Information Technology Policy

This Information Technology Policy was reviewed and adopted by the council at its meeting held on 26 March 2026, Minute Ref: 25/26.16d)

Review: March 2027

Introduction

Water Orton Parish Council recognises the importance of effective and secure information technology (IT) and email usage in supporting its business, operations, and communications. This policy outlines the guidelines and responsibilities for the appropriate use of IT resources and email by council members, the clerk, volunteers, and contractors.

Purpose of the IT Policy

The purpose of an IT policy is to establish clear parameters for how councillors, staff, and other authorised users use council-provided technology or equipment in the course of their duties. A well-defined policy helps to:

  • Set expectations for appropriate use of equipment and systems;
  • Raise awareness of risks associated with IT use;
  • Safeguard the council’s data and digital assets;
  • Clarify what constitutes acceptable and unacceptable use;
  • Outline the consequences of policy breaches.

Scope

This policy applies to all councillors, staff, and other authorised users who use Water Orton Parish Council’s IT resources, including computers, networks, software, devices, data and email accounts, regardless of their working location or pattern, including those who are home-based, office-based, or work on a flexible or part-time basis. The Council acknowledges members may be using their own personal devices. It sets out the expectations for the appropriate use of IT equipment and systems provided by the council.

Monitoring of IT Use

As an IT provider, the council has the right to monitor the use of its IT equipment and systems, provided there is a legitimate reason for doing so and councillors, employees and other authorised users are informed that such monitoring may take place. Any monitoring must be proportionate and comply with relevant data protection and privacy laws. Other persons may be included if they access or use council systems e.g. if they have a council e-mail address.

1. Device and software usage

1.1 Where possible, authorised devices, software, and applications will be provided by Water Orton Parish Council for work-related tasks. Unauthorised installation of software on authorised devices, including personal software, is strictly prohibited due to security concerns.

2. Acceptable use of IT resources and email

2.1 Water Orton Parish Council’s IT resources and email accounts are provided for, and are to be used for, official council-related activities, tasks and purposes only. All users must adhere to ethical standards, respect copyright and intellectual property rights, and avoid accessing inappropriate or offensive content.

2.2 All councillors, staff, and other authorised users must lock their computers when leaving them unattended to prevent unauthorised access. This applies to all council and personal devices used for work. Failure to comply may lead to disciplinary action. All computer and other electronic equipment supplied should be treated with good care at all times. Computer equipment is expensive, and any damage sustained to any equipment will have a financial impact on the council.

2.3 Computer and electronic hardware should be kept clean, and every precaution taken to prevent food and drink being dropped or spilled onto it.

2.4 Equipment should not be dismantled or reassembled without seeking advice.

2.5 Councillors, staff, and other authorised users are not to purchase any computer or mobile equipment (including software), unless previously authorised and within Financial Regulations.

2.6 Personal disks, USB sticks, CDs, DVDs, data storage devices etc. cannot be used on council computers without the prior approval of the clerk.

3. Equipment

3.1 Portable equipment includes laptop computers, netbooks, tablets, mobile and smart phones with email capability and access to the internet etc.

3.2 It is particularly emphasised that council back-up procedures specific to portable equipment should be followed at all times. All smartphones or tablets that hold council data, including emails and files, must be protected with a PIN code.

3.3 All portable computers must be stored safely and securely when not in use and when working from home. Portable equipment should be kept with or near the user at all times and should not be left unattended in parked vehicles or at any other premises.

3.4 If an item of portable equipment is lost or damaged this should be reported to the Clerk or the Council.

4. Use of own devices

4.1 The Council recognises that councillors, staff, and other authorised users may use their own smartphones, tablets, laptops etc. to access our servers, private clouds or networks for normal council purposes, including, but not limited to, reading their emails and accessing documents stored on the council’s network. Any such use of personal devices will be at the discretion of the council, but consent for standard systems (MS Windows, Mac OS X, Linux – in commercial configurations) will normally be permitted. Such devices should be kept up to date, so that any vulnerabilities in the operating system or other software on the device are appropriately patched or updated, and should use anti-virus software.

