This summary provides a brief overview of the policy. It is not intended as a substitute for reading the complete policy but to provide a quick reference:
- Policy applies to all information, however stored, and to all elected members. Policy is part of your responsibility as a Councillor and breach of policy may have serious consequences.
- All usage of Council equipment is subject to restrictions intended to ensure the good reputation of the Council and Councillors is maintained, and that individuals are treated fairly, legally and respectfully
- Council provides Councillors with equipment to allow conduct of duties, no-one other than the Councillor is permitted to use the equipment. Equipment remains the property of the Council and must be returned at the end of Councillor’s term of office.
- Council equipment is supported 8am to 5pm, Monday to Friday by Digital Services Councillor support line 020 3880 2430
- Care must be taken of equipment to avoid damage (both hardware and software) or theft. If you suspect data has been compromised or leaked, or if equipment is stolen, please call the Digital Services Councillor support line.
- Do not store data locally - save it to Council-provided cloud storage to ensure that in the event the device is lost or stolen you don’t use data. Data stored on council storage is the property of the council and there is no expectation of personal privacy on council devices.
- You may not forward your council email to personal addresses, you may use a personal address on your Council supplied devices for non-Council related member duties
- There are restrictions on use for political purposes. Additional restrictions will apply during 'purdah' periods, for example, around elections.
- Council equipment may be used overseas, but not in all countries, a list is provided
Information security means safeguarding information from unauthorised access or modification to ensure its:
- Confidentiality - ensuring that the information is accessible only to those authorised to have access
- Integrity - safeguarding the accuracy and completeness of information by protecting against unauthorised modification
- Availability - ensuring that authorised users have access to information and associated assets when required
Information security is everyone’s responsibility.
Enfield Council’s elected Members need to protect all information assets from risks posed by inappropriate use. This includes protecting devices and information from unauthorised or unlawful access, accidental or deliberate loss, damage, theft, disclosure or destruction.
This policy applies to elected members of the Council.
There is also a specific Staff Information Security Policy which includes most of the content of this document.
This policy applies to all types of information, including, but not limited to:
- electronic documents (for example, Word, Excel, PDF)
- text messages
- still visual media such as photographs, scans of documents
- audio and video recordings on any medium
- published and private web content (intranet, internet, extranet, social media sites, wikis blogs)
- databases and information systems
All members using Council’s systems should be made aware of and be expected to comply with this policy and need to understand that the following UK legislation is relevant to information security:
- The privacy laws:
- Data Protection Act 2018
- UK General Data Protection Regulation
- Freedom of Information Act 2000
- Computer Misuse Act 1990
- Electronic Communications Act 2000
- Copyright, Designs and Patents Act 1988
- Human Rights Act 1998
- Regulation of Investigatory Powers Act 2000
- Telecommunications (Lawful Business Practice) Regulations 2000
A serious breach of this policy may lead to:
- withdrawal of DS services
- a breach of the Code of Conduct for Members and / or
- a criminal action being taken by the Police
Compliance with this policy is part of your responsibility as a councillor of Enfield Council. All incidents will be investigated and action may be taken to safeguard the Council and Councillors from legal action.
Breaches of this policy may amount to a breach of the Council’s Code of Conduct for Members. The application of this policy shall be a matter for the Council and for the Councillor Conduct Committee and, as appropriate, the Monitoring Officer, acting in accordance with their terms of reference.
A formal complaint may be made to the Monitoring Officer, who will review the complaint, consult with appropriate parties and then give their decision on how the complaint will be dealt with.
Additionally, breaches of law, such as the Data Protection Act, could lead to fines being issued and possible criminal or civil action being taken against the Council and/or the individual(s) involved.
Aims and objectives
This policy aims to:
- Assist with raising the level of awareness of the need for information security as an integral part of the day to day business
- Ensuring that Council Members are aware of and comply with the relevant legislation as described in policies and fully understand their own responsibilities
- Ensure the Council’s investment in information, software, hardware and other electronic resources is protected
- Ensure the Council is compliant with law and government guidelines around information management
- Safeguarding the accuracy, completeness and authorised accessibility of information and preventing unauthorised disclosure
Using and protecting our assets
The Council encourages its stakeholders to seek innovative ways of using information technology to improve the way services are provided. This needs to be balanced with the need for information security, making sure that risks are managed and that assets are not used inappropriately.
The basic rules that apply are:
- The level of security required for records, manual or electronic, is determined by a risk-based approach. Security is then set to provide the best balance between risk and usability/accessibility. Bypassing this security exposes the Council to unacceptable risk.
