ICT/GDPR/data protection Policies

Please provide to me copies of your most recent policies relevant to the use of ICT/GDPR/data protection or relevant within your local authority and which are published and in the public domain, or published internally or issued to staff internally as part of a staff Handbook, or any other soft copy communication as a memorandum or newsletter etc.

The policies may be combined or in separate distinct policies or ‘Guidance/procedures’

·  Password policy and or guidance

·  Clear desk policy and or guidance

·  Offsite working policy or guidance

·  Removable media policy sharing personal information policy

·  Social media policy and or guidance

·  Access control policy and or guidance

·  Accurate data guide policy and or guidance

·  Backup procedure policy and or guidance

·  Retention schedule policy and or guidance

·  Disposable and deletion policy and or guidance

·  Information security incident reporting procedures/policy or guidance

·  Subject access request policy and or procedures or guidance

·  Photographs and video footage policy and procedures

·  Handling of requests for access to personal information

·  Using your own device policy and or guidance

·  Data protection policy and or guidance

·  Confidentiality policy and or guidance

·  End of employment and volunteering procedures policy or guidance

·  Third party supplier’s policy or guidance

·  Procurement policy and or guidance

·  Acceptable use policy and or guidance

Devon County Council

Please note that Devon County Council is currently reviewing its data protection and ICT policies due to the implementation of the General Data Protection Regulations (GDPR).  Therefore, current policies are liable to change.  Those policies, procedures and guidance notes that are currently in place are available from the hyperlinks below.

1)  Password policy and or guidance

Guidance on passwords is currently included under Section 8.0 of the Council’s Personal Information Security Policy.

2)  Clear desk policy and or guidance

Section 15 of the Personal Information Security Policy outlines the need for a clear desk.  Further guidance is also available from the Council’s guidance entitled “Keeping my office work station secure”.

3)  Offsite working policy or guidance

The Council have produced a number of guides covering remote working.  These are listed below:

·  Carrying paper files off site

·  Keeping personal data secure

·  Keeping my mobile device secure

·  Sharing information securely by phone

4)  Removable media policy sharing personal information policy

Devon County Council do not have a removable media policy. Therefore this information is not held.

5)  Social media policy and or guidance

The Council’s Social Media Policy (not available) and associated guidance is available from the link provided.

6)  Access control policy and or guidance

Access controls are referred to in the Council’s Personal Information Security Policy.

7)  Accurate data guide policy and or guidance

Please see the Council’s Filing Information Accurately guide.

8)  Backup procedure policy and or guidance

This is covered by the Council’s Disaster Recovery Plan.  Devon County Council is not able to release this information as we consider disclosure would be likely to reveal information into the public domain that may enhance the ability of third party threat actors to compromise the security of our network.  As such, we consider this information is exempt under Section 31 of the Freedom of Information Act 2000.

Whilst the Council is mindful of the public interest in openness and transparency, we consider that in this instance, there is a stronger public interest in ensuring that the Council does not release information that might expose us to the risk of a successful cyber-attack.  As such, we consider that the public interest falls in favour of withholding this information from disclosure at this time.

9)  Retention schedule policy and or guidance

Please note that the Council’s records retention schedules are publicly available and are available to view at Keeping Devon’s Data.

10)  Disposable and deletion policy and or guidance

This is covered by Section 15 of the Personal Information Security Policy and by the Council’s Disposal of Media and Equipment Policy.

11)  Information security incident reporting procedures/policy or guidance

Please see hyperlinks to the relevant policies and guidance below.

·  Security Incident Reporting Policy

·  Security Incident Management Procedure

·  How to handle a security incident

12)  Subject access request policy and or procedures or guidance

Please see hyperlink to the Council’s subject access request handling procedure.

13)  Photographs and video footage policy and procedures

Devon County Council does not have a photography and or video footage policy or procedure; therefore this information is not held.

14)  Handling of requests for access to personal information

Please see hyperlink to the Council’s subject access request handling procedure.

15)  Using your own device policy and or guidance

Devon County Council does not currently have a use your own device policy. Therefore, this information is not held.

16)  Data protection policy and or guidance

Please find hyperlinks below to the Council’s suite of data protection policies and associated guidance.

·  Data protection policy

·  Disposal of media and equipment policy

·  Information security policy

·  Information security guidance

·  Personal information security policy

17)  Confidentiality policy and or guidance

The requirement to maintain confidentiality is included in the Council’s Data Protection Policy and Personal Information Security Policy.  See hyperlinks in response to question 16.

18)  End of employment and volunteering procedures policy or guidance

Devon County Council does not have an end of employment / volunteering policy. Therefore this information is not held.

19)  Third party supplier policy or guidance

The Council does not have a third-party supplier policy; therefore this information is not held.  Any proprietary based systems are assessed to ensure that they comply with the security requirements of the council prior to being procured / implemented.

20)  Procurement policy and or guidance

Devon County Council’s Procurement Guidance is available from the hyperlink.

21)  Acceptable use policy and or guidance

Acceptable use of the Council’s network is covered under Section 7.0 and Section 14 of the Council’s Personal information security policy.