YHN Looking after Information staff handbook


Looking after information: Staff Handbook 1 NOT PROTECTIVELY MARKED


Contents

1. Introduction
   1.1 About this Handbook
   1.2 Legal requirements
   1.3 Disciplinary action
2. Staff responsibilities
   2.1 Data protection
       2.1.1 Understanding data protection
       2.1.2 General responsibilities
       2.1.3 Disclosing customer personal information in person
       2.1.4 Disclosing customer personal information over the telephone
       2.1.5 Disclosing customer personal information over email
   2.2 Access to Official Information
       2.2.1 Understanding Access to Official Information
   2.3 Records management
       2.3.1 Understanding records management
   2.4 Information security
       2.4.1 Understanding information security
       2.4.2 Reporting information security Incidents
       2.4.3 ICT equipment
       2.4.4 Use of computer systems away from the normal workplace
       2.4.5 Data and software acceptable use
       2.4.6 Email and internet acceptable use
   2.5 Data quality
       2.5.1 Understanding data quality
   2.6 Social media
       2.6.1 Understanding social media
       2.6.2 Taking responsibility for what you publish
   2.7 Copyright law
       2.7.1 Understanding copyright law
       2.7.2 Avoiding copyright infringement
3. Formal guidance and procedures
   3.1 Data protection
       3.1.1 Handling subject access requests
       3.1.2 Handling requests involving other people's information
       3.1.3 Handling requests for information about children
       3.1.4 Subject access exemptions
       3.1.5 Information supplied by other organisations
       3.1.6 Responding to applications
       3.1.7 Handling requests for CCTV images
       3.1.8 More information on data protection
       3.1.9 Process flowchart for handling subject access requests
       3.1.10 Identity checks
       3.1.11 Disclosing personal information to a person acting on behalf of someone else
       3.1.12 Disclosing personal information to another third party
       3.1.13 Sharing multiple records with a third party
       3.1.14 Implementing new services and ICT systems
   3.2 Access to Official information
       3.2.1 Handling requests for official information
       3.2.2 Process flowchart for official information requests
   3.3 Records management
       3.3.1 Introduction
       3.3.2 Creation of records
       3.3.3 Information classification and protective marking
       3.3.4 Maintenance
       3.3.5 Information handling
       3.3.6 Retention and disposal
       3.3.7 Public access
       3.3.8 Board and Committee Reports
   3.4 Information security
       3.4.1 Key DOs and DON’Ts
       3.4.2 Passwords
       3.4.3 Protection against virus and other threats
   3.5 Data quality
       3.5.1 Introduction
       3.5.2 Data quality characteristics
   3.6 Social media
       3.6.1 Introduction
       3.6.2 Rules for engagement
       3.6.3 Guidance on personal use of social media
   3.7 Copyright law
       3.7.1 Introduction
       3.7.2 Guidance on copyright
4. General advice and frequently asked questions
   4.1 Access to Official information
       4.1.1 Frequently asked questions (basic)
       4.1.2 Frequently asked questions (advanced)
   4.2 Information security
       4.2.1 Email and Calendar good practice guidelines
             A. Email
             B. Calendar
   4.3 Making Information Accessible to Customers
5. Glossary of terms
6. Key contacts



1. Introduction

Information is a vital asset for Your Homes Newcastle (YHN), supporting both day to day operations and the planning and management of services and resources. It is essential that all YHN information is managed effectively.

YHN’s Information Policy sets out the principles on which decision making about information at YHN is based, explains which bodies and officers are responsible for the governance and management of information, and commits YHN to specific aims and practices. It is organised into six themes:

• Data Protection
• Access To Official Information
• Records Management
• Information Security
• Data Quality
• Social Media

1.1 About this Handbook

NOTE: This Handbook replaces the YHN Information Systems Code of Practice and separate corporate guidance about Data Protection and Freedom of Information. It does not replace local procedures relating to records management or other service-specific guidance.

This Handbook is aimed primarily at staff and aims to set out, in one place, the personal responsibilities of YHN employees in ensuring that information and information systems within YHN are used correctly and legally. Where applicable, and as determined by the relevant Information Owners, guidance for YHN employees will also apply to other users of information within YHN, including Board members, the Strategic Independent Advisory Group, the general public, contractors, consultants, external auditors and external bodies. It also provides additional background and guidance on each of the themes listed above, including any corporate procedures already in place.

It is important that all staff understand the responsibilities set out in this Handbook. All YHN employees and other potential users of YHN’s information and information systems must read and agree to these responsibilities as a condition of working at YHN.

The aim of this Handbook is to:

• guide staff on the proper use of information and information systems;
• safeguard staff and YHN from future legal action;
• help staff fulfil their obligations under relevant legislation and best practice.


1.2 Legal requirements

YHN and its staff are committed to observing all laws and regulations relating to information and information systems. At the time of publication, these include:

• Data Protection Act 1998 - covering the holding and disclosure of personal information
• Copyright, Designs and Patents Act 1988 - covering the copying of software
• Computer Misuse Act 1990 - covering unauthorised access to systems
• Human Rights Act 1998 - particularly with regard to a citizen’s right to privacy
• Lawful Business Practice Regulations 2000 - covering the interception of communications
• The Regulation of Investigatory Powers Act 2000
• Electronic Communications Act 2000
• Privacy and Electronic Communications Regulations 2003
• Children’s Act 1989 and 2004
• Equality Act 2010
• Theft Acts 1968/1978
• Freedom of Information Act 2000 – members of the public have a right to see information held by public bodies, including YHN
• Environmental Information Regulations 2004 - members of the public have a right to see information held by public bodies, including YHN, that relates to the environment and activities and policies that may affect the environment
• Public Interest Disclosure Act 1998 - encourages people to raise concerns about malpractice in the workplace and protects whistleblowers from dismissal and victimisation.

1.3 Disciplinary action

Any use of information or information systems which contravenes any relevant legal acts or YHN policies is unacceptable. Compliance with the responsibilities set out in this Handbook is important because they are intended to protect YHN, the users of its services and the employee against unwittingly breaching YHN rules and/or the law. Employees found to be involved in actual or attempted breaches of the responsibilities set out in this Handbook, and the laws/regulations referred to within it, may be subject to disciplinary action or even prosecution. If you would like help with any issues in this document please contact the YHN ICT Service Desk on extension 27766 or at yhn@service-now.com.



2. Staff responsibilities

The YHN Information Policy requires that all employees understand and follow the responsibilities listed below. Employees must also understand and follow any local information management processes and procedures appropriate to their role. Employees share with their managers the responsibility to ensure that they receive appropriate guidance, training and support.

2.1 Data protection

2.1.1 Understanding data protection

Staff should be familiar with the guidance in this handbook and must:

• Understand that people have a right to know what information we hold about them and to correct any errors
• Understand that there are some exceptions
• Recognise a request for personal information and know how to find out how to respond to it
• Comply with the eight principles of data protection, which demand that personal information is:
  o Fairly and lawfully processed
  o Processed for limited purposes
  o Adequate, relevant and not excessive
  o Accurate and up to date
  o Not kept for longer than is necessary
  o Processed in line with your rights
  o Secure
  o Not transferred to other countries without adequate protection.

2.1.2 General responsibilities

All staff are required to:

• Be aware that they commit an offence if they release customer / employee records without consent (consent is obtained either from the data subject, the relevant Head of Service, Director or our legal advisor).
• Dispose of sensitive or protectively marked paper waste securely by shredding.
• Work on a 'clear desk' basis by securely storing hard copy personal information when it is not being used.
• Ensure that visitors are signed in and out of the premises, or accompanied in areas normally restricted to staff.
• Keep information on display to a minimum and never leave it unattended. Screens should be turned away from the view of unauthorised people and from windows. This is especially important in areas where members of the public or representatives from other organisations visit.
• Collect only the personal information they need for a particular business purpose.
• Access personal information only for legitimate work purposes, and never for personal use.
• Update records promptly – for example, changes of address, change of circumstance, marketing preferences.
• Delete personal information the business no longer requires in accordance with the relevant retention policy.

2.1.3 Disclosing customer personal information in person

When disclosing customer personal information in person all staff are required to:

• Be alert to people attempting to gain personal information for illegitimate purposes.
• Request identification before giving out personal information to someone requesting it in person unless you can positively identify them by other means.
• Take the same precautions when disclosing personal information to a customer irrespective of the context or setting (eg where a customer is also a member of staff, do not allow them to view information about them or their family members that may contain elements that would be exempt from disclosure, such as potential risk indicators).

2.1.4 Disclosing customer personal information over the telephone

When disclosing customer personal information over the telephone all staff are required to:

• Be alert to people attempting to gain personal information for illegitimate purposes.
• Carry out identity checks before giving out personal information to someone making an incoming call.
• Carry out identity checks before giving out personal information to someone when making outgoing calls.
• Limit the amount of personal information given out over the telephone and follow up with written confirmation if necessary.

2.1.5 Disclosing customer personal information over email

When handling customer personal information staff must:

• Never disclose any personal information classified as RESTRICTED or CONFIDENTIAL by email to an address outside YHN or Newcastle City Council (unless using a secure email system such as CJSM), even where the identity of the recipient has been checked.
• Carry out identity checks before communicating with anyone via email.

2.1.5.1 Disclosing customer information to utility companies

Staff within several services (particularly Finance and Housing Management) often receive email requests from utility companies and other third parties looking to trace a customer, or pursue an outstanding bill. It is within YHN’s interest to prove we have no liability for outstanding bills but we must also protect tenants’ sensitive information. Staff should therefore:

• Check that the request is from a genuine email address to prevent ‘phishing’;
• Provide only information that is available through publicly available sources (such as the electoral roll), namely:
  o Tenant name,
  o Tenancy start date,
  o Tenancy end date;
• Inform the utility company that:
  o if they require further confirmation that YHN are not liable for unpaid bills, they can request a copy of a tenancy agreement,
  o all personal information will be redacted from the tenancy agreement before it is provided, and
  o this process can take up to 28 days.

If there are any queries, you need assistance in redacting a document, or you are uncertain whether to respond to a particular request for information, please email information.requestsYHN@newcastle.gov.uk for advice.

2.2 Access to Official Information

2.2.1 Understanding Access to Official Information

Staff should be familiar with the guidance in this handbook and must:

• Understand that people have a right to request information held by public bodies, including YHN.
• Understand the types of information covered by the Freedom of Information Act and the Environmental Information Regulations.
• Understand that there are exceptions to this right and that it may be necessary to seek advice before responding.
• Recognise a valid request for information and know how to find out how to respond to it.


2.3 Records management

2.3.1 Understanding records management

Staff should be familiar with the guidance in this handbook and must:

• Understand that information is classified according to its sensitivity and confidentiality, and that sensitive information must be protectively marked accordingly.
• Understand that all information within YHN has a nominated “owner” who is responsible for its classification and for granting access.
• Handle information in accordance with corporate and local procedures for creating, managing and disposing of records.

2.4 Information security

2.4.1 Understanding information security

Staff should be familiar with the guidance in this handbook and must understand that:

• They are responsible for the workstation they use, the data it holds and the output produced.
• They are also responsible for YHN portable equipment, media or data that is used away from the normal place of work.
• All computer systems and data used by YHN are for the sole use of YHN and its business. The use of ICT facilities for purposes not directly concerned with YHN’s business is prohibited unless authorised by the appropriate manager.
• Limited personal use of email and internet facilities is permitted only in accordance with the Acceptable Use rules included in this Handbook.
• All communications sent or received via email and/or the internet are the property of YHN, and YHN reserves the right to monitor all email and internet traffic in accordance with this Handbook and the YHN Information Policy.