- Enfield Council electronically audits computers, internet and email usage and random audits are also carried out to ensure that abuse or other issues are detected quickly
- All information relating to our customers and business operations is confidential. You should treat paper-based and electronic information with equal care.
- Any correspondence, documents, records or handwritten notes that you create for Council related purposes, may have to be disclosed to the public under the Freedom of Information Act 2000 or the privacy laws. Any comments recorded or notes written must therefore be professional.
- A certain amount of limited and responsible personal use of our equipment is permitted. No Council assets or information can be used for your own commercial or business use or for political purposes (see Section 5).
Further information about using our IT equipment can be found in the Acceptable Use Policy, available on the Member’s Portal.
Provision of council IT equipment
The Council’s DS security arrangements are in line with central government’s Public Services Network (PSN) Authority requirements, industry best practice (ISO 27001) and the privacy laws. This document serves as an abridged version of the framework. As part of this, all councillors are required to sign the form in the Privacy, Confidentiality, and Information Security Agreement at the end of this document.
The Council provides councillors with technology to assist in the performance of their duties, which includes laptops, tablets and smart phones together with software and materials for use with the devices. Anyone using the Council’s equipment is required to undertake in writing that they observe and will comply with the procedures and protocols set by the Council as set out in this document.
The Council will provide devices that are security hardened, to enable the councillor to access services required for their role.
The Council provides the devices together with ancillary equipment and materials required, for the councillor’s functions as a councillor. Use of this equipment by anyone other than the councillor to whom it is issued is not permitted.
Support for the device will be limited to resolving any issues with accessing Corporate information systems and will be provided by the authority’s DS section by telephoning the Digital Services Councillor support 020 3880 2430 between the hours of 8am to 5pm – Monday to Friday or email firstname.lastname@example.org. For any other IT issues, you can contact DS Service Desk on 020 8379 4357.
If you have any problems the equipment will need to be returned to the Civic Centre for inspection of faults, repair or replacement. Before coming into the Civic Centre please ring the Digital Services Councillor support line on 020 3880 2430 to arrange an appointment.
Only Council equipment will be supported by the Digital Services Councillor support Line. The Council cannot provide any support for a Member’s own personal equipment.
All DS equipment provided by the authority remains the property of the Council and must be returned at the end of the election term.
Using your council IT equipment
Councillors are required to act in accordance with the Council’s requirements when using the resources of the Authority. IT equipment must not be used for purely political purposes but may be used where part of the purpose could reasonably be regarded as likely to facilitate or be conducive to the discharge of the functions of the Authority or of an office to which the councillor has been elected or appointed by the Council. Constituency work, for example, is regarded as proper use of the facilities provided, subject to notification to the Office of the Information Commissioner under the Data Protection Act 2018.
The Council is prohibited by law from publishing any material of a party political nature. If a councillor uses their IT equipment for the preparation of material of a party political nature in pursuance of Council duties they must do so in a way which is not attributable to, or appears to be on behalf of the Council. No costs should be incurred by the Council as a consequence of publication of any party political material by a councillor using IT equipment provided at the expense of the Council.
A councillor must not use IT equipment provided in any manner which will prevent or interfere with its primary purpose as a facility to assist in the discharge of the functions of the Council. Accordingly, the councillor must not:
- misuse the computer in such a manner as to cause it to cease to function
- install or use any equipment or software which may cause the computer to malfunction
The councillor shall make reasonable arrangements for the safe-keeping of the computer.
- devices must be removed from a vehicle when it is left unattended
- devices must be placed away from windows
- when not in use devices should be kept out of sight and preferably locked away
Using a council issued device
If you are using a Council issued laptop then you will be able to access the Council’s network from your laptop. If you are using a council issued iPad or phone you will not be able to access the Council’s network but will be able to access email and documents.
Information created or collected as part of working for Enfield Council is the property of the Council. Work related information should be saved to an individual’s personal Documents folder on the Council network so that it can be stored securely, or the Council provided externally hosted OneDrive folder if available.
Councillors should not store Council data on their own personal machines - data should only be accessed through the network. The Council cannot recover information stored on devices if the devices are lost, damaged or stolen. Please note that any documents that contain personal or confidential Council information must not be stored externally on member’s own device or a personal hosted storage service excluding the OneDrive service provided by the Council. These include, but are not limited to other OneDrive services, Dropbox, iCloud, Amazon etc. Data stored in these services may not be held in countries allowed by the UK Data Protection law for personal data, and storage in them may put the councillor at risk of breach of law.
All data stored is the property of Enfield Council. There should be no expectation of personal privacy on Council owned devices and the Council may require access at any time to carry out its investigations with the approval of the Chief Executive.
