Policy for the Secure Handling of Protected Information

Scope of this chapter

This chapter sets out the specific provisions for the handling of protected information in Greater Manchester.

RETENTION OF RECORDS

For general principles regarding data protection and information-sharing (including when it is appropriate to share information), see Data Protection, Information Sharing and Confidentiality Policy.

Related guidance

The Greater Manchester Safeguarding Children Partnerships (GMSCP) are committed to ensuring the availability, confidentiality and integrity of Protected Information, irrespective of whether this is held electronically, on paper or in other formats.

The purpose of this policy is to set out:

  • The principles guiding GMSCP's approach in ensuring secure data handling of Protected Information;
  • The incident reporting procedures GMSCP has adopted;
  • The expectations on partners with whom GMSCP necessarily works closely in discharging its statutory functions.

This policy relates to:

  • Information generated directly by GMSCP; the purpose of which is to inform the members of the Boards and partner organisations e.g. policies and procedures, business plans;
  • Information shared with GMSCP by others to facilitate the discharge of GMSCP functions;
  • Information shared by GMSCP with others to facilitate the discharge of GMSCP functions.

This policy applies to employees of GMSCP; the GMSCP and Executive; and all Subgroups and other multi-agency fora of the Board. The policy also applies to any third parties appointed under the terms of a contract to provide professional and/or other services (i.e. data processors) for GMSCP involving Protected Information under the control of GMSCP.

The expectations on Partner Organisations who support the functions of the GMSCP are set out in Section 6, Partner Organisations - GMSCP Expectations.

Protected Information is defined as:

  1. Protected Information about people.

    All people-related information enabling a child or a living person to be identified (for example family members and non-publicly available information about employees, such as full name in combination with home address or other identifiers);

  2. Protected Information which is not about people.

    This includes information whether in draft or final form which in the wrong hands has the potential to cause harm, including but not limited to the following examples:
    • By damaging the reputation of GMSCP and/or any of its partners;
    • By disclosing information of a confidential nature whether or not it is protected by common law (e.g. legally privileged information);
    • Revealing the internal operations/investigating practices of partner bodies not otherwise in the public domain.

GMSCP undertakes to ensure that it implements organisational and technical security measures appropriate to the nature and sensitivity of the Protected Information and the degree of harm which may be caused if the Protected Information were to become compromised.

Specifically, GMSCP will ensure that:

  • Protected Information is communicated with members of the GMSCP Executive, the Board, Sub-Groups; Independent Consultants; and with external bodies by secure electronic means;
  • All communications and documents containing Protected Information are protectively marked to draw attention to the level of security the recipient must observe (see Section 7, Security Classification for an explanation of the levels used by GMSCP and the appropriate electronic methods for distribution);
  • Any Protected Information distributed in paper form at meetings convened by GMSCP is returned to GMSCP officers on conclusion of the meeting and is not in any circumstances physically removed from secure GMSCP premises.

GMSCP is committed to ensuring it reacts appropriately to any actual or suspected security incident.

A security incident occurs whenever there is reason to believe that security has been compromised resulting in unauthorised access, misuse, modification, corruption, loss or theft of Protected Information assets.

Anyone acting under the auspices of GMSCP who knows, or suspects, a security breach involving Protected Information assets under the control of GMSCP has occurred must:

  • Take any obvious safe steps to reduce the harm/risk by preventing any further loss of the data, system intrusion or unauthorised access;
  • Assess whether any lost or stolen data is potentially recoverable and what reasonable steps may be necessary to achieve this;
  • Report the incident quickly, and no later than 24 hours after discovery, to the relevant LSCP Business Manager or the Independent Chair of the LSCP (or, out of hours in an emergency, the police).

An urgent assessment will be undertaken by the Independent Chair and/or the Business Manager to determine:

  • The severity of the breach;
  • The process for investigating what has happened;
  • How and why it has happened;
  • Who was involved;
  • The actions required to contain the incident;
  • Who needs to be informed of the breach and by whom;
  • Any lessons to be learned to reduce the risk of a similar event in the future.

If the incident is severe and/or requires a multi-agency response, an incident response team will be urgently convened to risk assess the actions required to recover from and contain the incident. The nature and severity of the incident will determine the team members and timeframe for the meeting.

Where compromised information originates from a partner organisation, GMSCP undertakes to notify the partner organisation on a timely basis.

GMSCP has resolved to report any incident involving the loss or theft of Protected Information with the potential to cause an individual harm to GMP for investigation; this will be facilitated through the Force Duty Officer.

The GMSCP recognises that Partner Organisations are separate data controllers and will have their own policies relating to secure data handling and incident reporting.

However, as a minimum GMSCP expects that Partner Organisations will adhere to the following:

  • Accept responsibility for safeguarding Protected Information once it has been securely communicated by GMSCP and ensure that it remains at all times on a secure network or in a secure environment;
  • Ensure employees handling Protected Information received from GMSCP have received appropriate data handling and information security training;
  • Ensure that Protected Information is securely communicated to GMSCP and is protectively marked;
  • Ensure that Protected Information is securely destroyed once it is no longer required, observing the principle that the primary record holder is the body responsible for meeting the relevant retention periods;
  • Notify GMSCP on a timely basis if Protected Information received from GMSCP is compromised; and likewise inform any other partners from whom the Protected Information may have originated;
  • Cooperate with GMSCP and any other affected partners, in determining the actions necessary to recover from and contain a security incident, including notification of the Information Commissioner or any other regulatory bodies.

