We provide fun, challenge and adventure to
over 400,000 girls and boys across the UK
a a a  A A
Member resources

GDPR Step 8: Check your security

Version 1, September 2018

Today’s technology age means that there are many tools available to us all when it comes to the management of our day to day jobs and activities.

This situation exists within local Scouting and in most cases, you will opt to use the tooling you are familiar with or makes your operation as easy as possible. The below guidance draws out these technologies and gives advice on the security measures that should be considered:

Paper

Whilst not strictly a technology, paper is still widely used to capture and retain data. This is the case within Scouting and as such needs to be considered, for example paper-based records could exist for the following:
• New joiners form
• New joiners waiting lists
• Events consent from parents
• Annual health records updates
• Events coordination with events companies
• Award notifications/nominations

The following should be considered when using paper:
• Not digitally searchable – not easy to find specific information
• If lost or damaged it’s not recoverable
• Not easy to transfer
• Prone to error or misinterpretation
• Requires physical storage and security

In some cases, paper-based records are justified or the only means of data capture, where this is the case then duty of care needs to be considered, such as:
• Minimise the use of paper to only what is required.
• Transfer of paper is secure, such as physical hand to hand transfer or registered post.
• Paper forms are securely destroyed post use if possible.
• Secure destruction should be through a shredding machine.
• Keep the paper records secure always, especially when in transit, consider using:
• A lockable brief case.
• A lockable filing cabinet if long term stored.
• If transferred to somebody, audit that they return them when complete.

Paper should be considered a last resort for data gathering/storage or transfer.

Digital forms

Digital forms offer the ability to capture data in a digital means via a website link. The form is presented to the person entering the details as designed by yourself.

The following should be considered when using web forms/online surveys:
• Digital forms can be from your own website, online survey tool or a membership database.
• Digital forms are widely used and accepted as means for gathering data.
• They need to be carefully created to capture only the data required and offer a clear capture flow, see Step 5: Gathering data
• Digital forms reduce mistakes of data capture.

Where web forms or digital surveys are being used the following best practices should be considered:
• The presentation of the form is easy to understand and follow.
• The form itself is using a secure transfer mechanism, the link to it should start with ‘HTTPS://’.
• You understand how the data is used after the form is completed, is it emailed to yourself, is it retained in the website?
• If the detail is emailed to yourself post it being completed this email should be treated with care and deleted when not required any further.
• If the data is retained on the website, then ensure access to this website is protected by a strong username and password and the access to it is limited to only those that require the data.
• Delete any data that is not needed from the locations it is stored.
Digital forms are a good way to gather accurate data in a secure way.

E-Mail

The most common communication tool used today is e-mail. This can be either personal or corporate e-mail from a large variety of providers. E-mail is used commonly to transfer all types of data and can be used to either transfer forms with information in or the data directly in the body of the e-mail itself.

The following should be considered when using e-mail to gather or transfer data:
• E-mails are sent in clear text, this means that if they are intercepted the contents can be read.
• Most e-mail systems retain lots of copies of the data sent and received, for example in:
- Inbox folder
- Sent items folder
- Deleted folder
• It is easy to mistype an e-mail address or select an incorrect pre-populated address.
• The security of an e-mail system varies depending on the service provided.
• E-mails can be stored locally on your laptop/desktop.

Where e-mail is being used the following best practices should be considered:
• Free e-mail services generally lack a level of security appropriate for sending lots of Sensitive Personal Data.
• Review the e-mail service you have; good service add-ons include:
- Anti-virus scanning
- Anti-malware scanning
- Encrypted e-mail
• Delete e-mails when they are no longer required, especially if they contain data-based attachments, this should be from the folders highlighted above.
• Add a delay to the sending of your e-mails by 2 minutes. Most email clients allow this as a ‘Rule’, any mis-typed email can then be stopped before it leaves.
• Don’t store your e-mails locally on your laptop/desktop to minimise the data you store, guidance can be found here.
• Minimise the use of e-mail to what is necessary when it comes to gathering or transferring data.
• Take care when replying to all in the email chain, you may not want all email participants to be part of any on-going communications.
• If you are looking to send an email to multiple individuals and don’t want everybody to see the email addresses on the distribution list, then simply add all of their email addresses to the ‘BCC’ field. You can then add your own email address in the ‘TO’ field, this will mask all addresses except yours.

Additionally, e-mail mass mailers may be used to communicate with members, if this is required for updates, events and other operational means. When looking at a service like this you should consider the following:
• Is the service with a reputable provider?
• Does that provider align to the GDPR
• Is the data set you are providing minimised to only what is required?
• Does the data get stored with the provider, if so can you delete it when finished with?
• E-mail is an effective way to communicate but can lead to lots of data across lots of folders. 85% of all reported data breaches in the UK come from e-mail to the wrong recipient.

Laptop/Desktop/Tablet

Laptops/desktops/tablets are common place in most households as well as in peoples place of work. As volunteers within the Scouts you will probably have access to or be using this type of technology to manage the operations for local Scouting.
Security of laptops/desktops/tablets is key when gathering/storing or transferring data, the security already in place for the physical device could vary depending on if this is company or personal asset and your line of work.

The following should be considered when using a laptop/desktop to gather, store or transfer data:
• Is the laptop/desktop a shared resource?
• Who owns the laptop/desktop and is ultimately responsible for it?
• How is the laptop/desktop/tablet to be used?
• Transient, data comes in and out but is not stored on it.
• Data is stored locally.

Where a laptop/desktop is being used the following best practices should be considered:
• The laptop/desktop is protected by a username and strong password, strong is defined as:
- Consists of at least eight characters.
- Combination of letters, numbers and symbols (@, #, $, %, etc.).
- Contains letters in both uppercase and lowercase.
• The laptop/desktop includes hard disk encryption – Check your operating system provider and search for options of hard disk encryption.
• Software packages such as anti-virus and anti-malware are included.
• Software on the laptop/desktop is up to date.
• Implement a digital password safe to store all passwords you must remember, there are many free tools available.
• Storage of data locally is minimised to only what is required.

Laptops especially are very useful for mobile management of local Scouting, but the mobile element introduces a loss or theft risk. Reduce the exposure by considering the measures above.

In addition to this guidance there is a GDPR Security Register that helps maintain a list of the types of media used in local Scouting. This register also acts as a risk register for any media types that need to be reviewed or tracked as a risk.

 

CEOP
© Copyright The Scout Association 2019. All Rights Reserved.
Charity Numbers 306101 (England and Wales) and SC038437 (Scotland).
Registered address: The Scout Association, Gilwell Park, Chingford, London, England E4 7QW