
Information Security Policy

  1. Introduction
  2. Policy objectives
  3. Scope
  4. Responsibility for security
  5. Legislation
  6. Standards and procedures
  • Physical access to information resources
  • System access
  • Information and data
  • Virus protection (including malware and ransomware)
  • Software copyright
  • Computer misuse
  • Contingency planning
  • Acquisition and disposal of ICT products

  7. Violations
  8. Disciplinary process

Appendix A Policy use and control of passwords
Appendix B Advice on storage of computer files
Appendix C Checklist of actions for suspected security breach
Appendix D ICT security dos and don’ts
Appendix E Protective marking schemes

  1. Introduction

1.1 The effective and secure use of information is integral to the work of innov8 Workshops. We hold and use sensitive data and information relating to staff, customers, finances, and funders that needs to be protected in order to guard against the undesirable consequences of information falling into the wrong hands.

1.2 This policy should be reviewed regularly by the Information Governance Officer in order to account for new threats and changes in technology.

  2. Policy objectives

2.1 The main objectives of this policy are to:

  • protect our information and prevent data losses.
  • protect our IT systems and information assets from threats that compromise their effectiveness.
  • ensure that users are aware of and fully compliant with all relevant legislation.
  • create and maintain a level of awareness of the need for information security to be an integral part of daily operations, so that all users of IT systems understand the need for information security and their own responsibilities.
  • ensure the security of data we share both in transit through the use of encryption and through due diligence on the organisations we share with.

  3. Scope

3.1 This information security policy is relevant to all services irrespective of the equipment or facility in use and applies to:

  • all employees, members, consultants, agency workers, volunteers, casual workers, and agents of other organisations who directly or indirectly support innov8 Workshops.
  • all users of information throughout innov8 Workshops, in the field and at home or in other organisations when engaged on innov8 Workshops’ business.

  4. Responsibility for security

4.1 Information security is the responsibility of innov8 Workshops and of all members of staff. The Information Governance Officer has the responsibility for managing our information governance. The Trustees of innov8 Workshops have approved this information security policy.

4.2 This policy applies to all individuals who use any form of information, data or computer facilities that are connected to our network or contain our data. All users of innov8 Workshops’ IT systems have access to e-learning materials which highlight their responsibilities and draw attention to the possible consequences of not complying with the instructions.

4.3 All senior and line managers in all areas are responsible for the implementation and monitoring of the information security policy.

4.4 All third party providers of services are responsible for ensuring the security, integrity and availability of information within the service provided.

  5. Legislation

5.1 innov8 Workshops must abide by all UK legislation affecting the information assets that we hold. All users of IT systems must comply with the following acts and guidelines, and they may be held personally responsible for any breach of guidelines, current legislation (as listed below) and any future legislation that may be enacted.

  • General Data Protection Regulation 2018
  • Copyright Designs and Patents Act 1988
  • Computer Misuse Act 1990
  • Freedom Of Information Act 2000
  • Requirements and advice of the Information Commissioner on data handling and storage
  • Public Services Network (PSN) connection compliance
  • National Cyber Security Centre (NCSC) Cyber Essentials Plus
  • Payment Card Industry (PCI) guidelines governing the taking of electronic payments.

Information about the above acts can be found on the government website www.legislation.gov.uk/ukpga and guidelines on information security can be found on ico.org.uk or from innov8 Workshops’ Data Protection Officer. The key points of relevance to innov8 Workshops are covered in the e-learning materials available to all IT users.

  6. Standards and procedures

6.1 Physical access to information resources

6.1.1 Precautions must be taken to ensure that access to desktop and laptop PCs, tablets and smart phones is restricted at all times to authorised personnel.

6.1.2 Equipment should be sited to reduce the risk of damage, interference and unauthorised access.

6.1.3 When equipment is left unattended for an extended time, such as overnight, it must be powered off. Mobile equipment, such as laptops, tablets and smart phones, must be locked away in offices and never left on view in unattended vehicles.

6.1.4 All appropriate computer equipment will be identity tagged and be recorded on the innov8 Workshops IT inventories. It is the responsibility of line managers to notify the Information Governance Officer of any movements or changes.

6.1.5 Where computer equipment is to be used away from innov8 Workshops, for example when mobile working or using at home:

  • all of the provisions of this policy document apply.
  • innov8 Workshops’ homeworking policies must be adhered to
  • any individual using a device at home or in the field is responsible for ensuring the safety and security of both the equipment and any data contained thereon.
  • equipment must only be used outside the UK with the agreement of the Information Governance Officer. When using any equipment outside the UK, confidential data should not be handled.