2.4.2 Reporting information security Incidents

• ICT Security Incidents should be reported immediately to YHN ICT (yhn@service-now.com).



2.4.3 ICT equipment

Staff should understand the importance of monitoring ICT equipment and must:

• Never remove any ICT equipment from the workplace without the permission of your line manager.
• Never remove from the workplace, relocate or assign to another member of staff non-portable ICT equipment (including PCs and printers) without the approval of YHN ICT.
• Never connect personal equipment (for example, speakers, digital camera, USB memory sticks) to any YHN ICT equipment unless it has been supplied by YHN ICT or you have permission from your line manager to do so. YHN ICT can provide guidance on security risks.
• Keep portable equipment securely when not in use, preferably locked away in a secure cabinet.

2.4.4 Use of computer systems away from the normal workplace

Staff using computer systems away from the normal workplace must:

• Keep the equipment secure, both whilst using/storing the equipment and during transit.
• Never leave laptops in a car, even when locked.
• Never store sensitive or protectively marked information on unencrypted portable devices (this includes memory sticks, cameras, smart phones, etc). This is to guard against the possibility that the device is lost or stolen and the information is disclosed to those for whom it is not intended. YHN ICT can supply encrypted USB sticks and provide advice and guidance on encryption for other portable devices. All YHN laptops are encrypted.
• Never transfer sensitive or protectively marked information onto home PCs or any other non-YHN equipment without the explicit authorisation of the relevant Head of Service or Director.

2.4.5 Data and software acceptable use

Staff must understand and follow the rules below regarding the acceptable use of data and computer systems:

2.4.5.1 Acceptable use

• Only try to access computer systems that you have been authorised to use, and use them only for legitimate work purposes. System access, and subsequent changes to a user’s access rights, must be requested from YHN ICT by your line manager or the information owner.
• If you leave your work area unattended for any length of time you should log out completely from all systems and the network and power down your computer if it does not do this itself.
• If you leave your computer temporarily you should ‘lock’ it. To do this, hold down the Windows Key and type ‘L’. On older keyboards without a Windows Key, press Ctrl-Alt-Delete (do this by holding down the Ctrl and Alt keys then press the Delete key), then click on Lock Computer. You will only be able to unlock your PC by typing in your user name and password.
• Data should be stored securely at all times. Do this by saving information to network folders (eg W drive or G drive), which are backed up every night.
• Temporary storage devices such as floppy disks, CDs, DVDs and memory sticks must be stored securely at the end of each day.
• Sensitive and protectively marked information held on portable devices, including laptops and memory sticks that are taken ‘off-site’, must be secure and encrypted. (Contact YHN ICT (yhn@service-now.com) for further information.)
• Be aware that deleting an unencrypted file from a memory stick or laptop does not erase the data – a hacker can easily recover deleted files. YHN ICT can provide advice on the secure wiping of memory and disk drives.

2.4.5.2 Unacceptable use

• Do not store information on the hard drive (Local disk C:), your PC desktop or My Documents. All of these areas are held locally on your computer and if this fails the information will not be recoverable. YHN business documents and information must be stored in a manner which is secure and backed up daily.
• Do not attempt to access any computer systems or information that you have not been expressly authorised to use.
• Do not use, or attempt to use, any YHN systems to gain access to information for personal use.
• Do not save sensitive or protectively marked information onto USB memory sticks or any other form of portable memory without the authorisation of the information owner. Where authorised, YHN ICT can supply encrypted portable devices and software.
• Unauthorised software, including freeware, shareware, games and screensavers, must not be used on any YHN computer system. Games which come as part of an approved software system may only be used for training/skills development in consultation with your line manager.
• To guard against potential damage, all YHN computer systems have anti-virus software installed. Unauthorised floppy disks, CDs and memory sticks should not be used in YHN equipment.
• Do not copy software or related documentation. Software must only be used in accordance with the licence agreement. If an organisation uses illegal copies of software, the organisation may face a civil action and individual employees may have criminal liability.
• Do not reveal your password to anyone else and never ask anyone for their password. Audit trails can record what has been entered using a particular login and password, so if another person uses your password the entries they make will be traced back to you.
• Do not share your login and password details for any ICT system with colleagues or anyone else. The only exception to this rule is where a group login has been specifically set up with the approval of the information owner.
• Do not write your password down; memorise it.
• Change your passwords regularly. Some systems enforce this anyway.
• Change your password immediately if you think your security may have been compromised by someone else learning or finding out your password.
• Do not leave a PC logged in and accessible unattended with a member of the public present; if you must leave the room you should ‘lock’ your PC.
• Do not store large non-business files (eg photos, music or video) on your PC hard drive or on the YHN network. Non-business files may be deleted at any time and without warning.
• Do not use printers for non-business use.

2.4.6 Email and internet acceptable use

Email and internet access is provided to employees to support work related activities. It is a means of communicating with other agencies, provides access to information in direct support of YHN’s business activities and promotes services and products provided by YHN.

The internet is an open environment with a large amount of easily accessible information, some of which contradicts YHN’s policies on standards and behaviour. Where possible, access to material known to be of an offensive or undesirable nature will be prevented using security tools and filtering software; however this is not always possible.

The automatic filtering system used to detect inappropriate images in emails will often trap innocent personal emails containing photographs, especially photographs of young children. Emails trapped in this way will be “quarantined”, which means that they will be released only if they relate to official YHN business. Personal emails which are quarantined will not be released.

Staff must understand and follow the rules below regarding the acceptable use of email and the internet. These rules apply also to non-business use of the YHN and Council intranet sites.

2.4.6.1 Acceptable use

The following list sets out the broad areas of use that YHN considers to be acceptable for email and internet access:

o to provide a means of communication with other organisations on YHN business;
o to view and obtain information in direct support of YHN's business activities;
o to promote services and products provided by YHN;
o to communicate and obtain information in support of approved personal training and development activities;
o any other use that directly supports work related functions.

• Email and internet access is provided for business purposes, and you should not access email and/or the internet for personal use unless you are clocked out.
• Personal use must not involve any activity involving heavy network traffic (eg games, music / video, etc).
• Personal use must still comply with the responsibilities set out in this Handbook.
• At all times have regard for YHN’s policies and legal requirements when using the internet. Where appropriate, have equal regard for the specified rules and policies of the owners of services you access via the internet.
• If you unintentionally access an internet site which contains material of an offensive or undesirable nature, you should immediately exit the site and inform the YHN ICT Service Desk (yhn@service-now.com) who will arrange for the site to be blocked.

2.4.6.2 Unacceptable use

• Do not use email or the internet for:
  o illegal or malicious use, including downloading or transmitting copyright material;
  o access to, or transmission of, material which contravenes YHN’s equality and diversity policies;
  o access to, or transmission of, pornographic, sexually explicit or obscene material, or any other material of a related nature which may cause offence;
  o access to, or transmission of, material which contains hate speech or profanity.
• Do not put into email what you wouldn’t put into print. Always read your mail through to check for accuracy before sending it.
• Do not engage in activities on the internet that might bring YHN into disrepute.
• Do not make offensive comments about YHN, Board members, or colleagues on the internet.
• Do not enter into any commitment on behalf of YHN (unless explicit and written permission is given to do so).
• Do not allow any other user to send messages from your email address. Keep the password to your email account secret. You will be liable if the message sent contravenes YHN’s policies.
• Do not send email for private business purposes.
• Do not send or forward joke emails, pirated software or data.

2.5 Data quality

2.5.1 Understanding data quality

Staff should be familiar with the guidance in this handbook and must:

• Understand that they are responsible for the quality of the data that they use and manage and should ensure that, where possible, data is collected only once and is right first time.

2.6 Social media

2.6.1 Understanding social media

Staff should be familiar with the guidance in this handbook and must:

• Understand that what they write is ultimately their own responsibility and requires careful consideration.
• Understand that participation in social media on behalf of YHN is not a right but an opportunity, to be treated seriously and with respect.
• Understand that YHN has established corporate accounts on several social websites (including YouTube, LinkedIn, Twitter, Facebook, Slideshare.net and Flickr) and that the management of these accounts, and the creation of new corporate accounts across social media, is the responsibility of the YHN Lead Communications Officer.

2.6.2 Taking responsibility for what you publish

Staff must:

• Remember they are personally responsible for any content they publish.
• Understand their online privacy settings and how to define and review who can see both the information they publish and their personal information.
• Make it clear, if they do talk about the work they do or a YHN service they are associated with, that they are speaking for themselves and not on behalf of YHN. Use a disclaimer such as: “The views expressed here are my own and do not necessarily represent the views of Your Homes Newcastle.”
• Never use the YHN logo on personal web pages.
• Never reveal information which is sensitive or protectively marked - consult your manager if you are unsure.
• Never include contact details or photographs of service users or staff without their permission.
• Never violate YHN’s privacy, confidentiality, and legal guidelines for external commercial speech.
• Ensure any statements you make are true and not misleading, and that all claims can be substantiated and approved.
• Never comment on any of the following:
  o Anything related to legal matters
  o Financials
  o Litigation
  o Anything about YHN’s partner organisations and their capabilities.


2.7 Copyright law

2.7.1 Understanding copyright law

Staff should be familiar with the guidance in this handbook and must understand:

• that most published content is protected by copyright,
• that the creator or publisher of published content has certain exclusive rights over their work, so that their permission must be obtained before an organisation can reproduce an extract of their work,
• that YHN risks infringing copyright (and the potential costs associated with it) if permission is not obtained,
• that individual employees can be personally liable for infringement in certain circumstances.

2.7.2 Avoiding copyright infringement

Staff must also:

• Ensure that any published material used within their own work, both electronically and on paper, is not subject to copyright restrictions, and
• Consult with their line manager in the first instance if in any doubt as to whether copyright may be infringed.



3. Formal guidance and procedures

In this section of the Handbook you will find established procedures for managing information, as well as formal guidance for best practice. It is important that you make proper use of procedures and guidance to ensure customers receive a consistent and effective service and to protect yourself and YHN. Where you don’t believe it is appropriate to follow the documented procedure or guidance, always seek advice from your manager.

3.1 Data protection

The Data Protection Act gives individuals the right of access to their personal information. An individual can send YHN a “subject access request” requiring us to tell them about the personal information we hold about them, and to provide them with a copy of that information. This may include information such as tenancy details, customer complaints, leasehold details and financial information. The law requires us to respond to a valid subject access request within 40 calendar days of receiving it, but YHN aims to respond to all requests within 20 working days. There are some exemptions to this requirement, so it is important that you seek appropriate guidance before responding if you are in any doubt. YHN ICT provides advice and operational support on all aspects of Data Protection – please email information.requests@yhn.org.uk providing as much detail as possible and the relevant member of staff will contact you.

3.1.1 Handling subject access requests

Only requests made in writing (including fax and email) are covered by the Data Protection Act. Many requests for personal information are made verbally and will be responded to at a local level as part of normal office routine. These requests do not need to be recorded as subject access requests.

