Overview
There are many occasions when information is transferred between departments, to third-party service providers, to other public bodies, commercial organisations and individuals. This is done using a wide variety of media and methods, in electronic and paper format. In every transfer there is a risk that the information may be lost, misappropriated or accidentally released. XXX has a duty of care in handling information. For legal reasons such as confidentiality or data protection, and to maintain the trust of our service users and partners it is essential that the transfer is performed in a way that adequately protects the information. It is the role of the Sender to assess the risks and ensure that adequate controls are in place. This policy outlines the responsibilities attached and the minimum security requirements for transfer.
Scope
This procedure states the minimum security requirements for physical transfer of information into, across and out of the organisation, in any format. For the purpose of this document, Information refers to both textual information (e.g. word-processed documents, reports and spreadsheets) and raw unformatted data (e.g. backup tapes), in any format and on any medium. This policy applies to all employees of the XXX and any Third-party that processes the organisation's information.
Procedure
4.1. The sender’s responsibility
With each information transfer there is a risk that the information may be lost, misappropriated or accidentally released. It is the responsibility of the sender to assess all risks and ensure that adequate controls, in compliance with this policy, are in place. This section contains some of the things that must be considered before transferring information.
4.2. Is the transfer legal and necessary?
It is dangerous to assume that because someone asks for information that they are necessarily authorized or legally entitled to have it. If you are in doubt then you should check with your manager. Once you are sure that the transfer is legal and necessary then you must decide what kind of information you are dealing with. This will determine what security is appropriate. To transfer personal or confidential information without these checks may leave XXX open to Legal and Reputational damage and the sender may be subject to disciplinary action.
4.3. Is it Personal information?
Personal information is about a living, identifiable individual. If it contains details of racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, commission of offences, court appearances and sentences it is further classified as sensitive personal information. Anything we do with personal information must comply with the Data Protection Act. Before you make any transfer you must:
- Ensure transfers to Media organisations are approved by the Communications Department.
- Obtain and document the approval of the Information Owner for transfer
- Ensure that the transfer is legal (in particular under the Data Protection Act. See Appendix below)
- Ensure that the transfer is necessary (is there a less intrusive way)
- Remove or blackout anything that is not essential for the recipient’s purpose
- Have a documented agreement in place to ensure the recipient understands their responsibilities under the law, particularly what to do with the transfer file after they have extracted the information to their system
4.4. Is it confidential information?
Confidential information is that for which the XXX has a duty of confidentiality. This may include information that affects the business interests of a third party, or for which the sender does not hold copyright e.g. bank details, salary details, contracts, agreements. Unauthorised release of confidential information can leave the XXX open to legal sanction or litigation. It can also erode the trust of the Public and its Partners in the XXX itself. Before you transfer you must:
- Obtain and document the approval of the information owner for transfer
- Ensure that you are not breaching a Duty of Confidentiality
- Ensure that the transfer is necessary (is there a less intrusive way)
- Remove anything that is not essential for the recipient’s purpose
- Have a documented agreement in place to ensure the recipient understands their responsibilities under the law, particularly what to do with the transfer file after they have extracted the information to their system
4.5. Does Public information need any special controls?
Public information is any information that is freely released or exchanged and presents minimal risk to the organisation in terms of content, quality or timeliness, e.g. promotional brochures. In general there are no special security requirements for the transfer of Public information because its release represents no special risk, and it may be transferred by the most cost-effective method available. You must nevertheless seek the permission of the Department that produced or owns the information before making any transfer, even if the transfer appears harmless.
4.6 Transfer Principles
The following principles apply to all Information transfer in, out and within the XXX scope:
- Formal arrangement and agreements that surround the sharing must be set up prior to data transfer
- Agreements should, where it is not covered by other arrangements, define ‘type’, ‘fair processing’, ‘usage – what for and how’, ‘accuracy’, ‘handling duration’, and the ‘remit for transfer’
- Information transfer must be in accordance with any ethical, legal, or governance requirements held upon the data, and justifiable in this context. CISO/ Dept Heads will make all reasonable attempts to ascertain and log these requirements prior to transfer
- Transfer of personal Information must be undertaken in line with data protection legislation.
- Transfer volume and frequency must be in accordance with the minimum required.
- Transfer arrangements must minimise any risk associated with the loss or improper use of the information being transferred
- It is the ‘norm’ to perform handling under an Information Sharing Agreement or Open-Use Licence
- Manual or automated steps must be in place to check that transfers are in accordance with these principles
5.0 Requirements for Transferring Personal or Confidential Information
Having decided what kind of information you have, and prepared it for transfer, the sender must consider the various methods of transfer available and whether they are appropriate. For all transfers of Personal or Confidential information it is essential that the identity and authorisation of the recipient has been appropriately authenticated by the sender.
5.1. Electronic Mail
Information must be enclosed in an attachment and encrypted using a product approved by the XXX set at an appropriate strength. Minimum standard for encryption is AES (256 bit). WINZIP 11.1 and above offer this; AES-256 must be selected explicitly, as the legacy ‘Zip 2.0 compatible’ password encryption that these products also offer is weak and does not meet this standard.
- Any password must be to Organisation standard: at least 7 characters, mix of alpha and numeric. Further details of the password policy can be found in the Secure Authentication procedure. Note that this is a minimum: an encrypted file can be attacked offline by anyone who obtains a copy, so use a longer passphrase where practical.
- Any password to open the attached file must be transferred to the recipient using a different method than e-mail, e.g. a telephone call to an agreed telephone number, closed letter.
- E-mail message must contain clear instructions on the recipient’s responsibilities and instructions on what to do if they are not the correct recipient.
- An accompanying message and the filename must not reveal the contents of the encrypted file.
- Check with the recipient that their e-mail system will not filter out or quarantine the transferred file.
- The sender must check at an appropriate time that the transfer has been successful, and report any issues to their line manager.
5.2. Electronic Data Transfer (FTP, Secure FTP, BACS, DCSF’s COLLECT)
Standard FTP without encryption is inherently insecure and must not be used for transmitting personal or confidential information. SFTP file transfers are acceptable, but such transfers must be set up and administered by the Information Services department (including verification of the remote server's host key, so that files are not delivered to an impostor). External secure transmission systems such as BACS or DCSF’s COLLECT system are designed to be secure provided that they are implemented, configured and used correctly. However, it is the responsibility of the sender to ensure that the use of such a system is appropriate for the use they propose. If in doubt, advice should be sought from the system owner.
5.3. Electronic media (CD, DVD, Floppy, USB drive, Memory Card)
Information must be enclosed in a file and encrypted using a product approved by the XXX set at an appropriate strength. Minimum standard for encryption is AES (256 bit). WINZIP 11.1 and above offer this; AES-256 must be selected explicitly, as the legacy ‘Zip 2.0 compatible’ password encryption does not meet this standard.
- Any password must be to Organisation standard: at least 7 characters, mix of alpha and numeric. Further details of the password policy can be found in Chapter 7 of the Information Security policy.
- Any password to open the file must be transferred to the recipient by a different route from the media itself (never in the same package) and not by e-mail, e.g. a telephone call to an agreed telephone number, closed letter.
- An accompanying message should contain clear instructions on the recipient’s responsibilities, and instructions on what to do if they are not the correct recipient.
- An accompanying message and the filename must not reveal the contents of the encrypted file.
- The sender must check at an appropriate time that the transfer has been successful, and report any issues to their line manager.
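Both 5.1 and 5.3 require that an encrypted archive actually uses AES-256 rather than the legacy ZipCrypto password scheme, and the two are easy to confuse because both produce a "password-protected" ZIP. The following check is an added example, not part of this policy or of any WinZip tooling: it reads the local file headers of a ZIP and reports, per entry, whether it is unencrypted, ZipCrypto, or WinZip AES and at what strength (WinZip records AES as compression method 99 plus a 0x9901 "AE" extra field whose strength byte is 1, 2 or 3). The sample archives it inspects are constructed in the script itself, with dummy payloads, so it runs offline; the entry names are made up for illustration.

```python
"""Check what encryption each entry of a ZIP archive actually uses.

The policy minimum is AES-256, which WinZip records as compression
method 99 plus a 0x9901 "AE" extra field whose strength byte is 1, 2 or
3 for AES-128/192/256.  The legacy "Zip 2.0" password scheme
(ZipCrypto) only sets the encryption flag bit and is trivially broken,
so a password-protected archive is not automatically compliant.
"""
import struct
from typing import Dict, Optional

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"          # 30-byte local file header
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
FLAG_ENCRYPTED = 0x0001
METHOD_AES = 99
WINZIP_AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}


def _aes_strength(extra: bytes) -> Optional[str]:
    """Walk the extra-field list and return the AES strength, if any."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4: pos + 4 + size]
        # 0x9901 body: AE version(2), vendor "AE"(2), strength(1), real method(2)
        if header_id == WINZIP_AES_EXTRA_ID and len(body) >= 7 and body[2:4] == b"AE":
            return AES_STRENGTH.get(body[4], "aes-unknown")
        pos += 4 + size
    return None


def classify_entries(archive: bytes) -> Dict[str, str]:
    """Map each entry name to 'none', 'zipcrypto' or 'aes-128/192/256'.

    Only local file headers are read.  Entries written with a data
    descriptor (flag bit 3) carry csize 0 here; the scan still works
    because it resumes by searching for the next header signature.
    """
    entries = {}
    pos = 0
    while True:
        pos = archive.find(LOCAL_HEADER_SIG, pos)
        if pos < 0:
            return entries
        (_, _, flags, method, _, _, _, csize, _,
         name_len, extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, archive, pos)
        name_start = pos + LOCAL_HEADER_LEN
        name = archive[name_start:name_start + name_len].decode("utf-8", "replace")
        extra = archive[name_start + name_len:name_start + name_len + extra_len]
        if not flags & FLAG_ENCRYPTED:
            entries[name] = "none"
        elif method == METHOD_AES:
            entries[name] = _aes_strength(extra) or "aes-unknown"
        else:
            entries[name] = "zipcrypto"
        pos = name_start + name_len + extra_len + csize


def is_compliant(archive: bytes) -> bool:
    """True only if every entry is AES-256 encrypted (the policy minimum)."""
    kinds = classify_entries(archive)
    return bool(kinds) and all(k == "aes-256" for k in kinds.values())


# --- constructed sample archives (header-only, dummy payloads) -------------

def _local_header(name: str, flags: int, method: int, extra: bytes = b"",
                  payload: bytes = b"\x00" * 4) -> bytes:
    """Build one local file header followed by its dummy payload."""
    encoded = name.encode()
    header = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, flags, method,
                         0, 0, 0, len(payload), len(payload),
                         len(encoded), len(extra))
    return header + encoded + extra + payload


def _aes_extra(strength: int, real_method: int = 8) -> bytes:
    """WinZip AE-2 extra field (AE-2 also zeroes the header CRC)."""
    body = struct.pack("<H", 2) + b"AE" + bytes([strength]) + struct.pack("<H", real_method)
    return struct.pack("<HH", WINZIP_AES_EXTRA_ID, len(body)) + body


def build_sample_archive(aes_only: bool = False) -> bytes:
    """Constructed sample: one AES-256 entry with a non-descriptive name,
    plus (unless aes_only) a plain entry and a ZipCrypto entry that
    would both fail the policy check.  Names are made up."""
    parts = [_local_header("t-0421.bin", FLAG_ENCRYPTED, METHOD_AES, _aes_extra(3))]
    if not aes_only:
        parts.append(_local_header("report.docx", 0, 8))
        parts.append(_local_header("notes.txt", FLAG_ENCRYPTED, 8))
    return b"".join(parts)


if __name__ == "__main__":
    for entry, kind in classify_entries(build_sample_archive()).items():
        print(f"{entry:12s} {kind}")
    print("compliant:", is_compliant(build_sample_archive()))
```

Run it against a real archive by reading the file into bytes and calling `classify_entries` on it; anything reported as `none` or `zipcrypto` must be re-created with AES-256 selected before it is sent. The check reads only the local headers, so it is independent of whether the archive's central directory is intact.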
5.4. FAX Transmission
FAX is inherently insecure and is not recommended for transfer of sensitive information. However it is acknowledged that certain circumstances demand it.
- Sender must check that the Fax number is correct and that the receiver is awaiting transmission.
- For high sensitivity information the number must be double-checked by a colleague before transmission, and telephone contact should be maintained throughout transmission.
- Both sender and receiver must have an agreed process to avoid their copy being left on the Fax machine, and a clear requirement to securely destroy the message when no longer required.
- The message should contain clear instructions on the recipient’s responsibilities and instructions on what to do if they are not the correct recipient.
- The sender must check at an appropriate time that the transfer has been successful, and report any issues to their line manager.
5.5. Delivery by Post or by Hand
It is essential that the file, whether electronic or paper, is kept secure in transit, tracked during transit, and delivered to the correct individual. Electronic media sent by post or hand must also be encrypted as required in 5.3.
- An appropriate delivery mechanism must be used.
- Package must be securely and appropriately packed, clearly labelled and have a seal, which must be broken to open the package.
- Package must have a return address and contact details.
- The label must not indicate the nature or value of the contents.
- Package must be received and signed for by addressee.
- The sender must check at an appropriate time that the transfer has been successful, and report any issues to their line manager.
5.6. Telephone/Mobile Phone
As phone calls may be monitored, overheard or intercepted either deliberately or accidentally, care must be taken as follows.
- Transferred information must be kept to a minimum.
- Personal or Confidential information must not be transferred over the telephone unless the identity and authorisation of the receiver has been appropriately confirmed.
5.7 Internet Based Collaborative Sites
Must not be used for Personal or Confidential information.
5.8. Text Messaging (SMS), Instant Messaging (IM)
Must not be used for Personal or Confidential information.