Personal information about others held is also subject to the Data Protection law and may need to be disclosed to the person who the information is about, if they make a request to see it.
Using removable media
The Council has a policy of restricting the use of external hard drives, USB sticks, digital memory cards and CDs/DVDs to meet our Information Security requirements. These, and any other data storage device that can be added and removed from a devices are called 'removable media'.
A Council issued laptop will be able to read removable media. You will also be able to copy files, images etc. from these devices onto the network drive for work related purposes.
Using removable media should be restricted to non-sensitive data wherever possible. However, if you need to put sensitive data on removable media you must ensure that the data is encrypted. The Council will provide you with a USB memory stick that will be encrypted and password protected prior to use for this purpose. If you lose your USB stick you must report it as a security breach.
The use of non-Council removable media is only permitted in the circumstances where you need to use removable media from a third party (for example, someone from another organisation wishes to show a PowerPoint presentation). You may use this media only to read the required data from the device.
NO personal data may be put onto a removable media device unless encrypted. If you wish to share data with others via removable media, please telephone the Digital Services Councillor support on 020 3880 2430 if you need further advice.
Reporting security incidents
An incident is an event that could cause damage to the Council’s reputation, service delivery or persons. This could be a lost laptop or paper case file, a virus on the network or a damaged piece of hardware.
It is everyone’s responsibility to ensure the safekeeping of any Council information or equipment in their control. Any theft or loss of any data or Council issued device used for Council business, email or containing Council related information must be reported to the Digital Services Councillor support on 020 3808 2430 immediately so that action can be taken to limit any potential loss of data and costs.
Once the incident has been reported to the Digital Services Councillor support as above, the Information Security Incident / Risk Reporting Form, available on The Member’s Portal, needs to be completed and sent to the Information Security team as detailed in the form. This needs to be done at the earliest opportunity.
The Council also needs to act where potential incidents are identified. Where ‘near misses’ occur, these should be reported to Digital Services Councillor support Manager and a local decision taken as to whether the cause of the ‘near miss’ is one which could involve the enhancement of the policy or the process. If this is the case the Information Security Incident / Risk Reporting Form should be completed.
If you need further advice contact the Digital Services Councillor support Line on 020 3880 2430 between the hours of 8am to 5pm – Monday to Friday or email email@example.com. For any other IT issues, you can contact DS Service Desk on: 020 8379 4357
Enfield Council provides access to the information resources on the Internet to help Members carry out their role. The Internet must be used for lawful purposes only and you must comply with relevant legislation.
Internet services are provided to Members to help the Council improve services to customers and must be used for Council-related purposes. This includes:
- communicating with citizens, customers and suppliers
- researching relevant topics to obtain useful information to assist you in your duties
Internet access from the Council’s network for personal use is at the Enfield Council’s discretion and should not be assumed as a given. Any misuse of this facility can result in it being withdrawn. Reasonable personal use of the Internet from a Council issued device is permitted.
We expect Members to use the Internet honestly and appropriately, to respect copyrights, software licensing rules, property rights, privacy and prerogatives of others, just as in any other business dealings.
All existing Council policies apply to your conduct on the Internet, especially (but not exclusively) those that deal with privacy, misuse of Council resources, sexual or racial harassment, information and data security, confidentiality, and those included in the Code of Conduct for Members.
Any misuse of the Council’s internet facilities could be referred to the Monitoring Officer or the Councillor Conduct Committee and possibly for criminal prosecution.
Council systems and equipment, including email and Internet systems and their associated hardware and software, are for official and authorised purposes only. However, personal use is authorised in cases where it:
- does not interfere with the performance of your official duties
- is of reasonable duration and frequency
- serves a legitimate Council interest, such as enhancing your special interests or education or
- does not overburden the system or create any additional expense to the Council
You should consider carefully discretionary use for any other purpose.
You may use the Council’s Internet facilities for personal purposes as set out above, but you may not access any illegal material, obscene or pornographic sites, and may not access or use information that would be considered as harassment. Council facilities must not be used in an unlawful way.
A wide variety of materials may be considered offensive by colleagues, customers or suppliers. It is a violation of Council policy to store, view, print or redistribute any document or graphic file that is not directly related to your role as Councillor or to the Council’s business activities. This should be understood with reference to the Council’s policy framework, including the Equal Opportunities policy.