If you receive a written request from an individual asking for their personal information you must:

• Familiarise yourself with the process flow diagram below and understand that people have a right to access the personal information we hold
• Check and confirm the identity of the requestor
• Send a copy of the request to information.requests@yhn.org.uk



If you are asked to respond to a written request from an individual asking for their personal information you must:

• Familiarise yourself with the process flow below
• Ensure that the request is satisfied within 20 working days
• Have the response approved by the relevant Head of Service
• Send a copy of the response to information.requests@yhn.org.uk
• Send the response to the individual

3.1.2 Handling requests involving other people's information

YHN may not be obliged to disclose personal information relating to someone other than the subject access applicant (third party data). If the source of the personal information identifies a third-party it can be withheld, usually by editing the response. Information about a third-party can only be disclosed if:

• the third-party has given consent to the person making the request, or
• it is reasonable to reply to the request without the consent of the other individual

In these circumstances, YHN has to balance the interests of the parties concerned, taking account of any duty of confidentiality owed to the other individual, any steps taken by YHN with a view to seeking the consent of the other individual, whether the other individual is capable of giving consent, and any express refusal of consent by the other individual.

Where practical, YHN should seek consent from the third party before deciding whether to disclose third party information. The following template may be used:

Dear [xxx]

YHN has received a subject access request from [xxx] for YHN to release information to them under the Data Protection Act. In order to comply with this request, we may need to provide information relating to you, including emails or documents you have written about the requestors.

The Data Protection Act provides that if we cannot comply with the request without disclosing information relating to another individual who can be identified from that information, then we do not have to comply with the request unless:

• the third party has consented to the disclosure; or
• it is reasonable in all the circumstances to comply with the request without the consent of the third party individual.

I am therefore writing to you to seek your consent for us to release the information that has been requested, even where it includes information relating to you. This will mainly consist of emails and documents relating to the requestors that you have written, or in which you are mentioned. If you wish to review the information before making a decision, please contact me and I will arrange this for you.

In order for us to meet the 40 day deadline required under the Data Protection Act, we need to respond to the request by [xxx x xxxx]. If you do not reply before then, or withhold your consent, YHN will decide whether or not to disclose information relating to you on the basis of the guidance issued by the Information Commissioner’s Office.

Where it is possible to do so, we will delete names and edit documents to remove references to third parties. However, in order to comply with the law, it may be necessary for us to release some information relating to other people, even where consent has not been obtained.

The information requested by [xxx] is: “[direct quote from request]”

3.1.3 Handling requests for information about children

Even if a child is too young to understand the implications of subject access rights, data about them is still their personal data and does not belong, for example, to a parent or guardian. So it is the child who has a right of access to the information held about them, even though in the case of young children these rights are likely to be exercised by those with parental responsibility for them.

Before responding to a subject access request for information held about a child, you should consider whether the child is mature enough to understand their rights. If you are confident that the child can understand their rights, then you should respond to the child rather than a parent.

3.1.3.1 Information requests from a local authority relating to child protection

Requests from a local authority made under Section 47 of the Children’s Act 1989 will always relate to children who are either

• the subject of emergency protection orders,
• in police protection, or
• suffering or likely to suffer significant harm.

YHN has a legal duty to provide the information requested in these circumstances. As such, these requests should be treated as urgent. Staff likely to receive these requests should be aware of this, and also that this applies to any local authority requesting information under Section 47.

3.1.4 Subject access exemptions

There are a number of exemptions that recognise that there may be a public interest in withholding personal data sought under subject access.

The exemptions most likely to apply to YHN are listed below, but you should always seek advice from information.requests@yhn.org.uk before applying an exemption. More information on exemptions is available from the Information Commissioner’s Office website.

• Crime and Taxation – where disclosure would be likely to prejudice the prevention or detection of crime, apprehension or prosecution of offenders, or the assessment or collection of any tax or duty or of any imposition of a similar nature
• Physical or Mental Health – where disclosure would be likely to cause serious harm to the physical or mental health of the applicant or another individual
• Confidential References – where YHN has provided a confidential employment reference to another organisation about a YHN employee
• Negotiations – where disclosing a record of YHN’s negotiations with an individual would be likely to prejudice the negotiations
• Legal advice and proceedings – where legal professional privilege could be claimed
• Management information – where disclosing personal data that is processed for management forecasting or management planning would be likely to prejudice the business or other activity of YHN

Care must be used when applying exemptions. Exemptions that have been used should be documented for subsequent scrutiny, as required. In some exceptional cases discretion may be used and the decision made not to employ an exemption which could have been used.

3.1.5 Information supplied by other organisations

YHN is obliged to consider all personal data in our possession when we receive a subject access request, irrespective of where that personal data originated. Some requests are likely to encompass information which was provided or created by third party organisations or individuals, for example the police or social services.

In such cases, and where practical, YHN will write to the provider of the information to explain that a request has been received and ask formally for their views on disclosure of any personal data to the applicant, on the basis that the provider would be in a position to comment on relevant exemptions from their perspective. The correspondence should indicate that unless an objection is received before the end of the 40-day deadline, YHN may disclose the personal data sought. In all cases, irrespective of the provider’s comments, the final decision on disclosure rests with YHN.

The following template may be used when seeking the views of organisations who have supplied information subsequently requested by its subject:

Dear [xxx]

YHN has received a request from [xxx] for YHN to release to them [description of information] provided by yourselves. I have enclosed a copy of this request, which we are treating as a Subject Access Request under the Data Protection Act.

I would be grateful if you would advise on whether you consider that some or all of the information should be treated as exempt from disclosure under the provisions of the Act. If so, please identify those elements you believe to be exempt, or provide a redacted copy of the information reflecting your advice.

In order for us to meet the 40 day deadline required under the Data Protection Act, we need to respond to the request by 20 April 2014. If you do not reply before then, YHN will decide whether or not to disclose some or all of the information requested on the basis of our interpretation of the guidance issued by the Information Commissioner's Office.

3.1.6 Responding to applications

Any personal data provided must be in permanent form and be legible to the applicant. If it cannot be fully transcribed into an intelligible format, an explanation must be given of any code used in the response. Subject access is a right to the personal data, rather than to documents themselves, and in some cases the most appropriate means of providing personal data will be to extract or copy it from the source document into the response.

Generally, responses to applicants will be one of the following:

a) Full disclosure (all the applicant’s personal data will be disclosed) or partial disclosure (some of the applicant’s personal data is to be withheld with the use of exemptions):

The Data Protection Act places an obligation on YHN, when holding personal data, to provide a copy of that information, (unless an exemption applies), to you on request. From the personal details supplied in your application, please find enclosed the information that YHN is required to supply to you under the provisions of the Act.

b) Non-disclosure (all the applicant’s personal data is to be withheld with the use of exemptions) or nothing held (no personal data is processed):

The Data Protection Act places an obligation on YHN, when holding personal data, to provide a copy of that information, (unless an exemption applies), to you on request. From the personal details supplied in your application, there is no information that YHN is required to supply to you under the provisions of the Act.

YHN is not required to inform applicants that an exemption has been applied; in fact, in most cases it would be inappropriate to do so.

The response must provide the applicant with information about their right to complain about the information we hold about them, enclosing our “Complaints and Compliments” leaflet and using the following wording in the response letter:

If you wish to complain about either the information we hold about you, or the way this request for information has been handled, you have the right to ask us to carry out an internal review. You can do this by emailing us at information.requests@yhn.org.uk or writing to Information Requests, YHN House, Benton Road, Newcastle upon Tyne, NE7 7LX with details. If your concern is about inaccurate information, please tell us any reference numbers associated with the inaccurate information and the reason why you believe the information is inaccurate. If you ask us to carry out an internal review and remain unhappy with the outcome, you can raise a concern with the Information Commissioner at www.ico.org.uk. The Information Commissioner’s helpline can be contacted on 0303 123 1113.

All responses will normally be sent directly to the applicant at their home address. However, there may be occasions when the applicant specifically requests that nothing be sent to their home address. Such requests must be made in writing by the applicant. In these circumstances, the response may be either sent to an alternative address nominated by the applicant or arrangements can be made so that the applicant attends YHN premises to collect the response in person. In the latter scenario, the person’s identity will need to be confirmed when the information is disclosed.

3.1.7 Handling requests for CCTV images

A customer may request information related to images captured on closed circuit television operated by YHN. Individuals are entitled to see such images but we need specific details from them. We also need to ensure that they are unable to identify anyone other than themselves.

If a customer asks to see CCTV images, you should forward the request to information.requests@yhn.org.uk, who will request the detailed information we need from the customer and arrange specialist help to prepare the images.

3.1.8 More information on data protection

More information about data protection is available:

• On the “Information we hold about you” page on the YHN website
   o http://www.yhn.org.uk/freedom_of_information/information_we_hold_about_you.aspx
• On the Information Commissioner’s Office website
   o http://www.ico.gov.uk/

Information request forms which customers can use to request specific information can be downloaded from the Information request form page on the YHN website.



3.1.9 Process flowchart for handling subject access requests

[Flowchart. The boxes read:]

• YHN receives request for information via: Email, Fax, Letter, Telephone, Newcastle City Council’s Data Protection officer or in writing
• Refer information request to information.requests@yhn.org.uk
• information.requests@yhn.org.uk receives request for information via: Email, Fax, Letter, Telephone, Newcastle City Council’s Data Protection officer or in writing
• Request is logged by YHN ICT
• YHN ICT sends acknowledgement letter to requester. Letter informs requester of the officer who is dealing with the request
• YHN ICT forwards request via email to relevant officer with due response date
• YHN ICT will contact relevant officer 5 days before response date to check progress
• Relevant Officer drafts response and gets it approved by appropriate Head of Service.
• If response deadline can not be met relevant officer to write to requestor informing them that a full response can not be sent within the timescale, reasons why and when a full response will be sent.
• Send copy of response to requester
• Send copy of response to information.requests@yhn.org.uk
• No further actions needed


3.1.10 Identity checks

If your role involves communicating with customers about their personal information (eg Housing Management, CCAS, Income, etc), your service will have a procedure in place for checking the identity of customers who contact us. You must always follow this procedure before discussing a customer’s personal information with them.

If you work in a service which does not have a procedure for checking identity, you must not give out any personal information either in person, over the phone, by letter or by email. You must simply take a note of any relevant information from the customer and pass this information onto the relevant service.

If you receive a forwarded customer request from another member of YHN staff, you must still check the identity of the customer using your service’s standard procedure unless the forwarded message has been marked “Customer identity confirmed”. Only forward contact details you have confirmed with the customer.

If you carry out an identity check on a customer and confirm their identity, and have to forward the case to another member of YHN staff at a later date, you should mark the information you forward “Customer identity confirmed”, together with your name and the date you carried out the identity check. This will prevent us repeating identity checks unnecessarily.

3.1.11 Disclosing personal information to a person acting on behalf of someone else

Where a solicitor, family member or any other person claims to represent or act on behalf of someone else and requests information from YHN about that person, you must ensure that either:

a) they have the consent of the person they claim to represent, usually in writing, or
b) it is necessary to share that information to protect the interests of the person whose information you are sharing.

You must ensure that you have the approval of the relevant Head of Service or Information Owner, or a manager to whom they have delegated their authority, before releasing information to a third party without written consent. Please also email a summary of the decision and rationale to information.requests@yhn.org.uk to be held centrally.

YHN is allowed to disclose personal information about an individual, without a consent form, to MPs, MEPs and Councillors where the individual lives in the elected representative’s ward or constituency, and it is reasonable to believe that they are acting with the consent of that individual. Personal information can also be shared with elected representatives where it is necessary for them to perform their role (eg participation in SNAPS meetings). The relevant Head of Service or Information Owner must approve disclosure in these circumstances.


