Members information security policy

Policy summary

This summary provides a brief overview of the policy. It is not intended as a substitute for reading the complete policy but to provide a quick reference:

Introduction

Information security means safeguarding information from unauthorised access or modification to ensure its:

Information security is everyone’s responsibility.

Enfield Council’s elected Members need to protect all information assets from risks posed by inappropriate use. This includes protecting devices and information from unauthorised or unlawful access, accidental or deliberate loss, damage, theft, disclosure or destruction.

This policy applies to elected members of the Council.

There is also a specific Staff Information Security Policy which includes most of the content of this document.

This policy applies to all types of information, including, but not limited to:

All members using Council’s systems should be made aware of and be expected to comply with this policy and need to understand that the following UK legislation is relevant to information security:

A serious breach of this policy may lead to:

Compliance with this policy is part of your responsibility as a councillor of Enfield Council. All incidents will be investigated and action may be taken to safeguard the Council and Councillors from legal action.

Breaches of this policy may amount to a breach of the Council’s Code of Conduct for Members. The application of this policy shall be a matter for the Council and for the Councillor Conduct Committee and, as appropriate, the Monitoring Officer, acting in accordance with their terms of reference.

A formal complaint may be made to the Monitoring Officer, who will review the complaint, consult with appropriate parties and then give their decision on how the complaint will be dealt with.

Additionally, breaches of law, such as the Data Protection Act, could lead to fines being issued and possible criminal or civil action being taken against the Council and/or the individual(s) involved.

Aims and objectives

This policy aims to:

Using and protecting our assets

The Council encourages its stakeholders to seek innovative ways of using information technology to improve the way services are provided. This needs to be balanced with the need for information security, making sure that risks are managed and that assets are not used inappropriately.

The basic rules that apply are:

Further information about using our IT equipment can be found in the Acceptable Use Policy, available on the Member’s Portal.

Provision of council IT equipment

The Council’s DS security arrangements are in line with central government’s Public Services Network (PSN) Authority requirements, industry best practice (ISO 27001) and the privacy laws. This document serves as an abridged version of the framework. As part of this, all councillors are required to sign the form in the Privacy, Confidentiality, and Information Security Agreement at the end of this document.

The Council provides councillors with technology to assist in the performance of their duties, which includes laptops, tablets and smart phones together with software and materials for use with the devices. Anyone using the Council’s equipment is required to undertake in writing that they observe and will comply with the procedures and protocols set by the Council as set out in this document.

The Council will provide devices that are security hardened, to enable the councillor to access services required for their role.

The Council provides the devices together with ancillary equipment and materials required, for the councillor’s functions as a councillor. Use of this equipment by anyone other than the councillor to whom it is issued is not permitted.

Support for the device will be limited to resolving any issues with accessing Corporate information systems and will be provided by the authority’s DS section by telephoning the Digital Services Councillor support 020 3880 2430 between the hours of 8am to 5pm – Monday to Friday or email ds.cllr.support@enfield.gov.uk. For any other IT issues, you can contact DS Service Desk on 020 8379 4357.

If you have any problems the equipment will need to be returned to the Civic Centre for inspection of faults, repair or replacement. Before coming into the Civic Centre please ring the Digital Services Councillor support line on 020 3880 2430 to arrange an appointment.

Only Council equipment will be supported by the Digital Services Councillor support Line. The Council cannot provide any support for a Member’s own personal equipment.

All DS equipment provided by the authority remains the property of the Council and must be returned at the end of the election term.

Using your council IT equipment

Councillors are required to act in accordance with the Council’s requirements when using the resources of the Authority. IT equipment must not be used for purely political purposes but may be used where part of the purpose could reasonably be regarded as likely to facilitate or be conducive to the discharge of the functions of the Authority or of an office to which the councillor has been elected or appointed by the Council. Constituency work, for example, is regarded as proper use of the facilities provided, subject to notification to the Office of the Information Commissioner under the Data Protection Act 2018.

The Council is prohibited by law from publishing any material of a party political nature. If a councillor uses their IT equipment for the preparation of material of a party political nature in pursuance of Council duties they must do so in a way which is not attributable to, or appears to be on behalf of the Council. No costs should be incurred by the Council as a consequence of publication of any party political material by a councillor using IT equipment provided at the expense of the Council.