6.1.6 No equipment purchased, leased or hired may be connected to innov8 Workshops’ network or attached to any equipment connected to the network without authorisation from the Information Governance Officer. The Information Governance Officer should be asked to review the specification of any technology that requires additional devices or software to be connected or run on innov8 Workshops’ network before it is ordered. The restriction also applies to any equipment not owned, leased or hired by innov8 Workshops. This includes, but is not limited to, USB memory sticks, MP3 players, tablets, digital cameras, smart phones and other devices. Where permitted, all such equipment must be supplied or confirmed as suitable by the Information Governance Officer. Email and calendar functions are available to personal iPhone/iPad and Android phone and tablet users.

6.1.7 The following precautions should be taken to ensure that only authorised personnel have admission to office areas where there is access to IT systems or sensitive data. Such precautions include:

  • only admitting known or expected visitors to the Workshops.
  • visitor procedures for the building you are working in should be followed (innov8 Workshops visitor procedures).
  • staff should challenge anyone within the workshops if they suspect that they may be unauthorised visitors.
  • staff should adhere to any relevant clear desk policies to ensure sensitive data is protected when desks are left unattended.

6.2 System access

6.2.1 Requests to provide access to the IT systems should be made initially through your line manager.

6.2.2 Network passwords will be set to prevent unauthorised access to data held on IT devices. The use of initial logon passwords and multi-factor authentication is especially important in the case of laptop or notebook PCs, tablets, smart phones and other devices that are portable and therefore less physically secure. Users must not disclose their personal password to anyone.

6.2.3 Unique usernames will be allocated by the Information Governance Officer. Likewise, access to any shared resource on the network – for example, printers – should be given by the Information Governance Officer.

6.2.4 If staff know they are leaving sight of their desk for any period, they should lock their workstation, which not only blocks any sensitive information from view, but also prevents access without the relevant password to unlock the device. If the screen is not locked by the user, an automatic screen saver should be set to lock the screen after 5 minutes of inactivity.

6.2.5 An innov8 Workshops screensaver will be provided giving immediate complete screen confidentiality and should be used in conjunction with a password. This will automatically be set after a maximum duration of 5 minutes. Unauthorised screensavers are not permitted.

6.2.6 Passwords must be used to protect all systems and should not be written down or disclosed to others. All users of IT systems will be held liable for any misuse of a computer resulting from use of their personal password or username. Passwords must be changed to a previously unused password at least every 6 months in line with the policy as set out in Appendix A. Passwords will automatically expire if not changed within this period, which prevents access to the network.

6.2.7 The Information Governance Officer must be notified immediately by the leaver’s line manager of all leavers to enable the timely removal of all access rights.

6.2.8 All remote access to the network will be authenticated via Multi Factor Authentication (MFA).

6.3 Information and data

6.3.1 Information held on our IT facilities or subsequent output, for example printed letters or tabulations, is the property of innov8 Workshops and is governed by the provisions of the Data Protection Act. Any purpose for which personal information is held must be registered by innov8 Workshops’ Data Protection Officer.

6.3.2 Information and data held or transmitted, for example through email, is subject to the Protective Marking Scheme as explained in Appendix E. Data marked confidential must not be sent outside innov8 Workshops unless encrypted.

6.3.3 Information held should only be released to authorised persons or where an information sharing agreement is in place. IT facilities supplied must only be used for authorised purposes. IT facilities should normally only be used for work-related purposes. However, occasional and reasonable personal use is permitted. Such activity must not prejudice or interfere in any way with innov8 Workshops’ IT facilities or its business activities. Any such use should be carried out in staff’s own time. Excessive use or any use for personal commercial gain is not permitted. No additional software will be loaded to facilitate personal use.

6.3.4 Any personal or sensitive data displayed upon unattended equipment must be protected, particularly in a public area, to ensure it may not be seen by anyone unauthorised to do so. This is applicable to information displayed on monitors and printed output.

6.3.5 All portable devices supplied by innov8 Workshops or owned by innov8 Workshops must be encrypted to the latest National Cyber Security Centre (NCSC) standards using 256-bit AES encryption. However, users should still avoid storing confidential data on local devices, such as C:\ drives, mobile devices such as laptops, smart phones or USB memory sticks, where possible. Writing to unencrypted removable media is blocked by default on all innov8 Workshops’ devices. Further guidance is provided in Appendix B.

6.3.6 No information of a personal or sensitive nature shall be sent outside innov8 Workshops unless authorised and encrypted.

6.3.7 Documents containing confidential or sensitive information should never be sent to a home email address. All staff should be home-enabled.

6.3.8 Care should be taken when using social media such as Facebook and Twitter as information entered on this type of site is readily available in the public domain. Further information and guidance can be found in innov8 Workshops’ separate Social Media Policy.

6.3.9 No confidential information should be provided in response to online surveys (for example sales surveys) sent to innov8 Workshops by other agencies as the software used may be hosted outside the EU and therefore not be bound by the same data protection rules as the UK.

6.3.10 All data held on innov8 Workshops’ network or on any device used by staff and agents should only be held for a period appropriate to its relevance and erased or destroyed in line with the innov8 Workshops’ Data Retention Policy.