3.1.12 Disclosing personal information to another third party

Where any other third party (eg the police, a utility company, a health professional) requests information from YHN about anyone (eg a tenant or member of staff), you should only disclose the information requested if:

a) the person about whom the information is requested has consented, usually in writing, or
b) the disclosure is permitted by an existing YHN policy, procedure or information sharing agreement approved by the relevant Head of Service or Information Owner, or
c) the disclosure is required by law or by the order of a court, or
d) the disclosure is required in connection with legal proceedings or for the purpose of obtaining legal advice, or
e) the disclosure is approved by the relevant Head of Service or Information Owner.

Those responsible for approving disclosure must ensure that they comply with the requirements of the Data Protection Act, and in particular that “personal data shall be processed fairly and lawfully” (Principle 1). This requires that YHN acts lawfully and:

• has legitimate grounds for disclosure,
• does not disclose data in a way that has unjustified adverse effects on the individuals concerned,
• gives individuals appropriate privacy notices when collecting their personal data, and
• discloses personal data only in ways they would reasonably expect.

All disclosures to third parties must be recorded in an appropriate way, clearly identifying the reason for the disclosure and the approver, if relevant. Where personal information has been disclosed under clause (c), (d) or (e) above, please email a summary of the decision and rationale to information.requests@yhn.org.uk to be held centrally.

Where the disclosure is being requested in connection with legal proceedings or for the purpose of obtaining legal advice (Section 35 of the Data Protection Act), the requester should be asked to complete the form Request for disclosure under Section 35 of the DPA.

3.1.13 Sharing multiple records with a third party

YHN often needs to share bulk records with other organisations, including the Council and other organisations within partnerships. This may include having access to each other’s information systems, or setting up a separate shared database. It could lead to the specific disclosure of information on a one-off basis or the regular sharing of bulk data.

If you are setting up a project that will involve the sharing of bulk data you must consult the relevant Head of Service or Information Owner who will determine whether you need to carry out a privacy impact assessment and/or write an information sharing agreement.

A privacy impact assessment helps to assess privacy risks to individuals in the collection, use and disclosure of information about them. It should help you to identify whether or not you should be using personal data in the project, and what levels of protection may be required. A template and guidance notes are available on the staff intranet. Additional support can be obtained as necessary from your directorate Information Governance Liaison Officer or YHN ICT.

An information sharing agreement is a document jointly signed by organisations carrying out bulk sharing of data. Although this is not a legal requirement, it provides assurances for the organisations involved, and the people whose information is being shared, that it is being done so fairly and lawfully. In the event of any complaints about the sharing, it demonstrates that legal and confidentiality issues were considered from the start.

An information sharing agreement should usually be written whenever more than 50 records are likely to be involved, or where the information being shared is of a particularly sensitive nature. It normally includes the following information.

• The purpose of and legal basis for the sharing
• The organisations involved
• The types of information that are to be shared
• Privacy impact considerations
• How the information will be transferred
• How frequently it will be shared
• How long it will be kept for
• How the information will be held and destroyed securely

A template and guidance notes are available on the staff intranet. Additional support can be obtained as necessary from your directorate Information Governance Liaison Officer, YHN ICT and Legal Services. The agreement should be signed on behalf of YHN by the relevant Head of Service or Information Owner, and by all other parties to the information sharing process.

Whenever a decision is made to share multiple records with a third party for the first time, please email a summary of the decision and rationale to information.requests@yhn.org.uk to be held centrally. Please also send a copy of any new or revised information sharing agreement to information.requests@yhn.org.uk.

Information sharing agreements should be reviewed regularly, and usually annually.

3.1.14 Implementing new services and ICT systems

Whenever a new service is established, or a new ICT system is implemented, it is important to ensure that the information being used is appropriately protected. If you are setting up a new service or ICT system, or making significant changes to something that already exists, you must carry out an information risk assessment, which will consider three potential compromise areas:

• confidentiality: the potential impact if the information is seen by those who should not see it
• integrity: the potential impact if the accuracy or completeness of the information is compromised
• availability: the potential impact if the information becomes inaccessible.

The risk assessment will help you to identify important requirements in relation to business continuity and disaster recovery, information security and privacy. Assistance and guidance can be obtained as necessary from your directorate Information Governance Liaison Officer, the Service Quality team or YHN ICT. In addition, if the new service or ICT system will capture or process personal data, or will share information with third parties, you must consult the relevant Head of Service or Information Owner who will determine whether you need to carry out a privacy impact assessment and/or write an information sharing agreement. Privacy impact assessments and information sharing agreements are covered in more detail in section 3.1.13.

3.2 Access to Official Information

The Freedom of Information Act provides individuals and organisations with the right to request information held by a public authority. This must be done in writing (including email and fax). The Environmental Information Regulations provide a similar right to request information about the environment, including policies or activities likely to affect the environment. Requests under the Environmental Information Regulations do not have to be in writing.

The law requires us to respond to a valid request within 20 calendar days of receiving it, but YHN aims to respond to all requests within 10 working days. We are not required to confirm or deny the existence of the information or provide it, if an exemption applies. An exemption includes the following:

• The request is vexatious or similar to a previous request; or
• The cost of compliance exceeds an appropriate limit.

If an exemption applies, but is qualified, we will decide whether the public interest in using the exemption outweighs the public interest in releasing the information. If an applicant is unhappy with a refusal to disclose information they can file a complaint using our compliment, complaint and comment procedure. If the customer is not satisfied with the resolution offered by the procedure the complaint can be taken to the Information Commissioner's Office.

Information must also be published through the public authority's publication scheme.

YHN ICT and the Communications Team provide advice and operational support on all aspects of Freedom of Information – please email information.requests@yhn.org.uk providing as much detail as possible and the relevant member of staff will contact you.

3.2.1 Handling requests for official information

Only requests made in writing are covered by the Freedom of Information Act. Many requests for official information about YHN are informal and will be responded to at a local level as part of normal office routine, often by directing the requestor to our website or other published material. These requests do not need to be recorded as Freedom of Information requests.

All requests for information relating to the environment, including verbal requests, are covered by the Environmental Information Regulations. Even where these are responded to at a local level as part of normal office routine, these requests do need to be recorded as Environmental Information requests.

If you receive a request from an individual asking for official information about YHN which needs to be recorded in accordance with the criteria above:

• Familiarise yourself with the process flow diagram and understand that people have a right to access information about YHN
• Check and confirm the identity of the requestor
• Send a copy of the request to information.requests@yhn.org.uk

If you are asked to respond to a written request from an individual asking for information about YHN you must:

• Familiarise yourself with the process flow diagram in Section 3.2.2.
• Ensure that the request is satisfied within 10 working days.
• Have the response approved by the relevant Head of Service
• Send a copy of the response to information.requests@yhn.org.uk
• Send the response to the requester



3.2.2 Process flowchart for official information requests

[Flowchart. The boxes read:]

• YHN receives request for information via: Email, Fax, Telephone, Newcastle City Council’s Data Protection officer or in writing
• Refer information request to information.requests@yhn.org.uk
• information.requests@yhn.org.uk receives request for information via: Email, Fax, Telephone, Newcastle City Council’s Data Protection officer or in writing
• Decision: Is the request from a journalist, political researcher or other media professional? (Y / N)
• YHN ICT acknowledges and records request and discusses with Communications Team
• Communications Team contact requester and advise Chief Executive
• Chief Executive and Communications Team agree response
• YHN ICT acknowledges request in writing and records
• Identify responding officer and send copy of request
• Monitor progress and chase as required
• Responding officer investigates, drafts a response and gets it approved by the relevant Head of Service
• Send copy of response to requestor and copy information.requests@yhn.org.uk
• No further actions needed



3.3 Records management

3.3.1 Introduction

Information is a corporate asset and YHN must ensure that it protects its records throughout their business life, from creation to disposal. The records kept by YHN are unique to the organisation and must be authentic, reliable, complete, useable and have integrity. They are a record of business activities at YHN and must be maintained for business, legal and accountability purposes.

Records management procedures are needed to standardise the creation and management of records at YHN. This, in turn, will ensure that staff are not spending time looking for lost/misplaced records, that storage space is used more effectively, that the costs of managing records are reduced and that records vital to YHN’s operation on a daily basis are identified and secured.

YHN considers that a record is created when information related to YHN’s business activities is formally written down or electronically captured. Formal internal and external documents, and information held in YHN’s ICT systems are all ‘records’ and are covered by this guidance. It covers paper and electronic records, audio visual media, electronic communication (e.g. fax, email), floppy discs, CD-Roms etc.

3.3.2 Creation of records

All records should be given a short but meaningful name. This will ensure that records can be found and identified easily. The date of creation should be included in the filename, in the format YYYYMMDD. The name of the record should also be placed in the header or footer, so that when the record is printed, its name can be easily located.

3.3.3 Information classification and protective marking

All information created or used in support of YHN’s business activities is corporate information. It must be maintained in a secure, accurate and reliable manner and be readily available for authorised use. However, different security requirements apply to different types of information. We therefore classify information according to confidentiality and sensitivity.

All corporate information should also have a designated Information Owner (usually the relevant Head of Service or Director) who is responsible for determining the appropriate classification level and granting access to it. Access should be granted only when the requester needs to have access because of their formal responsibilities.

This section will help you to determine the classification of different types of information, and to determine the appropriate security requirements. Whilst the Government Security Classification includes three levels – OFFICIAL, SECRET and TOP SECRET – YHN uses only one. This is:

OFFICIAL

The majority of information that is created or processed by YHN. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media.

There is no requirement to mark routine OFFICIAL information, although doing so will make it clear to others that the type of information contained has been properly considered. Sensitive information on a need to know basis can be marked with an additional descriptor. This is detailed in the next section.

The originator or relevant Information Owner is responsible for applying the correct protective marking. When classifying information, regard should be paid to the requirements of the Freedom of Information Act. Careful consideration should be given before marking documents that would normally be published or disclosed on request.

The following points should be considered when applying a protective marking:

• Applying too high a protective marking can inhibit access, lead to unnecessary and expensive protective controls, and impair the efficiency of the business.

• Applying too low a protective marking may lead to damaging consequences and compromise of the asset.

• The sensitivity of an asset may change over time and it may be necessary to reclassify assets. If a document is being de-classified or the marking changed, the file should also be changed to reflect the highest marking within its contents.

3.3.3.1 Optional Descriptors

When protectively marking a document, an optional “descriptor” of SENSITIVE may be added to information that could have more damaging consequences if it were lost, stolen or published in the media. To reinforce the ‘need to know’, information should be conspicuously marked ‘OFFICIAL SENSITIVE’.


3.3.3.2 Classification guidance

Label: OFFICIAL SENSITIVE
NB: Should only be used in exceptional circumstances

Description: Compromise of information can or will have a severe impact on YHN (may be indirect, by claims of customers, suppliers, partners, or another external organisation).

Examples of information assets:
• Live investigations where there is a risk of immediate harm
• Serious case reviews

Impact level 4:
• Serious immediate risk / threat to any party’s personal safety
• Loss of major services leading to major financial losses (up to £100,000).

Label: OFFICIAL

Description: Compromise of information can or will cause serious or significant harm or distress.

Examples of information assets:
• Information on looked after children
• Witness protection information
• Safeguarding children and adults information
• Taped interview records
• Benefit fraud files
• Copies of authorised signatories’ signatures
• Business continuity plans
• Legal correspondence from Solicitors

Impact level 3:
• Risk to any party’s personal safety (e.g. the compromise of the address of a victim of abuse that now lives in sheltered housing, where it is assessed that there is a high risk of further abuse if such information became known to the original perpetrator).
• Likely to cause significant financial loss to any party (e.g. loss of £1000 to £10000 for an individual or sole trader, loss of £1000 to £100,000 for a larger business or organisation).
• Likely to cause prolonged distress for an individual, or short-term distress for many people.
• Likely to cause loss of reputation for many people or organisations.
• Business-wide disruption, compromise or flawed working of services which could pose an increased risk to health (e.g. spread of disease).
• Cancellation of multiple services to a number (up to 1000) of customers leading to financial losses (up to £10,000).

