Information handling policy

Policy overview

This policy aims to ensure we maintain the confidentiality, integrity, and availability of information in accordance with its importance to us.

The policy supports effective and secure processing of information. This includes sharing across organisational and professional boundaries.

Scope

This policy applies to all our information in all formats including:

  • hard copy information:
    • files
    • documents
    • reports
  • digital information:
    • emails
    • instant messaging
    • electronic files

It applies to all aspects of information and data processing:

  • creating
  • collecting
  • using
  • storing
  • handling
  • disclosing
  • disposing of

Information classification

We have adopted a single classification which recognises that all information has value.

The principles of the classification are drawn from the Government classification of OFFICIAL.

The single classification includes a wide range of information of differing value and sensitivity which we need to protect. The classification also recognises the need to operate within a legal framework.

Adopting a single classification with common key principles and controls which are understood, achievable, and based on commercial good practice supports the delivery of services in a multi-agency environment. Such an environment can present challenges because of a multitude of organisation-specific schemes requiring handling conditions not fully understood by all parties.

Categories of sensitive information

While we have adopted a single classification, some categories of information will attract additional safeguards because of their level of sensitivity.

You must take particular care when processing this type of information, ensuring that it is subject to enhanced controls. Such information includes:

  • personal data and data defined as special categories of personal data
  • information that if compromised, amended, or made unavailable, would cause a negative impact on reputation, service delivery, finance, or people

You must consider the nature and context of the information you are working with. You must exercise good judgement to ensure that you always process our information appropriately.

General principles

You must respect the confidentiality, integrity and availability of information at all times. All information required to deliver services and conduct business has inherent value. It requires an appropriate degree of protection.

When processing information you must ensure it is subject to proportionate and reasonable controls:

  • relative to the sensitivity of the information
  • in a manner which reduces the risk of compromise or loss

You must process information in a manner which meets legal and regulatory requirements. This includes information received from, or exchanged with, external partners.

You must not access or attempt to access information unless you have a clear and authorised business need.

You must process personal data in accordance with our Data protection policy. This supports our obligations under current data protection legislation.

All staff must be subject to appropriate employment checks prior to handling information. This includes verification of identity.

All staff processing information must undertake annual information assurance training. They must be aware of their individual responsibilities.

You must not use private or personal devices to process our information unless you are using an authorised corporate solution, for example accessing Microsoft 365 web applications.

Handling, storing and transferring information

You must:

  • adopt a clear desk and clear screen policy in accordance with the Physical security policy
  • store information securely when not in use, for example under lock and key. This applies particularly to sensitive information
  • ensure information is protected to prevent unauthorised access
  • only remove information from official premises when necessary. When doing so you must ensure it remains accounted for and always protected in line with the requirements of this policy
  • collect printed material from printers as soon as possible
  • use secure printing when the facility is available. This requires you to be physically present at the printer to receive the prints
  • encrypt information that you store on portable ICT devices:
    • laptops
    • smartphones
    • removable media, for example:
      • CDs
      • USB
  • only store ICT, removable media or hard copy information in an unoccupied vehicle if it is secured out of sight in the locked boot of the vehicle, and only if the alternative option is less secure, for example when entering a service user's home
  • exercise discretion when discussing council business in public or by telephone
  • avoid being overlooked when working

Before you distribute sensitive information ensure it is the minimum necessary to achieve your aim. For example, only share personal data with those who have a defined business need to see it. You must redact documents to remove unnecessary sensitive information.

When redacting information you must ensure it prevents accidental disclosure of data. You must carry out quality assurance checks before releasing the document to ensure redaction is successful.

You must never:

  • store passwords with an ICT device
  • store ICT devices in a vehicle overnight

Transferring information

By post or courier:

  • consider using a ‘signed for service’ when sending individual mail items containing particularly sensitive information. Your decision should be informed by the additional cost of such a service versus the additional security benefits it provides, for example an audit trail
  • you must use a reputable tracking service for bulk transfer of sensitive information via post to a named individual
  • packaging must be robust to prevent damage

You must not transfer data using removable media. If no secure alternative exists, you must:

  • use a reputable tracked service to a named individual
  • encrypt removable media using AES 256 encryption
  • communicate passwords separately and do not include them with the removable media. You must use a different communication method when providing the password

The receiving party must confirm by email, before the transfer takes place, that:

  • they are ready for the transfer
  • the recipient address is correct

Once the removable media has arrived, the receiving party must send a further email confirming that they have received the data intact.

Facsimile

You must not use facsimiles (fax) to transmit sensitive information unless:

  • exceptional circumstances exist, and
  • a more secure option of transmission is not available

You must use sound judgement, and your actions must be justifiable.

Where a decision has been made to use fax you must:

  • check and confirm the dialled number carefully
  • confirm with the intended recipient that either:
    • the receiving fax machine is located in a secure area, or
    • the intended recipient is waiting by the fax machine to receive the transmission
  • obtain confirmation that the fax has been received
  • include a fax header which includes:
    • the number of pages transmitted
    • the name of the intended recipient

By electronic means:

  • electronic transfer of council information must occur in a secure manner
  • you must encrypt email traffic when emailing sensitive information
  • staff must check and confirm the email address of the recipient is the intended one before sending

Accommodation moves

Prior to accommodation moves you must make adequate provision for the security of information in line with this policy.

When accommodation is no longer required, physical security measures must remain in place until all information has been removed.

You must ensure that hard copy information no longer required is securely destroyed.

The vacating team must complete a security sweep once accommodation has been vacated to ensure information does not remain.

Information sharing and disclosure

There is no presumption to disclose or provide unbounded access to information. You must consider the principles of openness, transparency and relevant information legislation.

You must only share information with third parties when there is a legitimate purpose.

You must comply with our Information security policies for the systematic sharing of sensitive information, such as personal data.

You must protect information received from external partners in accordance with any relevant legislative or regulatory requirements. This includes any sharing agreement or contractual obligations.

Destroying information

You must destroy hard copy information securely when no longer required. You can achieve this by:

  • using a crosscut shredder
  • using a confidential waste service such as the council's "blue bin" service

You must always control access to information until it is securely destroyed.

You must not place hard copy information in open waste bins or waste skips.

You must securely delete digital information from hardware and media when no longer required.

You must consider several factors when destroying or sanitising digital information, including:

  • the sensitivity of the data held on it
  • the type of hardware or media
  • the potential re-use of the hardware

You should seek specialist advice from the service desk by telephone: 01522 555555.

Security incidents and further information

Security incidents

You must report all security incidents involving information in accordance with our Security incident reporting policy.

Further information

For further information regarding appropriate handling of council information, email IA@lincolnshire.gov.uk.