Data Protection & Cyber Security Policy
Contents

Subject / Page No

Policy Governance - 3
Data Protection Context - 3
Policy and its Purpose - 4
Scope - 5
Responsibilities - 5
General Staff Guidance - 6
Fair and Lawful Processing - 7
Data Use - 8
Data Accuracy - 9
Technical and Physical Security - 9
Record Retention & the Disposal of Hardware and Documents - 11
Breaches - 11
Continuous Improvement - 12
Data Subject Rights - 12
Disclosing Data - 12
Providing Information - 13
Appendix A, Cyber Security – Staff Guidance - 14


1. Policy Governance.

Prepared By:
Approved by:
Operational From:
Reviewed Date:

2. Data Protection Context. 

The Data Protection Act 2018, including the reforms contained within new legislation (GDPR), aims to promote high standards in the handling of personal information and to protect individuals' right to privacy. It applies to organisations processing information about living individuals in digital and in paper formats. Organisations must follow the principles of data protection and other aspects of the legislation. These say that personal information must:

• Be processed lawfully, fairly and transparently;
• Be used for a specific, explicit and legitimate purpose with no incompatible processing;
• Be adequate, relevant and not excessive;
• Be accurate and kept up to date, and rectified or erased if inaccurate;
• Not be kept for longer than is necessary;
• Be processed securely.

Also:

• The rights of data subjects are fully embraced.
• The responsibilities of data controllers and data processors are understood and followed.
• The transfer of personal data beyond the EEA is done securely and lawfully.

The Kent Police Sports and Social Association (KPRA), hereinafter referred to as the Association, takes seriously its responsibility to comply with the Act and to be able to demonstrate how it does so.

Data Controller Registration.

The Association is registered as a Data Controller with the Information Commissioner's Office, Reg Number ZA362603. It processes personal data for the purpose of managing and administering the Association in accordance with the aims stated in its constitution. These are to encourage, co-ordinate and promote the pursuit of all forms of sport, leisure and other recreational activities and to assist and support its members in maintaining interest in such activities and a "healthier way of life".


Structure.

The Association is a not-for-profit association, run on behalf of its members. It consists of branches and sports sections; its operation is administered by employees of the Association and by members who volunteer to assist with administrative roles. Members consist of Kent Police Officers, PSEs and Kent Police Special Constabulary Officers, as well as retired employees who pay a subscription, and the immediate family (spouse, partner and dependent children) of a subscribing member.

The Association's administrative centre is at Kent Police HQ, Sutton Road, Maidstone, Kent ME 15 7

Processing.

The personal data processed by the Association is primarily for maintaining a membership list, accounts, booking various activities and a lottery. The Association negotiates with third parties, including the leisure industry and various other retailers, to obtain offers and benefits on behalf of its members. These offers are circulated to members for their information; the Association does not carry out direct marketing with or on behalf of any third party.

Information Assets

Information assets are limited in number and include: membership application requests, a list of approved members, the lottery share-holders list, accounts, and application forms for the use of holiday homes or equipment belonging to the Association.

3. Policy and its Purpose.

This policy describes the manner and purpose of processing, and how the collection, recording, organisation, structuring or storage, adaptation, alteration, retrieval, dissemination, restriction, security, erasure or destruction of data is carried out.

The intention of this data protection policy is to:

• Ensure the Association is compliant with data protection law and follows good practice.
• Safeguard the privacy and rights of its employees and members.
• Mitigate potential threats posed by cyber criminality.
• Encourage openness in how it collects, manages, and disposes of individuals' data.
• Ensure data is processed securely and avoid the risk of inadvertent breaches.
• Provide governance and guidance for employees of the Association, as well as those members who volunteer to assist with its governance and administration, and contractors.

4. Scope.

This policy is applicable to:

• Employees of the Association.
• All members involved in the governance of, or taking on administrative responsibilities for, the Association.
• Contractors, suppliers and other people authorised to work or act on behalf of the Association.

It applies to all personal data processed by the Association relating to identifiable individuals in pursuit of the aims stated in its constitution, even if that information technically falls outside of the Data Protection Act 2018 including the GDPR.

This includes:

• Names of individuals
• IP addresses
• Postal addresses
• Email addresses
• Telephone numbers
• Digital images
• Biometrics
• Plus any other information relating to individuals.

5. Responsibilities. Every member of staff, or member acting in a governance or administrative role, or contractor or agent is expected to be conversant with the contents of this policy. Everyone who directly handles personal data must ensure that it is handled and processed in accordance with this policy and data protection principles. 

The Association's trustees are responsible for ensuring it meets its legal obligations.

The Association's Recreation Association Manager acts as the Data Controller on the Association's behalf and is responsible for:

• Directing the manner and purpose for how personal data is used, and for transparency in how it is processed.
• Keeping the trustees updated about data protection responsibilities, risks and issues.
• Reviewing technical countermeasures and policy compliance, in line with an agreed schedule.
• Arranging data protection training and advice for those highlighted in this policy.
• Responding to data protection questions from staff and anyone else mentioned in this policy.
• Managing requests from individuals to see the data the Association holds about them (Subject Rights).
• Checking and approving any contracts and agreements with third parties that may process, handle or access personal data on behalf of the Association.
• Approving any data protection statements attached to letters and emails.
• Addressing data protection queries from external bodies such as the media.
• Working with other members of staff to ensure marketing initiatives comply with data protection principles.

The IT used by the Association is maintained by INSERT NAMES, who are responsible for:

• Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
• Performing regular security checks to ensure security hardware and software are functioning correctly.
• Evaluating any third-party services the company is considering using for the storage or processing of its data.

Only employees or volunteers in governance or administrative positions or authorised third parties have access to personal data and information.  

6. General Guidance. 

Personal data collected and processed by the Association is not shared informally. Access to it is granted by the KPRA Recreation Association Manager only if the request is justified within the controlling legislation.

The Association provides guidance and advice to help employees, volunteers and contractors understand their responsibilities and refresh this knowledge to reduce the risk of the loss or inappropriate use of personal information. 

Employees and volunteers take sensible precautions to keep all data secure by following the guidance contained in this policy. 


The Association has a password policy to ensure that strong passwords are used, not shared, and changed frequently.

Access to the various databases used by the Association is strictly controlled. 

Employees, volunteers and contractors, as well as any data processors contracted to act on behalf of the Association understand that personal data must not be disclosed to unauthorised persons, either within the Association or to anybody external to it. 

Personal data is regularly reviewed and updated. Only that which is adequate, relevant and not excessive for our processing purpose is used, and not retained longer than is necessary.  Employees and volunteers should seek advice and guidance from the Kent Police Data Protection Officer if they are unsure about any aspect of data protection.  

Remote Working.

The Association from time to time relies on volunteers to carry out the administration of its various branches or sports sections. These responsibilities may be taken on by members who are no longer employed by Kent Police, and therefore unable to access the IT systems used by the force. In such cases they may need to use of their own IT equipment as well as their own document filing systems to carry out secretarial responsibilities.

When members volunteer to take on such administrative responsibilities it is incumbent on them to follow this policy whilst working remotely. This includes:

• Complying with the contents of this policy, including the guidance relating to Cyber Crime contained in Appendix A.
• Ensuring that the IT and filing systems used to process personal data on behalf of the Association have proportionate security and anti-virus protection systems in place.
• Once these administrative responsibilities have concluded, ensuring that all personal data processed on personal IT systems or paper files is either deleted or returned to the Association.

7. Fair, Lawful and Transparent Processing.


We collect and process your personal information to enable us to manage the Association and to inform members of offers and benefits.

It is necessary for us to collect personal information from prospective members at the point of application. This is to maintain an accurate and up-to-date membership list, to keep records of accounts, and to assist with booking any of the activities or equipment we make available to our members.

The Association operates a lottery on behalf of its members. It is a requirement for those wishing to become a share-holder to provide additional personal information including payroll or pension data to become a participant.

The Association negotiates favourable offers with third parties; these include companies who provide leisure and sporting activities, as well as retailers. We do not share personal information with them. Any special offers or discounts we are able to secure are exclusive to our membership. We communicate offers to members by posting them on our web site and by email. We do not carry out direct marketing, nor do we do so on behalf of any third party.

Our legal basis for collecting and using your personal information is:

With consent:

• It is necessary for us to collect and process personal information to register applicants and, once they are members, to maintain communications.
• To enable participation in our lottery.
• Before publishing personal information, including any pictures or images, on our web site.

In our legitimate interests:

We have an ongoing responsibility for the administration of the Association. This includes hiring out our holiday accommodation and other equipment which can be loaned to members, as well as negotiating deals and offers for the benefit of members.

It is therefore necessary for us to do so for our own legitimate interests whilst ensuring at all times that your information and your rights in relation to that information are protected.

8. Data Use. 

The Association processes personal data having obtained it lawfully, fairly and transparently as described above.


When working with personal data employees and volunteers are instructed to make use of screensavers and to lock screens when unattended, also to ensure their screens cannot be viewed or accessed by unauthorised persons when in use. 

Employees and volunteers are encouraged to exercise great care when using email, or conventional postal services to prevent personal data being unlawfully disclosed or lost.  

The Association's web site is used to keep members updated with its activities and the offers available to them. Members who use the secure registration system can access more information from the site, such as lottery results, or use it for direct communication. The web site does not currently use cookies.

Personal data is never transferred outside of the European Economic Area. 

Employees and volunteers do not save or use personal data controlled by the Association on their own personal computer, smart phone, laptop or tablet unless authorised by the Association and that use is in strict compliance with this policy. 

9. Data Accuracy. All employees and volunteers understand that it is a legal obligation to ensure the data they process is accurate, and take steps to ensure it is kept up to date.

The more sensitive or important the personal data, the more effort is made to safeguard its security.

The type of personal data processed by the Association is kept to a minimum and retained in as few places as possible; employees and members acting as volunteers are encouraged not to create duplicate or additional data sets, such as mailing lists or bespoke spreadsheets.

Employees and volunteers take every opportunity to test the accuracy of the data held by the Association, e.g. validating personal information with members during routine communication.

Personal data is updated as soon as inaccuracies are discovered, e.g. where email addresses generate a message delivery failure response, or telephone numbers listed cannot be reached.

Personal data is retained no longer than is necessary. When members leave the Association their details are removed from our membership, branch and sports section lists as soon as possible. Some personal information may need to be retained for longer periods for the Association to comply with legal requirements such as those relating to accounting or health & safety.

10. Technical and Physical Security.

It is everybody's responsibility to maintain vigilance during normal office hours. This includes verifying the identity of visitors, checking that only persons who are authorised are admitted, ensuring visitors are supervised, and controlling access to any parts of the business premises containing sensitive information.

Access is controlled including segregated access to different parts of the building.

Technical measures are in place to protect personal data stored electronically from unauthorised access, accidental deletion and cyber-attacks. This protection is reviewed with our IT supplier annually.

If personal data is stored on removable media, such as CD, DVD or memory sticks, these are encrypted or where this is not technically feasible then alternative safeguards are employed to mitigate against the risk of accidental or unlawful loss or use of personal data. 

Personal data is stored on designated servers, and drives on a secure cloud storage site. 

Servers or files containing personal data are annexed from those in general business use. 

Secure back-up systems are used to protect the personal data processed by the company.

Personal data controlled and processed by the company are not permitted to be saved directly to laptops or other mobile devices such as smart phones or tablets, other than those authorised by the company. 

The use of smart phones and tablets belonging to employees or volunteers for use in the workplace to capture images for private use or sharing on social media is actively discouraged. This also includes uploading files from personally owned accounts. 

Manual records, such as paper records and files, including those files printed from digital records, are kept in a secure place where unauthorised people cannot access, view or copy them. 

When not required, documents or files containing personal data are kept in a locked drawer or filing cabinet.


When handling paper records employees are encouraged not to remove them from the office unless absolutely necessary. When such circumstances arise, they are kept secure and are not left where unauthorised people can view them, or are at risk of accidental loss, or theft.  


11. Record Retention and the Disposal of Hardware & Documents.

We retain personal information for the duration of a person's membership; it will be removed as soon as possible after they leave. We are legally obliged to retain some records, such as those used for accounting purposes, for a longer period, which in most instances will be at least seven years.

Those carrying out voluntary secretarial responsibilities using their own equipment must, upon transferring that responsibility or leaving the Association, delete all personal information relating to Association members, as well as returning any similar records in paper format to the Recreation Association Manager.

When volunteers upgrade or replace their own IT equipment, great care should be taken to wipe all personal information relating to Association members from the computer and from hard or remote drives.

When the Association disposes of old computer hardware or removable media, extreme care is exercised to ensure that all personal data is wiped from its memory. The disposal is carried out by an IT specialist, and the operation to cleanse personal data from a computer or device is recorded.

Similarly, great care is exercised when storing and destroying paper documents which contain personal data relating to members or contractors. These types of records are destroyed using the Kent Police secure shredding system.

12. Breaches.

A data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to personal data transmitted, stored or otherwise processed.

All employees and volunteers have a responsibility to escalate any potential security risks, or actual breaches as defined above to their line manager immediately.

All employees and volunteers are responsible for recording any actual and “near miss” security incident and escalating the event to the Recreation Association Manager immediately.

They will be responsible for consulting with the Kent Police Data Protection Officer and, if required, notifying the Information Commissioner's Office of the breach within 72 hours of it becoming known.


Records of breaches are maintained by the Association, including how any lessons learned have been disseminated to employees and volunteers to avoid a repetition.

13. Continuous Improvement. The Association encourages staff and volunteers to be mindful of the need to safeguard the privacy of our customers', clients', contractors' and staff's personal data. Employees and volunteers are provided with guidance and encouraged to report actual or potential security breaches.

In addition: 

A data protection compliance audit is carried out internally by the Recreation Association Manager. 

Employees and volunteers are provided with threat and risk awareness guidance relative to their role. 

Guidance promoting information security is on display in appropriate parts of our premises.

14. Data Subject Rights. The Association understands the rights of those whose personal data we process, and will facilitate those wishing to exercise those rights fully and as promptly as possible.

These rights include:

• The right to be informed with fair processing information.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Rights in relation to automated decision making and profiling.

A request for such information is called a Subject Access Request (SAR). Ideally these should be made in writing, supported by proof of identity such as a copy of a driving licence or utility bill, and sent to the Association's address for the attention of the Recreation Association Manager. We will provide the relevant data within one month of receiving a request.


15. Disclosing Data. (other reasons) In certain circumstances the Data Protection Act allows for personal data to be disclosed to law enforcement agencies, such as the police or HMRC without the consent of the data subject. 

In such circumstances the Recreation Association Manager will disclose the data requested, having first established that the request is legitimate and lawful, and after seeking legal advice before doing so if necessary.

16. Providing Information. The Association is transparent in the methods it employs to process personal data. This includes informing data subjects of:

• Its purpose and lawful grounds for doing so.
• How their data is being used.
• How it is shared.
• How long it is kept for.
• Who is involved in its processing.
• How to exercise their rights.

 Signed:                            Chair Date:


Appendix A. Cyber Security Staff Guidance. 

Cyber-crime represents a significant threat to the privacy of individuals as well as to the Association's systems. It also poses a security threat to volunteers who support the Association by using their own computing equipment.

Types of Cyber Crime.

Hackers: Often called vandals, they scan the internet looking for well-known software security gaps. Web servers and email are their favoured target, which they exploit to plant viruses, or use the resources of systems belonging to others for their own means. If no apparent weakness is found they move on to an easier target.

Malware: Refers to various forms of intrusive or hostile computer software, such as viruses, worms and Trojan horses.

Phishing: The fraudulent practice of sending emails purporting to be from reputable companies to induce individuals to reveal personal information, such as passwords, bank account or credit card details. Those details can then be used for criminal purposes.

Ransomware: A type of malicious software designed to block access to a computer system until a sum of money is paid.

Spam: Irrelevant or unsolicited messages sent over the internet to a large number of users, for marketing, phishing or spreading malware.

Spoofing: The creation of an email with a forged sender address. This uses a respectable or reputable email address to hide that the email has been sent by somebody else.

Denial of Service: The use of multiple computers to overwhelm the victim's own computer system, shutting down their World Wide Web (www) sites or conventional commercial activity.


Individual Responsibilities

All employees and volunteers have a duty to:

• Ensure that no breaches or cyber security risks occur as a consequence of their actions.
• Ensure the accuracy and integrity of the data they record on the organisation's systems.
• Take steps to ensure that confidential and sensitive information is stored securely on the system, and encrypted when used on removable media.
• Be aware of the various types of cyber and information security incidents and how to report them.
• Protect all hardware, software and documents in their care.
• Take precautions to avoid the introduction of malicious software on the organisation's systems.
• Intervene in or report any inappropriate use of computer equipment and systems. (Such behaviour constitutes a breach.)

Passwords:

• Are confidential and must never be shared with anyone.
• Must not be inserted into emails or any other form of electronic communication.
• Those applied to user accounts should not be given out.
• Are never to be revealed on security forms.
• Do not record hints or prompts that help you remember a password.
• Must never be written down and kept insecurely.
• Must never be stored in a file on a computer or on a mobile device.
• Do not use the "remember password" function.
• Any suspicion that your password has been compromised must be reported immediately.

Computer Use.

If you have to leave your desk even for a short time, either log off or ensure that access is denied by a password protected screensaver.

Log off and close down when finishing your working day.

Allowing another individual to use your login to access data for any reason is a breach of the Associations policy, and may contravene the Data Protection Act or the Computer Misuse Act.

You should take reasonable physical steps to prevent your computer or other devices, such as laptops, tablets and the like, being accessed unlawfully. Examples include ensuring doors and windows are kept shut when the office is unoccupied, keeping laptops, tablets and smart phones out of sight when being transported, and never leaving them unattended or in cars overnight.

USB Drives & Removable Media.

Only use devices provided by the Association and only in connection with its business.

If a colleague or friend shares such a device with you, or you find one and are intrigued to find out about its contents, do not be tempted to access it on an Association or Force owned computer. You may trust the person sharing the device with you, but the device or their own computer may be infected.

Bring Your Own Device.

You must not download personal data from the Association's system to your own device unless authorised by the Recreation Association Manager to do so. This includes capturing images in the workplace or scanning documents.

Email & Malware

Emails can be generated from anywhere in the world, so until you are absolutely sure an email is genuine and its sender credible, do not:

• Click links or open attachments.
• Reply to the email, or unsubscribe.
• Ring any numbers in the email.

How to spot a Phishing Email

• Is your name missing? Genuine email senders personalise the text of their emails with your first name.
• Is it requesting personal data or bank details?
• Is it unexpected?
• Is it something related to a current news event?
• If it's from someone you know or a well-known organisation, does it look right and is it phrased correctly?
• Is it grammatically correct, or are there spelling mistakes?

Identifying Hooks.

• Does the sender's address match the organisation that supposedly sent the email?
• Hover over the links to show the real destinations.
• Contact the sending organisation using the organisation's official website. DO NOT trust or use the contact details or links in the email.
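As an added illustration of the phishing checks above (example code written for this page, not the Association's own tooling), the script below parses a constructed sample email and reports each hook the checklist describes: a sender address outside the organisation's domain, a link whose visible text differs from where it really points, a missing first name, and a request for bank details. The organisation domain kpra.example and the recipient name Alex are assumed values.

```python
"""Checks a constructed email for the phishing hooks listed in Appendix A: does the
sender address match the organisation, where do the links really point, is the
recipient's first name missing, and does it ask for personal or bank details."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for illustration only; it is not a real email.
SUSPECT_EML = """\
From: "Kent Police Sports & Social Association" <membership@kpra-offers-login.example>
Reply-To: claims@another-domain.example
To: member@example.org
Subject: Action required: confirm your bank details
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Member,</p>
<p>Please <a href="http://198.51.100.7/verify">confirm your bank details</a> via
<a href="http://kpra-login.example/account">https://www.kpra.example/account</a>.</p>
</body></html>
"""

# Phrases for the checklist item "Is it requesting personal data or bank details?"
SENSITIVE_PHRASES = ("bank details", "card details", "password", "account number")


class _HtmlCollector(HTMLParser):
    """Collects the visible text plus an (href, link text) pair for every <a>."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._link_text = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._link_text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _in_domain(host, expected):
    """True if host is the organisation's genuine domain or a subdomain of it."""
    return host == expected or host.endswith("." + expected)


def find_hooks(raw_message, expected_domain, first_name):
    """Return (code, detail) tuples, one per hook found; an empty list means none.
    expected_domain and first_name are assumed inputs a member would know."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hooks = []
    sender = msg["From"].addresses[0]
    if not _in_domain(sender.domain.lower(), expected_domain):
        hooks.append(("sender-domain", sender.addr_spec))
    if msg["Reply-To"]:  # replies quietly diverted to a different domain
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != sender.domain.lower():
            hooks.append(("reply-to-differs", reply_domain))
    collector = _HtmlCollector()
    body = msg.get_body(preferencelist=("html", "plain"))
    collector.feed(body.get_content() if body else "")
    visible = " ".join(collector.text).lower()
    if first_name.lower() not in visible:  # genuine senders use your first name
        hooks.append(("no-first-name", first_name))
    haystack = (msg["Subject"] or "").lower() + " " + visible
    for phrase in SENSITIVE_PHRASES:
        if phrase in haystack:
            hooks.append(("asks-for-details", phrase))
            break
    for href, link_text in collector.links:
        target = _host(href)  # the real destination, as hovering would reveal
        shown = _host(link_text) if link_text.lower().startswith("http") else ""
        if shown and shown != target:
            hooks.append(("link-text-mismatch", f"{shown} -> {target}"))
        if not _in_domain(target, expected_domain):
            hooks.append(("link-outside-domain", target))
    return hooks


if __name__ == "__main__":
    for code, detail in find_hooks(SUSPECT_EML, "kpra.example", "Alex"):
        print(f"{code}: {detail}")
```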


Suspicious Activity.

If you identify a suspect email, alert your Recreation Association Manager. Do not forward the email. Do not click the "unsubscribe" links; this alerts the sender that they have located an active email account.

If you have clicked a link that took you to a web site, it may be infecting your computer. Tell-tale signs include being taken to an unrelated or unexpected web site, or random activity such as windows opening and closing unexpectedly. If in the slightest doubt, turn off the computer and remove the network cable.

Websites.

Browsing infected or malicious websites presents a significant threat. Only browse known and trusted websites.

Remote Working.

You are expected to take exactly the same security precautions when working away from the office as you do in it. This includes when working in a public space such as on a train or other public area, and when working at home. Measures include ensuring that whatever computer, laptop, tablet, smart phone or other type of removable device you are using cannot be unlawfully viewed, accessed, lost or stolen, and that personal data processed by the Association is not disclosed to or viewed by anybody who is not employed by the company or authorised to see it.

The software used on the Association's systems for its business purposes must not be copied or used for personal reasons; this would be a breach of the licensing agreements, and of the Data Protection Act if the software contained personal data processed legitimately by the business.

Ransomware.

Signs of this type of attack include:

• After opening an attachment or link in an email, the performance of your PC starts to slow down.
• You are unable to open certain files, and get messages which may say the file type is unsupported, or that Windows is unable to open the file.
• There are unusual shortcuts on your desktop. Examples include files named "README.html" or "README.txt"; there are other examples.


Malicious Software. (Viruses)

The Association's systems use sophisticated anti-virus software countermeasures.

Where a virus is identified or suspected, notify the Recreation Association Manager straight away.

Newly acquired discs, magnetic media, DVDs or memory sticks should not be loaded onto computers and other devices used by the Association unless they have been virus checked beforehand. If in doubt, seek advice before loading.


 Information Security - Staff Guidance

  Store documents safely, do not take off site unnecessarily. 

Emails - check recipients or source’s address before sending or opening. 

Change password frequently - do not share yours with others. 

Update the information and data we hold regularly. 

Remove information/data that no longer serves a business need. 

Exclude general access to areas where personal information is in use.    
