SSAFA Volunteer Knowledgebase

IT Policy - Additional Info for Learningbase

This additional information document and associated policies outline the principles and management of all IT equipment that is owned, subscribed to or leased to SSAFA, The Armed Forces Charity. It additionally applies to all SSAFA data, systems and resources currently in place and any new or developing technology that may not explicitly be referred to.

Our policies and information are in place to protect SSAFA from data or cyber related organisational risks and threats that may affect our ability to operate within specific legislative requirements: the UK General Data Protection Regulation, as amended by the Data Protection Act 2018 (“UK GDPR”); the Payment Card Industry Data Security Standard; and any other relevant legislation.

A list of definitions is included at the end of this document.

General information

The document is laid out in sections: the first section applies to everyone and covers general information. The following sections provide details on specific topics and, where relevant, are split into what our employees and volunteers need to do to ensure that we are compliant with the requirements of UK GDPR and any other relevant legislation.

Effective information security is everyone’s responsibility, and users of our systems or resources must ensure they understand our IT policy and operate within it.

Inappropriate use, either knowingly or unknowingly, may expose SSAFA to virus attacks, information breaches, damage to clients or reputational damage. Any of these may result in legal proceedings against us.

All users should be cautious when opening email attachments from unknown senders. These may be phishing attacks and are the most likely cause of virus infections as they may contain malware.

If you are accessing the internet using a SSAFA 365 email address you should remember that you are representing the organisation. Any views expressed in the public domain must be approved by our Public Relations team.

Information about, or lists of, SSAFA employees, volunteers or third parties are not to be provided to anyone outside of SSAFA without prior approval.

You should not read out information from any SSAFA system to people on the phone until you have verified the identity of that person and that they have a valid need for that information. Callers can be validated by asking them for information that only they would know, for example their postcode, mobile number, date of birth or email address. If the details do not match, ask them to confirm some or all of the other key pieces of information, especially their full address. If they have moved, ask them to confirm their previous address or phone number. People who deal with other organisations should let their contact know that we use verification protocols and that we will not be able to correspond with any person claiming to be from that organisation unless they are pre-authorised. This is good practice as it explains to third parties that we take the protection of their data seriously and will not let anyone else speak to us about company confidential information.

1. Forwarding of emails

To ensure that SSAFA complies with the UK GDPR and any other relevant legislation, there are some steps you can take to prevent sensitive or personal data falling into the wrong hands.

If an email needs to be forwarded outside of SSAFA, you should check the whole thread to make sure that any sensitive data is redacted or deleted unless you have express permission from the data subject, to share this information with someone else.

When there is a business reason to automatically forward emails, for example if the original recipient is unwell and is not accessing their emails, is working somewhere with limited access, or has left SSAFA, it may be more appropriate to use an auto-reply that asks the sender to resend their email to an alternative person. This gives them the choice of resending to another person or finding an alternative themselves.

2. IT security

We want to make sure that everyone who works for SSAFA is aware of their responsibilities to maintain a high level of security in relation to our IT resources. We will provide advice, guidance and training to promote good practice and help you to comply with our policies and procedures.

All IT systems, equipment and other resources, including data, should be used in line with our policies, guidance and recommendations; this includes the transfer of information between systems and people. If data needs to be accessed by other people within SSAFA, you should use OneDrive. This is storage that is available to everyone using Office 365. External third-party storage providers, such as Dropbox, must not be used to store any personally identifiable data, as this storage facility is outside of the European Economic Area (EEA) and SSAFA is unable to control the data, which may put it at risk of a breach.

To help with the prevention of IT security risks, you should not download software, fonts or other copyrighted material to SSAFA owned, rented or leased devices without permission from our IT team.

Where an individual team member has become a key contact for queries or correspondence, it is recommended that teams have a managed, shared email address. This will help to ensure that your team can respond to any issues in a timely and professional way.

3. Mobile devices

To ensure security of data, users of their own personal devices should know how they can remotely clear any SSAFA data from their device.

If you have a SSAFA owned mobile device, it is your responsibility to make sure that it is kept safe, is regularly updated as required and is used in line with our policy. Any loss or damage to the device should be reported to your line manager as soon as possible. You may be required to pay for a replacement if you have not taken appropriate measures to look after the device.

The next section applies to the use of personal or SSAFA owned iPads, iPhones, Android phones and tablets.

SSAFA must ensure that it remains in control of the data that we are responsible for, regardless of the ownership of the device being used to carry out any processing. We must also protect our intellectual property as well as empowering employees and volunteers to protect their own personal information.

Passwords and PINs used to make sure your device is secure should be created in line with the section on passwords in this document. You may also use biometric alternatives.

It is good practice to disable your Bluetooth connection unless you are in a safe environment as this functionality opens your device to malicious attacks.

If you are using your device to access emails, please remember that this is a communication tool and not a data storage tool. All data should be stored on SSAFA systems and be deleted from mobile devices as soon as possible.

Our IT team will use a centralised management system to log connection information for governance purposes and under certain circumstances we reserve the right to:

  • Prevent access to a device from wired or wireless networks.
  • Prevent access to systems from a device.
  • Take necessary steps to retrieve information owned by SSAFA.

4. Mobile working

SSAFA accepts that volunteers and some employees need to work away from an office environment. It is your responsibility to make sure that all reasonable precautions, for example the use of a privacy screen, have been taken to minimise the risks associated with this way of working.

The risks to SSAFA are:

  • A data breach / breach of beneficiary confidentiality through the loss or the unauthorised sharing of their personal data.
  • Disclosure of sensitive data to unauthorised people.
  • Loss of, or damage to, business-critical data.

Definitions of personal and sensitive data are in the definitions section at the end of this document.

These can occur if you connect to unsecured networks as other people may have visibility of any data you receive or send and servers may be capturing and storing your details.

5. Passwords

Choosing a password

Each system has its own password requirements and some are more limited than others. However, the following is good practice and must be followed.

  1. It is recommended that you use a password consisting of at least 15 characters (including spaces), therefore a pass phrase of three words is deemed good practice.
  2. If a password is limited in characters, it should begin with a capital letter, contain at least one number, be at least 8 characters in length and include a character such as a full stop, exclamation mark or question mark.
  3. A password should be quick and easy to type to reduce the risk of someone looking over your shoulder and seeing what you type.

5.1. Protecting your password

We understand that everyone has numerous accounts and passwords to remember. The following is good practice and must be observed:

  1. Passwords should not be shared with anyone.
  2. All passwords are to be kept confidential, even if you are away, as everyone must have their own unique access to our systems. If someone needs additional access, you should request this from the IT team.
  3. Passwords must not be revealed over the phone to anyone other than verified IT administrators, who will ask you to change your password once IT support has finished.
  4. Passwords should not be given on questionnaires or security forms; we will never ask you to do this.
  5. You should not hint at the format of your password (for example, "my family name"). You should not write down your passwords either on paper or electronically.
  6. You should not use the "Remember Password" feature of any applications (for example, web browsers).

5.1.1. Examples of types of good passwords

  • I hate passwords! (17 characters: 3 complex)
  • Going 2 the shops? (18 characters: 4 complex, 1 numeric)
  • P3r1odically! (13 characters: 1 complex, 2 numeric)

5.1.2. Examples of bad passwords

  • Passw0rd: despite the 0, this can be cracked quickly.
  • Password01: just adding a number to the end doesn’t make this any safer.
  • Arsenal1977: football team names are easily cracked.
  • Mathematics: password cracking software will quickly identify this as a word.

For additional help and support in relation to setting, changing or protecting your passwords, please contact the IT team in Central Office.

If you do suspect that your password may have been compromised in any way, please report this to the IT team and change your passwords straight away.
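As an added example (not part of the SSAFA policy itself), the following Python checker applies the rules from section 5 and the single-dictionary-word check that the section 5.1.2 examples rely on; the word list and leet-substitution table are constructed stand-ins for what real password cracking software uses.

```python
import re
import string

# Constructed mini word list standing in for a cracking dictionary
COMMON_WORDS = {"password", "mathematics", "arsenal", "welcome", "letmein"}

# Constructed table of common digit/symbol-for-letter substitutions
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password):
    """Strip trailing digits and undo leet substitutions, the way cracking
    tools do, e.g. 'Passw0rd' -> 'password', 'Arsenal1977' -> 'arsenal'."""
    base = re.sub(r"\d+$", "", password)
    return base.translate(LEET).lower()


def meets_length_rule(password):
    """Rule 1: at least 15 characters; spaces count, so a three-word
    passphrase normally qualifies."""
    return len(password) >= 15


def meets_short_rule(password):
    """Rule 2 for systems that limit length: at least 8 characters,
    starting with a capital, containing a digit and a punctuation mark."""
    return (len(password) >= 8
            and password[0].isupper()
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def check_password(password):
    """Return (ok, reasons). A password passes if it satisfies either
    rule and is not just one dictionary word dressed up with digits."""
    reasons = []
    if not (meets_length_rule(password) or meets_short_rule(password)):
        reasons.append("fails both the 15-character rule and the short-password rule")
    words = [w for w in re.split(r"\s+", password) if w]
    if len(words) == 1 and normalise(password) in COMMON_WORDS:
        reasons.append("a single dictionary word with digits or substitutions added")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["I hate passwords!", "P3r1odically!", "Passw0rd", "Arsenal1977"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'REJECT ' + '; '.join(why)}")
```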

6. Social media

You should always keep your personal on-line life separate from your professional one. SSAFA recognises that social media is a normal part of our work and social lives.

Employees should not expect social media interactions received or sent on SSAFA, MOD, GSTT, NHS or other workplace computers or mobile devices to be private.

7. Posting comments online

These rules will enable you to participate online in a respectful, relevant way that protects our reputation and of course follows the letter and spirit of the law.

If you use any kind of social media you must be careful to observe the following:

  • be smart about protecting yourself, your privacy and SSAFA’s confidential information. What you publish is widely accessible and will be around for a long time, so consider the content carefully. Google has a long memory and the internet never forgets, even if you think you’ve deleted a posting
  • post meaningful, respectful comments — in other words, please, no spam and no remarks that are off-topic or offensive
  • use common sense and common courtesy: for example, you must ask prior permission from your line manager to publish or report on conversations that are meant to be private or internal to SSAFA. Make sure your efforts to be transparent don't violate SSAFA's or a fellow colleague’s privacy or confidentiality.

7.1. Don’t

  • defame or disparage SSAFA, our volunteers or any employee
  • breach any laws, regulatory requirements or ethical standards to which SSAFA is subject
  • use your social media entries as a marketing tool
  • post any information about your personal life that could be misconstrued by someone looking to make mischief. It is quite easy nowadays to build a profile of an individual by linking all their web presences so don’t write anything you wouldn’t want to become completely public, even when commenting on your social activities
  • breach any obligations of confidentiality that you owe to SSAFA or any of our service users, staff, donors, clients, customers or other contacts
  • represent yourself or SSAFA in a false or misleading way. All statements must be true and not misleading; and must be capable of substantiation.

Remember that any media enquiries must always be referred to our Public Relations team. For further guidance on what is appropriate use, contact the Media team.

8. Definitions

This is not an exhaustive list but covers most of the commonly used technical terms.

Biometric data – personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.

Chain letters – messages sent to a huge number of people, asking each recipient to forward them to as many other people as they can. This can create problems for organisations as mail servers become clogged up.

Data breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. A breach is therefore more than just losing personal data: a data breach has also occurred if any unauthorised person sees or accesses personal or sensitive data that they should not.

Data controller – a person, company, or other body which decides the purposes and methods of processing personal data. SSAFA is a Data Controller.

Data processor – a person, company, or other body which processes personal data on behalf of a data controller. SSAFA contracts data processing to a number of third-party Data Processors.

Data subject – a natural person whose personal data is processed by a data controller or processor.

Dropbox – a file hosting service operated by American company Dropbox, Inc., headquartered in San Francisco, California, that offers cloud storage, file synchronisation, personal cloud, and client software. Under data protection legislation, we must ensure that all our data is stored within the European Economic Area.

Malware – a generic term for different types of malicious code.

Personal data – any information that could identify a living individual, either on its own or with other information that is held or likely to come into SSAFA’s possession. It includes but is not limited to: name, address, date of birth, Internet protocol address or National Insurance number.

Personally identifiable information (PII) – information that, when used alone or with other relevant data, can identify an individual. PII may contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognise an individual.

Phishing – the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.

Ransomware – one of the fastest-growing forms of cyber-attack. There are roughly 2.8 million known unique samples of ransomware, and this number is growing. Ransomware attacks are becoming more sophisticated and cyber attackers are demanding higher payments from their victims.

Social media – media for social interaction, using highly accessible and scalable communication techniques. Social media is the use of Web-based and mobile technologies to turn communication into interactive dialogue.

Social networking – a social networking service is an online service, platform or site that focuses on building and reflecting social networks or social relations among people who, for example, share interests and/or activities. A social network service essentially consists of a representation of each user (often a profile), their social links and a variety of additional services.

Most social network services are Web-based and provide means for users to interact over the Internet, such as email and instant messaging. Online community services are sometimes considered as a social network service, though in a broader sense, social network service usually means an individual-centred service whereas online community services are group-centred. Social networking sites allow users to share ideas, activities, events and interests within their individual networks and include Facebook, Snapchat and Instagram.

Special category or sensitive personal data – includes race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Trojan horse – a computer programme that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorisations of a system entity that invokes the programme.

Worms – computer programmes that can run independently, can propagate a complete working version of themselves onto other hosts on a network, and may consume computer resources destructively.