4.2 Councillors, staff, and other authorised persons that use council systems are expected to use all devices in an ethical and respectful manner and in accordance with this policy. Accessing inappropriate websites or services on any device via the IT infrastructure that is paid for or provided by the council carries a high degree of risk, and, for employees, may result in disciplinary action, including summary dismissal (without notice). For Workers or Contractors, we may terminate the worker agreement. This is irrespective of the ownership of the device used. An example would be downloading copyrighted music illegally or accessing pornographic material.

4.3 In cases of legal proceedings against the council, the council may need to temporarily take possession of a device, whether council-owned or personal, to retrieve the relevant data.

4.4 Wherever possible the user should maintain a clear separation between the personal data processed on the council’s behalf and that processed for their own personal use, for example, by using different apps for council and personal use. If the device supports both work and personal profiles, the work profile must always be used for work-related purposes.

4.5 Councillors, staff, and other authorised users who intend to use their own devices via the council’s infrastructure must ensure that they:

  • use a 6-digit PIN, a strong password (i.e. one which uses three random words, e.g. PurpleCandleRiver), a fingerprint or a password manager to protect their device(s) from being accessed. For smartphones and tablets this should lock the device after 5 failed login attempts;
  • configure their device(s) to automatically prompt for a password after a period of inactivity of more than 10 minutes;
  • ensure secure WiFi networks are used, using a trusted internet connection (password protected) when carrying out official business;
  • ensure that work-related data cannot be viewed or retrieved by family or friends who may use the device;
  • inform the council or the clerk if their device(s) is/are lost, stolen, or inappropriately accessed where there is risk of access to council data or resources. To prevent phones being used, they will need to retain the details of their IMEI number and the SIM number of the device as their provider will require this to deactivate it.

4.6 Personal data relating to councillors, staff, and other authorised users, associates, residents, or stakeholders should not be saved to any personal accounts with third-party cloud storage service providers as this may breach data protection legislation or create a security risk if the device is lost or stolen. This applies especially if the passwords used to store/access data are saved onto the device, or if the service permits councillors, staff, and other authorised users to remain logged in between sessions.

4.7 Personal information and sensitive data should never be saved on the own devices of councillors, staff, or other authorised users as this may breach confidentiality agreements, especially if the device is used by other people from time to time.

4.8 Any work done on a user’s own equipment should be stored securely and password protected and should always be backed up in accordance with the council’s standard backup procedures.

4.9 Prior to the disposal of any device that has work data stored on it, and in the event of a user leaving the council, councillors, staff, and other authorised users are required to ensure that passwords, user access shortcuts and any identifiable data are removed from the device.

4.10 Councillors, staff, and other authorised users must take responsibility for understanding how their device(s) work in respect to the above rules if they are accessing council servers/services via their own IT equipment. Risks to the user’s personal device(s) include data loss as a result of a crash of the operating system, bugs and viruses, software or hardware failures and programming errors rendering a device inoperable. The council will use reasonable endeavours to assist, but councillors, staff, and other authorised users are personally liable for their own device(s) and for any costs incurred as a result of the above.

5. Password and account security

5.1 Water Orton Parish Council users are responsible for maintaining the security of their accounts and passwords. Passwords should be strong and not shared with others. Regular password changes are encouraged to enhance security.

5.2 All user accounts must be protected by strong, secure passwords. The council should follow the National Cyber Security Centre (NCSC) recommendations for creating passwords using three random words (e.g. PurpleCandleRiver). This method helps create passwords that are both strong and easy to remember, while offering effective protection against common cyber threats such as brute-force attacks. This approach is endorsed in NALC guidance.

5.3 In addition to strong passwords, Multi-Factor Authentication (MFA) should be enabled wherever possible. MFA requires users to provide two or more independent forms of verification—for example, a password (something you know) and a code sent to your phone (something you have). This significantly reduces the risk of unauthorised access to systems and personal data.

6. Network and internet usage

6.1 Water Orton Parish Council’s network and internet connections should be used responsibly and efficiently for official purposes. Downloading and sharing copyrighted material without proper authorisation is prohibited.

6.2 Much of what appears on the Internet is protected by copyright. Any copying without permission, including electronic copying, is illegal and therefore prohibited. The Copyright, Designs and Patents Act 1988 sets out the rules. The copyright laws apply not only to documents but also to software. The infringement of the copyright of another person or organisation could lead to legal action being taken against the council and damages being awarded, as well as disciplinary action, including dismissal, being taken against the perpetrator.