6.3.11 Security of data and data protection rules apply equally to paper based documents, therefore sensitive documents and those containing personal information:

  • should not be left unattended and should be locked away at the end of the day.
  • should be disposed of in the bins marked as specifically allocated for confidential items or shredded.
  • if taken out of the office or worked on at home, should be stored in a lockable cabinet or case at home.

In addition, all workstations should be left clear at the end of the day.

6.3.12 All computer output no longer required by innov8 Workshops should be disposed of with due regard to its sensitivity. Confidential output should be disposed of in secure bins. All forms of electronic storage media, including but not limited to Microfiche, CD or DVD-ROM, memory sticks and other magnetic or optical media, should be disposed of appropriately or be securely erased. Data on inbuilt hard disks will be erased before any re-use or disposal as defined in section 6.8.

6.3.13 Any queries relating to the provisions of the Data Protection Act and how it affects your operations should be directed to innov8 Workshops’ Data Protection Officer.

6.3.14 All users are responsible for setting file or folder permissions to ensure data is only accessible to the relevant authorised staff. Training and advice on this are coordinated by the Information Governance Officer.

6.4 Virus protection (including malware and ransomware)

6.4.1 All PCs (including laptops and tablets) are protected by virus protection software which is upgraded and monitored regularly by the Information Governance Officer and by Reflective IT. Any detected or suspected malicious activity must be reported to the Information Governance Officer or Reflective IT immediately.

6.4.2 All disks, CD-ROMs, USB memory sticks or other USB devices will be virus checked automatically prior to use in any of innov8 Workshops’ computers. This is especially relevant where disks have been received from an external source.

6.4.3 Disks, CD-ROMs, USB memory sticks or other USB devices must not be inserted into PCs until after the logon or initial password has been entered and the computer has reached:

  • the point where you log into the network.
  • the Windows screen on stand-alone PCs.

6.5 Software copyright

6.5.1 The copying of proprietary software programs or associated copyrighted documentation is prohibited and is an offence that could lead to personal criminal liability with the risk of a fine or imprisonment.

6.5.2 The loading of proprietary software programs for which a licence is required but not held is prohibited and this is also an offence which could lead to a fine or imprisonment. All software system disks and licences must be held by innov8 Workshops under the control of the Information Governance Officer.

6.5.3 Personal software (for example games) must not be installed or run on innov8 Workshops’ computers under any circumstances. If the software is deemed to be of use to innov8 Workshops, then it should be duly acquired under licence once approval from the Information Governance Officer is confirmed. All software must be approved by the Information Governance Officer and Reflective IT before purchase to ensure compatibility with innov8 Workshops’ IT systems.

6.5.4 Spot checks may be conducted by the Information Governance Officer and/or auditors to ensure software licensing compliance. Authorised personnel from innov8 Workshops have rights of access to all systems, the power to seek explanations from members of staff concerned and the right to remove any unauthorised software found to have been installed.

6.6 Computer misuse

6.6.1 All employees should be aware of the access rights they need and are assigned to conduct their duties and must not attempt to experiment or attempt to access hardware, software or data for which they have no approval or need to conduct their duties.

6.6.2 All IT users are required to comply with innov8 Workshops’ email and Internet usage policy.

6.7 Contingency planning

6.7.1 Security copies (backups) should be taken at regular intervals dependent upon the importance and quantity of the data concerned. In the case of systems and data residing on network servers, Reflective IT will take them on behalf of users at appropriate intervals.

6.7.2 In the case of networked personal computers, the prime copy of all data files must be held on the appropriate network drive. It is the responsibility of individual members of staff to place their data files in the correct location.

6.7.3 Arrangements are in place and procedures specified to ensure critical systems/operations are able to continue in the event of complete computing failure. These are noted in innov8 Workshops business continuity plans.

6.7.4 Security copies should be stored away from the system to which they are related in a restricted access fireproof location. Security copies should be regularly tested to ensure that they enable the system or relevant file to be reloaded in an emergency.

6.7.5 Security copies should be clearly marked as to what they are and when they were taken. Depending on the importance of the system concerned, they should provide for system recovery at various different points in time over a period of several weeks.

6.8 Acquisition and disposal of IT products

6.8.1 All acquisitions should be with agreement from the Information Governance Officer and in accordance with innov8 Workshops’ financial controls. Any queries should be directed to the Information Governance Officer.

6.8.2 The disposal of IT equipment must be coordinated through the Information Governance Officer who will arrange for the permanent removal of all data and software licensed to innov8 Workshops.

6.8.3 The disposal or permanent handover of equipment, media or output containing personal or sensitive data must be arranged in a way that ensures confidentiality.

6.8.4 Wherever possible, consideration will be given by the Information Governance Officer to the reallocation of equipment within innov8 Workshops.

6.9 Suspected security incidents, loss or theft of equipment and data

6.9.1 All staff have a duty to report immediately any suspected security incidents. Such information shall be regarded as confidential by all employees involved and should be reported to the Data Protection Officer and Information Governance Officer.

