Using Systems and Data

Policy – for all users

With effect from: 12 August 2013

Using Systems and Data Policy (NOT PROTECTIVELY MARKED) / version 3.0 FINAL || August 2013

Introduction

This policy applies to all users of Lambeth ICT facilities, equipment, or information. The term ‘users’ includes permanent staff, temporary staff, agency workers, Councillors, contractors, consultants and secondees or third parties from other organisations.

The policy serves to protect users through greater awareness. It is the responsibility of the user to follow this policy and highlight to their Line Manager any concerns they may have or when they require further guidance.

Line Managers must follow the policy themselves and are also responsible for users within their area. They must ensure that:

  • users are aware of and follow this policy
  • users are suitably trained and resourced
  • new policies are communicated to their users

Managers must ensure that ICT and HR are notified of new starters, movers & leavers via the DIY Portal.

The document is split into the following major sections;

  • Keep it safe.
  • Your responsibilities.
  • Using your personal device to connect to the Council’s network.

Breaches

Any breach of this policy may constitute a disciplinary offence and may also be unlawful. For more information please see the Council’s Disciplinary Policy or, for Councillors, the Member’s Code of Conduct.

Keep it safe

The council is entrusted with sensitive and personal information from a range of citizens, staff, partners and suppliers. We have a responsibility to ensure that this information is looked after and we take this responsibility seriously.
Why is it important?
Keeping the information that we hold safe builds trust, and this information plays a role in helping to commission, manage and deliver the right services to the right users at the right time. We would not be trusted with sensitive and personal information if we did not keep it safe. Also, we have to meet government standards on information security, and failure to do so can result in significant fines and the loss of continued access to vital data held by government departments which is needed to deliver services.

How to keep information safe

Securing equipment, data and records
Be aware
  • it is easy to read off a screen and sensitive information can easily be compromised in this way especially when working on the move or flexibly
  • high value equipment can make you a target, keep equipment and records out of sight unless they are needed
  • take care not to leave your equipment or papers behind when visiting someone or while on the move.
  • take care to collect your print-outs from the printer quickly
  • before posting printed materials review them to ensure that they don’t contain irrelevant material (e.g. other sensitive printed documents).
Use the password and screen lock
  • always lock or logout of your equipment when not using it
  • if using mobile devices ensure they are password protected with a strong password (see the “how do I?” link for further information on setting an effective password).
  • Never share your passwords to the network or Council systems with anyone.
Look after the device, and information on it
  • safely store your equipment and records in locked storage
  • dispose of records in the secure waste bins provided or shred them; devices and equipment must be disposed of via the ICT helpdesk
  • report lost or stolen corporate or personal devices to the ICT helpdesk, and if using personal equipment use the ‘remote wipe’ function

Knowing what information you hold and how to share it securely

Classifying the information you create and hold and sharing it securely
Know what information you hold
  • Maintain an inventory of all information assets (e.g. filing cabinets, stores holding paper records, computer databases and electronic files and folders) within your area both onsite and in off-site storage.
  • Electronic corporate information must be stored on centralised facilities (e.g. shared drives, SharePoint, supported applications) to allow regular backups to take place.
Classifying information
  • Information must be classified in line with the guidance on the Government Protective Marking Scheme.
  • The classification level of the information determines how it should be handled and who should be allowed access to it.
  • Standard document templates should be changed to reflect the appropriate information classification level.
Sharing sensitive information
  • Sensitive information (e.g. client personal information) and information classified as “Protect” or “Restricted” must be handled in line with the standards in the securing equipment, data and records section above, the guide on handling classified information (see section 1.5) and the guide to sharing sensitive information securely.
Things you need to know
  • To protect sensitive information, you must not set up rules to automatically forward emails from your Council email account.
  • Auto forwarding from GCSx email accounts is disabled.
  • Files over 20 Mb size are automatically blocked from being received by Lambeth email accounts and files over 20 Mb size are automatically blocked from being sent by Lambeth email accounts.

Your responsibilities

ICT resources such as internet, email and telephony and information assets you are given access to are there to ensure that you can undertake your work effectively. These resources must be used appropriately and effectively. It is also important to note that you are responsible for the security of the information that you handle as part of your role and must follow the “keep it safe” section above.
Why is it important?
ICT resources are not infinite and the misuse of ICT resources can have serious consequences for both the Council and the individual concerned. For example, misuse of ICT resources and information assets could result in disciplinary, criminal or civil action against individuals. Issues such as breach of copyright and licensing terms can also have serious consequences for the Council.

