Protecting sensitive and personal data
As a large council we hold information in different forms, such as on paper or electronically, and at different levels of sensitivity. Sensitive information can include any confidential information you work with that is expected to remain private, for example personal data, commercial or management information.
In these unprecedented times, where many of us are working from home or in an unfamiliar role, how we protect our sensitive information is even more important.
Working with sensitive information remotely
Follow our guidance for working with sensitive information remotely:
- you may be sending more emails than usual. As ever, take care to use the right email address and check any attachments when sending sensitive information. Make sure you use bcc when sending to large groups of people
- never save council information on personal computers, phones or tablets
- store your files in secure cloud locations such as Teams, SharePoint or OneDrive, rather than third party apps like Dropbox or Google Drive, or removable media
- it’s possible to access Office 365 applications including SharePoint, Word, Excel, PowerPoint, Teams, Skype and email on your personal device. Speak to your manager about setting up multi-factor authentication or setting up remote access from a phone or tablet
- lock your device when you're not using it. This is still important at home so that only you as the permitted user can access council information
- take care to protect access to apps such as Teams and Yammer on personal phones or tablets that are used by other family members
- if you have phone calls or video meetings be aware of whether other people might be able to eavesdrop, even inadvertently
- if you’re using Microsoft Teams, make sure you have the correct sensitivity classification set. Ask your manager about this.
- check the membership of the Team is appropriate before sharing any sensitive information, either in posts or when uploading documents.
Working with sensitive paper records
Follow our guidance for working with sensitive paper records during coronavirus. Make sure you:
- update your line manager if you’re working with paper records at home and return the records safely when you return to the office
- only take paper records away from the office if you're unable to carry out your role without them. If you need to be out and about as part of your role, think about whether you need to take paper files; is the information available electronically?
- remove any council information or devices from your car and keep them securely and out of sight at home, including notepads, laptops and files
- shred any notes written on paper (for example, notepads, Post-its) that are of a confidential, personal or sensitive nature. Use a cross-cut shredder or set them aside securely until you can put them in office confidential waste bins
Sharing sensitive information externally
Follow these steps when sharing sensitive information externally:
- think: what is your objective for sharing the information? Can this be achieved without sharing? Is the sharing fair to data subjects and would they reasonably expect it?
- check: are you sharing only the minimum amount of information necessary? Is the information accurate and suitable for its intended purpose? Are you sharing the correct information with the right recipients? Take particular care when using email. Is there a legal reason the information cannot be shared or used for your intended purpose?
- share: if the information is sensitive, use a secure means to send it to your target recipients, for example encrypted email or Teams. Record what, when, why and how the information was shared and who with
Be alert for phishing emails. Criminals try to take advantage of fear and uncertainty by sending email that appears to be from authorities or council officers to lure you into clicking on malicious links or providing your private information.
Recent phishing attempts include a link to purchase PPE, tax refunds and the cure for COVID-19.
Before clicking on a link, ask yourself a few questions:
- was I expecting this email? If unsure, contact the sender directly using the email address in your address book (don’t just click ‘reply’)
- do I know the person or company that sent the message?
- am I addressed by name both in the email ‘To’ field and in the body text of the email?
- does the email read well with appropriate punctuation and spelling?
- is the sender’s email address correct?
- have I checked where the link is sending me by holding the mouse cursor over the link and checking the address? You can search for the legitimate website instead of clicking on the link
Never click an attachment you weren’t expecting, even if it appears to be from somebody you know. The sender’s email address may appear genuine but could be spoofed. It is always best to check back with that person to make sure the attachment is legitimate before you open it.
Do you have a smart speaker like Google or Alexa or a virtual assistant enabled on your mobile phone?
If you do, make sure your speaker's microphone or your phone's virtual assistant is switched off when holding private conversations. Sometimes they can be falsely triggered, causing conversations to be accidentally recorded. Read more about using these devices safely.
Get support for protecting sensitive data
Find out who to contact if you need help with protecting sensitive data.
If you experience a personal data breach, still report it as normal. Speak to your manager for information on how to do this and what constitutes a data breach.
If you receive a request from someone wanting to exercise their information rights, for example request a copy of their personal data, refer them to the Information Compliance Team by emailing:
Records Management Unit
The Records Management Unit at County Hall is open on Wednesdays for emergency record retrievals by request only.
Email the Records Management Team: firstname.lastname@example.org
Speak to your manager about information governance or contact the Information Governance team directly:
Contact Alex Barrett for any cyber security questions: email@example.com.