incident reporting via a WARP or similar.

14.6.9 Examples of Malicious and Mobile Code

Mobile code represents newer technologies often found in web pages and emails, and includes, but is not limited to:

  • ActiveX.
  • Java.
  • JavaScript.
  • VBScript.
  • Macros.
  • HTTPS.
  • HTML.

Backups

14.6.10 Information Backup

Regular backups of essential business information must be taken to ensure that the Council can recover from a disaster, media failure or error. An appropriate backup cycle must be used and fully documented.

Any 3rd parties that store Council information must also be required to ensure that the information is backed up.

Full backup documentation, including a complete record of what has been backed up along with the recovery procedure, must be stored at an off site location in addition to the copy at the main site and be readily accessible.

This must also be accompanied by an appropriate set of media tapes and stored in a secure area.
The remote location must be sufficiently remote to avoid being affected by any disaster that takes place at the main site.

14.6.11 Information Restore

Full documentation of the recovery procedure must be created and stored.

Regular restores of information from back up media must be tested to ensure the reliability of the back up media and restore process and this should comply with the agreed change management process.

Retention schedules are defined in the Ryedale District Council disaster recovery plan.

14.6.12 Storage Media Handling

Storage media includes, but is not restricted to, the following:

  • Computer Hard Drives (both internal and external).
  • CDs.
  • DVDs.
  • Optical Disks.
  • USB Memory Sticks.
  • Media Card Readers.
  • MP3 Players.
  • Digital Cameras.
  • Backup Cassettes.
  • Audio Tapes (including Dictaphones and Answering Machines).

14.6.13 Management of Removable Media

Removable computer media (e.g. tapes, disks, cassettes and printed reports) must be protected to prevent damage, theft or unauthorised access.

Documented procedures must be kept for backup tapes that are removed on a regular rotation from Council buildings.

Media stores must be kept in a secure environment.

Appropriate arrangements must be put in place to ensure future availability of data that is required beyond the lifetime of the backup media.

For further information, please refer to Removable Media Policy.

14.6.14 Physical Storage Media in Transit

Storage media being transported must be protected from unauthorised access, misuse or
corruption.

Where couriers are required a list of reliable and trusted couriers should be established.

If appropriate, physical controls such as encryption or special locked containers should also be used.

For further information, please refer to Removable Media Policy.

14.6.15 Disposal of Storage Media

Storage media that is no longer required must be disposed of safely and securely to avoid data leakage.

Any previous contents of any reusable storage media that are to be removed from the Council must be erased.

This must be a thorough removal of all data from the storage media to avoid the
potential of data leakage.

For further information, please refer to Removable Media Policy.

14.6.16 Security of System Documentation

System documentation must be protected from unauthorised access.

This includes bespoke documentation that has been created by ICT Services or any other departmental IT staff.

This does not include generic manuals that have been supplied with software.

Examples of the documentation to be protected include, but are not restricted to, descriptions of:

  • Applications.
  • Processes.
  • Procedures.
  • Data structures.
  • Authorisation details.

Effective version control should be applied to all documentation and documentation storage.

Monitoring

14.6.17 Audit Logging for Restricted Data and GCSx Services

Audit logs must be kept for a minimum of six months which record exceptions and other security
related events.

As a minimum, audit logs must contain the following information:

  • System identity.
  • User ID.
  • Successful/Unsuccessful log in.
  • Successful/Unsuccessful log off.
  • Unauthorised application access.
  • Changes to system configurations.
  • Use of privileged accounts (e.g. account management, policy changes, device configuration).

It is good practice to keep all audit logs for 6 months.

Access to the logs must be protected from unauthorised access that could result in recorded information being altered or deleted.

System administrators must be prevented from erasing or deactivating logs of their own activity.

Where appropriate, classified data should be stored separately from non-classified data. Data sent or received via GCSx must be stored separately from non-classified data .
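As an added example, not the Council's own tooling or part of the policy, the following Python check reads an exported audit log and tests each record against the minimum content listed above, confirms the six-month retention floor, and flags any privileged action aimed at the audit log itself, which the rule on administrators erasing their own activity says should never succeed. The JSON field names, the event names, the 183-day approximation of six months, the reference date and the sample records are all this example's assumptions.

```python
"""Added example: check exported audit records against the minimum content,
retention period and anti-tamper rule in section 14.6.17. Not the Council's
own code; field names, event names and sample data are assumptions."""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Minimum content of an audit record (section 14.6.17). The JSON key names are
# this example's assumption; the policy names the information, not a schema.
REQUIRED_FIELDS = ("timestamp", "system", "user_id", "event", "outcome")

# Event types covering the policy's list: log in/off, unauthorised application
# access, changes to system configuration, use of privileged accounts.
KNOWN_EVENTS = {"login", "logoff", "app_access", "config_change", "privileged_use"}

# "Minimum of six months", approximated here as 183 days (assumption).
MIN_RETENTION = timedelta(days=183)

# Constructed sample export, one JSON object per line. Not real council data.
SAMPLE_LOG = """\
{"timestamp": "2013-01-10T08:02:11Z", "system": "finance-db", "user_id": "jbloggs", "event": "login", "outcome": "success"}
{"timestamp": "2013-03-02T17:45:09Z", "system": "finance-db", "user_id": "jbloggs", "event": "app_access", "outcome": "failure", "detail": "payroll module"}
{"timestamp": "2013-06-15T09:12:00Z", "system": "dc01", "user_id": "admin.smith", "event": "config_change", "outcome": "success"}
{"timestamp": "2013-06-15T09:13:30Z", "system": "dc01", "user_id": "admin.smith", "event": "privileged_use", "outcome": "success", "target": "audit_log", "action": "clear"}
{"timestamp": "2013-06-16T10:00:00Z", "system": "webmail", "user_id": "", "event": "login", "outcome": "success"}
{"timestamp": "not-a-date", "system": "webmail", "user_id": "asmith", "event": "teleport", "outcome": "success"}
"""

# Constructed reference time for the retention check (assumption).
EXAMPLE_NOW = datetime(2013, 8, 1, tzinfo=timezone.utc)


def parse_log(text: str) -> list[dict]:
    """Parse a newline-delimited JSON export into a list of records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_timestamp(value) -> datetime | None:
    """Accept only UTC timestamps in the form 2013-01-10T08:02:11Z."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def record_problems(rec: dict) -> list[str]:
    """Return the ways a single record falls short of the 14.6.17 minimum."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("event") not in KNOWN_EVENTS:
        problems.append(f"unknown event {rec.get('event')!r}")
    if parse_timestamp(rec.get("timestamp")) is None:
        problems.append("unparseable timestamp")
    return problems


def audit_log_tampering(records: list[dict]) -> list[dict]:
    """Privileged actions aimed at the audit log itself. 14.6.17 requires that
    administrators cannot erase or deactivate logs of their own activity, so
    any such record should be impossible and is worth immediate review."""
    return [r for r in records
            if r.get("event") == "privileged_use" and r.get("target") == "audit_log"]


def retention_satisfied(records: list[dict], now: datetime) -> bool:
    """True when the retained records reach back at least MIN_RETENTION."""
    stamps = [t for t in (parse_timestamp(r.get("timestamp")) for r in records) if t]
    return bool(stamps) and min(stamps) <= now - MIN_RETENTION


def check_log(text: str, now: datetime) -> dict:
    """Summarise one export: counts, per-record problems, tamper hits, retention."""
    records = parse_log(text)
    invalid = {}
    for index, rec in enumerate(records):
        problems = record_problems(rec)
        if problems:
            invalid[index] = problems
    return {
        "records": len(records),
        "invalid": invalid,
        "tampering": len(audit_log_tampering(records)),
        "retention_ok": retention_satisfied(records, now),
    }


if __name__ == "__main__":
    print(json.dumps(check_log(SAMPLE_LOG, EXAMPLE_NOW), indent=2))
```

On the sample export the check reports two defective records (an empty user ID, and an unknown event with an unreadable timestamp) and one privileged "clear" of the audit log by an administrator, while the retention floor is met because the oldest record is more than 183 days before the reference date.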

14.6.17 Administrator and Operator Logs

Operational staff and system administrators must maintain a log of their activities. The logs should include:

  • Back-up timings and details of exchange of backup tapes.
  • System event start and finish times and who was involved.
  • System errors (what, date, time) and corrective action taken.

The logs should be checked regularly to ensure that the correct procedures are being followed.

14.6.18 Clock Synchronisation

All computer clocks must be synchronised to the GSI time source to ensure the accuracy of all system audit logs, as they may be needed for incident investigation.

14.6.19 Network Management

14.6.20 Network Controls

Connections to the Ryedale District Council network infrastructure are made in a controlled manner.

Network management is critical to the provision of Council services and must apply the following controls:

  • Operational responsibility for networks should, where possible be separate from computer operations activities.
  • There must be clear responsibilities and procedures for the management of remote equipment and users (please refer to the Remote Working Policy and Removable Media Policy).
  • Where appropriate, controls must be put in place to protect data passing over the network (e.g. encryption).

The network architecture must be documented and stored with configuration settings of all the hardware and software components that make up the network.

All components of the network

All hosts must be security hardened to an appropriate level. Operating systems will have their network services reviewed, and those services that are not required will be disabled.

14.6.21 Wireless Networks

Wireless networks must apply controls to protect data passing over the network and prevent
unauthorised access.

Encryption must be used on the network to prevent information being
intercepted.

WPA2 should be applied as a minimum.

Systems Development and Maintenance

14.6.22 Protection of System Test Data

If personal information is used during the development and test phase of preparing application software it must be protected and controlled in line with the Data Protection Act (please refer to the Legal Responsibilities Policy) and where possible depersonalised.

If operational data is used controls must be used including, but not limited to, the following:

  • An authorisation process.
  • Removal of all operational data from the test system after use.
  • Full audit trail of related activities.
  • Any personal or confidential information must be protected as if it were live data.

14.6.23 Annual Health Check

An annual health check of all Council IT infrastructure systems and facilities must be undertaken by the ICT Service every 12 months. This health check must include, but is not restricted to, the following:

  • A full penetration test.
  • A network summary that will identify all IP addressable devices.
  • Network analysis, including exploitable switches and gateways.
  • Vulnerability analysis, including patch levels, poor passwords and services used.
  • Exploitation analysis.
  • A summary report with recommendations for improvement.

14.7 Policy Compliance

If any user is found to have breached this policy, they may be subject to Ryedale District Council's disciplinary procedure.

If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s).

If you do not understand the implications of this policy or how it may apply to you, seek advice from ICT Helpdesk.

14.8 Policy Governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy.

The following definitions apply:

Responsible – the person(s) responsible for developing and implementing the policy.
Accountable – the person who has ultimate accountability and authority for the policy.
Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible - ICT Manager
Accountable - Corporate Director
Consulted - Unison
Informed - All Council Employees, All Temporary Staff, All Contractors

14.9 Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the relevant manager.

14.10 References

The following Ryedale District Council policy documents are directly relevant to this policy, and are referenced within this document :

6 Software Policy.
12 Legal Responsibilities Policy.
13 Remote Working Policy.
14 Removable Media Policy.
17 IT Infrastructure Policy.

The following Ryedale District Council policy documents are indirectly relevant to this policy:

4 Email Policy.
5 Internet Acceptable Usage Policy.
7 IT Access Policy.
8 GCSx Acceptable Usage Policy and Personal Commitment Statement.
9 Human Resources Information Security Standards.
10 Information Protection Policy.
11 Computer, Telephone and Desk Use Policy.
15 Information Security Incident Management Policy.

14.11 Key Messages

  • Changes to the Council's operating systems must follow the Council's formal change control procedure.
  • Unpatchable software must not be used where there is a GCSx connection provided.
  • Appropriate access controls shall be put in place to prevent user installation of software and to protect against malicious and mobile code.
  • Regular backups of essential business information will be taken to ensure that the Council can recover from a disaster, media failure or error.
  • Storage media must be handled, protected and disposed of with care.
  • Audit logs for RESTRICTED data and GCSx services must be kept for a minimum of six months.
  • Connections to the Council network are made in a controlled manner.
  • An annual health check must be made of all Council IT infrastructure systems.


15 IT Infrastructure

15.1 Policy Statement

There shall be no unauthorised access to either physical or electronic information within the
custody of the Council.

Protection shall be afforded to:

  • Sensitive paper records.
  • IT equipment used to access electronic data.
  • IT equipment used to access the Council network.

15.2 Purpose of this policy

Ryedale District Council will ensure the controlled use of its information, information systems and ICT equipment by all users.

The purpose of this policy is to establish standards in regard to the physical and environmental security of the Council's information, in line with section A9 of ISO/IEC 27001.

This policy establishes the principles and working practices which are to be adopted by all users, so that they can apply procedures accordingly, in order to:

  • prevent unauthorised disclosure, modification, removal or destruction of information assets
  • prevent unintended or deliberate effects on the stability of Ryedale District Council's computer network
  • comply with relevant legislation (see below)
  • ensure that information and in particular person identifiable information or business sensitive data, is not disclosed to unauthorised third parties by any means.

Users should also understand the relevant legislation relating to information security and data protection, and should be aware of their responsibilities under this legislation. The following statutory legislation governs aspects of the Council's ICT security arrangements. This list is not exhaustive:

  • Freedom of Information Act 2000
  • Human Rights Act 1998
  • Electronic Communications Act 2000
  • Regulation of Investigatory Powers Act 2000
  • Protection of Freedoms Act 2012
  • Data Protection Act 1998
  • Copyright Designs and Patents Act 1988
  • Computer Misuse Act 1990
  • Environmental Information Regulations 2004
  • Re-use of Public Sector Information Regulations 2005

15.2.1 When and to whom does this policy apply?

This policy applies to all Ryedale District Council-owned or leased / hired facilities and equipment.

This policy applies to, but is not limited to, all Ryedale District Council Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council who have access to Ryedale District Council's equipment and information (electronic and paper records). All such users are responsible for ensuring the safety and security of the Council's equipment and the information that they use or manipulate.

15.2.2 Why is this policy relevant?

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers. You may also be breaking the law.

15.3 Scope

All Ryedale District Council Councillors, Committees, Departments, Partners, Employees of the Council, contractual third parties and agents of the Council with access to Ryedale District Council's equipment and information (electronic and paper records) are responsible for ensuring the safety and security of the Council's equipment and the information that they use or manipulate.

15.4 Definition

This policy applies to all users of the Council's owned or leased / hired facilities and equipment.

The policy defines what paper and electronic information belonging to the Council should be protected and offers guidance on how such protection can be achieved.

This policy also describes employee roles and the contribution staff make to the safe and secure use of information within the custody of the Council.

This policy should be applied whenever a user accesses Council information or information equipment.

This policy applies to all locations where information within the custody of the Council or information processing equipment is stored, including remote sites.

15.5 Risks

Ryedale District Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business.

This policy aims to mitigate the following risks:

  • the non-reporting of information security incidents,
  • inadequate destruction of data,
  • the loss of direct control of user access to information systems and facilities, along with other related risks.

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our customers.

15.6 Applying the policy

15.6.1 Delivery and receipt of equipment into the Council

All ICT equipment (this includes computer, telephony and peripheral devices) acquired by Ryedale District Council must be purchased through ICT Services. ICT equipment must not be purchased through user corporate credit cards, petty cash, travel or entertainment budgets. This includes software that may be downloaded and/or purchased from the Internet.

In order to confirm accuracy and condition of deliveries and to prevent subsequent loss or theft of stored equipment, the following must be applied:

  • Equipment deliveries must be signed for by an authorised representative of Ryedale District Council using an auditable formal process. This process should confirm that the delivered items correspond fully to the list on the delivery note. Actual assets received must be recorded.
  • Loading areas and holding facilities should be adequately secured against unauthorised access and all access should be auditable.
  • Subsequent removal of equipment should be via a formal, auditable process.
  • All items of equipment must be recorded on an inventory within ICT Services. Procedures should be in place to ensure inventories are updated as soon as assets are received.
  • All equipment must be security marked, where possible using asset tags and have a unique asset number allocated to it. This asset number should be recorded in the ICT inventory as soon as possible.

15.6.2 Physical security

Physical security must begin with the building itself and an assessment of perimeter vulnerability must be conducted. The building must have appropriate control mechanisms in place for the type of information and equipment stored there. PROTECT and RESTRICTED information must be stored securely. A risk assessment should identify the appropriate level of protection to be implemented to secure the information being stored.

These could include, but are not restricted to, the following:

  • alarms fitted and activated outside working hours
  • window and door locks, or other access control mechanisms, and window bars on lower floor levels
  • CCTV cameras
  • staffed reception area
  • protection against damage, e.g. from fire, flood, dust, vibration, vandalism
  • consideration should be given to items, such as laptops, being physically attached to desks in public areas
  • workstations handling sensitive data must be positioned to eliminate the risk of the data being seen by unauthorised people.

The data centre and similar areas must be protected by additional security measures and access should be restricted according to need. Staff working in secure areas should challenge anyone not wearing a badge. Each department must ensure that doors and windows are properly secured.

Keys to all secure areas housing IT equipment and lockable IT cabinets are held centrally by IT Support, as appropriate. Keys are not stored near these secure areas or lockable cabinets.

Business critical systems should be protected by an uninterruptible power supply (UPS) to reduce the risk of data corruption from power failures. The equipment must not be moved or modified by anyone without authorisation from ICT Support.

Where coded access control mechanisms are used, codes should be known only to those people authorised to access the area/building. They must be changed regularly and also be changed immediately when a member of staff leaves or changes role and no longer requires access, or the same level of access.

Identification and access tools/passes (e.g. badges, keys, entry codes etc.) must only be held by officers authorised to access those areas and should not be loaned/provided to anyone else. They must be recovered from the staff member when they leave or change role and no longer require access, or the same level of access.

Visitors to secure areas are required to sign in and out with arrival and departure times and are required to wear an identification badge. A Council IT employee must monitor all visitors accessing secure IT areas at all times.

Wherever security processes are in place, instructions must be issued to all relevant staff to address the event of a security breach.

15.6.3 Maintaining the integrity of structured cabling

Cables that carry data or support key information services must be protected from interception or damage. Power cables should be separated from network cables to prevent interference. Network cables should be protected by conduit and where possible avoid routes through public areas.

15.6.4 Equipment maintenance

ICT, all Departmental ICT representatives and third-party suppliers must ensure that all of Ryedale District Council's ICT equipment is maintained in accordance with the manufacturer's instructions and with any documented internal procedures to ensure it remains in working order. Staff involved with maintaining Ryedale District Council ICT equipment should:

  • retain all copies of manufacturer's instructions
  • identify recommended service intervals and specifications
  • enable a call-out process in the event of failure
  • ensure only authorised technicians complete any work on the equipment
  • record details of all remedial work carried out
  • identify any insurance requirements
  • record details of faults incurred and actions required

A service history record of equipment should be maintained by IT to outline replacement and renewal schedules and to ensure budget provision is in place.

Equipment maintenance must be in accordance with the manufacturer's instructions. This must be documented and available for support staff to use when arranging repairs.

15.6.5 Use of local hard drives

Users should not store data on the local hard drive of their PC or other device. Data must be stored on the network file servers where appropriate. This ensures that information lost, stolen or damaged can be restored with its integrity maintained. Information concerning network drives and the appropriate place to store Council information can be obtained from the ICT Helpdesk.

15.6.6 Security of equipment off premises

The use of equipment off-site must be formally approved by the user's line manager and equipment taken away from Ryedale District Council premises is the responsibility of the user.

Please refer to the Remote Working Policy for further details.

15.6.7 Misuse of equipment and resources

No exhaustive list can be prepared defining all possible forms of misuse of computer resources. The individual circumstances of each case will need to be taken into account and users are expected to act within the terms and spirit of this and other relevant Council policies and procedures at all times. However, some examples are outlined below:

  • use of computer resources for the purposes of fraud, theft, dishonesty or any other illegal activity
  • storing/loading/executing of software for a purpose which is not work-related
  • storing/processing/printing of data for a purpose which is not work-related, such as for personal gain

15.6.8 Telephony

The Council acknowledges that employees may need to make calls of a personal nature whilst at work. This Code of Practice outlines reasonable steps that all employees are expected to take to ensure that the provision of service is not compromised and there is no financial loss.

There may be times when unforeseen working commitments may require the rearranging of personal engagements. The Council recognises that such calls are necessary in order for employees to effectively perform their duties and should not be treated as private. However, the Council stresses that such calls are normally exceptional and expect employees to recognise when such calls are required.

The misuse of Ryedale District Council's mobile or static telephone and fax services could be considered as gross misconduct and may render the individual(s) concerned liable to disciplinary action. The following conditions must be adhered to at all times:

  • Where possible, private calls should be made outside standard hours of service provision, i.e. before 9pm, after 5pm or during an employee's lunch break.
  • Private calls during these hours should be kept to a minimum and users should avoid giving out their work number for non-essential purposes, so as not to prevent business calls getting through.
  • Each employee should keep a record of the private calls they make.
  • Where an itemised telephone bill is available, the actual cost of each private call per the bill (plus VAT) should be recharged to the relevant employee. Employees should check the details of the itemised bills against their own records of private calls.
  • Where private calls from a mobile telephone are made but are not charged on the bill because they form part of a free use period within the contract, the employee will calculate the cost of the call at the normal tariff for the day and time that the call was made and pay that amount to the Council. This is in order to be equitable between employees and to ensure that it is the Council, and not employees who use the mobile telephone for private purposes, who benefit from any period of free usage that is associated with the Council-owned telephone.

15.6.9 Disposal or re-use of equipment

Equipment that is damaged or is to be reused or disposed of must be returned to IT immediately. Users must not reassign equipment to other users without the permission of IT.

Please note that deleting files does not permanently remove them from a device. If IT reissues any device to another Council user, or a device is passed to a third party, IT must securely erase all previous contents held on the device using specialist data removal software tools. If a third party is used for data removal or drive destruction, the data removal must be achieved by using professional software tools, e.g. equipment must be returned to IT for data removal.

Devices not intended for any form of re-use may alternatively have their internal data storage media put beyond use to an approved standard.

Software must also be removed from devices by IT before they are passed to third parties for re-use to avoid the possibility of infringing copyright or terms and conditions of the licences held.

All disposals must be authorised in writing by the IT Infrastructure Manager. Procedures should be in place to ensure that inventories are updated as soon as assets are disposed of.

If equipment is returned to another organisation for repair or replacement (e.g. multi-function printer/scanner/copiers) under a leasing agreement, IT must seek written assurance that no Council data can remain in any internal memory or other storage.

15.6.10 Regular inventory check

There should be an inventory check at least annually. Hard copy evidence of stock checks should be signed by the IT Infrastructure Manager and retained securely.

15.7 Sanctions for non-compliance with this policy

If any user is found to have breached this policy, they may be subject to Ryedale District Council's disciplinary procedure. If a criminal offence is considered to have been committed further action may be taken to assist in the prosecution of the offender(s), irrespective of any disciplinary action which may have been taken.

15.8 Policy governance

The following table identifies who within Ryedale District Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Responsible - IT Infrastructure Manager
Accountable - Corporate Director
Consulted - Unison
Informed - All Council employees, Members, temporary staff, contractors

15.9 Review and revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the IT Infrastructure Manager.

15.10 References

If you do not understand the implications of this policy or how it may apply to you, seek advice from the ICT Helpdesk.

The following Ryedale District Council policy documents are directly relevant to this policy, and are referenced within this document:
7 IT Access Policy
8 Human Resources Information Security Standards
12 Remote Working Policy

The following Ryedale District Council policy documents are indirectly relevant to this policy:

4 Email Policy
5 Internet Usage Policy
6 Software Policy
9 Information Protection Policy
10 Computer, Telephone and Desk Use Policy
11 Legal Responsibilities Policy
13 Portable Data Storage Media Policy
14 Information Security Incident Management Policy
15 Communications and Operation Management Policy

15.11 Key policy messages

  • PROTECT or RESTRICTED information and equipment used to store and process this information, must be stored securely.
  • Keys to all secure areas housing IT equipment and lockable IT cabinets are held centrally by IT Support, as appropriate. Keys must not be stored near these secure areas or lockable cabinets.
  • All general computer equipment must be located in suitable physical locations.
  • Devices should not normally have data stored solely on the local hard drive.
  • Non-electronic information must be assigned an owner and a classification. PROTECT or RESTRICTED information must have appropriate information security controls in place to protect it.
  • Staff should be aware of their responsibilities in regard to the Data Protection Act.
  • Equipment that is to be reused or disposed of must be returned to ICT Services.


16 Records Management Policy

16.1 Introduction

Ryedale District Council (RDC) recognises that its records are an important public asset, and are a key resource to effective operation and to accountability.

Like any asset, they require careful management and this policy sets out the Council's responsibilities and activities in regard to the management of its records.

It provides the framework for specific departmental and service guidance and detailed operating procedures.

16.2 Scope

This policy aims to ensure that records are managed effectively throughout the organisation in accordance with professional principles and specified legislation and guidelines (see appendix 1).

It applies to all the records of Ryedale District Council.

A record is any information held in permanent form regardless of medium, which is created, collected, processed, used, stored and/or disposed of by RDC organisations, employees, as well as those acting as its agents in the course of a Council activity.

16.3 Policy Statement

The aim of the policy is to define a framework for managing the Council's records that will:

  • create and capture accurate evidence of our decisions and activities
  • meet the needs of our stakeholders, including the public, our partners, our employees and the County Record Office
  • meet our business needs
  • protect vital records against possible disasters
  • maintain security and access
  • facilitate auditing and accountability
  • comply with statutory and other legal requirements and take into account government advice
  • dispose of records appropriately when they are no longer needed

16.3.1 Identification of roles and responsibilities

  • The Council is responsible for approving a framework for managing and overseeing its duties in relation to records management as set out in this policy.
  • The Organisational Development unit will provide the link between ICT, Data Protection and Freedom of Information, and records management practices. Where appropriate, it will co-ordinate activities, with the County Record Office, such as maintaining the Corporate Retention Schedule and publication schemes.
  • Service Unit Managers are responsible for the management of their records, in accordance with this policy, and ensuring that all staff are aware of record keeping issues.
  • The Council will liaise with the County Record Office and will advise units and individuals on the retention and management of their records and where appropriate will take custody of those records deemed worthy of permanent preservation.
  • All Council employees will be responsible for creating and maintaining records in relation to their work that are authentic and reliable.
  • Staff with specific responsibilities for records management will have these clearly defined in their job descriptions.

16.3.2 Training and Awareness

Since all Council employees are involved in creating, maintaining and using records, it is vital that everyone understands their record management responsibilities as set out in this policy.

Service Unit Managers will ensure that staff responsible for managing records are appropriately trained or experienced and that all staff understand the need for records management.

A training programme will be established to ensure that all staff are aware of their obligations around Data Protection, Freedom of Information and Records Management.

16.3.3 Records Creation and Record Keeping

Each Service Unit must have in place a record keeping system (paper or electronic) that documents its activities and provides for quick and easy retrieval of information.

It must also take into account the legal and regulatory environment specific to its area of work.

This system will include:

  • Records arranged and indexed in such a way that they can be retrieved quickly and efficiently.
  • Records are linked with the Council's metadata framework and Freedom of Information Scheme.
  • Procedures and guidelines for referencing, titling, indexing and version control and security marking.
  • Procedures for keeping the system updated.
  • The ability to cross reference electronic and paper records.
  • Documentation of this system and guidelines on how to use it.

16.3.4 Record Maintenance

The record keeping system must be maintained so that the records are properly stored and protected, and can easily be located and retrieved. This will include:

  • Ensuring that adequate storage accommodation is provided for the records.
  • Monitoring the movement and location of records so that they can be easily retrieved and provide an audit trail.
  • Controlling access to the information.
  • Identifying vital records and applying the appropriate protection, including a business recovery plan.
  • Ensuring non-current records are transferred in a controlled manner to a designated records centre rather than stored in offices.

16.3.5 Record Retention and Disposal

With increasing public access to our records, it is important that disposal of records happens as part of a managed process and is adequately documented.

Therefore, departments must have in place clearly defined arrangements for the appraisal and selection of records for disposal, and for documenting this work.

The system should ensure that:

  • The appropriate records are reviewed and disposed of/transferred to the County Record Office each year in accordance with the Retention Guidelines for Local Authorities produced by the Records Management Society of Great Britain, specific department requirements and RDC procedures for destroying confidential material and magnetic media.
  • Documentation of the disposal/transfer of records is completed and retained.
  • Records selected for permanent preservation are transferred to the County Record Office, the Place of Deposit for Public Records in North Yorkshire, as soon as possible.
  • An intended disposal/review date must be captured when creating electronic records.
  • Records subject to a Freedom of Information request are not destroyed.

16.4 Review of Policy

This policy will be reviewed regularly in accordance with the publication scheme review.

Appendix 15: Standards and Legislation

Archive and Record-Keeping legislation*

  • Local Government (Access to Information) Act 1985
  • Data Protection Act 1998
  • Freedom of Information Act 2000
  • Local Government Act 2000

* There will be other record-keeping legislation specific to certain areas of work, which should also be taken into account.

Records Management Standards and guidelines

  • British Standards (BSI) BS 4783 Storage, transportation and maintenance of media for use in data processing and information storage
  • BS 7799 Code of practice for information security management
  • BS ISO 15489 Information and Documentation - Records Management
  • BSI DISC PD 0008 Code of practice for legal admissibility and evidential weight of information stored on electronic document management systems
  • BSI DISC PD0010 Principles of good practice for information management
  • BSI DISC PD0012 Guide to the practical implications of the Data Protection Act 1998
  • Public Record Office standards for the management of public records
  • Retention Guidelines for Local Authorities (2003:1) by the Local Government Group of the Records Management Society Great Britain

Appendix 16: Corporate Records Management Programme

Action - Date/Status

Phase One:
  • Perform a records review of all areas of the Council - Complete
  • Review good/bad records management practice - Ongoing
  • Develop metadata for each area - Ongoing
  • Examine DMS/DIP specification in relation to local requirements - Ongoing
  • Information Audit - Complete
  • Section by section information audit assessing records created, storage, disposal procedures, retention schedules, metadata thesaurus etc. - Ongoing
  • Develop corporate metadata framework (in accordance with FOI scheme) - Ongoing
  • Develop and apply retention schedules to existing records - Ongoing
  • Develop procedures to ensure records are appraised and that decisions are documented - Ongoing
  • Design and implement procedures for documenting disclosure and non-disclosure decisions - Complete
  • Ensure records for permanent preservation are routinely transferred to the Record Office - Ongoing
  • Ensure that procedures are in place which enable the quick and efficient location and retrieval of information - Ongoing
  • Ensure that a business recovery plan is in place - Ongoing
  • Ensure procedures comply with standards set in the RM Policy - Ongoing
  • Establish a performance measurement scheme for the records management system - Ongoing
  • Ensure compatibility of practices with ERM system in accordance with priorities established by the EGovernment Working Party and Panel - Ongoing
  • Train those responsible for ensuring record-system standards are maintained - Ongoing

Phase Two: Maintenance and Development of the Programme - Jun 2005 onwards
  • Monitoring and review - Ongoing
  • Ongoing training and support - Ongoing
  • Maintenance of systems - Ongoing

17 Retention Policy

See PDF below.


18 Freedom of Information

18.1 Introduction

Ryedale District Council welcomes the coming into force of the Freedom of Information Act 2000 (FoIA).

It is hoped that, through the Act's support for a culture of openness and accountability, it will lead to a better public understanding of how the Council carries out its duties, the reasons for the decisions it makes and how it spends public money.

18.2 Background

The FoIA already requires the Council to have a publication scheme. This sets out which information the Council is making available to the public as a matter of course.

The present publication scheme has been updated in line with guidance from the Information Commissioner although it must remain under regular review.

From 1 January 2005, in principle, anyone may send a written request for any information held by the Council and, unless it is exempt, the Council must provide it within twenty working days.

In order to achieve this, the Council is required to review the management of its records and to produce a Records Management Policy.

If an applicant is dissatisfied with the way the Council has handled the request, the Council must consider any appeal.

If the applicant is still not satisfied, there is a further right of appeal to the Information Commissioner.

18.3 Administration

The Council has a long history of providing the public with particular information about its services, its finances and its decision-making processes.

This 'every-day' information will be included in the publication scheme.

This means that it will be treated as exempt from the formal FoIA regime and will continue to be dealt with as before, avoiding any additional work or administrative costs.

We will keep track of all formal FoIA requests using existing software and ensure that they are dealt with within the requisite timescale.

The same system will also be used to administer requests for personal data under the Data Protection Act 1998.

It is expected that simple requests for information will be dealt with by the section receiving the request.

Where the request is more complicated, it will be referred for advice to the Freedom of Information Officer or, in his/her absence, to the Council Solicitor.

Where the disclosure of any information held by the Council might affect a third party, that party will, if practicable, be given the opportunity to explain why the information should not be disclosed.

However, the ultimate decision on whether to disclose will remain with the Council.

Where it is believed that the information may be exempt (e.g. where it is someone else's personal data covered by the Data Protection Act), the request will be referred to the Freedom of Information Officer or his/her deputy.

Any decision to withhold information will always explain, in as much detail as possible, the grounds for the decision and the rights of appeal.

Any appeal against the way the Council has handled a request for information will be heard by an Appeal Panel.

The panel will be made up from Officer(s) of the Council. No one who has been involved in the information itself or the earlier decision to withhold it may sit on the panel.

Records will be kept of all FoIA requests for information and the Council's response.

These records, omitting details of the person making the request, will be made available to the public under the publication scheme.

They will also be used to review the contents of the publication scheme.

18.4 Training

Since a request for information may be delivered to anyone representing the Council, it is essential that all Members and officers should be given appropriate training.

In the first instance, this was given by the Information Access Officer from October to December 2004.

Training on the FoIA is included in all inductions for new officers and Members.

Special training will be provided for those who sit on any Appeal Panel.

An Information Management Group under the chairmanship of the Corporate Director will:

  • provide help, advice and training on freedom of information
  • review the corporate freedom of information policy

For further information contact the Council Solicitor.

Attachments (downloads)

  • Information_Security_Overview.pdf: Information security overview purpose and key messages (8 pages, 128 kB, created 04-2014)
  • Retention_policy_Mar_2014.pdf: Records Retention Policy March 2014 (8 pages, 102 kB, created 03-2014)
