User Security Policy


This User Security Policy describes how we (Shires Festival of Dance) protect the information you (the general public) provide to Shires Festival of Dance.

The main objectives of the policy are:

  • To ensure only authorised users have access to the Shires Festival of Dance systems and data;
  • To ensure awareness within the Shires Festival of Dance of the need for ICT Security to be made an integral part of the day-to-day operation of the festival, and that users understand their own responsibilities;
  • To minimise business damage and interruption caused by security incidents.

Security Responsibilities:

The Data Protection Officer must ensure that users understand their information security responsibilities and ensure that all volunteers obtain an Enhanced Disclosure and Barring Service (DBS) check where this is required.

Security Awareness:

Shires Festival of Dance must ensure users are aware of their policies, including all new committee members. Upon termination of our relationship with a user, access to data will be removed immediately. The Secretary must ensure that users (leavers) return all of the organisation’s assets in their possession upon termination of their relationship with Shires Festival of Dance.

Data Owners

Every system and shared drive will require a data owner and list of staff / departments that are allowed access to the data. Additionally, the flow of this data from collection to processing, sharing, storage and through to disposal needs to be recorded (or mapped) as part of the compliance aspect of GDPR 2018.

Sensitive Information

Users are reminded to be mindful when disclosing sensitive information (General Data Protection Regulation 2018 and Electronic Communication Act 2000, 2012); such information must be sent from an official Shires Festival of Dance email account and not personal accounts.

Email Classification

Emails should be classified as either:

  1. Public – Shires Festival of Dance information that can be seen by anyone;
  2. Restricted – Information restricted to users of Shires Festival of Dance Committee only;
  3. Confidential – Information which is sensitive because it is personal data, commercial or legal information, under embargo prior to wider release, or which could not be disclosed under Freedom of Information Act 2000 legislation, including information about an individual or the organisation. May also include information provided to the Shires Festival of Dance by other organisations.

System User Access

Recruitment

The Shires Festival of Dance must ensure that potential users are recruited in line with the Shires Festival of Dance Constitution for the roles they are considered for. Background verification checks (DBS) must be carried out on all such potential users, in accordance with all relevant laws, regulations and good practice.

Responsible Persons

The Data Protection Officer and Secretary must ensure that users understand their information security responsibilities within this policy; policies must be given to all new committee members and explained where necessary for the undertaking of the users’ roles and responsibilities.

System Access

Data Owners

The Data Protection Officer must confirm which data systems are needed, dependent upon the job role as defined in the user’s job description/person specification.

Every system and shared drive will require a data owner and list of volunteers that are allowed access to the data.

Data owners have key responsibilities for data under the DPA 1998 and GDPR 2018. Each data owner needs to maintain a process map or data flow which outlines the flow of information from the point of collection, through processing, sharing, storage and ultimate disposal or archive.

For a list of data owners, see below:

New Users (Committee Members)

All new users who are granted access to sensitive data on behalf of Shires Festival of Dance are to be made aware of the guidelines set out in all policies relating to sensitive data security so that they may carry out their role efficiently and securely. The Shires Festival of Dance must ensure that all users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their work, and to reduce the risk of human error.

In addition, all committee members who handle information carrying a protective marking of Official-Sensitive data must be made aware of the impact of loss of such material.

Existing Users

The Data Protection Officer must maintain an up-to-date list of users who have access to official, sensitive, personal and confidential data.

The Secretary will notify the Data Protection Officer of any changes in a user’s role, to ensure that the user’s access can be changed as appropriate. This applies to obtaining new or extended access to systems or data as well as to removing any access that is no longer needed. Any changes to user access must be made in a timely manner and be clearly communicated to the user along with any changes in the security procedures.

Leavers

Upon termination of their relationship with Shires Festival of Dance, users who have access to sensitive data will be restricted from accessing any such data and must return any assets provided by the Shires Festival of Dance.

Leavers are reminded that they should not disclose Shires Festival of Dance data or sensitive information once their relationship is terminated with the Shires Festival of Dance due to the Shires Festival of Dance’s obligation to data protection regulations.

Leavers must not send any Shires Festival of Dance information, files or contacts to their personal email account or take any paper or electronic copies with them.

Return Assets

The Data Protection Officer must ensure that users within the Shires Festival of Dance who have been issued with storage assets return all of the association’s assets in their possession upon termination of their involvement with the Shires Festival of Dance. This must include any copies of information in any format. It also includes, but is not limited to, laptops, tablets, mobile phones, ID passes and memory sticks.