6.9.2 Loss or theft of any innov8 Workshops device must be reported to the Information Governance Officer and Reflective IT. The Reflective IT Helpdesk is available from 8 am to 6 pm, Monday to Friday. Outside these hours, Reflective IT can be contacted on any device that has remote access to innov8 Workshops’ systems will immediately have its remote access disabled.

6.9.3 When such an incident is reported, Reflective IT and the Data Protection Officer will conduct an immediate investigation to establish whether any data lost is of a personal or sensitive nature and to assess any consequential business risk it poses. They will also conduct an investigation to establish whether there has been a breach of this policy or any other relevant rules or statute and whether appropriate action must be taken.

6.9.4 Where a data breach is identified to have compromised an individual(s), those individuals must be notified by the Operations Director as soon as possible and steps taken to minimise the risk of potential fraud or loss to the individuals affected.  

6.9.5 Any data breach shall also be investigated and, if necessary, the office of the Information Commissioner informed by the Data Protection Officer, with a full report of the incident and a list of actions taken, together with a plan of steps required to be taken to reduce the risk of recurrence.

6.9.6 All breaches of information security (whether stolen or by accident) must be reported to the Data Protection Officer. The penalties for a data breach can be severe, with innov8 Workshops risking six-figure fines for data losses.

6.9.7 A checklist of the actions in section 6.9 can be found in Appendix C.

  7. Violations

Violations of this information security policy may include, but are not limited to, any action that:

  • exposes innov8 Workshops, its Trustees, staff or customers to actual or potential monetary loss, or loss of reputation, through the compromise of information security.
  • involves the disclosure of confidential information or the unauthorised use of data.
  • involves the use of data for illicit purposes, which may include violation of any law, regulation, policy, or any reporting requirement of any law enforcement or government body.
  • falls within the terms of computer misuse in section 6.6 above.

  8. Disciplinary process

innov8 Workshops takes information security seriously and any breach of this policy could lead to disciplinary or legal action being taken against anyone who commits a breach. Violations such as the use of unauthorised software, the use of data for illicit purposes or the copying of software which breaches copyright agreements will be investigated in accordance with innov8 Workshops Policies and serious or wilful actions taken in breach of these policies are likely to be treated as gross misconduct and appropriate action taken, which can include summary dismissal.

Appendix A

Policy use and control of passwords

Wherever possible, innov8 Workshops follows the latest guidance on password policy issued by the National Cyber Security Centre (NCSC). The following password rules should therefore be adhered to on all systems in use at innov8 Workshops.

  1. Network passwords must be a minimum of 14 characters.
  2. Network passwords must contain characters from four of the following four categories:
  • English uppercase characters (A to Z)
  • English lowercase characters (a to z)
  • base 10 digits (0 to 9)
  • non-alphabetic characters (for example, !, $, #, %).
  3. Your password must not contain your username or parts of your full name.
  4. Your password must not contain three consecutive identical characters.
  5. Names that are likely to be easily associated with the user – spouses’, children’s or pets’ names for example – should be avoided. Passwords must not include the word ‘password’ itself.
  6. You will not be allowed to re-use any of your previous 24 network passwords.
  7. Personal passwords must never be written down either on hard copy or in plain text electronic versions. Shared passwords must never be written down and left in insecure locations. Where shared passwords need to be written down, they should be stored in a secure location such as a fire safe.
  8. Personal and system passwords must be changed at least every 6 months. The system will prompt you to change your network password every 6 months. Where possible, systems should be set to force a change of password at regular intervals.
  9. Managers must ensure that passwords known to staff who leave innov8 Workshops employment are changed immediately on their departure.
  10. innov8 Workshops regularly monitors passwords exposed in public data breaches. You may be requested to change your password at any time if we believe it has been compromised.

Notes

For the majority of systems, the ability to change passwords lies directly with the end user; this allows you to change your own password. Where this is not the case, this function is carried out by the system controller who will ensure that passwords are changed for you. Some systems are set to force users to change passwords after a set period of time; the time period can be varied with the assistance of Reflective IT. All managers are responsible for ensuring compliance with this policy.

Appendix B – Advice on storage of computer files

Where should I NOT store files?

On the local hard disc on a desktop PC (Drive C). This includes:

  • ‘My Documents’ (unless you have set it to be redirected to a network drive)
  • the ‘Windows Desktop’.

Although normally encrypted, these locations are not as secure as network drives and, if the IT device is lost or stolen, data could be misused. These locations are not routinely backed up centrally. Therefore, if the hard drive on your device were to fail, or you delete a file, we will not be able to recover it from the central backups.

If you want to access files from your desktop, create a shortcut to the file on the network drive. To create a shortcut, right click on the file, select SEND TO, then left click on Desktop (Create Shortcut).

