To ensure that everyone understands their responsibility for the appropriate use of information technology (IT) resources including SSAFA owned or leased systems and equipment and personal equipment.
This policy aims to protect all users by minimising risks and providing clarity on the behaviours expected and required by SSAFA. It sets out a framework within which we must conduct our business and explains how we maintain compliance. The policy is supported by a further information document, with more detailed advice, for users.
This policy applies to anyone using SSAFA IT equipment and services (hardware, software, data, network access, telephony, social media, email, services provided by third parties, online cloud services or using SSAFA IT credentials). It includes new and developing technologies that may not be explicitly referred to.
It applies to all volunteers, permanent and temporary employees or contractors and any third parties who are provided with access to any SSAFA provided IT service using SSAFA or personally owned equipment, also known as Bring Your Own Device (BYOD).
It covers all SSAFA locations, other locations where people have access to SSAFA networks, and storage of any non-public SSAFA information in an electronic format. Throughout the policy, all these groups of people will be termed users.
1.1. How to use this policy
The policy is laid out in sections: the first section applies to everyone and covers general principles. The following sections provide more detailed information on specific topics and, where relevant, are split into what our employees and volunteers need to do to ensure that we are compliant with the requirements of the UK General Data Protection Regulation, as amended by the Data Protection Act 2018 (“UK GDPR”).
Key responsibilities for specific groups of people are defined within each section of the policy. Responsibilities will differ depending on circumstances and roles. Everyone has a responsibility to ensure that they complete all training mandated by SSAFA and comply with requests to retrain if there is a breach of this policy. Mandated training requirements for employees are available on the intranet or through your line manager. Mandated training requirements for volunteers include: Caseworker refresher; GDPR and Data Protection Refresher; and safeguarding.
All our equipment, systems and networks are audited and monitored by the Central Office IT team to ensure compliance with this policy and its associated guidance. The security of our data and systems is very important to us and all reasonable steps will be taken to support everyone who works with SSAFA to comply with this policy.
SSAFA IT equipment and services may be accessed via SSAFA owned or provided equipment or via personally owned equipment and this policy applies regardless of the ownership of the equipment used. Personally owned equipment must be maintained with up-to-date anti-virus software (where appropriate), system patches and kept secure.
SSAFA e-mail addresses and systems must be used for all SSAFA business to facilitate auditing and record keeping and ensure that all data under SSAFA’s control is kept securely. You must take all reasonable precautions to safeguard your username, password and any other IT credentials issued to you and not provide access to your system to another individual. Providing access includes sharing this information with someone else or failing to take appropriate steps to secure your equipment, for example by locking your screen.
All equipment (phones, tablets, iPads, laptops or computers), whether owned by SSAFA or personal devices, must be secured with a password protected screensaver, a biometric lock, or Personal Identification Number (PIN) with the automatic activation feature set to 15 minutes or less.
If you are working on SSAFA related information, you must lock the screen or log off when you leave your equipment unattended. This will ensure that we do not breach Data Protection requirements (see Data Protection Policy and Guidance) and make sure that we prevent anyone from seeing anything that could be interpreted as personal or sensitive.
If in doubt about opening email attachments from unknown senders, contact the Central Office IT team for advice, as these could be phishing attacks. Attachments can carry malicious software, known as malware or viruses, that may affect your equipment or SSAFA systems.
Anyone using their mobile phone for SSAFA business should avoid discussing sensitive information in public places.
When speaking to someone on the phone, and before you divulge any sensitive information, make sure you know who you are speaking to, and be confident that you are not being overheard.
Anyone who chooses to use their own device for SSAFA business must take all reasonable steps to ensure that information and data on or accessed through the device is kept confidential by using the security features of the device. This includes encrypting documents that may contain personal or sensitive data.
If your device is an Apple iPhone or iPad, it is encrypted and protection is effective as soon as you set a PIN locking code. If your device is Android, there is an option to turn on whole device encryption in its configuration settings. Other devices may not be encryptable.
SSAFA, as the Data Controller, must control any data it is responsible for, regardless of the ownership of the equipment that is being used to process the data and expects employees and volunteers to take responsibility for the use, safety and security of their equipment.
The Central Office IT team will try to assist users where possible but cannot take responsibility for supporting devices it does not provide.
It is your responsibility to configure and maintain your device; however, SSAFA IT reserves the right to remotely wipe any organisational data, for example emails, from your device.
You must inform your line manager, Branch or Service Committee Chair and the IT team if your device is lost or stolen and know how to remotely wipe your own device to ensure integrity of any SSAFA data held on it.
Any information required to carry out your work and stored on the device should be transferred to the relevant SSAFA system, for example CMS or Care Director, as soon as possible and then deleted from your device. This includes information contained in emails or email attachments. Do not set up any non-SSAFA approved storage – whether cloud based or on physical drives.