Using ICT resources effectively

Information Security Training
Complete the information security training
  • Complete the information security training within the first week of joining the Council and subsequent refresher training as instructed.
Using ICT resources
Exercise caution
  • Don’t post messages on sites or send emails that contain obscene, profane, inflammatory, threatening, harassing, disruptive or otherwise offensive language, including anything that reflects poorly on the Council’s name or reputation.
  • You can be personally liable for all statements which you make in email or online.
  • Don’t send any form of electronic communication that enters into a contract on behalf of the Council unless you have authority to do so.
  • Don’t try and access banned websites or download banned file types. If there is a business reason for needing to access a banned website or file type ask your business unit manager to request via the ICT helpdesk that the restriction be removed.
  • Your individual network account is provided for your own use; you must not use another individual’s account to send emails or access the internet.
  • If you need to correspond confidentially with a trade union representative, providing documentation that may contravene the above standards, you should seek prior advice from your trade union representative about how to communicate it.
  • If you receive an email that contravenes the above standards, you should report it to the ICT helpdesk (spam email that contravenes these standards need not be reported, unless it is believed to have infected the PC).
Sending Large or mass emails
  • Sending large emails (5Mb+) or mass emails can cause annoyance. You must not send such emails without first seeking advice from the ICT helpdesk. Continued misuse of the email system in this way may result in disciplinary action.
  • Departmental or Council wide emails must not be sent unless they have been authorised by either the Chief Executive, an Executive Director, the Divisional Director of ICT Services, the Chief Executive of Lambeth Living (for Lambeth Living all staff emails), or the Campaigns and Communications Team.
Using social media
  • Remember when using social media either in or outside of work time, you must not make statements that are likely to bring the Council into disrepute, or do not meet the standards required by the staff/member code of conduct, the media relations protocol or the “exercise caution” section above.
  • The council’s official presence on social media sites (e.g. Facebook, Twitter, YouTube and Flickr) is managed via Campaigns and Communications. See the “how do I” section above for more information on how you can request to use social media for work purposes.
Using the internet, email and telephony for personal reasons
  • Personal use of the Council’s computing facilities is allowed as a privilege and not a right.
  • You can make reasonable personal use of Council ICT and telephony facilities providing that usage is not excessive and does not interfere with your work duties or the overall operation of the Council. Excessive personal use may lead to disciplinary action (or termination of contract for non-employees).
  • Do not set rules that automatically forward emails from other email accounts to your work email account.
  • When purchasing or registering on sites online do not use your work email address, only use your council email address where the purchase or registration is work related.
  • Personal emails sent should be marked as such (“personal” or “non-work”) in the subject heading.
  • You must not use the Council’s facilities for personal commercial gain.
  • Remember to close your internet browser when you are not using the internet.
Monitoring ICT resource usage and removing access:
  • Bypassing the Council’s security controls is strictly prohibited, and may be a Criminal Offence under the Computer Misuse Act 1990.
  • The council reserves the right to monitor use of ICT Resources (Internet, email and telephony); such monitoring is normally automated by software.
  • If a line manager considers that this area of the policy has been breached then they can contact their Head of People Management/local HR team and request an email, telephony or Internet activity report.
  • Managers may request the removal of Internet facilities for users who continually breach this policy.
  • ICT Services routinely report on excessive personal use of ICT resources. In such circumstances, ICT Services will suspend the user’s access to the particular resource; inform the user’s line manager, the relevant departmental HR team, and the user themselves.
  • ICT Services also routinely report on inappropriate personal use of ICT resources, for investigation by the Internal Audit and Counter fraud team. Where monitoring uncovers a potential criminal offence then the Council is required to share relevant information with the Police (or other prosecuting body). In such cases, disciplinary as well as legal action will be considered and pursued where appropriate.
  • The Divisional Director of ICT Services can suspend individual network accounts, access to Council telephony or other ICT access where inappropriate or excessive usage is suspected.
  • You have a right of access to the personal data which is collected on you through monitoring. Requests from individuals for copies of their personal data should be made via your local HR team.
Joiners, movers, leavers:
  • All users must meet as a minimum the Baseline Security Standard check standard. This standard requires the verification of identity; nationality and immigration status; employment history (past 3 years) and criminal record as part of the recruitment process. For specific roles Disclosure checks (formerly CRB checks) will be undertaken in line with Human Resources guidance - seek advice from your departmental HR team if needed.
  • For new users, existing users changing role and leavers, managers must request the instigation/amendment or removal of access rights and security pass disablement via the DIY Portal’s Joiners, movers, leavers process at the earliest possible date.
  • Managers must ensure that where an employee/agent leaves the Council and they are not being replaced, their IT assets are returned to ICT Services to enable them to be put into use.
  • Accounts of individuals who have left the organisation are routinely deleted after 6 months (subject to requests from line management, Internal Audit, Human Resources or Legal Services to retain specific accounts beyond this period).
  • Managers must take steps to ensure that emails, documents and other electronic information that need to be retained as a corporate record in line with the Council’s Record Retention and Disposal Standard are stored outside of the account of an individual who has left the organisation.
Things you need to know – copyright and software controls:
  • Be careful not to infringe copyright or intellectual property rights when downloading from the internet or sharing information via email.
  • Council owned ICT equipment is configured to not allow individual users to download software on to them.
  • Where software needs to be purchased, this must be done through ICT Services and must not be purchased through corporate credit cards or other means.
  • Shareware, Freeware and Public Domain Software are bound by the same policies and procedures as all other software and you must not install any free or evaluation software onto the Council’s systems without prior approval from the ICT helpdesk.
  • To ensure that only Council owned software and hardware is used within the Council, ICT Services may need access to Council equipment to enable the audit to take place; this could require the removal of equipment at that time to enable further inspection. All users must co-operate fully with any such audit.