A councillor must not use IT equipment provided in any manner which will prevent or interfere with its primary purpose as a facility to assist in the discharge of the functions of the Council. Accordingly, the councillor must not:

The councillor shall make reasonable arrangements for the safe-keeping of the computer.

Using a council issued device

If you are using a Council issued laptop then you will be able to access the Council’s network from your laptop. If you are using a council issued iPad or phone you will not be able to access the Council’s network but will be able to access email and documents.

Information created or collected as part of working for Enfield Council is the property of the Council. Work related information should be saved to an individual’s personal Documents folder on the Council network so that it can be stored securely, or the Council provided externally hosted OneDrive folder if available.

Councillors should not store Council data on their own personal machines - data should only be accessed through the network. The Council cannot recover information stored on devices if the devices are lost, damaged or stolen. Please note that any documents that contain personal or confidential Council information must not be stored externally on member’s own device or a personal hosted storage service excluding the OneDrive service provided by the Council. These include, but are not limited to other OneDrive services, Dropbox, iCloud, Amazon etc. Data stored in these services may not be held in countries allowed by the UK Data Protection law for personal data, and storage in them may put the councillor at risk of breach of law.

All data stored is the property of Enfield Council. There should be no expectation of personal privacy on Council owned devices and the Council may require access at any time to carry out its investigations with the approval of the Chief Executive.

Personal information about others held is also subject to the Data Protection law and may need to be disclosed to the person who the information is about, if they make a request to see it.

Using removable media

The Council has a policy of restricting the use of external hard drives, USB sticks, digital memory cards and CDs/DVDs to meet our Information Security requirements. These, and any other data storage device that can be added and removed from a devices are called 'removable media'.

A Council issued laptop will be able to read removable media. You will also be able to copy files, images etc. from these devices onto the network drive for work related purposes.

Using removable media should be restricted to non-sensitive data wherever possible. However, if you need to put sensitive data on removable media you must ensure that the data is encrypted. The Council will provide you with a USB memory stick that will be encrypted and password protected prior to use for this purpose. If you lose your USB stick you must report it as a security breach.

The use of non-Council removable media is only permitted in the circumstances where you need to use removable media from a third party (for example, someone from another organisation wishes to show a PowerPoint presentation). You may use this media only to read the required data from the device.

NO personal data may be put onto a removable media device unless encrypted. If you wish to share data with others via removable media, please telephone the Digital Services Councillor support on 020 3880 2430 if you need further advice.

Reporting security incidents

An incident is an event that could cause damage to the Council’s reputation, service delivery or persons. This could be a lost laptop or paper case file, a virus on the network or a damaged piece of hardware.

It is everyone’s responsibility to ensure the safekeeping of any Council information or equipment in their control. Any theft or loss of any data or Council issued device used for Council business, email or containing Council related information must be reported to the Digital Services Councillor support on 020 3808 2430 immediately so that action can be taken to limit any potential loss of data and costs.

Once the incident has been reported to the Digital Services Councillor support as above, the Information Security Incident / Risk Reporting Form, available on The Member’s Portal, needs to be completed and sent to the Information Security team as detailed in the form. This needs to be done at the earliest opportunity.

The Council also needs to act where potential incidents are identified. Where ‘near misses’ occur, these should be reported to Digital Services Councillor support Manager and a local decision taken as to whether the cause of the ‘near miss’ is one which could involve the enhancement of the policy or the process. If this is the case the Information Security Incident / Risk Reporting Form should be completed.

If you need further advice contact the Digital Services Councillor support Line on 020 3880 2430 between the hours of 8am to 5pm – Monday to Friday or email ds.cllr.support@enfield.gov.uk. For any other IT issues, you can contact DS Service Desk on: 020 8379 4357

Internet use

Enfield Council provides access to the information resources on the Internet to help Members carry out their role. The Internet must be used for lawful purposes only and you must comply with relevant legislation.

Internet services are provided to Members to help the Council improve services to customers and must be used for Council-related purposes. This includes:

Internet access from the Council’s network for personal use is at the Enfield Council’s discretion and should not be assumed as a given. Any misuse of this facility can result in it being withdrawn. Reasonable personal use of the Internet from a Council issued device is permitted.

