Clean Desk Policy

1. Policy Statement

 

1.1. The Society is mindful of the rights and obligations established by data protection legislation in relation to the management and processing of personal data. 

 

1.2. This Policy should be read in conjunction with other key Society’s policies. In particular, colleagues may refer to the Data Protection Policy and the Acceptable Use of IT Facilities Policy, both available on Colleagues Connect.

 

1.3. This policy does not form part of any contract of employment or other contract to provide services, and we may amend it at any time.

 

2. Purpose

 

2.1. This Policy has a dual purpose:

 

2.1.1.    Ensure data protection compliance

To ensure that any personal data colleagues work with in their day-to-day job is treated in accordance with data protection legislation, and in the respect of the individuals whose personal data they process.   These can be other colleagues, members, customers, contractors or any other third party whose personal data the Society processes.

The Policy aims to reduce the risk of data protection breaches in the workplace, and to increase colleagues’ awareness about protecting and respecting people’s personal data.

 

2.1.2.    Improve working standards

To maintain good professional standards for colleagues and visitors and help promote respect for each other in our shared working environment.

 3. Scope

 

3.1. The Policy applies equally to full-time and part-time colleagues on a substantive or fixed term contract, and to any associated persons who uses the Society’s facilities such as agency staff, contractors and others employed under a contract of service.

 

3.2. The Policy applies to desk areas as well as other surrounding areas in colleagues’ workspaces, ie. cabinets, meeting rooms and tables, photocopiers’ areas etc.

 

3.3. All colleagues are responsible for making their affiliates or visitors aware of the guidelines in this Policy, and should check that hot desks have been cleared once their affiliates or visitors have left the Society’s premises.

 

4. Policy Guidelines – Data Protection compliance

 

4.1. Colleagues are required to ensure that any personal data in hardcopy or electronic format is stored securely at the end of the working day, and when they are expected to be gone from their work area, or desk, for any length of time.

 

4.2. Computer workstations must be locked (CTRL + ALT + DELETE) when workspaces are unoccupied, or when the person using the computer/laptop is absent from the area.

 

4.3. Computer workstations must be shut down completely at the end of the working day.

 

4.4. File cabinets containing personal data must be kept closed and locked when not in use or when not attended.    Keys used to access cabinets and drawers containing personal data must not be left at unattended desks.

 

4.5. Passwords must not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.  Equally, people’s personal data (names/contact details etc.) must not be written on sticky notes and placed on computer screens.

 

4.6. All printers and fax machines should be cleared of papers containing personal data as soon as these are printed, to avoid being interjected or accidentally disposed of in ordinary bins.

 

4.7. Once no longer needed, documents containing personal data should only be shredded or placed in confidential disposal bins, where available.  Colleagues should check with their line manager if unsure.

 

4.8. Whiteboards used during meetings or during the working day must be erased after use if they contain any type of personal data.

 

4.9. Portable computing devices such as laptops and tablets which aren’t secured with a lockable cable at a desk should be stored in lockable cabinets or drawers when not in use.

 

4.10.               Where their use is permitted by Society policy (see below), mass storage devices such as CDROM, DVD or USB drives containing personal data must be secured in locked drawers or cabinets when not in use.

 

4.11.               By default, all USB ports on Society’s computers and laptops are disabled.  Colleagues who need to use USB ports on a regular basis to carry out their day-to-day job must contact the IT department for further guidance, and to be granted the necessary permissions.

 

5. Complying with the Policy

 

5.1. All colleagues are responsible for complying with the Policy.  Line managers should monitor that these guidelines are enforced within their departments at all times.

 

5.2. Each business group’s Data Protection Champion (“DPC”) should routinely verify compliance with this Policy through spot-checks and end-of-day checks in their business areas, and keep a record of any breaches of this Policy.

 

6. Policy Enforcement

 

6.1. In the event of a breach of this Policy, found either by a line manager or a DPC in the course of routine checks, the colleague responsible for the breach may be verbally warned that they are not adhering to the Policy, and reminded of the importance of handling personal data appropriately.

6.2. If several breaches reoccur and relate to the same colleague, or where the breach is of a particularly serious nature, it may result in disciplinary action being taken.

 

7. More information?

 

7.1. For further information, or if you become concerned about potential risks in your business areas, or you have any other queries relating to data protection, please contact the relevant DPC in the first instance.   A contact list of all the Society’s DPCs can be found on Colleagues Connect.

 

Alternatively, colleagues may contact directly the Society’s Data Protection Manager (DPM) at data-protection@midcounties.coop)

 

8. Changes to this Policy

 

8.1. This Policy will be reviewed at least every two years by the Society’s Data Protection Manager (DPM).