Using your personal device to connect to Council systems

To provide greater flexibility, you are permitted to connect to Council systems through your own personal device (e.g. smart phone, Laptop).
Why is it important? The ability to use personal devices to connect to the Council’s systems through agreed methods enables flexible working and provides greater access to information, whilst at the same time maintaining security of the Council’s systems and Data.

Using your personal device to connect to the Council’s network

Using your personal devices to connect to the Council
Your responsibilities
  • Remember to keep your device secure in line with the “keep it safe” section above.
  • Do not allow unauthorised users (e.g. family members) access to council systems or information.
  • Ensure software and operating system updates to your device are performed regularly.
  • Do not attempt to disable any security policies we apply to your device.
  • Report any suspected loss or theft of a personal device which has been used for work to the ICT helpdesk immediately, obtaining a police reference number for any theft and provide that to the ICT helpdesk.
  • You are advised to check that any insurance policies you have for the personal device cover usage for work purposes. The Council does not accept liability for loss, theft or damage to personal devices.
Things you need to know
  • The Council may scan your personal device to check for any security issues that could compromise the Council’s network/data.
  • ‘Jail broken’ devices are not permitted to access our services, as we cannot trust that they are secure.
  • The Council can revoke access at any time.
  • The council will not provide hardware or general software support for personal devices.
  • The Council will not be liable for any damage to the device, its hardware, software or data contained on it through using the Council’s systems.
  • Free wifi is available from most Council buildings, however you are liable for any data charges incurred from using your personal device to connect to the Council’s network/systems from other locations.

Appendix 1: Document control

Change Record

Date / Author / Version / Reason for Change
21/01/2013 / Ian Goodwin / 2.0 Draft / Initial draft
28/03/2013 / Ian Goodwin / 2.1 Draft / Further amendments following comments from Divisional Director of ICT Services.
05/04/2013 / Ian Goodwin / 2.2 Draft / Incorporating comments from ICT Strategic User Group.
29/05/2013 / Ian Goodwin / 2.3 Draft / Further amendments following comments from Divisional Director of ICT Services.
21/06/2013 / Ian Goodwin / 2.4 Draft / Comments from union consultation incorporated
01/08/2013 / Ian Goodwin / 3.0 FINAL / Final version (links to other documents included) for publishing.
04/06/14 / Dean Evans / 3.1 FINAL / Repaired Hyperlinks following move of Intranet

Reviewers

Name / Position
Ed Garcez / Divisional Director of ICT Services
Information Governance Working Group / -
Finance and Resources DLT / -

Approved by

Name / Position / Date
Ed Garcez / Divisional Director of ICT Services / 30 July 2013

Published location

Where

Using Systems and Data Policy (NOT PROTECTIVELY MARKED) / version 3.1 FINAL || June 2014