Information security policy
Information security involves preserving confidentiality, preventing unauthorised access and disclosure, maintaining the integrity of information, safeguarding accuracy and ensuring access to information when required by authorised users.
In addition to complying with this policy, all users must comply with the Data Protection Legislation and the Data Protection Policy. ‘Church data’ means any personal data processed by or on behalf of Crockenhill Baptist Church.
Information security is the responsibility of every member of staff, trustee, office holder, church member and volunteer using Church data, whether on the Church information systems or elsewhere. This policy is the responsibility of the church administrator, Jill Clarridge, who will undertake supervision of the policy.
Our IT systems may only be used for authorised purposes. We will monitor the use of our systems from time to time. Any person using the IT systems for unauthorised purposes may be subject to disciplinary and/or legal proceedings. We will take appropriate technical and organisational steps to guard against unauthorised or unlawful processing. In particular:
- All data will be stored in a secure location and precautions will be taken to avoid data being accidentally disclosed.
- Manual records relating to church members or staff will be kept secure in locked cabinets. Access to such records will be restricted.
- Access to systems on which information is stored must be password protected with strong passwords and these should be changed at once if there is a risk they have been compromised. Passwords must not be disclosed to others.
- We will ensure that staff and members who handle personal data are adequately trained and monitored to ensure data is being kept secure.
- We will ensure that only those who need access will have access to data.
- We will take particular care of sensitive data and security measures will reflect the importance of keeping sensitive data secure (definition of sensitive data is set out above in the Data Protection Policy), e.g. password protection for documents and encryption.
- Where personal data needs to be deleted or destroyed, adequate measures will be taken to ensure data is properly and securely disposed of. This will include destruction of files and backup files and physical destruction of manual files. Particular care should be taken over the destruction of manual sensitive data (written records), including shredding or disposing via specialist contractors (who will be treated as data processors, see below).
- We will ensure that any data processor engaged to process data on our behalf (e.g. for payroll) will act under a written contract and will give appropriate undertakings as to the security of data.
- Appropriate software security measures will be implemented and kept up to date.
- We will ensure that if information has to be transported or transferred, this is done safely using encrypted devices or services.
- Where personal devices are used to store or process personal data, they must be subject to appropriate security.
All breaches of this policy must be reported to the administrator, Jill Clarridge.
This policy will be regularly reviewed and audited.