6.3 It is easy to copy electronically, but this does not make it any less an offence. The council’s policy is to comply with copyright laws, and not to bend the rules in any way.

6.4 Councillors, staff, and other authorised users should not assume that because a document or file is on the Internet, it can be freely copied. There is a difference between information in the ‘public domain’ (which is no longer confidential or secret information but is still copyright protected) and information which is not protected by copyright (such as where the author has been dead for more than 70 years).

6.5 Usually, a website will contain copyright conditions; these warnings should be read before downloading or copying.

6.6 Copyright and database right law can be complicated. Councillors, staff, and other authorised users should check with the clerk if unsure about anything.

7. Trademarks, links and data protection

7.1 The council does not permit the registration of any new domain names or trademarks relating to the council’s names or products anywhere in the world, unless authorised to do so. Nor should they add links from any of the council’s web pages to any other external sites without checking first with the clerk.

7.2 Special rules apply to the processing of personal and sensitive personal data. For further guidance on this, see the council’s data protection policy.

8. Accuracy of information

8.1 One of the main benefits of the internet is the access it gives to large amounts of information, which is often more up to date than traditional sources such as libraries. Be aware that, as the internet is uncontrolled, much of the information may be less accurate than it appears.

9. Mobile devices and remote work

9.1 Mobile devices provided by Water Orton Parish Council should be secured with passcodes and/or biometric authentication. When working remotely, users should follow the same security practices as if they were in the office.

10. Remote working

10.1 Increased IT security measures apply to those who work away from their normal place of work (e.g. whilst travelling, working from home or at any other different venue), as follows:

  • if logging into the council’s systems or services remotely, using computers that either do not belong to the council or are not owned by the user, any passwords must not be saved, and the user must log out at the end of the session, deleting all logs and history records within the browser used. If the configuration of the device does not clearly support these actions (for example at an internet café), council services should not be accessed from that device;
  • the location and direction of the screen should be checked to ensure confidential information is out of view. Steps should be taken to avoid messages being read by other people, including other travellers on public transport etc;
  • any data printed should be collected and stored securely;
  • all electronic files should be password protected and the data saved to the council’s system/services when accessible;
  • papers, files or computer equipment must not be left unattended at a premises unless arrangements have been made with a responsible person at a premises for them to be kept in a locked room or cabinet if they are to be left unattended at any time;
  • any data should be kept safely and should only be disposed of securely;
  • papers, files, data sticks/storage, flash drive or backup hard drives should not be left unattended in cars, except where it is entirely unavoidable for short periods, in which case they must be locked in the boot of the car. If staying away overnight, council data should be taken into the accommodation, care being taken that it will not be interfered with by others or inadvertently destroyed;
  • where possible the ability to remotely wipe any mobile devices that process sensitive information should be retained in the case of loss or theft.

10.2 Councillors, staff, and other authorised users who work away from the office with sensitive data should be equipped with a screen privacy filter for mobile devices and should use this at all times when accessing such data away from the office.

11. Email

11.1 Email accounts provided by Water Orton Parish Council are for official communication only. Emails should be professional and respectful in tone. Confidential or sensitive information must not be sent via email unless it is encrypted. Be cautious with attachments and links to avoid phishing and malware. Verify the source before opening any attachments or clicking on links.

11.2 Council email facilities are intended to promote effective and speedy communication on work-related matters. Although we encourage the use of email, it can be risky. Councillors, staff, and other authorised users need to be careful not to introduce viruses onto council systems and should take proper account of the security advice below.

11.3 All councillors, staff, and other authorised users who need to use email as part of their role will normally be given their own council email address and account. The council may, at any time, withdraw email access, should it feel that this is no longer necessary for the role or that the system is being abused.

11.4 Email messages sent on the council’s account are for council use only. Personal use is not permitted.

11.5 Water Orton Parish Council reserves the right to monitor email communications to ensure compliance with this policy and relevant laws. Monitoring will be conducted in accordance with the Data Protection Act and GDPR.