If necessary, it is possible to create copies of files or folders. To do this, laptop users can set up offline synchronisation. You can select folder contents to be available when you are not connected to the network. When you are connected to the main network and log on or off, these files will synchronise in both directions. Under no circumstances must this be used for personal or confidential data. If you are in any doubt about what is classed as confidential data, seek guidance from your line manager or innov8 Workshops’ Data Protection Officer.

What are the default network drives?

Default network drives are where users can conceivably store files but the decision as to which drive is appropriate must be taken according to the nature, sensitivity and need to enable access to other users – not all drives are appropriate for all types of data. Drive names may vary for different organisations.

[MW Team/Admin] Drive – also known as the team area. If you wish to share work amongst staff from several areas you may create a folder here and place work in it. Remember to set the folder permissions to allow access only to those staff to whom you wish to give access; by default everyone can access data.

The MW Team/Admin Drive is where the majority of your work should be stored and as such you should set the Microsoft applications to default to this location.

[Directors] Drive – (for example, Resources and Performance, Operations, HR Legal and Democratic Services and confidential information). This will allow you, dependent upon the folder permissions, to access the section folders. This is mainly there for Trustees and staff who work for several sections to easily move about between the section folders.

Personal One Drive – also known as the User’s private drive. This is where you should keep personal files (CVs, PRs and so on). Only someone logged on as yourself will be able to access this area. You should not store any files here that might require access by other members of staff. These must be stored within your personal drive.

Appendix C – Checklist of actions for suspected security breach

Report any suspected security incidents immediately. Such information shall be regarded as confidential by all employees involved and should be reported to The Information Security Officer and Reflective IT who will inform the following as appropriate:

  • Data Protection Officer
  • Finance manager
  • your line manager

If any mobile device has been lost or stolen which allows remote access to the network or systems, immediately ensure that the device account is disabled, and no replacement issued before next step (below) is completed.

Reflective IT Help desk between 8:00 am and 6:00pm, Monday to Friday; Emergency Out of Hours Service

Conduct an immediate investigation with the Information Security Officer to establish whether any data lost is of a personal or sensitive nature and any consequential business risk it poses to innov8 Workshops.

Conduct an investigation to establish whether there has been a breach of this policy or any other relevant rules or statute and whether appropriate action must be taken.

Where it has been established that a data breach has compromised an individual or set of individuals, those individuals must be notified as soon as possible, and steps taken to minimise the risk of potential fraud or loss to the individuals affected. If staff, then the Operations Director; if members of the public, then the Data Security Officer should investigate any data breach and, if necessary, inform the Office of the Information Commissioner with a full report of the incident and a list of actions taken. The Data Protection Officer should also submit a proposal of future preventative steps required to be taken to reduce the risk of recurrence.

Appendix D – ICT security dos and don’ts

Do:

  • keep passwords to yourself
  • change passwords regularly
  • keep your files on network drives
  • lock your IT device when leaving your desk
  • lock your mobile IT devices away in a secure location if you leave them in an office overnight
  • lock your laptop out of sight in your boot (if you have to leave it in your car at all)
  • log off then switch off your PC at the end of each day before you leave
  • report suspected data loss or theft immediately to your line manager
  • when travelling away from the office, make sure your laptop is secure and not left unattended.

Don’t:

  • tell anyone your password
  • write your personal password down
  • respond to suspicious emails (spam)
  • store files on ‘desktop’, ‘C:’ drive or ‘My Documents’
  • send personal or sensitive data via email without encryption
  • leave your mobile ICT devices on your desk overnight
  • leave your mobile ICT device on view in unattended vehicles
  • leave your mobile ICT device on view in public places
  • use USB memory sticks or other easy to lose devices to store sensitive data.

Appendix E – Protective marking schemes

  1. innov8 Workshops Protective Marking Scheme

  • Confidential: Data that contains sensitive information relating to staff, customers, policy development, financial information.
  • Unmarked: All other non-confidential data.

  2. Government Protective Marking Scheme: Users who exchange information with government departments such as the DWP should familiarise themselves with the National Protective Marking Scheme. Staff should review the current guidance and standards published on Gov.uk https://www.gov.uk/government/publications/governmentsecurity-classification

Appendix F – Social Media Policy

  1. Introduction

1.1. The widespread availability and use of social networking applications bring opportunities to understand, engage and communicate with the world around us in new ways. It is important that we are able to use these technologies and services effectively and flexibly. However, it is also important to ensure that we balance this with our duties to our customers and partners, our legal responsibilities and our reputation.

1.2. innov8 Workshops is seeking to enable you to make sensible use of social media whilst at all times protecting your professional reputation and that of innov8 Workshops and its standing in the community. Most forms of social media are easily accessed from work but remember that all such usage can be traced back to you. The approach outlined below is designed to enable sensible use of social media for work purposes. It is deliberately restrictive in some respects to protect innov8 Workshops’ public reputation, and this may cause some to perceive restrictions on their private use of such media. If you do not wish to be bound by those restrictions you must not use social media at work nor identify yourself as an innov8 Workshops employee in private on your own personal social media.