We expect Members to use the Internet honestly and appropriately, to respect copyrights, software licensing rules, property rights, privacy and prerogatives of others, just as in any other business dealings.

All existing Council policies apply to your conduct on the Internet, especially (but not exclusively) those that deal with privacy, misuse of Council resources, sexual or racial harassment, information and data security, confidentiality, and those included in the Code of Conduct for Members.

Any misuse of the Council’s internet facilities could be referred to the Monitoring Officer or the Councillor Conduct Committee and possibly for criminal prosecution.

Council systems and equipment, including email and Internet systems and their associated hardware and software, are for official and authorised purposes only. However, personal use is authorised in cases where it:

You should consider carefully discretionary use for any other purpose.

You may use the Council’s Internet facilities for personal purposes as set out above, but you may not access any illegal material, obscene or pornographic sites, and may not access or use information that would be considered as harassment. Council facilities must not be used in an unlawful way.

A wide variety of materials may be considered offensive by colleagues, customers or suppliers. It is a violation of Council policy to store, view, print or redistribute any document or graphic file that is not directly related to your role as Councillor or to the Council’s business activities. This should be understood with reference to the Council’s policy framework, including the Equal Opportunities policy.

Some uses of the Council connection to the Internet can never be permitted. Internet use is inappropriate when it:

It is impossible to define all possible unauthorised use. However, examples of other unacceptable Internet use include:

All Council Internet users are prohibited from transmitting or downloading material that is obscene, pornographic, threatening, racially or sexually harassing, or in any way contravenes the Equal Opportunities policy.

You may not visit sites known to contain offensive material. If you access an offensive site accidentally you must forward its address to the Digital Services Councillor Support Manager within one working day of access or as soon as practical. We block access to known offensive sites.

You may buy or sell on the Internet. However, there are personal risks attached to this. See the Council’s web site under Trading Standards for guidance.

If you commit the Council to a contract by electronic means without due authority, the Council may seek to recover any losses or expenses from you.

Use of interactive software (such as games) across the Internet is prohibited.

For compliance with standards, the Council’s security software must record the Internet address of any site visited and keep a record of file transmission or reception. Any message sent or received may be recorded and stored in an archive file. This information will be used in the event of an investigation by the Council or other duly authorised bodies.

Email use

The email system is for Council business use only. However, the Council understands that Members may also need to send or receive personal emails using their work address.

If you are found to be deliberately misusing email you will be referred to the Monitoring Officer or the Councillor Conduct Committee.

All electronic messages created and stored on Council computers or networks are the property of the Council and are not considered private.

The Council retains the right to access user electronic mail if it has reasonable grounds to do so. The Council may retrieve email messages even though the sender and the reader have deleted them. The contents of electronic mail will only be accessed or disclosed for security purposes or as required by law.

Council business by email can only be conducted using the provided Enfield email account (for example, no Hotmail or Google mail account can be used for Council business). Communicating with external individuals or organisations as required is permitted from the Enfield email account.

The Council does not automatically forward Council emails to personal email accounts. This is to ensure the authority complies with the Government’s Public Services Network (PSN) Code of Connection. Also, the Council will only send emails to a councillor at the @enfield.gov.uk email address.

Members will need to use their own personal email account if they do not wish to use the Council email account to conduct non-Council related Member duties.

Members will be provided with a Council issued laptop or iPad, and smart phone to access their Council email and store a limited amount of Council data on these devices. Data should be stored on the network as soon as possible to prevent loss of data if the device is lost or stolen. The devices will be encrypted to a standard required by the PSN Code of Connection as well as the Information Commissioner’s Office in order to meet the requirements of the privacy law.

Sending emails within the Council email system is secure. Sending emails externally is not secure and they can be intercepted and viewed by unauthorised people. Secure email must be used when emailing information to external agencies or individuals when the content of the email includes:

Personal or sensitive business information must not be sent to an email address outside of Enfield Council, unless it is absolutely necessary and the transmission is secure. This can be done using Egress Switch secure email and the Council can provide all Members with an Egress Switch account providing they use the Council email account.