12. Use of social media

12.1 Social media includes blogs; Wikipedia and other similar sites where text can be posted; multimedia or user generated media sites (YouTube); social networking sites (such as Facebook, LinkedIn, X (formerly known as Twitter), Instagram, TikTok, etc.); virtual worlds (Second Life); text messaging and mobile device communications and more traditional forms of media such as TV and newspapers. Care should be taken when using social media at any time, either using council systems or at home.

12.2 Councillors, staff, and other authorised users should be aware that parishioners or other local organisations may read the personal weblogs of councillors, staff, and other authorised users to acquire information, for example, about their work, internal council business, and employee morale. Therefore, even if the council is not named, care should be taken with any views expressed.

12.3 To protect both the council and its interests, everyone is required to comply with the following rules about social media, whether in relation to their council role or personal social networking sites, and irrespective of whether this is during or after working hours:

  • Contacts from any of the council’s databases should not be downloaded and connected with on LinkedIn or other social networking sites with electronic address book facilities, unless this has been authorised.
  • Any employee who is developing a site or writing a blog that will mention the council, councillors, staff, and other authorised users, or partners must inform the clerk/the council that they are writing this and gain agreement before going ‘live’.
  • The council expects councillors, staff, and other authorised users to be respectful about the council and its current or potential staff, including employees, councillors, clerks, and authorised users, and not to engage in any name calling or any behaviour that will reflect negatively on its reputation. Any unauthorised use of copyright materials, any unfounded or derogatory statements, or any misrepresentation is not viewed favourably and could constitute gross misconduct.
  • Photos or videos that include employees or other workers wearing uniforms or clothing displaying the council’s name or logo should not be posted on social media if they could reflect negatively on the individual, their role, their colleagues, or the council. Additionally, photos, videos, or audio recordings must not be taken on council premises without explicit permission unless to promote the facilities and published through Council maintained media.
  • Inappropriate conversations with external stakeholders should not take place on any social networking sites, including forums.
  • Councillors, staff, and other authorised users must be aware that they are personally liable for anything that they write or present online (including on an online forum or blog, post, feed or website). Councillors should always be mindful of the Members Code of Conduct and Nolan Principles. Employees may be subject to disciplinary action for comments, content, or images that are defamatory, embarrassing, pornographic, proprietary, harassing, libellous, or that can create a hostile work environment. They may also be sued by other organisations, and any individual or council that views their comments, content, or images as defamatory, pornographic, proprietary, harassing, libellous or creating a hostile work environment. In addition, other councillors, staff, and other authorised users can raise grievances for alleged bullying and/or harassment.
  • Postings to websites or anywhere on the internet and social media of any kind, or in any press or media of any kind, should not breach copyright or other law or disclose confidential information, defame or make derogatory comments about the council or anyone connected to it or disclose personal data or information about any individual that could breach data protection legislation.
  • Contacts by the media relating to the council should be referred to the clerk.
  • Councillors, staff, and other authorised users who have left the council must not post any inappropriate comments about the council or its councillors, staff, and other authorised users on LinkedIn, Facebook, X.com or any other social media/networking sites.
  • During your employment/involvement with the council, you may create or obtain access to a variety of professional contacts and confidential information. This includes, but is not limited to, contacts made through professional networking platforms such as LinkedIn, where those contacts have been established or maintained in your capacity as a councillor, member of staff, or other authorised user. All such contacts will be considered council property and may be subject to disclosure upon request.

13. Reporting security incidents

13.1 All suspected security breaches or incidents should be reported immediately to the Clerk for investigation and resolution. Report any email-related security incidents or breaches to the Clerk immediately.

14. Training and awareness

14.1 Water Orton Parish Council will provide regular training and resources to educate users about IT security best practices, privacy concerns, and technology updates. All employees and councillors will receive regular training on email security and best practices.

15. Compliance and consequences

15.1 Misuse of IT systems and equipment is not in line with the council’s standards of conduct and will be taken seriously. Breach of this IT and Email Policy may result in the suspension of IT privileges and further consequences as deemed appropriate.

16. Policy review

16.1 This policy will be reviewed annually to ensure its relevance and effectiveness. Updates may be made to address emerging technology trends and security measures.