  2. Scope

This policy applies to all employees and workers at innov8 Workshops including agency workers, casual workers and volunteers.

2.1. Business and Professional Use

2.1.1. Social networking and blogging sites, such as Instagram, Facebook and Twitter are acknowledged as important methods of communication between innov8 Workshops, our partners and the community. We seek to use such media to increase engagement of the public with our services, increase feedback, communicate key messages to the community and generally increase two-way interaction between innov8 Workshops and our stakeholders.

2.1.2. We want to encourage services to use social media where it is appropriate to interact with our partners, employees, funders, or distinct communities, such as businesses. innov8 Workshops is seeking to take a pragmatic position on social media whilst preserving our reputation. At all times before using social media at work employees need to be clear about how the activity is helping stakeholders and improving service delivery. Services need to refer to the Social Media Guidance (Appendix 1) before using these communication methods.

2.1.3. Using this type of media to communicate with our customers and partners is no different from other forms of official communication and therefore in using these channels, innov8 Workshops’ normal standards, policies and practices regarding communication will apply.

2.1.4. This Policy applies to the use of social media in your professional capacity regardless of whether it is being done using innov8 Workshops or your own equipment or whether the activity is taking place in or outside of normal working hours.

2.2. Personal Use

2.2.1. Many staff use social networking sites such as Instagram, Facebook and Twitter in their private life in their own time. This may be as part of a professional forum or purely for social activities. We recognise that for many people this is an important part of everyday life but as an innov8 Workshops employee you are expected to maintain certain standards of behaviour and not bring innov8 Workshops into disrepute as a result of your personal activities.

2.2.2. The immediacy and far-reaching potential of social media means that comments, statements, pictures or information posted are accessible on a far wider basis than ever before and therefore the potential to impact on an individual’s reputation or that of innov8 Workshops can be significant, immediate and indelible.

2.2.3. When using social media it can be easy to forget normal communication standards and legal requirements, such as the Data Protection Act, especially when off duty. However, if you talk about work matters when using social media in your personal life, innov8 Workshops expects you to be conscious of your position as a representative of the Council and apply the same socially acceptable and professional standards as you would if you were using it for work purposes.

2.2.4. We acknowledge fully the right to exercise personal freedom of expression but would expect those using social media to observe socially acceptable standards of behaviour in the ‘virtual’ world in the same way that you would in the ‘real’ world. Therefore, in Appendix 1 we have set out some advice, which we feel will help you protect yourself and the reputation of innov8 Workshops.

2.2.5. People can be subject to bullying and harassment through social networking websites and blogs and this is considered to be unacceptable behaviour. Anyone who feels that the behaviour of another is unacceptable should contact their line manager.

2.2.6. Use of social media for personal purposes at work is only permitted in accordance with the personal use conditions of the IT Usage Protocol. It is worth noting that e-mails and other posts sent from a personal account accessed at work can be easily identified as coming from innov8 Workshops. For that reason, and for the purposes of this Policy, the Council expects the same standards of behaviour in personal use as in professional use where innov8 Workshops equipment is being used, or where you are identifiable as an innov8 Workshops employee.

  3. Breach of Responsibilities

3.1. It must be noted that disciplinary action may be taken if your use of social media, through work or personal usage, has a negative, or potentially damaging, impact on your job, your reputation as an innov8 Workshops’ employee or on innov8 Workshops’ reputation, in accordance with the Disciplinary Policy and Procedure. Depending upon the severity of the issue, this could result in dismissal. Access to the internet may also be withdrawn in any cases of misuse of this facility.

3.2. The final and overall legal responsibility for any comment, statement or information made by you through social media, or any other communication routes, rests with you personally.

3.3. Those using social networking websites must take care not to allow their interaction on these websites to damage working relationships between members of staff or service users. Should this occur, the situation would be handled as a potential misconduct issue and could lead to disciplinary action.

  4. The Role of the Management Team

4.1. innov8 Workshops is looking to continually improve the way we interact with those who live or work in, or visit, the district or borough. The Management team has developed guidance on the use of social media (Appendix 2) to help you improve your communications.

  5. Related Documents

  • ICT Usage Policy
  • Disciplinary Policy and Procedures
  • Social Media Guidance
  • Code of Conduct
  • Anti-harassment and Bullying Policy

  6. Law relating to this Policy

  • Equality Act 2010
  • Defamation Act 1996
  • Data Protection Act 1998
  • Human Rights Act 1998
  • Employment Equality (Sexual Orientation) Regulations 2003 (SI 2003/1661)
  • Employment Equality (Religion or Belief) Regulations 2003 (SI 2003/1660)
  • Employment Equality (Age) Regulations 2006 (SI 2006/1031)
  • Regulation of Investigatory Powers Act 2000
  • Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699)
  • Employment Practices Data Protection Code (PDF format, 5.5MB) (Guidance on Information Commissioner’s website)