Label: UNCLASSIFIED

Description: Information that is destined for public access, or where the exercise of common sense by staff and managers should provide adequate protection.

Examples of information assets:
• Google searches
• Internal policies
• Leaflets
• Pay and Grading Structure
• Location and contact details of YHN offices
• Minutes from team meetings which do not contain sensitive information
• Staff Directory
• Draft documents where early release would not be detrimental to YHN

Impact level 0:
• Minimal impact
• May cause minor inconvenience to an individual
• Likely to have no impact or minimal impact (e.g. cost of sundries)


3.3.4 Maintenance

The safe and secure maintenance of vital documents for YHN’s operation is essential. Where possible, sensitive records which are paper based should be locked away in filing cabinets or lockable desk drawers. Sensitive records which are electronic should be password protected and/or encrypted. Electronic records need to be maintained in formats which will ensure that they remain available for future reference. The transfer of non-current records to an archive or records centre should be carried out in a controlled manner in order to ensure no loss, damage or theft occurs and that a record is kept of what has been deposited and when.

3.3.5 Information handling

The table explains the security requirements that are appropriate for information classified as OFFICIAL or OFFICIAL-SENSITIVE, and for unclassified information. For further guidance relating to the labelling, handling, transfer and destruction of information classified as OFFICIAL or OFFICIAL-SENSITIVE, please refer to YHN ICT.


Classification: OFFICIAL-SENSITIVE / OFFICIAL / Unclassified

Storage

OFFICIAL-SENSITIVE
Paper: Kept in a locked storage area or cabinet, only accessible by owner or person receiving the information.
Electronic: DO NOT copy or transfer to disk or memory stick. Store on YHN network, NOT on a local drive or C: drive. Use additional password protection if appropriate.

OFFICIAL
Paper: Kept in a lockable storage area or cabinet.
Electronic: Store on YHN network, NOT on local drive or C: drive. Only store on disk or memory stick by exception. Relevant Head of Service, Director must accept risk and removable device must be encrypted.

Unclassified
Paper: Can be stored on top of desk / in unlocked storage cabinets.
Electronic: Store on YHN network, NOT on local drive or C: drive. Can be stored on disk or memory stick.

Access rights

OFFICIAL-SENSITIVE
The relevant Head of Service, Director or corporate information owner decides who can have access – this should be on a need to know basis. Remove access when staff change roles. Electronic databases must have strong password access (i.e. upper and lower case letters used, in addition to a number alphanumeric). Do not give out information over the phone or pager.

OFFICIAL
Local manager decides who can have access – this should be on a need to know basis. Remove access when staff change role. Electronic databases must be password protected to prevent unauthorised access. Information can be discussed over the phone but identity of caller must be checked. If in doubt, arrange to call back using a trusted number.

Unclassified
No specific access restrictions.


Transfer

Approval of relevant Head of Service, Director or corporate information owner required.

Approval of relevant Head of Service, Director or corporate information owner required.

Paper:

Paper:

Normal Royal Mail post can be used.

Must be sent by recorded delivery post or courier special delivery and obtain transaction receipt.

Normal Royal Mail post can be used.

Use single envelope.

Address to specific recipient.

Can be sent via internal post.

Address to specific person.

Envelope does not need to be marked.

Mark with ‘OFFICIAL-SENSITIVE’ on outside of the envelope (for central or local government and agencies - NOT REQUIRED FOR MEMBERS OF THE PUBLIC). Keep record of recipients. Deliver in person for internal use – do not use internal post. NB: Incoming paper documents must be marked by the recipient and then treated as above. Electronic: For council staff (@newcastle.gov.uk addresses): send by standard email (email traffic between YHN and NCC is secure) For central government, police and similar agencies: send by secure email (GSX or CJSM) – contact YHN ICT Service Desk on 27766 for more information or to request an account.

Use sealed envelope for internal post. NB: Incoming paper documents must be marked by the recipient and then treated as above. Electronic: Information can be sent by standard corporate email. NB: Bulk transfers (more than 50 records): Approval of relevant Head of Service or Director, plus the Head of IT or authorised deputy. A signed NDA (non-disclosure agreement) and/or a TTP (Trusted third agreement for remote access to network) may be required. MUST NOT be placed on internet or on open pages of the intranet.

For non-government: contact YHN ICT Service Desk and request document be sent by encrypted email. NB: Bulk transfers (more than 50 records): Approval of relevant Head of Service or Director, plus the Head of IT or authorised deputy. A signed NDA (non-disclosure agreement) and/or a TTP (Trusted third agreement for remote access to network) may be required. MUST NOT be placed on internet / intranet. Fax – check telephone number and make the person receiving the fax aware in advance.

Paper:

Electronic: Transfer by normal email. Can be placed on internet / intranet.


Copying / Printing / Faxing

OFFICIAL-SENSITIVE
Permission of relevant Head of Service, Director or corporate information owner required. Keep copies to a minimum. Mark fax header as ‘OFFICIAL-SENSITIVE’. Cross check the fax number and ensure that the recipient is waiting ready for the fax.

OFFICIAL
Keep copies to a minimum. Cross check the fax number and ensure that the recipient is waiting ready for the fax. Fax header does not need to be marked ‘PROTECT’.

Unclassified
Keep copies to a minimum. Fax header does not need to be marked. Cross check the fax number.

Disposal

OFFICIAL-SENSITIVE
Paper: Use cross cut shredders or a secure disposal service.
Other media: Empty used fax rolls to be stored securely and returned to YHN Central Services. These will then be securely destroyed. CDs, DVDs, Audio tapes. Contact YHN ICT Service Desk on ext 27766 for guidance. Hard drives – contact YHN ICT Service Desk on ext 26677.

OFFICIAL
Paper: Use cross cut shredders.
Other media: Empty used fax rolls to be stored securely and returned to YHN House security. These will then be securely destroyed by Central Services. CDs, DVDs, Audio tapes. Contact YHN ICT Service Desk on ext 27766 for guidance. Hard drives – contact YHN ICT Service Desk on ext 26677.

Unclassified
Paper: Use cross cut shredders for any potentially sensitive information. Newspapers, leaflets, public documents can be recycled.

Labelling

OFFICIAL-SENSITIVE
Mark with ‘OFFICIAL-SENSITIVE’ in footer on every page. Ensure name of relevant Head of Service, Director or corporate Information Owner and document version number are clearly shown.

OFFICIAL
Mark with ‘OFFICIAL’ in footer on every page. Ensure name of relevant Head of Service, Director or corporate Information Owner and document version number are clearly shown.

Unclassified
Mark with ‘NOT PROTECTIVELY MARKED’ where appropriate.


3.3.6 Retention and disposal

Retention

YHN is required to keep records for business, legal and regulatory purposes. These records should not be retained for longer than is necessary. The retention action specified in the Retention Guidelines for Local Authorities should be followed unless a different retention action is set out explicitly in a corporate or local YHN policy.

Disposal

Disposal of records should be monitored and enforced – retaining unnecessary paper or electronic records wastes space and staff time. The Data Protection Act stipulates that records should be kept for no longer than necessary and regular destruction of data is required in compliance with the proposed retention schedule. Disposal takes two forms – destruction or archiving. Records that have no further value to YHN should be destroyed; records that are of organisational value should be archived.

Destruction

All records marked as OFFICIAL or OFFICIAL-SENSITIVE must be disposed of securely – they must be made either unreadable or unreconstructable. Paper documents should be cross-cut shredded, CD Roms/DVDs/floppy disks should be cut into pieces, audio/video tapes/fax rolls should be dismantled and shredded and hard disks should be dismantled and sanded so no access to the information can be obtained. Where electronic documents are stored on shared network folders, deletion of the document can be treated as secure disposal. Unclassified information can be disposed of in standard waste paper bins. A record of disposal should be kept – this is one of the stipulations of Section 46 of the Freedom of Information Act 2000.

Archiving

Records that need to be retained for any length of time, but do not need to be retained in the office for current use, should be archived securely. Within YHN this is provided by the Records and document management system.

3.3.7 Public access

Under Section 5.3 of the Public Records Act, it is stipulated that YHN should have ‘reasonable facilities’ which will afford the public access to public records. These facilities should provide the ability to inspect and obtain copies.


Records created by individuals should not be seen as personal documents, but documents owned by YHN. Therefore, these documents must be saved on a shared drive so all members of the department can have access to them i.e. work must not be stored on desktops, USB sticks or CD Rom, without the information being accessible on the shared area. YHN will ensure that records are accessible to relevant staff, secure from loss or damage, kept for no longer than necessary and disposed of in accordance with their classification.

3.3.8 Board and Committee Reports

In the past, YHN has used the term “Confidential” to identify reports containing sensitive information. This term should no longer be used for this purpose. Reports containing sensitive information should instead be labelled OFFICIAL or OFFICIAL-SENSITIVE, and will continue to be printed on pink paper. An optional descriptor (eg “Not for distribution”) may be used for the purposes of clarity.

3.4 Information security

3.4.1 Key DOs and DON’Ts

The following section explains the justification for some of the key DOs and DON’Ts of information security.

Password sharing

• Never, under any circumstances, share your login and password details for any ICT system with colleagues or anyone else.

There are three reasons for this.

1. It’s important that we maintain a complete audit trail of everything that happens on our ICT systems. We need to be able to trace each action back to an individual.

2. YHN’s policies on access rights are enforced through the allocation of logins – if a member of staff needs access to an application, it must be formally requested and approved.

3. The sharing of logins often breaches software licensing rules. If discovered, very large fines can arise from licensing infringements.

It may be easier to allow a colleague access for a number of reasons, but you could be liable if an incident occurs and it is traced back to your ICT system account. Tell your colleague that they should contact YHN ICT and they will prioritise the call if it is a simple case of resetting that person’s password.

Lock your PC

• Your keyboard should have a ‘windows key’ – by holding this key down and pressing the letter ‘L’, you can lock the screen in less than a second. Do this every time you leave your desk, even if you’re just walking across the office.

If you leave your PC unlocked, it’s possible for anyone walking past to access any applications you have open, to send email in your name, or to attempt to access inappropriate websites. Locking your PC provides protection to you and to YHN against these risks. This rule applies whether or not members of the public have access to your office.

Protect confidential and personal information whenever it leaves the office

See the Information Classification section of this document for more information about the kind of information that requires special protection. This classifies information by confidentiality (OFFICIAL or OFFICIAL-SENSITIVE).

• Following recent publicity, it is more important than ever that we do not put YHN’s reputation at risk by allowing confidential or personal information to leave the office in a way that would allow someone else to read it. There are simple and cheap ways to encrypt data securely which YHN ICT can advise you about.

As the use of USB memory sticks and laptops has grown, so has the risk to confidential and sensitive information. While information held on the YHN network is well protected, as soon as it’s copied onto USB memory that protection is reduced. If it leaves the office, virtually all protection is lost. Many staff will not have fully considered the associated risks – but must now do so.

• Deleting an unencrypted file from a memory stick or laptop does not erase the data – a hacker can easily recover deleted files. YHN ICT can provide advice on the secure wiping of memory and disk drives.

