Information Security Policy

Adopted by Council: 15^th December 2020

Planned Review Date: December 2022

1. Principles and Purpose

This Policy sets out the Council’s commitment to information security within the Council and provides clear direction on responsibilities and procedures.

Crewe Town Council is a Data Controller, as defined under the General Data Protection Regulation (GDPR) and has registered as such with the Information Commissioner’s Office.

2. Protocols

2.1 System Security Processes and Procedures

The Council will provide and maintain security processes and procedures for all key information systems. The procedures will uphold the principles of confidentiality, integrity, availability and suitability and be assessed for their impact upon other systems and services.

The security procedures will provide preventative measures to reduce the risks to the system, the information held within the system and the service it supports.

The Council will apply controls to comply with the General Data Protection Regulation.

A Continuity plan is available to support the continuation of services following failure or damage to systems or facilities.

The Clerk will be responsible for the implementation and promotion of the procedures.

2.2 Physical Security

Adequate and practical access controls will be provided in all areas in which personal and business data is stored or used. Unattended rooms should be secured at all times with locked doors as a minimum security requirement.

All documents disclosing identifiable information will be transported in sealed containers e.g. envelopes.

Within their level of authority, staff will be responsible for minimising the risk of theft or vandalism of the data and equipment through common-sense precautions. In particular high value equipment such as, laptop computers, should not be left unattended or unsecured and paper records should not be left in public view.

The physical environment in which data and equipment is stored will be suitable and fit for purpose to ensure the safety of the data and equipment.

2.3 Logical Security

All computerised information and systems must be regularly backed up to a secure environment.

All computerised information systems will be password controlled and all passwords will be treated with the strictest confidence and users will not divulge their password to any unauthorised person. All sensitive data will be password protected.

2.4 Copyright and licences

The Clerk is responsible for ensuring all computer software packages and non-electronic media for use within an information environment are used in accordance with the terms and conditions of use as set out in the licence agreement.

2.5 Disposal and movement of equipment and media

Any media or IT equipment disposed of by the Council will not contain any data or codes that could allow an individual to be identified from it. The disposal of equipment will be made under a controlled and documented environment satisfying the requirements of the General Data Protection Regulation. The disposal of media such as disks and memory sticks must ensure that data cannot be recovered. Disposal of such media through the “everyday” waste collection is not permitted. The Council will implement processes to ensure appropriate disposal of such media.

An inventory of all Council computer equipment will be maintained. Details of any equipment or media disposed of or relocated (other than portable equipment) must be recorded.

2.6 Personal Computers

Computer users have responsibility for the security of the equipment in their care and shall not commit an act to compromise the data or Information Security Policy.

Computer users will be made aware of their responsibilities through this policy and the BYOD Policy.

2.7 Staff and Councillors’ Responsibilities

The Council will make every reasonable effort to ensure that staff and councillors are aware of their responsibilities for the security of information. However, each councillor or member of staff is responsible for ensuring that the Information Security Policy is adhered to and report any breaches of security.

2.8 Incident Reporting

Incidents affecting security must be reported to the Clerk as quickly as possible.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.