  7. Do ... and do not

  • Do be civil, tasteful and relevant.
  • Do not post messages that are unlawful, libellous, harassing, defamatory, abusive, threatening, harmful, obscene, profane, sexually oriented or racially offensive.
  • Do not swear.
  • Do not post pictures of people without their expressed approval. Posts of children attending innov8 Workshops require approval as part of the standard customer referral form and/or a GDPR form as well as approval from the child’s parents. see Appendix 
  • Do not post content copied from elsewhere, for which you do not own the copyright.
  • Do not post the same message, or very similar messages, more than once (also called ‘spamming’).
  • Do not publicise your, or anyone else’s, personal information, such as contact details.
  • Do not impersonate someone else.
  • Do check with your manager, if you are not sure about any aspect of social media, including responses which trouble you.

  8. Derogatory Statements

Please take care not to make derogatory or defamatory statements. This means a statement that lowers the reputation of a person or organisation in the eyes of a reasonable person. By publishing such a statement both you and innov8 Workshops can get into serious trouble. We will therefore take down any statement on innov8 Workshops social media that could be deemed to be derogatory or defamatory.

innov8 Workshops GDPR Permissions form

Student Name:……………………………………………

 

We would sometimes like to take photos and/or videos of students during workshop activities. Please indicate if and how you consent to the way in which we can use photos of the child:

Please tick one option:

  Photos/videos can be shared, published, including on innov8 Workshop related social media and used for marketing

  Photos/videos can be used within innov8 Workshop spaces only but not for marketing purposes

  Do not take photos/videos of this child

 

Parent / Guardian

Print Name…………………………………………………….

Signature………………………………………………………

Date……………………………………………………………..

 

Appendix G – E-mail and Internet Usage Policy

  1. Introduction

1.1 It is vital that you read this Policy carefully. If there is anything that you do not understand, please ask the innov8 Workshops Data Security Officer to explain.

1.2 This Policy contains important rules covering e-mail, internal and external, and access to the Internet. Many of the rules apply equally to innov8 Workshops’ other methods of communicating with the outside world such as letter and telephone.

1.3 This Policy explains how e-mail and Internet access should be used. It explains what you are allowed to do and what you are not allowed to do. If you have any general problems with this Policy, please contact the Operations Director.

1.4 This Introduction of the Policy describes some of the controls operated by innov8 Workshops. Next are General Rules for the use of the Council’s Internet and e-mail services and some advice on the sensible use of internet services. We have then identified six areas where legal problems might arise for you and for the Council. These are harassment, defamation, copyright, entering contracts, pornography and confidential information.

1.5 Failure to comply with this Policy: (a) may result in legal claims against you and innov8 Workshops; and (b) may breach the innov8 Workshops Code of Conduct, leading to your being reported for a breach of the Code of Conduct.

1.6 innov8 Workshops routinely monitors the level and route of e-mail and Internet traffic. Logs are kept on the system. These may be inspected at any time without notice where there is just cause for suspicion of misuse. If through routine monitoring innov8 Workshops has grounds for suspecting an employee of illegal or inappropriate e-mail or internet use, further investigations, including the examination of relevant computer files, records and personal e-mails, may be carried out. This will be conducted by the Information Governance Officer but will always be subject to the employee being advised that this action is to be taken.

1.7 innov8 Workshops automatically monitors internet sites visited from its network for inappropriate content. ‘Inappropriate’ includes, but is not limited to, material that is obscene, sexually explicit, pornographic, racist, defamatory, hateful, incites or depicts violence, describes techniques for criminal or terrorist acts and any other categories as determined from time to time by the Data Security Officer. If it is found that such sites have been visited, the procedure described in 1.6 above will be followed.

1.8 innov8 Workshops’ systems are set up so that all external e-mail and files exchanged over the internet pass through innov8 Workshops’ ‘firewall’ and filtering software to prevent the spread of viruses and malicious software.

1.9 All e-mail and attachments are scanned for viruses and inappropriate content. If any are found the e-mail is withheld. A message to that effect is returned to the sender and, for incoming mail only, to the recipient. The Information Governance Officer will be informed of any virus or inappropriate content by Reflective IT.

1.10 It must be understood that e-mail is not secure, and that no personal, confidential or sensitive material should be sent by e-mail without careful consideration. For example, it is possible that technical staff may see isolated messages just as telephone engineers may overhear telephone calls, or a hacker may intercept an e-mail. Staff are required to maintain the privacy and confidentiality of any message inadvertently viewed.

  2. General rules

2.1 innov8 Workshops’ Internet and e-mail system is primarily for business use, but occasional and reasonable personal use is permitted. However, you must not allow third parties to use the system. Remember that misuse of innov8 Workshops’ resources is a breach of the Code of Conduct.

2.3 The use of web-based e-mail services such as Microsoft Hotmail is prohibited, as this bypasses innov8 Workshops’ full security system. All e-mail should be sent/received using the innov8 Workshops e-mail system.