When a file is deleted, the data itself is not erased – the location and name of the file are simply removed from the file directory. The secure wiping of data from memory sticks, PCs and laptops requires special software.

• Do not transfer confidential or personal information onto home PCs or any other non-YHN equipment without the explicit authorisation of the information owner and YHN ICT. This must be requested by your line manager.


Home PCs, especially if connected to the internet, do not have the same protection from hacker attacks, viruses and other internet threats as YHN PCs connected only to our own network. If information were copied onto a vulnerable PC, a hacker might be able to copy or corrupt that information. For the purposes of flexible working, YHN ICT is able to provide staff with access to Netilla, which provides secure access to the YHN network while insulating the information being accessed from the PC. YHN ICT will not normally give permission for the use of a home PC to work with confidential or personal information other than via Netilla.

• Do not save confidential or personal information onto the hard drive (C or D drive) of your laptop computer unless YHN ICT has installed encryption software.

If a laptop is lost or stolen, the login password does not protect information held on the hard drive, which can be removed and read. Confidential and personal data must be saved to a drive on the YHN network, including user (U drive) folders. If an employee has a genuine need to work with confidential or personal information on their laptop while offline, YHN ICT is able to install encryption software to protect the information in the event that the laptop falls into the wrong hands.

• Do not save sensitive or personal information onto USB memory sticks or any other form of portable memory without the authorisation of the information owner. Where authorised, portable memory used for this purpose must either be secured when not in use in a locked cabinet or have encryption software installed by YHN ICT.

Information saved on a portable memory device can be accessed by anyone with access to that device unless encryption software is installed. Unless the portable device is always kept locked away, there is a risk of unauthorised access.

• Do not connect any personal equipment (for example, speakers, digital camera, USB memory sticks) to any YHN PC or other ICT equipment unless it has been purchased by YHN ICT or permission has been given to your line manager by YHN ICT.

Personal ICT equipment, especially if usually connected to home PCs, is vulnerable to viruses and other attacks. If connected to the YHN network following such an attack, the network itself could be compromised.

• Do not leave laptops in your car, even when locked.

For insurance purposes, laptops should never be left in a car unattended.

Non-business use of email and the internet



• All email and internet traffic (including attempts to access internet pages that are blocked by the system) are monitored and logged.

YHN’s email and internet monitoring policy can be found on the staff intranet in the YHN Information Policy.

• Never send by email, or attempt to access on the internet, anything that is illegal, malicious, pornographic, sexually explicit, in breach of YHN’s equality and diversity policies or likely to cause offence.

This instruction should require no further explanation. Disciplinary action should always be anticipated in the event that a member of staff breaks this instruction.

• Don’t use email and/or the internet for personal use except in your own time (when clocked out). Personal use in working time will result in disciplinary action.

YHN encourages all staff to become competent users of ICT, and recognises that the internet has the potential to support staff in all areas of YHN’s business. YHN therefore allows internet access to all staff on the request of their line managers. All new staff are automatically set up with email access. In return, YHN expects all staff to use these facilities responsibly. During the day, YHN recognises that staff may send and receive occasional personal emails and visit a small number of websites for personal reasons, but you must clock out first. Online access to the flexi system allows staff to clock in and out at their PC easily. If you wish to browse the internet or send personal emails during your lunch break, you must ensure you clock out first. Regular or significant personal use while clocked in may result in disciplinary action.

Removal or relocation of equipment

• Do not remove any ICT equipment from the workplace without the permission of your line manager.

• Do not relocate PCs, printers or other non-portable ICT equipment, or assign them to another member of staff, without the prior approval of YHN ICT.

YHN ICT manages a complete ICT asset register, recording which members of staff use each item of ICT equipment. We also track the software being used on each PC, or registered to each person. In order to maintain the asset register accurately, and therefore to ensure that we comply with licensing requirements and keep our equipment up to date, we need to know where each piece of equipment is and who is using it.


3.4.2 Passwords

Not all passwords are secure

If you use any personal online financial services websites (eg online banking) or other web-based systems you need to ensure are fully secure, always use a different password to access those systems to the passwords you use at work or for general web use. Hackers will sometimes try to extract passwords from websites with low security (online forums and lists, etc) in the hope that those passwords may work with high security websites such as online banking.

Password setting guidance

By following a few simple rules you can help make it difficult for unauthorised people to gain access to YHN’s computer systems. Do not use obvious things, for example, your own, your partner's, your child's or your pet's name, your telephone number, your car registration or anything that is easily recognised. Use a mixture of letters and numbers whenever possible. Use acronyms which only you know. For example ‘This Is A Good Idea For Passwords’ would be TIAGIFP.

Self-service reset password management system (SSRPM)

If you forget your log-on password, you can reset this yourself using the self-service reset password management system (SSRPM). This system will help to:

• Get you back on-line quickly

• Make sure that your password is secure.

You need to enroll before you can unlock your account or reset your password. For guidance on how to enroll into and use the SSRPM system please follow this link: SSRPM staff guidance.

3.4.3 Protection against virus and other threats

• All YHN PCs are protected by anti-virus software which is automatically updated as new threats become known.

• All YHN PCs are ‘locked’ to prevent users from installing software. All installations must be carried out by YHN ICT.

• All internet access is provided through a secure gateway.

• All email is scanned for viruses, inappropriate content and other threats.

3.5 Data quality

3.5.1 Introduction

Good quality data is essential:

to ensure we understand how well we are progressing towards our vision and discharging our corporate values

for sound decision making at all levels

to standardise communications for all systems, programmes and projects

for a reliable assessment of YHN’s performance

when working in partnership with other organisations or with other third parties, such as contractors (where appropriate, minimum data quality standards should be stated in all contractual arrangements)

in order to maintain credibility with external bodies, such as the Audit Commission and to ensure a high standard of performance against their inspection criteria

in order to ensure compliance with the 4th principle of the Data Protection Act i.e. that information must be accurate and up-to-date

in maintaining credibility with the public which YHN serves

for safeguarding children and adults

for accurate risk assessment.

Weakness in the quality of our data will mean that:

data could be misleading

decision making may be flawed

resources may be wasted

poor services may not be improved

policy may be ill-founded

areas where there is good performance may not be recognised and rewarded

the reputation of YHN could be damaged.

3.5.2 Data quality characteristics

There are six key characteristics of data quality:


Accuracy – Data should be sufficiently accurate for their intended purposes, representing clearly and in enough detail the activity or interaction. Errors should be promptly corrected, with evidence of an adequate audit trail whenever data is changed.

Validity – Data should represent clearly and appropriately the intended result. Data should be recorded and used using standard definitions, and the correct application of guidelines and rules.

Reliability – Data should reflect stable and consistent data collection processes and analysis methods across collection points and over time, whether using a manual or computer based system or a combination. This will ensure that progress towards targets reflects real change rather than variation in data collection methods.

Timeliness – Data should be captured as quickly as possible after the event or activity and must be available for the intended use within a reasonable time period.

Relevance – Data captured should be relevant to the purposes for which they are used. This will involve periodic reviews to reflect changing needs and priorities.

Completeness – All relevant data should be recorded and included. Missing, incomplete or invalid data should be identified, rectified and monitored to identify errors in the collection system. Appropriate solutions should be devised to prevent future recurrence.

3.6 Social media

3.6.1 Introduction

YHN and Newcastle City Council are working to create a vibrant, inclusive, safe, sustainable and modern European city. Contributing to online communities by tweeting, blogging, wiki posting, participating in forums, etc, is a good way to communicate with our audience. We believe participation through social media can empower us as professionals, innovators and citizens. However, it is also important to ensure that we balance this with our duties to our service users and partners, our legal responsibilities and our reputation.

3.6.2 Rules for engagement

Before you engage in social media on behalf of YHN such as Facebook, you must consult the Communications Officer within the Communications team. The Communications Officer will guide you through the best option.

Emerging platforms for online communication and collaboration are fundamentally changing the way we work, offering new ways to engage with customers, colleagues, and the world at large. It's a new way of interaction and we believe social media can help you to build stronger, more successful customer relationships. And it's a way for you to take part in local conversations related to the work we are doing at YHN and the things we care about.

When creating and managing YHN social media campaigns:

• All proposals for using social media applications as part of a YHN service (whether they are hosted by YHN, Newcastle City Council or by a third party) must first be agreed and then approved by the Lead Communications Officer within the Communications team.

• There must be a clear business case for the use of social media with objectives, measures and evaluation in place.

• The Request for Social Media form must be completed in the first instance and sent to Communications team for evaluation.

• Employees must use their business email address - @yhn.org.uk

• Colleagues who are considering social media campaigns should firstly consult the Communications team for guidance. Together the teams can ensure that the project has a clear purpose, fits into the existing communications plan, is suitable for the target audience they wish to reach and that they understand what the policy is with regards to branding and transparency.

• At this stage, maintenance and moderation of the channels should be discussed and the responsibility for the channel’s upkeep is with the service area. Failure to maintain high standards will result in the channel being removed.

• Although there is no formal training at present, the Communications team must be satisfied that any employee is adequately skilled and experienced to manage any campaigns.

3.6.3 Guidance on personal use of social media

• Keep work and personal content separate. For example, if you intend to use Facebook on behalf of YHN, create a work profile for work use only. Adding “At Yhn” to your surname helps to identify work profiles (e.g. Geof Ellingham At Yhn). Most of your Facebook friends are your real friends and you’d like to share things with them that aren’t always professional. For advice and guidance, contact the Communications team or YHN ICT team.

• On many social media sites, such as Facebook, the privacy and security settings are continually reviewed. Consider using the privacy settings of ‘Friends Only’ to help protect your identity. However, for assistance, refer to Facebook’s current guidance on controlling what you share at the following link: http://www.facebook.com/settings/?tab=privacy#!/privacy/explanation.php


3.7 Copyright law

3.7.1 Introduction

The Copyright, Designs and Patents Act 1988 gives the owner of the copyright (the creator or publisher) certain exclusive rights so that their permission must be obtained before an organisation (commercial or public sector) can reproduce (by digital copying, photocopying, scanning, storing or emailing) an extract of their work. If permission is not obtained the organisation risks infringing copyright and the potential costs associated with it.

Copyright law applies to YHN just the same as it does other public and commercial sector organisations. Most published content is protected by copyright. If YHN is found to be infringing copyright law the costs can be varied and damaging. Individual employees can be personally liable for infringement in certain circumstances.

3.7.2 Guidance on copyright

 

Ensure that any published material that you use within your own work, both electronically and on paper, is not subject to copyright restrictions. This includes material from books, magazines, newspapers, journals, newsletters, reports and a wide range of digital material including articles and images from many websites.



4. General advice and frequently asked questions

In this section of the Handbook you will find general advice and frequently asked questions to support you in your job.

4.1 Access to Official information

4.1.1 Frequently asked questions (basic)

1. What is Access to Official Information?
Access to Official Information refers to the general right of access that the public have to the information held by Your Homes Newcastle (YHN) and other public authorities. This right of access comes from legislation:
• the Environmental Information Regulations 2004 (EIRs)
• the Freedom of Information Act (FOIA)

2. Does the legislation apply to YHN?
Yes, they apply to all the organisations that make up the public sector. The Environmental Information Regulations cover more organisations as their definition of a public authority is very broad.

3. What’s the difference between the Act and the Regulations?
The Freedom of Information Act concerns all information except personal information (handled by the Data Protection Act) and environmental information. The Environmental Information Regulations provide the public with a right to request access to environmental information held by us.

