Information Security Policy
Part 4
4. Core principles behind information security measures
Confidential information will be protected from unauthorised disclosure. The following principles form the core of the LGSCO’s approach to protecting information:
- Information will be maintained to provide timely access by authorised staff when needed. Security controls will be risk based and proportionate to minimise disruption to the efficient operation of the service.
- Records will be classified and labelled, if necessary, according to sensitivity.
- All information systems will have appropriate measures to guard against loss, theft, damage and unauthorised access to, and misuse of, information.
- Information will be protected from corruption and unauthorised change.
- Appropriate checks will be made before anyone is authorised to access official information.
- All staff will complete appropriate mandatory training in information security and data protection on starting, and periodic refresher training thereafter.
- Staff will not deliberately attempt to break through security controls or access information which is not required for authorised work purposes.
- All staff will be personally responsible for maintaining the confidentiality of confidential information.
- Access to information will be handled in accordance with relevant legislation, including the Local Government Act 1974, the UK GDPR, the Data Protection Act 2018, the Freedom of Information Act 2000, and the Environmental Information Regulations 2004. Guidance can be found in the Policy on Access to Information.
- Only where it is strictly necessary will information be passed on to third parties. Where appropriate it will be accompanied by directions for its use, storage and destruction.
- Where a document needs to be redacted before being passed to a third party, this should be done using Nuance (PDF Converter Enterprise). In exceptional cases other redaction software may be used, by individual agreement and installation.
- All information will be handled in accordance with the records management guidance and corporate retention schedules. Casework information will be destroyed in accordance with the Policy on Retention and Disposal of Casework Records.
- Systems will be in place to address information security breaches and suspected breaches, which must be reported to the line manager immediately. The procedure for reporting breaches is on the Intranet. Where appropriate, procedural, disciplinary and/or legal action will be taken and practical lessons learnt.
- All information and equipment remain the property of the LGSCO and will be returned on request and when contractual obligations end.
- Regular auditing and review will take place to ensure compliance with this policy.