2.4 For external e-mails, an innov8 Workshops disclaimer and standard footer should be used. However, if you send a personal e-mail sign off the e-mail with the following statement: PERSONAL E-MAIL: This e-mail is personal. It is not authorised by or sent on behalf of innov8 Workshops. This e-mail is the personal responsibility of the sender.

2.5 E-mails are not to be sent nor Internet pages accessed if the contents are likely to be illegal, could bring innov8 Workshops into disrepute or could make innov8 Workshops liable to action against it. Examples include but are not limited to material that is obscene, sexually explicit, pornographic, racist, defamatory, hateful, incites or depicts violence, describes techniques for criminal or terrorist acts, or otherwise represents values which are in the opinion of the Operations Director inappropriate to innov8 Workshops’ activities or could bring innov8 Workshops into disrepute. If it is justifiable in terms of legitimate innov8 Workshops business to access a website which could fall into any of the above categories, an employee may do so, but is advised to notify their line manager of the reason for doing so.

2.6 Sending viruses and hacking into any e-mails or computer systems of innov8 Workshops or outside innov8 Workshops are strictly prohibited and illegal.

2.7 innov8 Workshops’ Internet or e-mail facilities must not be used for personal gain.

2.8 Take advice from the Information Governance Officer or your line manager before using your innov8 Workshops equipment to sign up to social media, such as Instagram, Facebook or YouTube.

2.9 Keep all passwords secure and never write them down.

2.10 Access to another person’s e-mail is only allowed with the authorisation of the owner or the Data Security Officer.

2.11 All emails sent from or received by your innov8 Workshops may become public so ask yourself, before sending an e-mail, how you would feel if your message were read out in court. E-mail messages may have to be disclosed in litigation.

2.12 If your email contains information which could identify a living person, such as a name or address, this must not be disclosed without their prior consent, otherwise you will be breaking the Data Protection Act.

2.13 Take care about the style you use, be friendly, business-like and brief but not curt.

 

2.14 Do not:

(a) impersonate any other person (such as using another’s password) when using e-mail and do not alter messages received.

(b) attempt to bypass innov8 Workshops’ security controls.

(c) introduce software or any electronic media onto innov8 Workshops’ system without the prior permission of the Information Governance Officer. This includes software, shareware, and freeware available on the Internet.

(d) use bold or UPPERCASE lettering unnecessarily. This is known in e-mail terms as shouting.

(e) create e-mail congestion by sending trivial messages or personal messages or by copying e-mails to those who do not need to see them. Do not engage in trivial banter.

(f) misuse the ‘Reply to all’ button, or comprehensive distribution lists. The system becomes clogged with unnecessary items. Make sure only those who need to see them receive your messages.

(g) send or forward chain letters or unsolicited mail (SPAM).

2.15 Do:

(a) use appropriate language. Emails tend to be more informal than printed letters but always have the reader in mind – sometimes a level of formality may be more appropriate.

(b) obtain confirmation of receipt (e.g., asking the recipient to send an e-mail reply) for important e-mails sent. Don’t rely on “view acknowledgements” as this is not supported on all e-mail systems.

(c) keep copies of important e-mails received and delete unwanted e-mails regularly, including emptying your deleted items folder.

(d) check your e-mail regularly.

(e) make arrangements for your e-mail to be forwarded to, or accessed by, someone else in your absence. Use the ‘Out of Office Assistant’ under Tools in Outlook to inform senders and use it to make arrangements for your e-mail to be forwarded as appropriate.

(f) reply promptly to all e-mail messages requiring a reply. Where a prompt detailed response is not possible, send a short e-mail acknowledging receipt and giving an estimate of when a detailed response will/should be sent.

(g) acknowledge internet derived material in Council documents. See also Copyright below.

(h) if you accidentally visit a site with inappropriate content or receive such emails, immediately inform the Information Governance Officer.

  3. Problem areas

3.1 Harassment: You could be held liable for harassment of fellow employees, customers and partners of innov8 Workshops if you send e-mails of a bullying or offensive nature. Such behaviour could also be a breach of the Code of Conduct.

3.2 Defamation: Inflammatory or derogatory messages sent through the internet can be held to be defamatory if the message is likely to be available to readers other than the person referred to and the recipient. A defamed party could personally sue the sender for large sums in damages.

3.3 Copyright laws protect most material appearing on the internet and some attachments to e-mails. Both the employer and the employee could be liable under civil and criminal law for any unauthorised copying of those materials by the employee.

3.4 Pornography: Displaying on screen, printing or transmitting material with a sexual content could constitute criminal offences.

3.5 Confidential information: E-mails are not necessarily a secure way of sending information. Not only could it be embarrassing for the organisation if sensitive or confidential information of its own is publicly disclosed, but disclosure of a third party’s confidential information, for example that of a client, could expose it to negligence actions and commercial risk. Members are reminded that disclosure of confidential information is a breach of the Code of Conduct.