Please provide to me, copies of your most recent policies relevant to the use of ICT/GDPR/data protection or relevant within your local authority and which is published and in the public domain, or published internally or issued to staff internally as part of a staff Handbook, or any other soft copy communication as a memorandum or newsletter etc.
The polices may be combined or in separate distinct policies or ‘Guidance /procedures
· Password policy and or guidance
· Clear desk policy and or guidance
· Offsite working policy or guidance
· Removable media policy sharing personal information policy
· Social media policy and or guidance
· Access control policy and or guidance
· Accurate data guide policy and or guidance
· Backup procedure policy and or guidance
· Retention schedule policy and or guidance
· Disposable and deletion policy and or guidance
· Information security incident reporting procedures/policy or guidance
· Subject access request policy and or procedures or guidance
· Photographs and video footage policy and procedures
· Handling of requests for access to personal information
· Using your own device policy and or guidance
· Data protection policy and or guidance
· Confidentiality policy and or guidance
· End of employment and volunteering procedures policy or guidance
· Third party supplier’s policy or guidance
· Procurement policy and or guidance
· Acceptable use policy and or guidance
Devon County Council
Please note that Devon County Council is currently reviewing its data protection and ICT policies due to the implementation of the General Data Protection Regulations (GDPR). Therefore, current policies are liable to change. Those policies, procedures and guidance notes that are currently in place, are available from the hyperlinks below.
1) Password policy and or guidance
Guidance on passwords is currently included under Section 8.0 of the Council’s Personal Information Security Policy.
2) Clear desk policy and or guidance
Section 15 of the Personal Information Security Policy outlines the need for a clear desk. Further guidance is also available from the Council’s guidance entitled “Keeping my office work station secure”.
3) Offsite working policy or guidance
The Council have produced a number of guides covering remote working. These are listed below;
· Carrying paper files off site
· Keeping personal data secure
· Keeping my mobile device secure
· Sharing information securely by phone
4) Removable media policy sharing personal information policy
Devon County Council do not have a removable media policy. Therefore this information is not held.
5) Social media policy and or guidance
The Council’s Social Media Policy (not available) and associated guidance is available from the link provided.
6) Access control policy and or guidance
Access controls are referred to in the Council’s Personal Information Security Policy
7) Accurate data guide policy and or guidance
Please see the Council’s Filing Information Accurately guide.
8) Backup procedure policy and or guidance
This is covered by the Council’s Disaster Recovery Plan. Devon County Council is not able to release this information as we consider disclosure would be likely to reveal information into the public domain that may enhance the ability of third party threat actors to compromise the security of our network. As such, we consider this information is exempt under Section 31 of the Freedom of Information Act 2000.
Whilst the Council is mindful of the public interest in openness and transparency, we consider that in this instance, there is a stronger public interest in ensuring that the Council does not release information that might expose us to the risk of a successful cyber-attack. As such, we consider that the public interest falls in favour of withholding this information from disclosure at this time.
9) Retention schedule policy and or guidance
Please note that the Council’s records retention schedules are publicly available and are available to view Keeping Devon’s Data
10) Disposable and deletion policy and or guidance
This is covered by Section 15 of the Personal Information Security Policy and by the Council’s Disposal of Media and Equipment Policy.
11) Information security incident reporting procedures/policy or guidance
Please see hyperlinks to the relevant policies and guidance below.
· Security Incident Reporting Policy
· Security Incident Management Procedure
· How to handle a security incident
12) Subject access request policy and or procedures or guidance
Please see hyperlink to the Council’s subject access request handling procedure.
13) Photographs and video footage policy and procedures
Devon County Council does not have a photography and or video footage policy or procedure therefore this information is not held.
14) Handling of requests for access to personal information
Please see hyperlink to the Council’s subject access request handling procedure.
15) Using your own device policy and or guidance
Devon County Council does not currently have a use your own device policy. Therefore, this information is not held.
16) Data protection policy and or guidance
Please find hyperlinks below to the Council’s suite of data protection policies and associated guidance.
· Disposal of media and equipment policy
· Information security guidance
· Personal information security policy
17) Confidentiality policy and or guidance
The requirement to maintain confidentiality is included in the Council’s Data Protection Policy and Personal Information Security Policy. See hyperlinks in response to question 16.
18) End of employment and volunteering procedures policy or guidance
Devon County Council does not have an end of employment / volunteering policy. Therefore this information is not held.
19) Third party supplier policy or guidance
The Council does not have a third-party supplier policy; therefore this information is not held. Any proprietary based systems are assessed to ensure that they comply with the security requirements of the council prior to being procured / implemented.
20) Procurement policy and or guidance
Devon County Council’s Procurement Guidance is available from the hyperlink.
21) Acceptable use policy and or guidance
Acceptable use of the Council’s network is covered under Section 7.0 and Section 14 of the Council’s Personal information security policy.