Do not:-
- Use someone else’s password/access code to access information.
- Leave personal data or sensitive personal data on your desk or photocopier at any time; this type of data should be held securely and locked away.
- Transfer data from your own personal computer to work or vice versa.
- Use USB sticks to transfer data between your own personal computer and work computer.
- Release CCTV footage without making the necessary checks, as it may contain information which an individual is not entitled to receive.
- Send personal or sensitive personal data via facsimile, as it is very easy to send information to the wrong number.
- Provide personal or sensitive personal information over the telephone unless you know the person from the organisation that is requesting it, and even then always ensure that there is a data sharing agreement in place or a legitimate reason for sharing that information.
- Take hard copy files containing personal and sensitive personal data out of the office to visit tenants or to take to meetings, as there is always the risk that a piece of sensitive information may fall out of the file unnoticed, or that the information could be lost, left in someone’s house, left on public transport or stolen.
Do:-
- Check that the email address and recipient are correct before sending any personal or sensitive personal data via email.
- Check some background information if you receive a request for sensitive personal information by email, i.e. are the name and address correct? Does it refer to the correct sections of the Act?
- Ensure that all portable media containing personal data is encrypted.
- Ensure that any personal data or sensitive personal data that is sent to someone via email is either sent via secure email or encrypted. Whilst files sent via internal email from the office are secure, individual emails sent to external organisations that contain such data are not secure. Where large volumes of personal or sensitive personal data are being sent by email, the file(s) should be password protected first and then encrypted. Under no circumstances should the password be sent by email or included in the body of text in an email. Passwords may be provided by telephoning the person once they acknowledge receipt of your email, or may be sent by text if you are certain that the telephone number that you have been provided with is correct.
- Ensure that any files being taken to Court or solicitors' offices are logged out, recording the signature, date and time, and that they are then logged back in on return with a signature, date and time.
- Ensure that if you are disposing of furniture as part of an office move, any cabinets are empty prior to disposal. In 2017, the ICO fined Norfolk County Council £60,000 for leaving files which contained sensitive information about children in a cabinet that was sold to a second-hand shop.