Some uses of the Council connection to the Internet can never be permitted. Internet use is inappropriate when it:
- compromises the privacy of users and their personal data
- damages the integrity of a computer system, or the data or programs stored on a computer system
- disrupts the intended use of system or network resources
- uses or copies proprietary software when not authorised to do so
- results in the uploading, downloading, modification, or removal of files on the network for which such action is not authorised
It is impossible to define all possible unauthorised use. However, examples of other unacceptable Internet use include:
- unauthorised attempts to break into any computer or network
- using Council time and resources for personal gain
- theft or copying of electronic files without permission
- sending or posting Council confidential information outside the Council or inside the Council to unauthorised personnel
- refusing to cooperate with a reasonable security investigation
- sending chain letters through email
All Council Internet users are prohibited from transmitting or downloading material that is obscene, pornographic, threatening, racially or sexually harassing, or in any way contravenes the Equal Opportunities policy.
You may not visit sites known to contain offensive material. If you access an offensive site accidentally you must forward its address to the Digital Services Councillor Support Manager within one working day of access or as soon as practical. We block access to known offensive sites.
You may buy or sell on the Internet. However, there are personal risks attached to this. See the Council’s web site under Trading Standards for guidance.
If you commit the Council to a contract by electronic means without due authority, the Council may seek to recover any losses or expenses from you.
Use of interactive software (such as games) across the Internet is prohibited.
For compliance with standards, the Council’s security software must record the Internet address of any site visited and keep a record of file transmission or reception. Any message sent or received may be recorded and stored in an archive file. This information will be used in the event of an investigation by the Council or other duly authorised bodies.
The email system is for Council business use only. However, the Council understands that Members may also need to send or receive personal emails using their work address.
If you are found to be deliberately misusing email you will be referred to the Monitoring Officer or the Councillor Conduct Committee.
All electronic messages created and stored on Council computers or networks are the property of the Council and are not considered private.
The Council retains the right to access user electronic mail if it has reasonable grounds to do so. The Council may retrieve email messages even though the sender and the reader have deleted them. The contents of electronic mail will only be accessed or disclosed for security purposes or as required by law.
Council business by email can only be conducted using the provided Enfield email account (for example, no Hotmail or Google mail account can be used for Council business). Communicating with external individuals or organisations as required is permitted from the Enfield email account.
The Council does not automatically forward Council emails to personal email accounts. This is to ensure the authority complies with the Government’s Public Services Network (PSN) Code of Connection. Also, the Council will only send emails to a councillor at the @enfield.gov.uk email address.
Members will need to use their own personal email account if they do not wish to use the Council email account to conduct non-Council related Member duties.
Members will be provided with a Council issued laptop or iPad, and smart phone to access their Council email and store a limited amount of Council data on these devices. Data should be stored on the network as soon as possible to prevent loss of data if the device is lost or stolen. The devices will be encrypted to a standard required by the PSN Code of Connection as well as the Information Commissioner’s Office in order to meet the requirements of the privacy law.
Sending emails within the Council email system is secure. Sending emails externally is not secure and they can be intercepted and viewed by unauthorised people. Secure email must be used when emailing information to external agencies or individuals when the content of the email includes:
- personally identifiable client or third party information
- financial, sensitive or other information that could cause detriment to the Council or to an individual
Personal or sensitive business information must not be sent to an email address outside of Enfield Council, unless it is absolutely necessary and the transmission is secure. This can be done using Egress Switch secure email and the Council can provide all Members with an Egress Switch account providing they use the Council email account.
Further information about transferring information securely can be obtained by contacting the Digital Services Councillor support line on 020 3880 2430.
Social media is the term used for online tools, websites and interactive media that enable users to interact with each other by sharing information, opinions, knowledge and interests. Applications include for example, but are not limited to:
- blogs, for example, Blogger
- online discussion forums, such as Ning
- media sharing services, for example, YouTube
- applications such as Facebook, Twitter and LinkedIn
Members must ensure that they use social media sensibly and responsibly, in line with corporate policy. They must ensure that their use will not adversely affect the Council or its business, nor be damaging to the Council’s reputation and credibility or otherwise violate any Council policies. The following risks have been identified with social media use (this is not an exhaustive list):
- Virus or other malware infection from infected sites
- Disclosure of confidential information
- Damage to the Council’s reputation
- Social engineering attacks (also known as ‘phishing’)
- Bullying or witch-hunting
- Civil or criminal action relating to breaches of legislation
- Breach of safeguarding with images or personal details leading to the exploitation of vulnerable individuals
- Breach of the code of conduct for members through inappropriate use
In light of these risks, the use of social media sites should be regulated to ensure that such use does not damage the Council, its employees, councillors, partners and the people it serves.
Members are personally responsible for the content they publish on any form of social media. Publishing or allowing to be published (in the form of a comment) an untrue statement about a person which is damaging to their reputation may incur a libel action.
