Introduction
Information, in whatever form it takes, is a valuable asset to the firm and, consequently, needs to be suitably protected. Protecting information is not only a corporate responsibility; it is a professional and legal obligation which we must all take seriously.
Objectives
The objective of this policy is to ensure that all paper and electronic records containing personally identifiable information or any confidential/sensitive information (including corporate or commercially sensitive information) are suitably secured when not in use and are not left visible on an unattended desk.
This policy applies in particular to working areas, such as desks or tables, which should not have confidential, sensitive, commercially sensitive or personally identifiable information left on them whilst unattended for an extended period.
The objective of this policy is also to ensure that we adhere to the obligations placed upon us by legislation such as the Data Protection Act 2018 (DPA) and relevant provisions of the Data (Use and Access) Act 2025 (DUAA).
Key principles
The key principles for adhering to this policy are to:
- reduce the risk of a security breach or information theft;
- reduce the risk of confidential or sensitive information being stolen or accessed by unauthorised individuals which could seriously harm the firm;
- help demonstrate compliance with the DPA and DUAA; and
- create a culture of accountability and responsibility in relation to the handling and care of personal data and confidential information.
Scope
All of us at the firm, along with contractors, are required to comply with this policy.
Responsibilities
Line managers are responsible for monitoring compliance and providing guidance to staff on the implementation of the policy.
All of us, along with elected members, contractors and agency staff, have a responsibility to report security incidents and breaches of this policy as quickly as possible to the firm’s Data Protection Manager, who is Timothy Halliday.
We will take appropriate measures to remedy any breach of this policy through the relevant framework and may take disciplinary action, as appropriate. Internal reviews, including spot checks, will take place in order to identify potential breaches of this policy.
Secure desk procedure (office working) – protecting information
Confidential or sensitive information, whether held electronically or on paper records, and other valuable resources should be secured appropriately when staff are absent from their desk and at the end of each working day.
To facilitate this, the following guiding principles have been produced which cover both non-electronic (e.g. manual/paper files) as well as electronic forms of information.
In addition, reference is made to the display of information on computer/laptop screens as well as to the security of personal property.
Desks must be cleared at the end of each working day of any confidential or personally identifiable information. Files containing confidential or personally identifiable information must be locked securely in desks, filing cabinets or designated secure rooms at all times, other than when being used. All efforts must be made to keep this information secure and not readily accessible to non-authorised people.
To reduce the risk of a breach of confidentiality and to ensure adherence to the DPA, when disposing of confidential or personally identifiable information, ensure that it is destroyed securely using approved methods of waste disposal.
Desks and other workspaces should be sufficiently tidy at the end of each working day.
Electronic storage devices
For the purposes of this policy, electronic data and equipment will not be treated differently from manual records and equipment if they contain the same type of confidential, sensitive and/or personal information. Computing devices and all other equipment containing data will therefore be treated with the same level of security as paper-based resources.
To ensure the security of information held electronically, lock away portable computing devices such as laptops or personal digital assistants (PDAs) when not in use and where appropriate.
To ensure the security of information held on mass storage devices such as CD-ROM, DVDs or USB drives, lock these away in a secure drawer at the end of the working day.
USB drives and other such items must be locked away even if they are encrypted.
Personal computers, laptops and PDAs
Computers and laptops must be locked or logged off when unattended. If you have to leave your desk, for any reason, you must lock your computer by using the ‘Control, Alt, Del’ keys simultaneously or by pressing the ‘Windows’ key and the letter ‘L’. Access to your computer/laptop must be protected by passwords, in line with our Information Management and Security Policy.
As far as practicable, when sensitive or confidential information is being worked on, a privacy screen should be used, the window must be closed or minimised, or your computer locked when unauthorised persons are in close proximity to the screen.
If sensitive or confidential information is visible to an unauthorised person standing in close proximity to your computer/laptop screen, they should be asked to move away to protect the confidentiality of this information.
Similarly, if the contents of your computer/laptop screen are visible through a window, you should move the screen away from the window or use a privacy screen or blinds to preserve confidentiality.
Video conferencing and virtual meetings
When participating in video calls, protect confidential information from unauthorised viewing:
- Position your camera to avoid showing confidential documents, screens, or whiteboards
- Use virtual backgrounds or blur effects when confidential materials are visible behind you
- Close confidential documents before starting calls or sharing screens
- Mute microphones when discussing confidential matters off-camera
- End screen sharing immediately after presenting to prevent accidental disclosure
- Be aware that others may be recording – treat all calls as potentially recorded
- Use waiting rooms and passwords for sensitive client meetings
Printers, photocopiers and fax machines
To avoid accidentally printing to an unintended network device, you should check that your default printer is correct before printing any documents.
Where documents are scanned using photocopiers or multi-functional devices, ensure that scanned documents are correctly routed to you.
Personal data must be cleared from printers, photocopiers and fax machines immediately on completion. If these are no longer required, the items must be shredded or sent for secure disposal.
It is your responsibility to ensure you collect documents sent to a central copier/printer. If information is of a confidential/sensitive nature and it is misplaced or missing, this should be reported to the Data Protection Manager immediately.
Remote working
Where staff are working from home, or otherwise remotely and away from the office, there is arguably a much higher risk of security breaches or loss of confidential data. As such, it is important for the firm to outline and for all staff to understand the additional considerations expected of staff in order to achieve a secure desk environment when working remotely.
The following are examples of additional considerations we expect staff to familiarise and equip themselves with:
- Ensure you have read our Flexible, Remote and Hybrid Working Policy for employees. This document, amongst other things, outlines expectations of employees for secure remote working;
- Ensure you use a strong password
- Ensure you use secure VPN. Using public Wi-Fi means that your network is not secure. A VPN (an encrypted barrier protecting your network and its data from outside access) is a far more secure method by which to join the firm’s network from a remote location.
- Ensure you treat any documents the way you would in the office. When working remotely, you must treat hard copy documents as you would whilst working in the office, so keep a clear desk and lock documents away when you are not working on them to ensure that other household members/visitors cannot access them. Please see the Security and data protection section of the Flexible, Remote and Hybrid Working Policy for guidance on the use of printers whilst working remotely.
Further information
This document should be read in conjunction with the Data Protection Policy, Information Management and Security Policy, Flexible, Remote and Hybrid Working Policy and BYOD Policy.
Review of this policy
This policy will be reviewed at least annually by Timothy Halliday (Data Protection Manager).
September 2025