Further information about transferring information securely can be obtained by contacting the Digital Services Councillor support line on 020 3880 2430.

Social media

Social media is the term used for online tools, websites and interactive media that enable users to interact with each other by sharing information, opinions, knowledge and interests. Applications include for example, but are not limited to:

Members must ensure that they use social media sensibly and responsibly, in line with corporate policy. They must ensure that their use will not adversely affect the Council or its business, nor be damaging to the Council’s reputation and credibility or otherwise violate any Council policies. The following risks have been identified with social media use (this is not an exhaustive list):

In light of these risks, the use of social media sites should be regulated to ensure that such use does not damage the Council, its employees, councillors, partners and the people it serves.

Members are personally responsible for the content they publish on any form of social media. Publishing or allowing to be published (in the form of a comment) an untrue statement about a person which is damaging to their reputation may incur a libel action.

Social media sites are in the public domain and it is important to ensure you are confident of the nature of the information you publish. Once published, content is almost impossible to control and may be manipulated without your consent, used in different contexts, or further distributed.

Members should make use of stringent privacy settings if they don’t want their social media to be accessed by the press or public. Read the terms of service of any social media site accessed and make sure you understand their confidentiality/privacy settings.

Do not disclose personal details such as home addresses and telephone numbers. Ensure that you handle any personal or sensitive information in line with the Council’s Data Protection Policy.

Do not publish or report on meetings which are private or internal (where no members of the public are permitted or it is of a confidential nature) or are Part 2 reports (which contain confidential information or matters which are exempt under the provision of the Local Government (Access to Information) Act 1985).

Copyright laws still apply online. Placing images or text from a copyrighted source (for example, extracts from publications or photos) without permission is likely to breach copyright. Avoid publishing anything you are unsure about or seek permission from the copyright holder in advance.

Don’t send or post inappropriate, abusive, bullying, racist or defamatory messages to members of the public, other councillors or officers.

The Council will not promote councillors’ social media accounts during the pre-election period.

In any biography, the account should state the views are those of the councillor in question and may not represent the views of the Council.

Do not use the Council’s logo, or any other Council related material on a personal account or website.

Social media must not be used for actions that would put councillors in breach of the Council’s Code of conduct for members. For example, don’t publish on social media something you wouldn’t say face to face, or at a public meeting.

Be aware of your own safety when placing information on the internet and do not publish information which could leave you vulnerable.

Anyone receiving threats, abuse or harassment via their use of social media should report it to their political group leader, members’ services and/or the police.

It is recommended that in the case of Facebook, councillors wishing to keep their personal life and role as a councillor separate create a Facebook page which members of the public can like rather than using their personal profiles.

Councillors are reminded that in respect of social media, they are governed by the Code of conduct for members and relevant law.

The Council reserves the right to request the removal of any content that is deemed to be in breach of the Code of Conduct for Members.

Telecommunications

The Council may provide Telecommunication Services for Members to facilitate the performance of their work for Enfield Council. Users should not have an expectation of privacy in anything they create, send, or receive on telecoms equipment including tablets and smart phones. However the authority of the Monitoring Officer or the Chief Executive will be sought before officers review any councillor’s email and voice communications using Council equipment.

All use of phones must be in accordance with the Telecommunications Acceptable Usage Policy, available on The Member’s Portal.

Details of calls made (for example, sent to/from, date, duration and cost) are recorded on all mobile and fixed line telephones. It will be assumed that all telephone calls or Short Message Service (SMS) messages made or received on Enfield Council equipment, are for business purposes unless the contrary is indicated.

Internet Usage and access from Mobile Smartphones and Tablets and connecting by Enfield Council Mobile data contracts is included in this policy. Use of mobile Apps is also intended for business purposes and included in this policy.

Only software licensed by Enfield Council and approved by Corporate IT may reside on Enfield Council computer equipment.

Calls, texts and data usage on mobile phones should only be for business purposes. Data limits are set on mobile contracts, and excessive usage over these limits and out of normal working hours or usage abroad will be subject to interrogation. You may be liable to pay charges incurred if usage cannot be shown to be for Council business.

