Information Management System Policy
Background
Blackawton Parish Council – Clerk and Councillors – must comply with the Data Protection legislation.
BPC’s Code of Conduct requires Councillors not to disclose confidential information.
Failure to correctly manage its information is a risk to BPC’s reputation.
This policy outlines the guidelines and responsibilities for the appropriate use of IT resources and email by council members, employees, volunteers, and contractors.
Data Protection Legislation And Its Key Principles
“Personal data”: Any information about a living individual which allows them to be identified from that data (for example a name, photographs, videos, email address, or address). Identification can be direct, using the data itself, or indirect, by combining it with other information which helps to identify a living individual.
The UK General Data Protection Regulation sets out seven key principles for processing personal data:
- Lawfulness, fairness and transparency: Must be processed lawfully, fairly and transparently.
- Purpose limitation: Can only be used for the purpose it was collected for.
- Data minimisation: Should be adequate, relevant and limited, i.e. only the minimum amount of data needed for the specific processing should be kept.
- Accuracy: Must be kept accurate and current, and inaccurate data erased.
- Storage limitation: Must only be retained for the time necessary for the purposes, and storage must be safe and secure.
- Integrity and confidentiality: Must remain secure.
- Accountability: The data processor is responsible for complying, must be able to demonstrate compliance, and must have measures in place to meet the requirements of accountability.
Processing can only be carried out lawfully if one of six specific conditions is met: consent, or processing that is necessary for a contract, to comply with the law, to protect someone’s life, for a task in the public interest or official functions based in law, or for legitimate interests.
Core processes relevant to BPC Councillors’ GDPR responsibility
- A regular data audit to review what personal data is held.
- Data security: for example, lock filing cabinets outside working hours and keep the keys secure, use secure computer passwords, and switch computers off when not in use.
- Follow the processes when councillors cease office to remove their data from public records and to return or destroy the council’s information held by them.
- Thorough deletion of out-of-date or no-longer-required data, for example using a good quality shredder.
- Data protection impact assessments for new projects.
Information Management Requirements
Scope
- This policy applies to all individuals who use Blackawton Parish Council’s IT resources, including computers, networks, software, devices, data, and email accounts.
Acceptable Use of IT Resources and Email
- Blackawton Parish Council IT resources and email accounts are to be used for official council-related activities and tasks. Limited personal use is permitted, provided it does not interfere with work responsibilities or violate any part of this policy. All users must adhere to ethical standards, respect copyright and intellectual property rights, and avoid accessing inappropriate or offensive content.
Device and software usage
- Where possible, authorised devices, software, and applications will be provided by Blackawton Parish Council for work-related tasks.
- Unauthorised installation of software on authorised devices, including personal software, is strictly prohibited due to security concerns.
Mobile Devices and Remote Work
- Mobile devices provided by Blackawton Parish Council should be secured with passcodes and/or biometric authentication. When working remotely, users should follow the same security practices as if they were in the office.
Data Management and Security
- All sensitive and confidential Blackawton Parish Council data should be stored and transmitted securely using approved methods. Regular data backups should be performed to prevent data loss, and secure data destruction methods should be used when necessary.
Network and Internet Usage
- Blackawton Parish Council’s network and internet connections should be used responsibly and efficiently for official purposes. Downloading and sharing copyrighted material without proper authorisation is prohibited.
Email Communication
- Email accounts provided by Blackawton Parish Council are for official communication only. Emails should be professional and respectful in tone. Confidential or sensitive information must not be sent via email unless it is encrypted.
- Be cautious with attachments and links to avoid phishing and malware. Verify the source before opening any attachments or clicking on links.
Email monitoring
- Blackawton Parish Council reserves the right to monitor email communications to ensure compliance with this policy and relevant laws. Monitoring will be conducted in accordance with the Data Protection Act and GDPR.
Emails can be viewed in these ways:
- In a tool which does not move the information, for example Thunderbird (desktop), TypeApp (desktop and phone), or Apple Mail.
- They cannot be viewed in free Gmail, which may move the information outside of the UK and the EU.
- Outlook: GDPR compliance seems to depend on how it is set up.
- They cannot be forwarded to a private email account.
Electronic Information
- Keep BPC information in an identifiable location or locations, e.g. a folder.
- Cloud servers must be in the UK or a location with comparable data protection legislation. (iCloud appears to not be GDPR compliant.)
- BPC information cannot be placed on a shared device.
- External drives must be encrypted.
Paper Documents
- Organise in an identifiable location or locations, e.g. folders.
- Lock up confidential documents.
- Destroy confidential documents securely with a high quality shredder (they can be given to the Clerk to shred).
Return of BPC’s Information
- Organise documents so that the information can be easily returned or destroyed as appropriate when you cease to be a Councillor.
Password and account security
- Blackawton Parish Council users are responsible for maintaining the security of their accounts and passwords. Passwords should be strong and not shared with others. Regular password changes are encouraged to enhance security.
Passwords
To access BPC information (laptops/PC, email, bank), passwords must be:
- unique
- 11 characters or more
- a mix of alphanumeric characters (letters and numbers) and symbols, with at least one of each:
  Uppercase (capital) letters. Examples: A, E, R
  Lowercase (small) letters. Examples: a, e, r
  Numbers. Examples: 2, 6, 7
  Symbols and special characters. Examples: ! @ & *
- not based on personal information or common words and patterns
A password manager can help you.
Examples
Replace letters with numbers and symbols: Choose a word or phrase and use numbers and symbols instead of some letters. Examples:
“Spooky Halloween” becomes “sPo0kyH@ll0w3En”
“Later gator” becomes “L8rg@+0R”
Abbreviate a sentence: Come up with a sentence and use the first letter of each word. Example:
“Uncle Peter always ate chocolate-covered everything” becomes “uP@8cCe!”
https://www.security.org/how-secure-is-my-password/
- Two-step verification or two-factor authentication is recommended where available.
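As an added illustration (not part of the council's policy or of any tool it uses), the following Python checker expresses the password rules above as code, so that a user or the Clerk can test a candidate password offline before adopting it. The list of common patterns and the personal-information list are constructed placeholders; a real deployment would load a proper dictionary or breached-password list and the user's own details. Running it on the page's own worked examples shows that “L8rg@+0R” and “uP@8cCe!” are eight characters long: they illustrate the substitution and abbreviation techniques, but on their own they fall short of the policy's 11-character minimum.

```python
import string

# Policy values taken from the page: 11-character minimum, at least one of each class.
MIN_LENGTH = 11

# Constructed sample denylist of common words and patterns (hypothetical; a real
# deployment would load a breached-password or dictionary list instead).
COMMON_PATTERNS = ("password", "qwerty", "letmein", "welcome", "abc123", "123456")


def has_sequential_run(pw, n=4):
    """True if pw contains n or more characters that each step up by one code point
    (e.g. 'abcd' or '1234'), a simple form of the 'common patterns' the policy rules out."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) - ord(prev) == 1 else 1
        if run >= n:
            return True
    return False


def check_password(pw, personal_info=(), previously_used=()):
    """Return the list of policy rules the password breaks; an empty list means it passes.

    personal_info: strings the user should not build a password from (name, street, ...).
    previously_used: passwords already in use elsewhere, for the 'unique' rule.
    Both are supplied by the caller; this checks only what the policy text states."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters ({len(pw)})")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no number")
    if not any(c in string.punctuation for c in pw):
        failures.append("no symbol")
    lowered = pw.lower()
    for pattern in COMMON_PATTERNS:
        if pattern in lowered:
            failures.append(f"contains common pattern '{pattern}'")
    if has_sequential_run(pw):
        failures.append("contains a sequential run such as 'abcd' or '1234'")
    for item in personal_info:
        # Ignore very short fragments, which would match almost anything.
        if len(item) >= 3 and item.lower() in lowered:
            failures.append(f"contains personal information '{item}'")
    if pw in previously_used:
        failures.append("already used elsewhere (not unique)")
    return failures


def is_compliant(pw, **kwargs):
    """Convenience wrapper: True when check_password reports no failures."""
    return not check_password(pw, **kwargs)


if __name__ == "__main__":
    # The page's own three examples plus two constructed ones; "Blackawton" stands in
    # for a piece of personal information the user should not reuse.
    for candidate in ("sPo0kyH@ll0w3En", "L8rg@+0R", "uP@8cCe!",
                      "Password1234!", "Blackawton2023!"):
        result = check_password(candidate, personal_info=("Blackawton",))
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The checker deliberately reports every broken rule rather than stopping at the first, so a user sees at once why a candidate is rejected. It cannot judge "unique" without being told what else the password is used for, which is why that list is an argument; a password manager, as the policy suggests, is the practical way to keep passwords both unique and long.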
Device Protection
- Use antivirus/anti-malware and secure firewall software with automatic updates on your computer/PC/phone.
- Laptops/PCs/phones must lock automatically after [not more than two minutes] if left unattended.
- Devices must be locked when not in use.
Review of Information
- Have a system for reviewing the information you hold, destroying it when appropriate, and updating personal data.
- Set emails to be automatically deleted after no longer than [24 months], and earlier as appropriate (where no longer useful or relevant).
Training and awareness
- Blackawton Parish Council will provide regular training and resources to educate users about IT security best practices, privacy concerns, and technology updates. All employees and councillors will receive regular training on email security and best practices.
Record Retention & Disposal Policy
- BPC’s Record Retention & Disposal Policy provides further detail about specific types of records.
- Emails should be retained and archived in accordance with legal and regulatory requirements. Regularly review and delete unnecessary emails to maintain an organised inbox.
Reporting security incidents
- All suspected security breaches or incidents should be reported immediately to the Clerk for investigation and resolution. Report any email-related security incidents or breaches to the Clerk immediately.
Compliance and consequences
- Breach of this IT and Email Policy may result in the suspension of IT privileges and further consequences as deemed appropriate.
Policy review
- This policy will be reviewed annually to ensure its relevance and effectiveness. Updates may be made to address emerging technology trends and security measures.
Version History
Adopted 4 April 2023
Reviewed and extended 9 March 2026