Social media sites are in the public domain and it is important to ensure you are confident of the nature of the information you publish. Once published, content is almost impossible to control and may be manipulated without your consent, used in different contexts, or further distributed.
Members should make use of stringent privacy settings if they don’t want their social media to be accessed by the press or public. Read the terms of service of any social media site accessed and make sure you understand their confidentiality/privacy settings.
Do not disclose personal details such as home addresses and telephone numbers. Ensure that you handle any personal or sensitive information in line with the Council’s Data Protection Policy.
Do not publish or report on meetings which are private or internal (where no members of the public are permitted or it is of a confidential nature) or are Part 2 reports (which contain confidential information or matters which are exempt under the provision of the Local Government (Access to Information) Act 1985).
Copyright laws still apply online. Placing images or text from a copyrighted source (for example, extracts from publications or photos) without permission is likely to breach copyright. Avoid publishing anything you are unsure about or seek permission from the copyright holder in advance.
Don’t send or post inappropriate, abusive, bullying, racist or defamatory messages to members of the public, other councillors or officers.
The Council will not promote councillors’ social media accounts during the pre-election period.
In any biography, the account should state the views are those of the councillor in question and may not represent the views of the Council.
Do not use the Council’s logo, or any other Council related material on a personal account or website.
Social media must not be used for actions that would put councillors in breach of the Council’s Code of conduct for members. For example, don’t publish on social media something you wouldn’t say face to face, or at a public meeting.
Be aware of your own safety when placing information on the internet and do not publish information which could leave you vulnerable.
Anyone receiving threats, abuse or harassment via their use of social media should report it to their political group leader, members’ services and/or the police.
It is recommended that in the case of Facebook, councillors wishing to keep their personal life and role as a councillor separate create a Facebook page which members of the public can like rather than using their personal profiles.
Councillors are reminded that in respect of social media, they are governed by the Code of conduct for members and relevant law.
The Council reserves the right to request the removal of any content that is deemed to be in breach of the Code of Conduct for Members.
The Council may provide Telecommunication Services for Members to facilitate the performance of their work for Enfield Council. Users should not have an expectation of privacy in anything they create, send, or receive on telecoms equipment including tablets and smart phones. However the authority of the Monitoring Officer or the Chief Executive will be sought before officers review any councillor’s email and voice communications using Council equipment.
All use of phones must be in accordance with the Telecommunications Acceptable Usage Policy, available on The Member’s Portal.
Details of calls made (for example, sent to/from, date, duration and cost) are recorded on all mobile and fixed line telephones. It will be assumed that all telephone calls or Short Message Service (SMS) messages made or received on Enfield Council equipment, are for business purposes unless the contrary is indicated.
Internet Usage and access from Mobile Smartphones and Tablets and connecting by Enfield Council Mobile data contracts is included in this policy. Use of mobile Apps is also intended for business purposes and included in this policy.
Only software licensed by Enfield Council and approved by Corporate IT may reside on Enfield Council computer equipment.
Calls, texts and data usage on mobile phones should only be for business purposes. Data limits are set on mobile contracts, and excessive usage over these limits and out of normal working hours or usage abroad will be subject to interrogation. You may be liable to pay charges incurred if usage cannot be shown to be for Council business.
If Council equipment is being used abroad (see Section 15. Access from Overseas) then Members should use Wi-Fi services wherever possible if this is deemed to be safe to avoid excessive charges being incurred. If Wi-Fi services are not viewed as secure then Council equipment must not be used to access the Council network and email system. Connecting to an unknown publicly available Wi-Fi and sending emails or logging into systems can expose usernames, passwords and confidential information to criminals.
It is everyone’s responsibility to ensure the safekeeping of any telecommunications equipment in their control. Any theft or loss of any mobile device used for work email or containing work related information must be reported to the Digital Services Councillor Support Manager or the DS Security Manager by completing the Information Security Incident / Risk Reporting Form, available on The Member’s Portal.
Access to systems
It is a criminal offence under the Computer Misuse Act 1990, to deliberately attempt to access a system which you have no authority to access. DS Services regularly monitor systems and unauthorised attempts at accessing systems may be investigated.
It is also a criminal offence under the privacy law for any person to knowingly or recklessly obtain, disclose, sell or offer to sell personal information, without the permission of the data controller (Enfield Council). This is subject to certain exemptions.
Members of the public and employees are entitled to see what information is held about them by Enfield Council. This includes handwritten notes, emails and any other information held electronically or in paper form. Always ensure that information is recorded in a professional manner.
Further information about Data Protection and its implication for information security can be obtained from the Digital Services Councillor Support Manager
Access from overseas
Access to the Council’s network from overseas is subject to additional controls to ensure compliance with relevant legislation, including the privacy law, and this may place additional personal liability on to Members.