If Council equipment is being used abroad (see Section 15. Access from Overseas) then Members should use Wi-Fi services wherever possible if this is deemed to be safe to avoid excessive charges being incurred. If Wi-Fi services are not viewed as secure then Council equipment must not be used to access the Council network and email system. Connecting to an unknown publicly available Wi-Fi and sending emails or logging into systems can expose usernames, passwords and confidential information to criminals.

It is everyone’s responsibility to ensure the safekeeping of any telecommunications equipment in their control. Any theft or loss of any mobile device used for work email or containing work related information must be reported to the Digital Services Councillor Support Manager or the DS Security Manager by completing the Information Security Incident / Risk Reporting Form, available on The Member’s Portal.

Access to systems

It is a criminal offence under the Computer Misuse Act 1990, to deliberately attempt to access a system which you have no authority to access. DS Services regularly monitor systems and unauthorised attempts at accessing systems may be investigated.

It is also a criminal offence under the privacy law for any person to knowingly or recklessly obtain, disclose, sell or offer to sell personal information, without the permission of the data controller (Enfield Council). This is subject to certain exemptions.

Members of the public and employees are entitled to see what information is held about them by Enfield Council. This includes handwritten notes, emails and any other information held electronically or in paper form. Always ensure that information is recorded in a professional manner.

Further information about Data Protection and its implication for information security can be obtained from the Digital Services Councillor Support Manager

Access from overseas

Access to the Council’s network from overseas is subject to additional controls to ensure compliance with relevant legislation, including the privacy law, and this may place additional personal liability on to Members.

Members are their own Data Controllers and as such have responsibility for any personal data involving their residents that they may access from abroad and need to ensure that any access to residents’ personal data do not breach the requirements of the privacy law.

Due to legal restrictions created by the combination of UK law and that of other countries, which countries one can safely and legally take personal data and devices is a complex picture:

The current list of countries with an assessment of adequacy is available at the Information Commisioner's Office.

The following countries do not permit encryption (sometimes unless licensed) and Councillors must not take devices to these countries as they would be committing an offence under local law:

Angola, Armenia, Bahrain, Belarus, Brunei Darussalam, Cambodia, China, Egypt, Hong Kong, India, Iran, Iraq, Israel, Kazakhstan, Moldova, Mongolia, Morocco, Myanmar (Burma), Nepal, Nicaragua, North Korea, Pakistan, Russia, Rwanda, South Korea, Tunisia, Turkmenistan, Ukraine, Uzbekistan and Vietnam

To avoid roaming charges, Members should, if practicable, use secure Wi-Fi networks that require authentication when accessing Council data. If Wi-Fi services are not viewed as secure then Council equipment must not be used to access the Council network and email system. Connecting to an unknown publicly available Wi-Fi and sending emails or logging into systems increases the risk of exposing usernames, passwords and confidential information to criminals.

If roaming services are required then a written request including a business case must be submitted to the Monitoring Officer for consideration at least a month in advance of any planned overseas travel. Any charges arising from the use of Council equipment from abroad may have to be paid by the user if prior approval for use has not been granted.

The facility to remotely access the Enfield network from outside of the UK will only be permitted in exceptional circumstances and should not be assumed. A written request including a business case must be submitted to the Monitoring Officer for consideration at least a month in advance of any planned overseas travel, including a request for roaming services if this is required. Any charges arising from the use of Council equipment from abroad may have to be paid by the user if prior approval for use has not been granted. In some countries these costs may be significant.

Members should seek advice from the Digital Services before taking any Council supplied DS equipment outside the United Kingdom. The equipment may not be covered by the Council’s normal insurance against loss or theft.

It should be noted that in some overseas territories electronic devices can be confiscated by customs on arrival, may be subject to search including a requirement to surrender passwords, and should not be used close to security service facilities – including police stations, check points and the like. These risks must be considered before members are permitted to take equipment overseas.

Malware control

Malware is the term applied to all malicious software, that is, software that attempts to damage, extort or otherwise abuse computer equipment and data.

Enfield Council seeks to minimise the risks of computer malware through education, good practice/procedures and anti-malware software on devices. It is a crime under the Computer Misuse Act 1990 to deliberately introduce malicious programmes into the network or server.