4. What are the Environmental Information Regulations?
The Environmental Information Regulations 2004 provide a right of public access to environmental information. They enable compliance with the UK’s commitments under the UNECE Convention on Access to Information, Public Participation in Decision-making, and Access to Justice in Environmental Matters (the ’Aarhus’ Convention), and with the EU Directive 2003/4/EC of the European Parliament on public access to environmental information.

5. Who can make requests for information?
Anyone of any nationality is entitled to make a request for information, and no one need state their reasons for applying.

6. Who is likely to make a request for information?
Although the legislation is open to anyone of any nationality, the experience of other countries with similar legislation suggests that many requests are likely to come from the media and business.

7. Do we treat requests from different people differently?
No, all requests should be treated on an equal footing.

8. Who oversees/enforces the legislation?
The Information Commissioner’s Office. If the Information Commissioner finds that material has been incorrectly exempted from disclosure they can issue a decision notice in favour of release. The decision notice can only be overruled by a Cabinet Minister. Without the authority of a Cabinet Minister, failure to comply with a decision notice can cause the organisation to be treated as if it had committed contempt of court.

9. How does the legislation relate to the Data Protection Act?
If someone requests personal information about themselves or the information requested contains personal information then this information should be treated under the Data Protection Act. If someone requests information concerning another person this is likely to be exempt from disclosure.

10. Is this all new?
Not really – the Freedom of Information Act extends and formalises existing requirements. The non-statutory Code of Practice on Access to Government Information has been in place since 1994. The Environmental Information Regulations have been in force since 1992 and were revised for 2005.

11. What sort of information can YHN be asked for?
All YHN information is covered by the legislation, in every format: requests apply to emails, personal notebooks, miscellaneous collections of papers, as well as our registered paper and electronic files. The Act is fully retrospective. Information can be disclosed either in the form of existing documents or by extracting the specific information requested. The legislation gives a right of access to information rather than documents.

12. Can we ask why the applicant wants the information?



No, the information can be requested for any purpose. The legislation tells us to be applicant and purpose-blind.

13. What is a valid request for official information?
Requests for official information must be in writing (including emails) except requests for Environmental Information which can be verbal, and clear enough to enable us to identify and locate the information requested. However, if we need further clarification from the applicant in order to identify and locate the information requested, then we must tell the applicant what information we require in order to do so. We need not supply information where the cost of compliance exceeds an appropriate limit, nor where requests are too broad, vexatious or repeated.

14. What happens if we don't understand what information the applicant wants?
If we have a reasonable need for further information from the applicant in order to identify and locate the information requested, we have to tell the applicant what information we require. We are not obliged to supply the information to the applicant unless we are given the further information requested. Under the legislation, we have a duty to provide advice and assistance, where reasonable, to applicants in framing their requests.

15. Can we charge for access to the information?
Yes, the legislation provides for charging for access to information. However, we will continue not to charge for requests for information, unless the charge is set out in our Publication Scheme. We may charge for the cost of media/transit, photocopying etc where these are exceptionally high.

16. How long do we have to answer a request?
The legislation makes clear that all requests must be complied with promptly, but there is a deadline of 20 calendar days.

17. Can we refuse a request?
Requests for information must be clear enough to enable us to identify and locate the information requested. We may make further enquiries to deal with a request. We need not supply information where the cost of compliance exceeds an appropriate limit, nor where requests are too broad, vexatious or repeated.

18. What about exemptions?
The legislation does provide exemptions to disclosure of information. For the Freedom of Information Act eight exemptions are absolute, the rest are subject to the public interest test. For the Environmental Information Regulations all exemptions are subject to the public interest test.

19. What is the public interest test?


The public interest test means that information covered by certain exemptions must still be released unless it can be demonstrated that the public interest in withholding the information outweighs the public interest in disclosing it.

20. Do we have to tell the applicant why we have refused to supply the information?
If we decide not to disclose information in response to a request, the applicant is entitled to know why. We must give notice that we are not disclosing the information sought, or where appropriate, that we are relying on the ’neither confirm nor deny’ (that the information is held) provision. We must specify which exemption is being relied upon, and, if it is not obvious, explain why the exemption applies to the information in question. The notice that we give must contain particulars of our procedure for dealing with complaints, and particulars of the right to apply to the Information Commissioner for a decision.

21. Can applicants appeal against decisions refusing disclosure?
In the first instance they should complain to us and request a review of the decision, under our complaints procedure. We are obliged to give details of such procedures on decision notices. If this proves unsatisfactory they then may approach the Information Commissioner to investigate and adjudicate on the matter.

22. What about the 30 year rule?
The 30 year rule provides for the release of government records to the National Archives after 30 years unless an exemption applies. This will not change under FOIA. The only difference will be that some of the information will already have been released in response to FOIA requests.

23. Can I accept information in confidence?
We should only accept information from third parties in confidence if it is necessary to obtain that information in connection with the exercise of any of our functions. In addition, we should not agree to hold information received from third parties ‘in confidence’ which is not confidential in nature. And again, acceptance of any confidentiality provisions must be for good reasons, capable of being justified to the Information Commissioner.

24. Does the legislation apply to older information?
Yes. It applies to all recorded information held by YHN, regardless of when or how it was created or filed.


4.1.2 Frequently asked questions (advanced)

1. What types of request are there?
There are two types of requests: routine and complex. You will only need to refer complex requests to information.requests@yhn.org.uk

2. What are routine requests?
If someone is asking for routine information you hold about YHN’s business or the services we provide, there is no need to change the way you deal with the request, and no need to refer to information.requests@yhn.org.uk. The legislation is not intended to turn routine provision of information into a bureaucratic process. We do not want to spend time logging requests when the time spent logging is more than the time spent supplying the information. Therefore when requests are quickly answered in full (ie in a couple of minutes, eg over the telephone, by return to an email or posting a leaflet), then this procedure doesn’t apply.

3. What are complex requests?
It is important to create an audit trail for all complex requests by keeping a proper record of:
• requests which fall outside your normal course of business
• requests for information where you might refuse, eg sensitive, confidential information or a repeat request
• requests for information related to the policy making process
• requests on which it may be necessary to consult with others either within YHN or outside
• requests for large amounts of information or information which may be difficult to locate
• requests which seem unclear or too general to deal with, and where you will need to seek clarification from the applicant
• requests for information where a search is made but none is found.

4. What about a request that is both?
If the request is partly for routine information, and partly for more sensitive information that will need to be considered carefully before a decision is reached, you should release the routine material without delay and inform the applicant that the other part of their request is under consideration.

5. What is sensitive information?
Sensitive information can be thought of as ‘tricky issues’. Examples could be:
• controversial building schemes with local impact
• information that may have been exchanged in confidence
• relating to high profile issues, whether current or historical
• release of ministerial advice/correspondence.


6. What is Environmental Information?
Environmental Information is any information in written, visual, aural, electronic or any other material form which relates to:
(a) the state of the elements of the environment, such as air and atmosphere, water, soil, land, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;
(b) factors, such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases into the environment, affecting or likely to affect the elements of the environment referred to in (a);
(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in (a) and (b) as well as measures or activities designed to protect those elements;
(d) reports on the implementation of environmental legislation;
(e) cost-benefit and other economic analyses and assumptions used within the framework of the measures and activities referred to in (c); and
(f) the state of human health and safety, including the contamination of the food chain, where relevant, conditions of human life, cultural sites and built structures inasmuch as they are or may be affected by the state of the elements of the environment referred to in (a) or, through those elements, by any of the matters referred to in (b) and (c).

7. What are the Exceptions under the Environmental Information Regulations?

Exemptions from Disclosure under Regulation 12(3)
Information does not have to be disclosed if the information requested includes personal data of which the applicant is not the data subject and:
(a) disclosure would contravene any of the Data Protection principles or
(b) disclosure would contravene the right to prevent processing likely to cause damage or distress or
(c) YHN could claim an exemption if the person to whom it relates submitted a Subject Access Request.

Exemptions from Disclosure under Regulation 12(4)
Information does not have to be disclosed if:
(a) YHN does not hold that information when an applicant’s request is received
(b) the request for information is manifestly unreasonable
(c) the request for information is formulated in too general a manner and YHN has complied with a code of practice (if one exists) or has asked for more specific details and has provided any necessary assistance to the applicant
(d) the request relates to material which is still in the course of completion, to unfinished documents or to incomplete data, or
(e) the request involves the disclosure of internal communications.

Exemptions from Disclosure under Regulation 12(5)



Information does not have to be disclosed if the disclosure would adversely affect:
(a) international relations, defence, national security or public safety
(b) the course of justice, the ability of a person to receive a fair trial or the ability of YHN to conduct an inquiry of a criminal or disciplinary nature
(c) intellectual property rights
(d) the confidentiality of the proceedings of YHN or any other public authority where such confidentiality is provided by law
(e) the confidentiality of commercial or industrial information where such confidentiality is provided by law to protect a legitimate economic interest
(f) the interests of the person who provided the information where that person:
    (i) was not under, and could not have been put under, any legal obligation to supply it to YHN or any other public authority
    (ii) did not supply it in circumstances such that YHN or any other public authority is entitled apart from these Regulations to disclose it, and
    (iii) has not consented to its disclosure
(g) the protection of the environment to which the information relates.

To the extent that the environmental information to be disclosed relates to information on emissions, YHN is not entitled to refuse disclosure of that information under an exception referred to in paragraphs (d) to (g) above.

8. Are my emails covered by FOIA and/or EIRs?
Yes. The right of access under the Freedom of Information Act and the Environmental Information Regulations extends to all recorded information held by YHN, regardless of the format or storage medium. This means that emails in your YHN email account could potentially be disclosed in response to an information request. However, personal emails to friends, relatives etc which are not work-related would be exempt from disclosure, as they contain information relating to your private life.

9. What if I receive a request for information which I do not have?
You do not have the means to answer the request, but you must still take some action.
• If it is obvious that a request relates to another part of YHN, send it to that department as soon as possible. Let them know when the request arrived, as the 20 working day deadline for our response starts when a request is delivered to YHN, not when you forward it internally.
• If you aren't sure which part of YHN holds the information or whether YHN holds the information, contact information.requests@yhn.org.uk
• If you forward a request internally, it is good practice to inform the person who submitted the request of this fact, and to give them the contact details of the staff member or the Directorate to whom you have passed the request.

10. Do we have to disclose confidential information?
'Confidential' has a particular meaning, as far as the Access to Information legislation is concerned: it means information provided to YHN from an organisation or an individual outside YHN, whose disclosure in response to an information request would constitute an actionable breach of confidence (ie one for which we could be sued). Such information is exempt from disclosure. However, this exemption does not apply to information created within YHN (including information transferred from one part of YHN to another), or to information which is merely sensitive. Sensitive information may be subject to an exemption, but it cannot be assumed that all internally generated information labeled as 'confidential' is exempt from disclosure. The key point is that, regardless of how we classify it, information can only be withheld if a valid exemption/exception applies. For example, YHN Board minutes may have to be released in response to a request, if there is no relevant exemption that would justify not providing the information to the applicant.

11. What happens if someone tries to split a big request into lots of little requests?
If we receive identical or similar requests within 60 working days from the same person or from a group of people who appear to be acting together (eg as part of a campaign), we can treat them as if they were a single request for the purpose of determining whether the time required to locate and extract the information would exceed the "appropriate limits" (see Handling with requests for information). We still need to respond to each enquiry individually, but we may refuse to comply if the cost of responding to all the requests would exceed the appropriate limit.

