Advisory GDPR Do and Don’t Reminders

DO…

  • Do report the loss of KPC personal data immediately to the KPC Data Protection coordinator, stating whether or not password protection and/or encryption and/or physical security measures were in use to protect the personal data, and whether it was lost or stolen (if known). Include any police incident number if a police report has already been submitted.
  • Do ensure that manually held personal data is held securely, for example in a locked drawer or cupboard for storage and marked ‘confidential’
  • Do ensure that personal data transferred manually is handed over personally to the intended recipient, appropriately enveloped or in a secure container, marked ‘confidential’
  • Do encrypt or password-protect personal data before it is transferred electronically. Send a password-protected document as an email attachment, or transfer it using FTP (File Transfer Protocol) software
  • Do use SFTP (Secure FTP) rather than plain FTP when personal data is transferred by means other than email
  • Do encrypt or password-protect personal data when it is stored electronically.
  • Do change passwords periodically, typically every few months if not more frequently
  • Do use blind copy (Bcc) for emails when emailing a large number of people, unless everyone has agreed for their details to be shared amongst ‘the group’
  • Do include a rider at the end of emails which have been distributed using Bcc to show who has been included in the distribution (no email addresses here, only first or full names please – initials may be acceptable in small groups)
  • Do use email address book distribution lists for established groups which have been appropriately maintained, e.g. by a KPC team leader and/or the KPC Admin Team
  • Do, if a KPC Team Leader, share any distribution lists (securely) with the KPC Admin Team, and check regularly with the admin team that changes have been shared bilaterally
  • Do read the reference material contained herein and, if in any doubt, contact the KPC GDPR coordinator for more help

DO NOT…

  • Don’t use work email addresses for sending or receiving personal information (other than an @churchofscotland.org address)
  • Don’t use joint shared email addresses for convenience (e.g. family or husband/wife) when sending or receiving personal information even if for ‘legitimate purposes’
  • Don’t write passwords or PIN codes down on paper, ever.
  • Don’t leave keys for locked manual storage holding personal data (drawers or cupboards) in plain sight or easily accessible – use key cupboards where possible
  • Don’t use free, unsecured public Wi-Fi connections to connect devices holding personal data to the internet
  • Don’t view personal data on electronic or manual media in public places where there is a risk of inadvertently sharing data as a result of ‘shoulder surfing’ by unwanted people
  • Don’t share passwords or PINs or security codes verbally in public places
  • Don’t use the same password across many documents just because it is easier to remember