Date approved: May 2020 Min: 67/20/TC
Review Date: May 2021
In this policy:
Committee members – means all elected and co-opted members of any Committee or Sub-Committee of the Town Council.
Staff – means those employed by the Council and volunteering for the Council
Device – means computers (desktop and laptop), tablets, smartphones, external hard drives or other such equipment capable of storing & accessing data
Town Council business – means any activity undertaken under instruction or general control of the Town Council.
Personal data – follows the meaning set out in Article 4(1) of the General Data Protection Regulation:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Personally owned – means ownership of a Device by a person or legal entity, that is not the Town Council
The purpose of this policy is to ensure, so far as possible, that personally owned Devices used by councillors, staff and committee members to conduct Town Council business are used in a manner that protects and lawfully processes personal data.
- Town Council owned devices
Staff use Town Council owned devices to undertake their work and access official information.
Desktop computers are provided to staff members and are password protected. They do not store files locally. All files are accessed through a closed and secure Citrix system controlled by the IT provider, Microshade.
Staff laptops are enabled with the same closed Citrix file system. From time to time, if an adequate internet signal is not available, documents might be downloaded to the laptop for use before being either deleted or uploaded back into Citrix once they are no longer required locally. Documents are not permitted to be stored locally for any length of time beyond that reasonably required to undertake an identified piece of work. All laptops are password protected and fitted with anti-virus protection provided by the Council’s IT provider.
One Town Council owned laptop is provided for use by the Town Mayor in order to carry out official Town Council business. The laptop is password protected and fitted with anti-virus protection provided by the Council’s IT provider.
The Town Council provides official staff and councillor email addresses on an Exchange server controlled by the Council’s IT provider.
Staff email addresses are retained within the closed Citrix system and can be remotely wiped if necessary. If the Exchange email system is linked to an iOS or Android device for remote access to emails, this can also be wiped remotely if required.
- Personally owned devices
The Town Council provides official staff and councillor email addresses on an Exchange server controlled by the Council’s IT provider. If the Exchange email system is linked to a personally owned iOS or Android device for remote access to emails, this can be wiped remotely by the IT provider if required.
Each email user is responsible for memorising and keeping secure their own password. If emails are accessed via a personal laptop or desktop computer, the operating system of that device will usually automatically remember the password for ease of future access. The Council’s IT provider is unable to remotely wipe the Council email used on these devices.
Councillors using their own device for Council business are requested to ensure they keep the password secure and set the device to lock once it has been idle for five minutes.
Whenever possible, councillors are requested not to access Council information on shared devices. If councillors require a new password for any reason, they are required to notify the Council office before contacting the Council’s IT provider directly by phone. The IT provider will confirm the call with the Council office and check the credentials of the caller/councillor.
The Town Council has identified the following risks inherent in using personally owned devices to conduct Town Council business:
| Event / Action | Risk | Action to mitigate risk |
| --- | --- | --- |
| Inadequate or lack of appropriate security measures used to control access to Device | Personal Data might be accessible to unauthorised third parties | All councillors are requested to keep passwords secure and not to share devices with others, including children. |
| Device used in an insecure manner | Device could be affected by malware which could result in Personal Data being accessed by unauthorised third parties | Councillors are made aware of their obligations to exercise care when using devices to access Council information, and to ensure passwords and anti-virus software are up to date. |
| Device lost or stolen | Personal Data may be accessible to unauthorised third parties | If the Exchange email system is linked to an iOS or Android device for remote access to emails, it can be tracked and remotely wiped. |
| Device sold or given away without being cleaned before transfer | Personal Data may be accessible to unauthorised third parties | If the Exchange email system is linked to a personally owned iOS or Android device for remote access to emails, it can be tracked and remotely wiped. |
| Staff member ceases to be employed by the Council or Councillor ceases to be a member of the Council and Device is not returned | Personal Data may remain accessible on the Device and could be used for unauthorised purposes or disclosed to third parties | Staff are aware of the requirement to return Council assets, failure of which can result in a deduction from final salary and/or police action. Any suspected data breach will be reported to the ICO, as necessary. Failure by a councillor to return a Council owned device can result in loss of reputation and/or police action. If the Exchange email system is linked to a personally owned iOS or Android device for remote access to emails, it can be tracked and remotely wiped. |
- Access to devices
4.1 Devices used for Town Council business must be secured by a password or a biometric access control such as fingerprint recognition.
4.2 Passwords must comply with the following rules:
(a) Passwords should not be written down.
(b) A different password should be used for each and all devices or email accounts.
(c) Passwords must not be disclosed to any other person. If a password is disclosed to any other person, whether deliberately or inadvertently, it must be changed immediately.
(d) Passwords should be changed at least every 12 months.
(e) Passwords should be a complex mix of letters and symbols, at least 8 characters long.
4.3 Devices used by one or more persons must have a separate user profile for each user, secured by a password, as above.
4.4 Devices must be configured to automatically lock if left idle for more than five minutes. Passwords must be required to unlock the device.
- Safe use of own devices
5.1 Devices must have appropriate and up to date anti-virus and other anti-malware software.
5.2 Home Wi-Fi networks must be encrypted.
5.3 Reasonable care should be exercised if using public Wi-Fi to connect devices.
- Retention and Use of Personal Data
6.1 Personal Data received for the purposes of Town Council business and accessed via a personally owned device must be permanently deleted from the device or email account once the related Council business is completed.
6.2 Personal Data should not be retained on a device or in an email account in case it is needed for a different purpose in the future, unless permission has been obtained to retain the data for general Town Council Business or unless the Town Council is required by law to retain the Personal Data.
6.3 Personal Data must not be used by any person or for any purpose other than that for which it has been provided.
6.4 Personal Data received for the purposes of Town Council Business must not be shared with any other person or organisation without prior authority from the data subject or the Town Clerk.
- Lost or Stolen Devices
7.1 In the event that a Device is lost or stolen, or is suspected of having been lost or stolen, the Town Clerk must be informed so that appropriate steps can be taken to disable email access and remotely wipe the account if possible. The Town Council will work with the owner of the lost or stolen Device to identify any personal data at risk and will then take appropriate action, including reporting any breach to the ICO as necessary.
- Repair of Devices
If a Device needs to be repaired, the owner will take all reasonable steps to ensure that the repairer cannot access any Personal Data.
- Transfer or Disposal of Devices used for Town Council Business
If the owner wishes to transfer or dispose of a personal Device which has been used for Town Council Business, all Personal Data must be deleted from that Device using a method which prevents recovery. Any email accounts set up locally for Town Council Business should be deleted from the Device.
- Leaving the Town Council
10.1 If a Councillor ceases to be a member of the Town Council for any reason, all confidential or Personal Data received in the course of Town Council Business must be permanently deleted from own Devices.
10.2 On the termination of a staff member’s employment or service from the Town Council:
(a) the staff member must immediately return Devices issued by the Town Council; and
(b) all Personal Data or apps used to access information received in the course of Town Council Business must be permanently deleted from personally owned Devices.
(c) Staff will be asked to provide evidence that this has been actioned.