In certain circumstances, we may refuse to respond to multiple requests from the same person or a group of people on the grounds that the requests are vexatious. This exemption under FOIA can be applied regardless of whether the requests arrived within 60 working days of each other. A typical example would be a pattern of nuisance or trivial requests which appear to be designed to consume staff time. Contact information.requests@yhn.org.uk if you have received what you believe to be a vexatious request, as we need to have valid grounds for invoking this exemption.

The EIRs do not contain any equivalent to vexatious. However, we do not have to respond to EIR requests which are "manifestly unreasonable", and this could be used to refuse to comply with requests which are clearly vexatious.

12. Can we destroy information which has been requested?
Only if you can demonstrate that the information would have been destroyed anyway under a policy or procedure which existed before the request was received. For example, if a retention schedule specifies that a class of information should be destroyed after a certain number of years, it can still be legally destroyed if its destruction date happens to fall in the period after a request has been received but before a response has been sent. However, it would be good practice in this situation to avoid destroying the information until the request had been answered.

Under no circumstances should you deliberately destroy information which has been requested in order to prevent its release. Doing so is a criminal offence under the legislation for which you could be held individually liable as well as YHN.


13. Are research materials covered by FOIA or EIRs?
Yes. However, there are a number of exemptions which could potentially be applied should a request be received. These include the exemptions/exceptions for:
• Information accessible by other means, if the results of the research or the raw data behind it have been published.
• Information intended to be published, if an intention to publish the research was formed before the request was received.
• Personal data, information provided in confidence or commercially sensitive information, in respect of certain types of research data (eg information supplied by interviewees or survey respondents).

In addition, any information supplied in response to a request will continue to be subject to copyright protection. This means that if research materials have to be released, the person who receives the information will not be able to re-use it without permission except in a very limited way, as permitted by copyright law.

14. Can my personal information be released under the legislation?
If you are seeking information about yourself, you cannot do so under the Freedom of Information Act or the Environmental Information Regulations. There are exemptions for data about the person making the request, because individuals have a right of access to data about themselves under the Data Protection Act. This means that if you submit a request for information about yourself, you will be asked to re-submit your request as a Data Protection Act request.

Certain limited categories of information about individuals can be released to third parties in response to requests. The Information Commissioner has indicated that it is reasonable to release:
• Basic details about staff, such as name, job title, responsibilities and work contact details. YHN already publishes much of this information in newsletters, annual reports and on its website.
• The salaries and business expenses of senior staff, and grades of more junior staff.
• Information about decisions and actions taken by individuals in an official or work capacity. This is fundamental to the accountability aspect of Access to Information. (For example, if a staff member's name appears as the author or recipient of a work related letter or email which has to be released, the identity of the author or recipient will also be released).

In certain situations, we may be able to withhold information in the above categories. For example, we could refuse to release a staff member's contact details or information about decisions made by them if disclosure would be likely to endanger their health or safety.

Other types of personal information will not normally be released without the permission of the person who is the subject of the data. Doing so would be likely to contravene the Data Protection Principles set down in the Data Protection Act, and would therefore be subject to exemptions/exceptions in Access to Information legislation.

15. Can references be released?
If a request is received from the person who is the subject of the reference, they will be asked to re-submit their request as a Data Protection Act request. Under the Data Protection Act, a right of access only exists to references received by YHN, not to references produced by YHN. The information can only be released without disclosing personal information about other people, such as the referee.

16. What happens if we fail to comply with the legislation?
If we fail to respond to a request, or we handle it in a way with which the applicant is dissatisfied, they have the right to ask for a review of their case under our internal appeal procedures. See our Complaints and Comments Policy for information about these procedures. If the applicant's appeal is upheld, any information which has to be released is to be provided as soon as possible.

Applicants can also appeal to the Information Commissioner, who monitors compliance with the Access to Information legislation. The Commissioner will require them to have gone through our internal appeal process first. The Commissioner will investigate the circumstances of the case, and will issue a Decision Notice upholding or rejecting the appeal. If the appeal is upheld, the Decision Notice may require us to release information to the applicant. We and the applicant have the right to appeal the Commissioner's decision to the Information Tribunal, whose decisions can be appealed to the courts on points of law.

The Commissioner also has the power to investigate whether our handling of information requests and our management of our records conform to two codes of practice issued by the Lord Chancellor under the Freedom of Information Act. If the Commissioner determines that we are failing to abide by the codes, he can issue a non-binding Practice Recommendation specifying the steps which YHN should take to conform.

Staff should also note that the legislation makes it a criminal offence to deliberately destroy, amend or conceal information which has been the subject of a request in order to prevent its release. Individual staff can be held liable for this as well as YHN.

4.2 Information security

4.2.1 Email and Calendar good practice guidelines

A. Email

We are exchanging more email than ever before and we have become accustomed to using it in an informal way; however, the same guidelines apply to email as to other written documents.

• Before you start writing, think about whether you actually need to send an email. A phone call gets an instant response and may resolve your issue quicker.
• Make an email as short and to the point as possible. Sometimes one sentence can be enough.
• Before you send your message, check your spelling and grammar. Mistakes can confuse your message, and can give the recipient a poor impression of YHN.
• Make your email accessible to everyone by using the YHN standard font which is Arial with a size of at least 12 point. Use black text on a white background. You would not send a business letter using lots of different fonts and colour, so avoid it in email. Styled text is not supported by all email software and so may be difficult or impossible for the recipient to read. Click here for “Can you see it making documents accessible”
• Do not put into email what you wouldn’t put into print. If you have an ‘issue’ it can sound unintentionally harsher when put in an email; a telephone call to discuss a matter is often a better option. Always read your emails through to ensure that they make sense.
• Include a standard signature file at the bottom of all your messages as below.

Forename Surname
Job Title
Your Homes Newcastle
Your Section, Your Directorate, (Address e.g.) YHN House, Benton Park Road, Newcastle upon Tyne. NE7 7LX
email: an.other@yhn.org.uk
website: www.yhn.org.uk
telephone: 0191 278 8645
fax: 0191 278 9999
Your Homes Newcastle Limited. Registration Number 5076256. Registered in England and Wales
Registered Office: Newcastle Civic Centre, Barras Bridge, Newcastle upon Tyne. NE1 8PR
A company controlled by Newcastle City Council.

• Use the ‘high importance’ option sparingly. The more you use it, the less likely it is that people will take it seriously.
• Only send your email to the people that need to receive it. There are many ways we can share information, such as the YHN Intranet, team meetings, Rewind.
• If you’re copying other people into an email with more than one recipient, or introducing new staff members into an email exchange, tell them why. Try to make clear whether you want them to act on the issue that’s being discussed or whether the issue is significant to them and you just want to keep them informed.
• Try to check your email at least twice a day.
• If you receive an unwanted email please delete it immediately. If you feel that it is inappropriate or offensive then please forward it to yhn@service-now.com.
• Do not use text message language. It may be appropriate for the size of a mobile phone screen, but email grammar should conform to the standards used for other business documents.
• DO NOT TYPE IN UPPER CASE … or in red as it makes your message more difficult to read, as well as looking as if you are shouting.
• Do not type in italics or use underline.
• Text should be aligned to the left (not fully justified).
• If you’re sending something really important that you need to make sure is delivered, there may be a better way to send it. It is not possible to guarantee delivery, or speed of delivery, especially for messages going to people outside of YHN. You should also bear in mind that the recipient can choose not to open the message immediately.
• Avoid sending email with large attachments, especially to many people. There may be other ways to distribute this. Attachments such as pictures, databases, executable files and those over 10MB in size are automatically stopped by the server.
• Avoid printing email or following up email with printed copies.
• Check the list of people the email has already been circulated to before forwarding it again to avoid duplicate copies.
• Restrict the use of email-to-all messages and reply-to-all messages. There are a number of targeted groups that you can use. You can see these by searching the Address Book for “YHN”.
• Do not send an email just to thank somebody for doing something discussed in a previous email.
• Do not try to access and use web based email such as Hotmail (these should already be blocked by the internet server). If you need access to web based email for business purposes, ask your manager to request access from the YHN ICT Service Desk.

B. Calendar 

Try and add a short note about what the meeting is about. You can put this in the message window. This will help people decide what they need to prepare for the meeting, and confirm whether they are the correct person to attend.

Only invite people to your meeting that need to attend! As with email, it’s good to involve people, but there are other ways of sharing information – team meetings, Housing Service News – that you can use.

Attach papers for the meeting onto the appointment. This lightens the burden on the email system.

All staff have the right to take at least 30 minutes break at lunch time, so avoid burdening someone with too many appointments around lunchtime.


Similarly try and give people a chance to get from place to place. Try and check where your recipients’ adjacent meetings are, and try to give them a break in between where possible. If they are travelling across town to attend your meeting try to give them 30-45 minutes for travelling.

If your meeting is taking place in YHN House try and book your room at the same time. You can do this by asking a member of the Administration Team at YHN House to set the meeting for you. Tell them how many people are expected to attend. This will help them select a room appropriate to the size of the group.

Ensure your calendar is open to everyone. Contact YHN’s ICT Team if you need help to open your calendar. If there is something that you don’t want anyone else to see create a private appointment.

Calendar permissions should be set as follows:
o Calendar tab
o Share my calendar… link
o Highlight the ’default’ entry
o Select “Reviewer” from the drop-down against Permission Level
o Click OK

4.3 Making Information Accessible to Customers

As part of our on-going commitment to help people access our services, YHN offers a number of facilities to assist customers who require information in different formats. Examples include: easy read, large print, braille, audio tape or a translation. We can also arrange for a British Sign Language interpreter, or provide telephone or face to face interpreting. Further guidance is available from the Communications Team based at YHN House or via the Making Information Accessible Policy on the intranet.



5. Glossary of terms

Note: This glossary will be developed during the implementation of the Information Policy based on feedback from staff.

Term: CJSM
Explanation: Criminal Justice System Mail – a secure email system used for communication between agencies dealing with crime-related information.

Term: USB Memory Stick
Explanation: A small storage device which can be inserted into a slot on a PC and acts like an internal disk drive to allow information to be moved easily from one place to another.



6. Key contacts

Data Protection/Freedom of Information Requests (YHN ICT Service Desk)
Telephone: 0191 278 7766
Email: information.requests@yhn.org.uk
Address: YHN House, Benton Park Road, Newcastle upon Tyne NE7 7LX

Geof Ellingham (Head of IT, Data Protection Officer)
Telephone: 0191 278 4392
Email: geof.ellingham@yhn.org.uk
Address: YHN House, Benton Park Road, Newcastle upon Tyne NE7 7LX

Martyn Burn (Tenancy Services Information Governance Liaison Officer)
Telephone: 0191 278 8599
Email: martyn.burn@yhn.org.uk
Address: YHN House, Benton Park Road, Newcastle upon Tyne NE7 7LX

Louise Horsefield (Corporate Services Information Governance Liaison Officer)
Telephone: 0191 278 8720
Email: louise.horsefield@yhn.org.uk
Address: YHN House, Benton Park Road, Newcastle upon Tyne NE7 7LX

Jen Vinton (Property Services Information Governance Liaison Officer)
Telephone: 0191 278 8789
Email: jen.vinton@yhn.org.uk
Address: YHN House, Benton Park Road, Newcastle upon Tyne NE7 7LX

Information Commissioner’s Office
Telephone: 0303 123 1113
Email: casework@ico.gsi.gov.uk
Website: http://www.ico.gov.uk/
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