Members are their own Data Controllers and as such have responsibility for any personal data involving their residents that they may access from abroad and need to ensure that any access to residents’ personal data do not breach the requirements of the privacy law.
Due to legal restrictions created by the combination of UK law and that of other countries, which countries one can safely and legally take personal data and devices is a complex picture:
- Members visiting countries with a valid 'assessment of adequacy on the protection of personal data' (decision of adequacy) from the UK ICO can use their Council equipment to carry out Council business and access the Council’s network
- Members must not take devices into countries with import bans on encryption as they would then be breaking the law of the country they are entering
- Some countries insist on a right to copy data and being given decryption keys, this puts members at risk of breaching UK law via unauthorised disclosure. Members are permitted to take laptops to these countries as long as they have a decision of adequacy, but should take care to ensure personal data is managed to minimise risk.
The current list of countries with an assessment of adequacy is available at the Information Commisioner's Office.
The following countries do not permit encryption (sometimes unless licensed) and Councillors must not take devices to these countries as they would be committing an offence under local law:
Angola, Armenia, Bahrain, Belarus, Brunei Darussalam, Cambodia, China, Egypt, Hong Kong, India, Iran, Iraq, Israel, Kazakhstan, Moldova, Mongolia, Morocco, Myanmar (Burma), Nepal, Nicaragua, North Korea, Pakistan, Russia, Rwanda, South Korea, Tunisia, Turkmenistan, Ukraine, Uzbekistan and Vietnam
To avoid roaming charges, Members should, if practicable, use secure Wi-Fi networks that require authentication when accessing Council data. If Wi-Fi services are not viewed as secure then Council equipment must not be used to access the Council network and email system. Connecting to an unknown publicly available Wi-Fi and sending emails or logging into systems increases the risk of exposing usernames, passwords and confidential information to criminals.
If roaming services are required then a written request including a business case must be submitted to the Monitoring Officer for consideration at least a month in advance of any planned overseas travel. Any charges arising from the use of Council equipment from abroad may have to be paid by the user if prior approval for use has not been granted.
The facility to remotely access the Enfield network from outside of the UK will only be permitted in exceptional circumstances and should not be assumed. A written request including a business case must be submitted to the Monitoring Officer for consideration at least a month in advance of any planned overseas travel, including a request for roaming services if this is required. Any charges arising from the use of Council equipment from abroad may have to be paid by the user if prior approval for use has not been granted. In some countries these costs may be significant.
Members should seek advice from the Digital Services before taking any Council supplied DS equipment outside the United Kingdom. The equipment may not be covered by the Council’s normal insurance against loss or theft.
It should be noted that in some overseas territories electronic devices can be confiscated by customs on arrival, may be subject to search including a requirement to surrender passwords, and should not be used close to security service facilities – including police stations, check points and the like. These risks must be considered before members are permitted to take equipment overseas.
Malware is the term applied to all malicious software, that is, software that attempts to damage, extort or otherwise abuse computer equipment and data.
Enfield Council seeks to minimise the risks of computer malware through education, good practice/procedures and anti-malware software on devices. It is a crime under the Computer Misuse Act 1990 to deliberately introduce malicious programmes into the network or server.
All Enfield Council devices have approved anti-malware software installed and this is scheduled to be updated at regular intervals. Users need to ensure that the anti-malware software is being updated on their devices and to report any problems with anti-malware updates.
Users of Enfield supplied equipment must be aware of the risk of viruses from email, internet and any removable devices inserted into their machine. Users should never download files from unknown or suspicious sources, or allow software to be installed not supplied by the Council. All spam emails should be deleted and suspicious attachments or those from an unknown source must not be opened.
The Council will take measures to prevent malware from entering the Council environment. There may be cases where software will not detect a malware and the Council may subsequently need to access a Member’s device, email account, OneDrive or network drive to remove the malware without prior notice. Any such access or investigation will be carried out by an appropriate and competent member of the relevant DS Team under the guidance of the Information Security Team. Where possible, this will be authorised by the Director of Digital Services.
If you are in doubt about any data received or suspect malware has entered your PC, log out of the network immediately, stop using the device and inform the Digital Services Councillor support line on 020 3880 2430. You should always follow the instructions that the service desk issues about malware attacks.
Members need to be aware that criminals frequently seek to exploit persons in positions of authority via fraudulently assuming identities. For example, a member may receive an apparently legitimate email from a Director asking for information, in reality the email is faked and from a fraudster seeking to steal data. Other common types of attack include requests to transfer money, or for assistance for someone stranded in a foreign country.
