The ICO exists to empower you through information.

Assign appropriate security classifications to your information and label your information to reflect your agreed information classification scheme.

Options to consider: 

  • Take into account the requirements of confidentiality, integrity and availability of personal information when you assign classifications. 
  • Document security classifications within an applicable policy that you communicate to all staff.
  • Assign accountability for classifications to Information Asset Owners. 
  • Review classifications to ensure they remain appropriate and keep a record of reviews.
  • Conduct dip sampling to check whether you apply security classifications appropriately and feed results back to staff.
  • Provide detailed guidance for staff on how to assign security classifications, including examples.
  • Implement a procedure for information labelling that covers both physical and electronic information.
  • Ensure electronic information carries sufficient metadata to help identify, manage and control personal information.
  • Provide training to staff on how to correctly label information.
  • Conduct dip sampling to check whether you are labelling information correctly and feed results back to staff.


Use appropriate methods for deletion when disposing of electronic data containing personal information you no longer require. 

Options to consider: 

  • Have a retention schedule for all electronic data and review it on a regular basis.
  • Implement safeguards for technical changes that may prevent future access to long-term data (eg obsolete formats and the potential deterioration of storage media). 
  • Include clauses in contracts and agreements with third parties that cover the secure deletion of information when terminating the contract.
  • Securely store and lock down information that you cannot delete due to system functionality restrictions. 
  • Use deletion software to ensure information is deleted securely and cannot be recovered by specialist recovery or forensic tools.


Have procedures in place to protect personal information processed through your employees’ own devices (BYOD). 

Options to consider: 

  • Have a separate policy that covers the secure configuration and acceptable use of your employees’ own devices. 
  • Provide staff with clear instructions on the physical security of their devices and rules about:
    • installing software;
    • using endpoint device software;
    • applying security updates; and
    • connecting to public networks.
  • Risk assess the use of BYOD before you implement it.
  • Train all your staff on using BYOD.


Ensure all staff (including temporary staff and contractors) return mobile devices when their employment or contract is terminated.

Options to consider: 

  • Develop a leavers’ checklist which includes steps to ensure that staff return mobile devices. 
  • Carry out periodic sampling of historical leavers to check they returned their devices. 
  • Revoke access and remotely block devices automatically after the leavers’ last day of employment.
  • Require line managers to physically collect devices from staff at the end of their last day of employment. 


Put appropriate governance arrangements in place for using removable media.

Options to consider: 

  • Document procedures for managing removable media (eg USBs, external hard drives and CDs). 
  • Keep a record of all removable media approved for use. 
  • Check that users of removable media are doing so in a secure manner and in line with security procedures. 
  • Conduct dip sampling of removable media use to check that it is still only used by approved personnel.
  • Define within procedures how long you should retain personal information on removable media.
  • Implement port controls on applicable hardware assets to prevent unauthorised use of removable media.
  • Record and regularly risk assess any ports that are uncontrolled.
  • Store removable media in locked cabinets when not in use.
  • Ensure all data stored on removable media is encrypted.
  • Use technologies that prevent unauthorised data transfers to removable media.


Implement security measures to protect personal information that staff are processing when working remotely or at home. 

Options to consider: 

  • Protect systems through virtual private networks or multi-factor authentication.
  • Ensure staff are able to store hardware assets securely. 
  • Include remote working and working from home in business continuity and incident management procedures. 
  • Train staff on their responsibilities for keeping personal information secure when working remotely or at home.
  • Develop guidance for staff to follow when working in a public place.
  • Enable remote wipe capabilities to protect personal information if devices are lost or stolen.