DO…

• Do report the loss of KPC personal data immediately to the KPC Data Protection coordinator, stating whether or not passwording and/or encryption and/or physical security measures were in use to protect the personal data, and whether it was lost or stolen (if known).  Include any police incident number if a police report has already been submitted.
• Do inform the KPC Data Protection coordinator (in addition to the owners of the website if not a KPC web page or email) if you receive an unsolicited email, letter, text or phone call asking for personal information
• Do ensure that manually held personal data is held securely, for example in a locked drawer or cupboard for storage and marked ‘confidential’
• Do ensure that personal data transferred manually is handed over personally to the intended recipient, appropriately enveloped or in a secure container, marked ‘confidential’
• Do  encrypt or password-protect personal data before it is transferred electronically.  Add a passworded document as an email attachment or when using FTP (file transfer protocol) software
• Do use SFTP (secure FTP software) rather than FTP if not using email to transfer personal data
• Do  encrypt or password-protect personal data when it is stored electronically.
• Do change passwords periodically, typically every few months if not more frequently
• Do use blind copy (Bcc) for emails when emailing a large number of people, unless everyone has agreed for their details to be shared amongst ‘the group’
• Do include a rider at the end of emails which have been distributed using Bcc to show who has been included in distribution ( no email addresses here, only first or full names please – initials may be acceptable in small groups)
• Do use email address book distribution lists for established groups which have been appropriately maintained e.g. by a KPC team leader and/or the KPC Admin Team
• Do, if a KPC Team Leader, share any distribution lists (securely) with the KPC Admin Team, and check regularly with the admin team that changes have been shared bilaterally
• Do read the reference material contained herein and, if in any doubt, contact the KPC GDPR coordinator for more help

DO NOT…

• Don’t reveal any full passwords, login details or account numbers if you receive an unsolicited email, letter, text or phone call asking for personal information.
• Don’t click on any links you do not recognise on web pages or emails
• Don’t use work email addresses for sending or receiving personal information (other than an @churchofscotland.org address)
• Don’t use joint shared email addresses for convenience (e.g. family or husband/wife) when sending or receiving personal information even if for ‘legitimate purposes’
• Don’t write passwords or PIN codes down on paper, ever.
• Don’t leave keys for locked manual storage holding personal data  (drawers or cupboards) in plain sight or easily accessible – use key cupboards where possible
• Don’t use free unsecured public WIFI connections for internet connection with devices holding personal data
• Don’t view personal data on electronic or manual media in public places where there is a risk of inadvertently sharing data as a result of ‘shoulder surfing’ by unwanted people
• Don’t share passwords or PINs or security codes verbally in public places
• Don’t use the same password across many documents just because it is easier to remember