UNCLASSIFIED PROTECT RESTRICTED

Unclassified information is data which does not meet any of the criteria which would require the information to be categorised as protected or restricted.

The loss or compromise of information or material likely to result in any of the following:

  • Cause substantial distress to individuals;
  • Breach proper undertakings to maintain the confidence of information provided by third parties;
  • Breach statutory restrictions on the disclosure of information;
  • Cause financial loss or loss of earnings;
  • Unfair advantage for individuals or companies;
  • Prejudice the investigation or facilitate the commission of crime; and/or
  • Disadvantage government in commercial or policy negotiations with others.

All information should be shared on a strict 'need to know' principle.

Material classified as PROTECT includes sensitive information (e.g. commercial or personal) that needs to be protected, that does not have the higher-level security dimension, and for which the use of RESTRICTED would be excessive.

The PROTECT classification must be used for the transmission of personal sensitive data, particularly when several records are aggregated.

The highest level of security necessary for local government issues is RESTRICTED information.

RESTRICTED applies if unauthorised access would be likely to meet one or more of the following criteria:

  • Cause substantial distress to individuals;
  • Breach proper undertakings to maintain the confidence of information provided by third parties;
  • Undermine the proper management of the public sector and its operations;
  • Disadvantage government in commercial or policy negotiations with others;
  • Impede the effective development or operation of government policies;
  • Cause financial loss or loss of earnings potential to, or facilitate improper gain or advantage for, individuals or companies;
  • Prejudice the investigation or facilitate the commission of crime;
  • Adversely affect diplomatic relations (this is least likely to affect most Council staff in their day-to-day activities); and/or
  • Make it more difficult to maintain the operational effectiveness of security of UK or allied forces (this again is least likely to affect most Council staff in their day-to-day activities).

PROTECT RESTRICTED

Clear desk policy

Protectively marked information must not be left unattended during working hours.

Protectively marked documents must not be taken out of the office unless appropriate security measures are in place, and must not be taken out without the permission of the data owner, given either explicitly or through approved procedures.

Hard Copy Storage

Can be stored in any lockable furniture.

Protectively marked documents should not be stored out of the office unless appropriate security measures are taken.

Electronic storage

Stored in directories which are only accessible to personnel authorised to read the documents.

Portable devices

Information on computer disk, CD, memory-stick or other electronic media must be marked with the security classification of the most highly classified data stored on the device and it must be encrypted.

Protectively marked information must be stored on the corporate network; not saved on personal electronic devices.

Mobile devices should be equipped with software to enable the device to be tracked and remotely wiped of data in the event of loss/theft.

Email

When sending sensitive personal data (especially in aggregate) or material marked "PROTECTED" by email over the public internet, this data must be encrypted to the standard of AES 256-bit encryption.

Material classified as RESTRICTED must not be made available via a website, or sent over non-secure email.

RESTRICTED may only be sent using the GCSx secure email system and to an email address which is capable of receiving the email, without it passing over the public internet.

Telephone

Information designated UNCLASSIFIED and PROTECT may be discussed / sent over non-secure telephone / fax lines.

Information protectively marked RESTRICTED must not be:

  • Discussed over a non-secure telephone line or non-secure mobile phone;
  • Sent over a non-secure fax line; and/or sent to a pager.

Post / courier

To send documents classified as PROTECT and RESTRICTED by post, envelopes must be addressed to an individual by name or job title and marked 'Addressee only'.

Do not include the classification on the envelope.

Consideration should also be given to using couriers and registered post.

Disposal

All documents/records must be linked to an approved retention and disposal schedule, see Retention of Records.

Once the document/record has reached the end of its lifecycle it should be reviewed and if no longer needed destroyed using approved secure processes, see below.

If data needs to be retained for a further period, the review cycle established for it should be periodically reviewed.

Documents/records should be confidentially destroyed in a way that ensures the information cannot be put back together and read/used. An entry should be made of its existence, the date it was destroyed and by whom in a "destruction manual". A confidential destruction certificate should be obtained and retained in a secure location.

Record: Serious Case Review Documents
Retention Period: 100 years
Commences: Date agreement given to commence review

Record: Management Review Documents
Retention Period: 100 years
Commences: Date agreement given to commence review

Record: Multi Agency File Audit Documents
Retention Period: 100 years
Commences: Date agreement given to commence review

Record: GMSCP Board and Subgroup records and procedures; Child Protection Register; list of children subject of a Child Protection Plan; Adult or Child electronic or written records.
Retention Period: Electronic records to be subject to review every 10 years. Permanent - review 70 years and offer to archive service.
Commences: Date of meetings / start date of procedure.

Last Updated: January 8, 2024

v16