Everyone using their own device must remove all SSAFA information from the device and return it to factory settings before selling, exchanging or disposing of it.
The UK GDPR requires everyone who handles personal or sensitive personal data to be aware of their responsibility to protect that data from inappropriate or inadvertent disclosure. You should read and be familiar with our Data Protection Policy and associated guidance to understand how this applies to your role. These are available on SSAFAnet and the intranet.
Information relating to our activities, clients and beneficiaries should only be disclosed to those who have a legitimate need to know, therefore automatic forwarding of emails from any email account is not allowed. SSAFA does not prohibit the forwarding of individual email messages to other organisations we have a data sharing agreement with, if it is necessary to support our work.
When emails are forwarded outside of SSAFA, we cannot be certain of how that information will be stored, used or circulated by the recipient or external system. This could result in confidential information being accessed on unsecured devices or by individuals who are not the intended recipient, which could constitute a breach of the UK GDPR for which SSAFA would be responsible.
Automatic forwarding of emails should not be confused with automatic replies which are also known as out of office replies.
Setting an automatic reply that provides information about leave or changes to who may need the information allows the sender to decide whether they wish to resend their email and its content to a new recipient.
These principles also apply when you are replying or forwarding email trails to other individuals in the course of your work. You should be mindful that there may be sensitive information within an email thread which it may be appropriate to delete before forwarding.
If you are using a group email address or choose to ‘reply all’ make sure that all those receiving your response are entitled to have the information you are sharing.
A “User” is anyone who is given access to a SSAFA email account or who receives information in relation to SSAFA activities, clients or beneficiaries by email. Users are responsible for protecting that data from inappropriate disclosure and for ensuring that the settings and rules they apply to their email account enable compliance with this policy.
You are given a SSAFA email account to enable you to carry out your role. Whilst we accept that there may be times when you use your work email for personal business, you should be aware that if you leave SSAFA or are away for a long time, your emails may be accessed by a senior line manager. Electronic files, folders and emails may be accessed to help new joiners or temporary workers to be fully operational in their role.
In addition, they may be accessed for security or disciplinary reasons; to ensure use is legitimate; to assist in the investigation of disputes, including complaints by third parties and to comply with any legal obligations.
We recommend that personal information is not stored in your email account or on SSAFA owned equipment. This includes:
- Emails containing personal observations, sensitive data or concerns shared with others
- Non-work related emails, for example personal banking or shopping details
The Data Protection Officer, the Data Governance Manager, managers and the IT team are responsible for ensuring that where breaches of this policy occur, they are resolved promptly with the user, in order to protect data.
The principles and management of data security are designed to protect our data and make sure that information is processed and stored securely and appropriately.
Guests or visitors to SSAFA locations who need internet access should connect through SSAFA guest Wi-Fi networks where they exist. This applies to all non-SSAFA equipment, including laptops, tablets and mobile phones.
Personal data (or Personal Identifiable Data – PII) must always be protected, and users will only have access to data they need to be able to carry out their role. All users should make sure that the personal data SSAFA holds about them is accurate and up to date.
Work email addresses should only be used for business purposes and not for external, personal accounts such as Facebook, Amazon, or Twitter. Personal email accounts are not to be used for SSAFA activities or conducting SSAFA business.
You must not infringe copyright or break the terms of licences for software or other material; ask for permission from the copyright owner if you wish to use their material. It is your responsibility to ensure that you understand how intellectual property and copyright apply to web-based resources.
You must not send spam (unsolicited bulk email), forge addresses, forward chain mails, or use SSAFA mailing lists other than for legitimate purposes related to SSAFA activities.
As a branch chair or officer with line management responsibility it is your responsibility to ensure that new volunteers complete SSAFA induction and have access to relevant training and that they do not have access to personal or sensitive data held by SSAFA until their induction has been completed. The relevant Induction Plan, available on SSAFAnet, should be completed, signed and recorded for all volunteers.
You should inform the Volunteer Experience (VE) Team of all changes in volunteer numbers. Volunteers who are no longer working with us, for whatever reason, need their access removed from our systems, including access to email accounts, to make sure we remain compliant.
As a volunteer you should let your Branch or Service Committee know if your personal details have changed. You must also inform the Volunteer Support Advisors so that Progress is updated.
You should ensure that any data we hold about you is kept updated; you can either use our HR system, Natural HR, or notify your HR team. You are accountable for all activity that is associated with equipment and network access that SSAFA has provided for you, and you must never allow anyone else to use your equipment or log-in details. You should not download and use software or fonts without permission from the IT team.