The Council has protections against phishing attacks, but these cannot be perfect. If you receive an apparently unusual mail, it is good practice to check by calling or emailing (do not use reply to the email - that may be fake) the sender to confirm the message.
If you are uncertain about whether you should give information in response to an email, please contact the Monitoring Officer.
Passwords and security measures
All users are given a unique Username and Password. Passwords should not be written down, kept where others might find them and must not be shared with anyone else. Members must change their passwords every 60 days. Should a member be locked out their account or forget their password, a self-service password reset is available. Members should not repeat the same password within a cycle of 20 password changes.
Additional security measures such as multi-factor authentication are also required which will ensure that in the event a password is discovered the risk of anyone being able to access Council data using it is minimised.
The strength of your password will depends on the different types of characters that you use, the overall length of the password, and whether the password can be found in a dictionary.
The kinds of dictionary used by people attempting to guess your password are very different to the kind found on a library shelf. They will contain words from every language, including fictional ones. They include substitutions such as 'P455w0rd.' and large numbers of phrases such as 'It’sAS3cret.' People are generally very poor at picking good passwords that avoid this kind of attack.
For this reason, the council is now enforcing multi-factor authentication. This requires that in addition to your password, from outside the Council network you also have access to either your mobile phone which will be sent a code or authentication request, or enter a code from a device.
In addition to the multi-factor authentication, to ensure that passwords have a reasonable level of complexity, passwords must be a minimum of 8 characters and contain the following:
- At least one Numeric ( 0 1 2 3 4 5 6 7 8 9 )
- At least one upper case ( A B C D E F G H I J K L M N O P Q R S T U V W X Y Z )
- At least one lower case ( a b c d e f g h I j k l m n o p q r s t u v w x y z )
- At least one special character ( * ! # . @ # $ % ^ & * , )
It is the councillor’s responsibility to ensure their password and multi-factor authentication device for accessing any Council IT service is not shared with any other person and that connection to such services is ended by logging off the system, as soon as work is completed or the connection is left unattended. This is to prevent unauthorised access to information.
It is recommended that members register to reset their own passwords in case of passwords being forgotten or accidentally locked out. Guidance on this is given on the intranet.
If it suspected that someone else may know their password, the multi-factor device is lost or compromised, or any security problem has occurred, councillors must report this to the Digital Services Councillor support line on 020 3880 2430 immediately so it can be rectified.
Further information on passwords can be found on the Access Control Policy, available on The Member’s Portal.
Information is a valuable asset and aids a local authority to carry out its legal and statutory functions. The information that the Council processes can be highly confidential and very personal and therefore the Council has a legal duty to take care of it. Like any other strategic asset, information must be protected appropriately depending on the level of sensitivity of the information.
The new government classification scheme has three levels of classification. These are TOP SECRET, SECRET and OFFICIAL.
The Council will only be using the OFFICIAL classification and only OFFICIAL information may be stored on Council devices and networks.
The OFFICIAL classification also includes a handling caveat of OFFICIAL-SENSITIVE to identify information that must be strictly need to know basis and may need additional measures of protection. These classifications should be applied to all information including emails, paper documents, electronic documents, systems etc.
Further information about information classification can be found in the Information Classification and Handling Policy available on The Member’s Portal.
Security of equipment
Users are required to screen-lock their devices when moving away from their computer for any length of time.
To lock your screen:
- Windows laptop - press the Windows key + L key at the same time.
- iPad/phone – tap the power button
Unsecured devices should never be left unattended. You should lock your laptop using a laptop security cable lock when left unattended but it is good practice to lock it at all times to help prevent it from being stolen. It is your responsibility to ensure that adequate safeguards are taken to protect your equipment.
All confidential or sensitive information held in paper form, should be shredded or ripped up and placed in the ‘confidential waste bins’ located in Council buildings, when they are no longer required. Personal or sensitive information must not be disposed of in the black general waste sacks. These sacks are not held or disposed of securely and can be accessible to the public.
All confidential documents that have been sent to a shared printer should be collected immediately, to ensure they are not picked up or read accidentally or deliberately by someone not authorised to see the information. Documents sent to a multi-function device (MFD) which incorporates follow-me printing can be collected using the appropriate identification card.
Further information about using security of equipment and information can be found in the Acceptable Use Policy, available on The Member’s Portal.
