Why security is important – protecting our operations and avoiding harm to our users
If the security of our IT systems and the data they contain is compromised or fails, the consequences for ART could be severe. These might include:
Operations are hindered or interrupted with consequent loss of service to our users.
Reputational damage to the Association and loss of users’ confidence in ART.
Legal action by the Information Commissioner’s Office which may result in significant fines.
Harm to our users – while most of the information we hold about them is not sensitive in the vast majority of cases, we need to be aware that the release of personal information to unauthorised persons or its publication may, in special cases, result in harm to the data subject. An example might be revealing the location of a user who is involved in an acrimonious relationship breakdown or who is taking refuge from domestic abuse.
What the GDPR requires of us
The GDPR places a legal obligation on ART to process its personal data “in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”. It requires the Association to ensure the ‘confidentiality, integrity and availability’ of our data and furthermore that our systems are ‘resilient’ in the face of adverse events such as cyber attack or accidental loss of data.
What the IT Team will do to maintain security
The IT Team have a key role in maintaining our data security. In brief, they will ensure that:
There is effective back-up of our data.
There is an up-to-date disaster recovery plan for our systems.
Our suppliers of IT services meet their agreed obligations in terms of reliability of services and support in the event of technical problems.
There are appropriate and up-to-date protection measures against malware and cyber attack.
Regular monitoring and resilience testing take place.
What individuals can do to maintain security
While much depends on the work of the IT Team, all staff and volunteers have a duty to prevent breaches of data security by following good practice guidelines. These include the following measures:
Use strong passwords, which are not easy for others to guess or discover, to protect access to systems and devices.
Avoid disclosure to unauthorised persons – do not give information in response to telephone requests or emails unless you are certain that they come from staff or volunteers authorised to have access.
Protect laptops and other portable devices from theft or accidental loss – do not leave them unattended in a public area.
Ensure external hard drives are kept secure and avoid using memory sticks to store personal data as these are easily lost or mislaid.
Ensure paper records are not left unattended where others can view their contents. When not in use they should be filed away. If they contain sensitive personal data, they should be stored in a locked filing cabinet.
Ensure that you have adequate security software installed on personal computers and other devices to protect against malware and cyber attack. Keep this up to date and act on security warnings from software providers.
Avoid opening attachments or internet links unless you are certain that they are safe – be wary of phishing and malware emails.
Use passwords or encryption to protect folders and files containing personal data.