All Enfield Council devices have approved anti-malware software installed and this is scheduled to be updated at regular intervals. Users need to ensure that the anti-malware software is being updated on their devices and to report any problems with anti-malware updates.

Users of Enfield supplied equipment must be aware of the risk of viruses from email, internet and any removable devices inserted into their machine. Users should never download files from unknown or suspicious sources, or allow software to be installed not supplied by the Council. All spam emails should be deleted and suspicious attachments or those from an unknown source must not be opened.

The Council will take measures to prevent malware from entering the Council environment. There may be cases where software will not detect a malware and the Council may subsequently need to access a Member’s device, email account, OneDrive or network drive to remove the malware without prior notice. Any such access or investigation will be carried out by an appropriate and competent member of the relevant DS Team under the guidance of the Information Security Team. Where possible, this will be authorised by the Director of Digital Services.

If you are in doubt about any data received or suspect malware has entered your PC, log out of the network immediately, stop using the device and inform the Digital Services Councillor support line on 020 3880 2430. You should always follow the instructions that the service desk issues about malware attacks.

Phishing

Members need to be aware that criminals frequently seek to exploit persons in positions of authority via fraudulently assuming identities. For example, a member may receive an apparently legitimate email from a Director asking for information, in reality the email is faked and from a fraudster seeking to steal data. Other common types of attack include requests to transfer money, or for assistance for someone stranded in a foreign country.

The Council has protections against phishing attacks, but these cannot be perfect. If you receive an apparently unusual mail, it is good practice to check by calling or emailing (do not use reply to the email - that may be fake) the sender to confirm the message.

If you are uncertain about whether you should give information in response to an email, please contact the Monitoring Officer.

Passwords and security measures

All users are given a unique Username and Password. Passwords should not be written down, kept where others might find them and must not be shared with anyone else. Members must change their passwords every 60 days. Should a member be locked out their account or forget their password, a self-service password reset is available. Members should not repeat the same password within a cycle of 20 password changes.

Additional security measures such as multi-factor authentication are also required which will ensure that in the event a password is discovered the risk of anyone being able to access Council data using it is minimised.

The strength of your password will depends on the different types of characters that you use, the overall length of the password, and whether the password can be found in a dictionary.

The kinds of dictionary used by people attempting to guess your password are very different to the kind found on a library shelf. They will contain words from every language, including fictional ones. They include substitutions such as 'P455w0rd.' and large numbers of phrases such as 'It’sAS3cret.' People are generally very poor at picking good passwords that avoid this kind of attack.

For this reason, the council is now enforcing multi-factor authentication. This requires that in addition to your password, from outside the Council network you also have access to either your mobile phone which will be sent a code or authentication request, or enter a code from a device.

In addition to the multi-factor authentication, to ensure that passwords have a reasonable level of complexity, passwords must be a minimum of 8 characters and contain the following:

It is the councillor’s responsibility to ensure their password and multi-factor authentication device for accessing any Council IT service is not shared with any other person and that connection to such services is ended by logging off the system, as soon as work is completed or the connection is left unattended. This is to prevent unauthorised access to information.

It is recommended that members register to reset their own passwords in case of passwords being forgotten or accidentally locked out. Guidance on this is given on the intranet.

If it suspected that someone else may know their password, the multi-factor device is lost or compromised, or any security problem has occurred, councillors must report this to the Digital Services Councillor support line on 020 3880 2430 immediately so it can be rectified.

Further information on passwords can be found on the Access Control Policy, available on The Member’s Portal.

Information classification

Information is a valuable asset and aids a local authority to carry out its legal and statutory functions. The information that the Council processes can be highly confidential and very personal and therefore the Council has a legal duty to take care of it. Like any other strategic asset, information must be protected appropriately depending on the level of sensitivity of the information.

The new government classification scheme has three levels of classification. These are TOP SECRET, SECRET and OFFICIAL.

The Council will only be using the OFFICIAL classification and only OFFICIAL information may be stored on Council devices and networks.

The OFFICIAL classification also includes a handling caveat of OFFICIAL-SENSITIVE to identify information that must be strictly need to know basis and may need additional measures of protection. These classifications should be applied to all information including emails, paper documents, electronic documents, systems etc.