Make sure, when completing IT new starter forms, that you only request access to drives, folders and files, software and systems applicable to the role.
Each team should have a managed, shared email address to provide departmental cover during periods of holiday or other absence.
If you do need to work in a public place and there is risk of a non-SSAFA person seeing your screen, then you should reconsider working in that place.
Ideally work in secure, private spaces and if you are in an office, use a screen protector to reduce visibility of your screen and its contents.
Only carry the equipment, papers, data or other information necessary for your work of the day, leaving the rest in a secure place, either at home, in a SSAFA office or locked in the boot of your car.
Use trusted, secured Wi-Fi networks only, with the addition of a VPN client. Some hotel networks are not secure: they do not require you to enter a password to access the internet.
If your device is set to automatically connect to available open Wi-Fi networks, then you run the risk of automatically connecting to unknown and potentially dangerous networks. You should switch off auto-connect on your device settings – refer to the manufacturer’s instructions for how to do this.
In relation to your work, we strongly advise that you do not give out your personal phone number to contacts that you do not know. Further guidance is provided in our Lone Working policy with additional information for volunteers in our Personal Safety Leaflet.
Only respond to emails containing non-sensitive information when you are working away from a secure environment (for example, your home or a SSAFA office). This will reduce the chance of others seeing personal or sensitive information. A breach of the GDPR occurs if another person sees data they are not entitled to see.
Never leave devices unattended or on view in a vehicle or bag. Ideally always take your equipment with you, but if you can’t, make sure it is locked away out of sight.
Use a rucksack or another type of bag to carry your laptop rather than a laptop bag.
Everyone who carries out any work for SSAFA must ensure they are aware of the risks of using mobile devices and should apply safe working practices to minimise these risks.
Each and every system, site or online resource must have a unique password. Passwords should never be reused. SSAFA takes a zero tolerance approach to people found to be using a password for more than one resource.
You should not use a name or any variation of your personal or account name. SSAFA minimum standards are to use a password consisting of a short phrase of at least three words. This can also be known as a passphrase.
The SSAFA IT team have agreed that users will not normally be forced to change their passwords on SSAFA systems (for example, email, web, or computer), if they are suitable passwords using alphanumeric and complex characters. The IT team has the right to ask you to change your password at any time.
See the guidance document for examples of good and bad practice when selecting passwords.
Your passwords should not be written down – users are expected to take all reasonable steps to ensure their password remains known only to them and use unrelated passwords for different systems.
You must not share your password with colleagues or others. If you need to share access to accounts, please ask the IT team for advice.
If someone claims to be from IT and asks for your details, please report this to the IT helpdesk using known comms channels.
If you suspect that your password may have been compromised, you must report this to the IT team and change your password straight away. Phishing emails typically ask for username and password. Seek advice from IT if you receive any suspicious emails.
Everyone who is given access to any of our systems is responsible for choosing strong passwords and for protecting their log-in information.
The IT team will monitor compliance with this protocol using a variety of methods and provide feedback to the policy owner. They will provide guidance to individual users to protect access to SSAFA’s data and systems.
It is your responsibility to make sure that your mobile device is maintained, and any theft or loss must be reported to your line manager and IT immediately. To prevent loss of data or information, you should make sure that your device is protected with PIN numbers and passwords. Our IT team can remotely clear your SSAFA data if required.
Personal use of SSAFA issued mobiles should be kept to a minimum, agreed with your line manager and restricted to phone calls or text messages. Users may have to justify any non-SSAFA use.
Our IT team will use a centralised management system to log connection information by all devices for governance purposes and under certain circumstances we reserve the right to:
- Prevent access to a device from wired or wireless networks
- Prevent access to systems from a device
- Take necessary steps to retrieve information owned by SSAFA
Any suspected breach of this policy will be investigated, and access to systems may be suspended as a risk reduction measure until an investigation has concluded.
Non-compliance with this policy may result in a range of actions up to and including disciplinary action (for employees), or revocation of membership (for volunteers) depending on the circumstances.
7. Social media
7.1. Acceptable use
Everyone within the scope of this policy must use their own personal email address when using social media or social networking sites to express their own views and opinions.
When using social media on behalf of SSAFA, you must use your SSAFA email address.
No one must make any comment on social media on SSAFA’s behalf without the prior approval of the Public Relations team or the Director of Marketing and Communications.
7.2. Unacceptable use
Using or signing up to social media sites with SSAFA email addresses for personal use.
Employees should only access social media sites for personal use outside of core business hours. This is a privilege that may be withdrawn by the IT Director at any time if there is an infringement of the law or access is inappropriate during working hours.
You must not use language that could be described as offensive; this includes abusive, insulting, aggressive, discriminatory, extremist or distasteful language.