Working remotely can pose several security risks. To help reduce these risks, you should ensure you carry out the following:
- Position yourself so that your work cannot be overlooked by others not authorised to see the information
- Take precautions to safeguard the security of any computer equipment on which you do Enfield Council business, and keep your passwords secret
- Inform the Police, the Digital Services Councillor support line and the DS Security Manager as soon as possible if any sensitive paperwork or computer equipment has been stolen or lost and complete the Information Security Incident / Risk Reporting Form, available from The Member’s Portal
- Ensure that any work you do remotely is saved on Enfield Council’s network or is transferred to it as soon as possible
- Ensure that memory sticks are kept separately from computer equipment when not in use. If you use your mobile phone as the multi-factor authentication device, this should also be stored separately
- Devices should not be left on view in vehicles, public transport or hotels or left in vehicles overnight
Remember that these rules apply equally when you working at home. Not even a member of your family should have access to Enfield Council’s information.
Disclosure of information
Personal or sensitive business information held by Enfield Council must not be disclosed to anyone internally or externally, unless the person disclosing the information is fully satisfied that the enquirer or recipient is authorised in all respects and is legally entitled to the information. Verification can be sought from the Council’s Information Governance Board when this is not clear. To learn more about sharing information, refer to the Information Handling and Protection Policy, available on the Member’s Portal.
If you have received a request for information from a member of the public, or another organisation and they mention the Freedom of Information Act 2000 or the privacy law, contact the Council’s Monitoring Officer for further advice if it involves Council information.
Further information about this can be found in the Freedom of Information Policy and the Data Protection Policy available on The Member’s Portal.
Council office areas are protected by appropriate entry controls to ensure that only authorised personnel are allowed access. All members are required to wear visible identification.
Further information about this can be found in the Physical and Environmental Security Policy available on The Member’s Portal.
Disposal of computer equipment
If you have any redundant, faulty or unused hardware or software, contact the Enfield DS Service Desk on 020 8379 4357. Do not dispose of this yourself. The disposal of all IT equipment, for example, PC’s, printers, laptops, tablet PCs, PDAs etc. must be carried out in a secure manner to ensure that no data is left on devices that can be retrieved after disposal.
London Borough of Enfield
Privacy, confidentiality, and information security agreement
As a user of Enfield Council’s IT systems and data, I understand that I am responsible for the security of my User ID (login) (s) and Password(s) to any computer system for which I am granted access. I understand that I have the following responsibilities:
- Adhere to the Council’s information security policies and processes
- Follow security procedures for the information systems I access
- Use only software authorised for use and prevent the introduction of unauthorised software
- Choose effective passwords and log on to Council systems using my own ID and passwords only
- Not give my password to anyone else to log into the network or business systems and ensure that the password is not written and accessible to anyone else
- Ensure that I lock my computer screen when it is left unattended
- Accept accountability for all activities associated with the use of my individual user accounts and related access privileges
- Ensure the security of any computer equipment taking appropriate measures such as cable locks and storage in lockable cupboards to secure equipment at work location and off site
- Not to change the computer configuration unless specifically approved to do so
- Take appropriate precautions against viruses
- Use email, public networks and the Internet in a professional manner
- Maintain the confidentiality of information disclosed to me as part of my duties, even when I am no longer an elected Member
- Report policy violations, security breaches or weaknesses to the appropriate person
- Not download any personal information about staff or customers to any unencrypted removable media
- Maintain an awareness of UK information legislation and ensure that all information is processed in accordance with the privacy law
- If I am about to leave the Council, I will inform Democratic Services prior to departure of any important information held in my account and manage my account in accordance with the Council’s email and records management policy
- I acknowledge that my use of the network may be monitored for lawful purposes
I understand that where I have access to or use of information classified as OFFICIAL - MEMBERS, OFFICIAL - RESTRICTED ACCESS or OFFICIAL - SENSITIVE, additional protections are expected.
I understand that I must maintain and safeguard the confidentiality of any and all sensitive information accessed or obtained in the performance of my authorized duties or activities. I will not access, use, and/or disclose information for any purpose other than the performance of authorized activities or duties. I will limit my access, use and disclosure to the minimum amount of information necessary to perform my authorized activity or duty.
I have been given access to all of Enfield Council’s Information Security Policies and Guides relevant to my role as an elected Member.
In order to fully understand my responsibilities with respect to Privacy, Confidentiality and Information Security I undertake to complete the following training course:
- General data protection regulation
I understand that failure to comply with the above Privacy, Confidentiality, and Information Security agreement may result in denial of access to information and termination of my access to the London Borough of Enfield’s Digital Services.
Author - Information Governance Manager
Owner - Information and Data Governance Board
Version - 2.9
Reviewer - Information and Data Governance Board
Classification - Official
Issue status - Final
Date of first issue - 28.05.2014
Date of latest re-issue - 30.05.2023
Date approved by IGB - 19.04.2023
Date of next review - 30.04.2024