Further information about information classification can be found in the Information Classification and Handling Policy available on The Member’s Portal.

Security of equipment

Users are required to screen-lock their devices when moving away from their computer for any length of time.

To lock your screen:

Unsecured devices should never be left unattended. You should lock your laptop using a laptop security cable lock when left unattended but it is good practice to lock it at all times to help prevent it from being stolen. It is your responsibility to ensure that adequate safeguards are taken to protect your equipment.

All confidential or sensitive information held in paper form, should be shredded or ripped up and placed in the ‘confidential waste bins’ located in Council buildings, when they are no longer required. Personal or sensitive information must not be disposed of in the black general waste sacks. These sacks are not held or disposed of securely and can be accessible to the public.

All confidential documents that have been sent to a shared printer should be collected immediately, to ensure they are not picked up or read accidentally or deliberately by someone not authorised to see the information. Documents sent to a multi-function device (MFD) which incorporates follow-me printing can be collected using the appropriate identification card.

Further information about using security of equipment and information can be found in the Acceptable Use Policy, available on The Member’s Portal.

Remote working

Working remotely can pose several security risks. To help reduce these risks, you should ensure you carry out the following:

Remember that these rules apply equally when you working at home. Not even a member of your family should have access to Enfield Council’s information.

Disclosure of information

Personal or sensitive business information held by Enfield Council must not be disclosed to anyone internally or externally, unless the person disclosing the information is fully satisfied that the enquirer or recipient is authorised in all respects and is legally entitled to the information. Verification can be sought from the Council’s Information Governance Board when this is not clear. To learn more about sharing information, refer to the Information Handling and Protection Policy, available on the Member’s Portal.

If you have received a request for information from a member of the public, or another organisation and they mention the Freedom of Information Act 2000 or the privacy law, contact the Council’s Monitoring Officer for further advice if it involves Council information.

Further information about this can be found in the Freedom of Information Policy and the Data Protection Policy available on The Member’s Portal.

Physical security

Council office areas are protected by appropriate entry controls to ensure that only authorised personnel are allowed access. All members are required to wear visible identification.

Further information about this can be found in the Physical and Environmental Security Policy available on The Member’s Portal.

Disposal of computer equipment

If you have any redundant, faulty or unused hardware or software, contact the Enfield DS Service Desk on 020 8379 4357. Do not dispose of this yourself. The disposal of all IT equipment, for example, PC’s, printers, laptops, tablet PCs, PDAs etc. must be carried out in a secure manner to ensure that no data is left on devices that can be retrieved after disposal.

London Borough of Enfield

Privacy, confidentiality, and information security agreement

As a user of Enfield Council’s IT systems and data, I understand that I am responsible for the security of my User ID (login) (s) and Password(s) to any computer system for which I am granted access. I understand that I have the following responsibilities:

I understand that where I have access to or use of information classified as OFFICIAL - MEMBERS, OFFICIAL - RESTRICTED ACCESS or OFFICIAL - SENSITIVE, additional protections are expected.

I understand that I must maintain and safeguard the confidentiality of any and all sensitive information accessed or obtained in the performance of my authorized duties or activities. I will not access, use, and/or disclose information for any purpose other than the performance of authorized activities or duties. I will limit my access, use and disclosure to the minimum amount of information necessary to perform my authorized activity or duty.

I have been given access to all of Enfield Council’s Information Security Policies and Guides relevant to my role as an elected Member.

In order to fully understand my responsibilities with respect to Privacy, Confidentiality and Information Security I undertake to complete the following training course:

I understand that failure to comply with the above Privacy, Confidentiality, and Information Security agreement may result in denial of access to information and termination of my access to the London Borough of Enfield’s Digital Services.

View the Members Information Security Policy declaration (PDF, 105.04 KB).


Policy details

Author – Information Governance Manager
Owner – Information and Data Governance Board
Version – 2.9
Reviewer – Information and Data Governance Board
Classification – Official
Issue status – Final
Date of first issue – 28.05.2014
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025

Council news directly to you

The latest news in your inbox every week. Council news, community updates, local events and more.

Sign up Sign up