Do report the loss of KPC personal data immediately to the KPC Data Protection coordinator, stating whether or not passwording and/or encryption and/or physical security measures were in use to protect the personal data, and whether it was lost or stolen (if known). Include any police incident number if a police report has already been submitted.
Do inform the KPC Data Protection coordinator (in addition to the owners of the website if not a KPC web page or email) if you receive an unsolicited email, letter, text or phone call asking for personal information
Do ensure that manually held personal data is stored securely, for example in a locked drawer or cupboard, and marked ‘confidential’
Do ensure that personal data transferred manually is handed over personally to the intended recipient, appropriately enveloped or in a secure container, marked ‘confidential’
Do encrypt or password-protect personal data before it is transferred electronically. Send it as a password-protected document, whether as an email attachment or when using FTP (file transfer protocol) software
Do use SFTP (secure FTP software) rather than FTP if not using email to transfer personal data
Do encrypt or password-protect personal data when it is stored electronically.
Do change passwords periodically, typically every few months if not more frequently
Do use blind copy (Bcc) for emails when emailing a large number of people, unless everyone has agreed for their details to be shared amongst ‘the group’
Do include a rider at the end of emails which have been distributed using Bcc to show who has been included in distribution (no email addresses here, only first or full names please – initials may be acceptable in small groups)
Do use email address book distribution lists for established groups which have been appropriately maintained e.g. by a KPC team leader and/or the KPC Admin Team
Do, if a KPC Team Leader, share any distribution lists (securely) with the KPC Admin Team, and check regularly with the admin team that changes have been shared bilaterally
Do read the reference material contained herein and, if in any doubt, contact the KPC GDPR coordinator for more help
Don’t reveal any full passwords, login details or account numbers if you receive an unsolicited email, letter, text or phone call asking for personal information.
Don’t click on any links you do not recognise on web pages or emails
Don’t use work email addresses for sending or receiving personal information (other than an @churchofscotland.org address)
Don’t use joint shared email addresses for convenience (e.g. family or husband/wife) when sending or receiving personal information even if for ‘legitimate purposes’
Don’t write passwords or PIN codes down on paper, ever.
Don’t leave keys for locked manual storage holding personal data (drawers or cupboards) in plain sight or easily accessible – use key cupboards where possible
Don’t use free, unsecured public Wi-Fi to connect to the internet from devices holding personal data
Don’t view personal data on electronic or manual media in public places where there is a risk of inadvertently sharing data as a result of ‘shoulder surfing’ by unwanted people
Don’t share passwords or PINs or security codes verbally in public places
Don’t use the same password across many documents just because it is easier to remember