This User Security Policy describes how we (Shires Festival of Dance) protect the information you (the general public) provide to Shires Festival of Dance.
The main objectives of the policy are:
The Data Protection Officer must ensure that users understand their information security responsibilities and ensure that all volunteers obtain an Enhanced Disclosure and Barring Service (DBS) check where this is required.
Shires Festival of Dance must ensure users are aware of their policies, including all new committee members. Upon termination of our relationship with a user, access to data will be removed immediately. The Secretary must ensure that users (leavers) return all of the organisation’s assets in their possession upon termination of their relationship with Shires Festival of Dance.
Every system and shared drive will require a data owner and a list of staff / departments that are allowed access to the data. Additionally, the flow of this data from collection to processing, sharing, storage and through to disposal needs to be recorded (or mapped) as part of the compliance aspect of GDPR 2018.
Users are reminded to be mindful when disclosing sensitive information (General Data Protection Regulation 2018 and Electronic Communication Act 2000, 2012); such information must be sent from an official Shires Festival of Dance email account and not personal accounts.
Emails should be classified as either:
The Shires Festival of Dance must ensure that potential users are recruited in line with the Shires Festival of Dance Constitution for the roles they are considered for. Background verification checks (DBS) must be carried out on all such potential users, in accordance with all relevant laws, regulations and good practice.
The Data Protection Officer and Secretary must ensure that users understand their information security responsibilities within this policy; policies must be given to all new committee members and explained where necessary for the undertaking of the users’ roles and responsibilities.
The Data Protection Officer must confirm which data systems are needed, dependent upon the job role as defined in that user’s job description/person specification.
Every system and shared drive will require a data owner and a list of volunteers that are allowed access to the data.
Data owners have key responsibilities for data under the DPA 1998 and GDPR 2018. Each data owner needs to maintain a process map or data flow which outlines the flow of information from the point of collection, through processing, sharing, storage and ultimate disposal or archive.
For a list of data owners, see below:
All new users who are granted access to sensitive data on behalf of Shires Festival of Dance are to be made aware of the guidelines set out in all policies relating to sensitive data security so that they may carry out their role efficiently and securely. The Shires Festival of Dance must ensure that all users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organisational security policy in the course of their work, and to reduce the risk of human error.
In addition, all committee members who handle information carrying a protective marking of Official-Sensitive data must be made aware of the impact of loss of such material.
The Data Protection Officer must maintain an up-to-date list of users who have access to official, sensitive, personal and confidential data.
The Secretary will notify the Data Protection Officer of any changes in a user’s role, to ensure that the user’s access can be changed as appropriate. This applies to obtaining new or extended access to systems or data as well as to removing any access that is no longer needed. Any changes to user access must be made in a timely manner and be clearly communicated to the user along with any changes in the security procedures.
Upon termination of their relationship with Shires Festival of Dance, users who have access to sensitive data will be restricted from accessing any such data and must return any assets provided by the Shires Festival of Dance.
Leavers are reminded that they should not disclose Shires Festival of Dance data or sensitive information once their relationship is terminated with the Shires Festival of Dance due to the Shires Festival of Dance’s obligation to data protection regulations.
Leavers must not send any Shires Festival of Dance information, files or contacts to their personal email account or take any paper or electronic copies with them.
The Data Protection Officer must ensure that users within the Shires Festival of Dance who have been issued with storage assets return all of the association’s assets in their possession upon termination of their involvement with the Shires Festival of Dance. This must include any copies of information in any format. It would also include, but is not limited to, laptops, tablets, mobile phones, ID passes and memory sticks.