This policy describes how officials must use digital systems, services and devices within Aniridia Network. Before accessing any of the systems covered by this policy, you must first confirm that you have read and understood it by clicking on the button at the end of this page.
For more information contact firstname.lastname@example.org
Who this policy applies to
This policy applies to anyone accessing Aniridia Network systems or data, including:
- Aniridia Network’s Gmail and instance of Google Suite
- using devices owned by individuals, contractors or companies
- using devices provided by Aniridia Network
- services provided by or contracted by Aniridia Network, for example: Charityemail, Eventzilla, Facebook, JustGiving, Salesforce, Survey Gizmo, Twitter, YouTube
- digital development, test or production environments
This policy does not apply to systems intended to be publicly available, such as the Aniridia Network website.
Misuse of equipment and services
You must not misuse Aniridia Network services, devices or networks. This includes:
- any activity that is illegal under national or international law
- introducing malicious programmes or codes
- allowing your account to be used by others
- using other people’s accounts or passwords
- monitoring or intercepting the files or electronic communications of other officials or third parties
- breaching, testing or monitoring computer or network security measures other than those required by your role
- hacking or obtaining access to systems or accounts you are not authorised to use
- sending email or other electronic communications in a way that attempts to hide the identity of the sender, or represent the sender as someone else
- using the Aniridia Network systems in a way that is likely to cause network congestion or hamper the ability of other people to access and use services
- storing Aniridia Network information on internet services other than those approved by Aniridia Network
- copying, retrieving, modifying or forwarding copyrighted materials, unless allowed by the copyright owner
- storing or circulating anything inflammatory, obscene, sexually explicit, sexist, racist, homophobic, religiously offensive or which amounts to harassment
- use for gambling (except lawful raffles/lotteries organised or approved by Aniridia Network)
All personal data must be handled in accordance with the Aniridia Network privacy and data protection policy, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Personal data and all other information belonging to Aniridia Network must be kept safe to a degree commensurate with its nature and status, for example where it is reputationally or commercially sensitive.
This includes considering who can see the screen of your device and taking steps not to expose information they are not meant to see.
Where possible you should avoid using public wifi, 3G and 4G for Aniridia Network business. If you use public wifi, make sure it is from a reputable provider and that it is encrypted (look for a padlock symbol on your wifi connection).
You must use an official Aniridia Network email address @aniridia.org.uk for Aniridia Network business. Personal email addresses must not be used. You must not set up rules to automatically forward emails to non @aniridia.org.uk email addresses.
You can email personal or sensitive information to addresses external to Aniridia Network for business reasons only and must:
- make sure the email address is correct and that the recipient has a need to know the information
- encrypt or password protect it, if appropriate
- include instructions about who is allowed to access it, and how it must be circulated, forwarded and stored.
When using email attachments you must:
- check them with antivirus and malware software
- remove tracked changes, comments and properties from files, unless they’re explicitly required for collaborative working
You can make reasonable use of Aniridia Network email for personal reasons as long as it doesn’t interfere with:
- the work of the Aniridia Network
- your own or other officials' duties
- the effective operation of the email system
Email and the law
Email has the same status as any other business communication. You should not include anything in an email that you’re unable to account for or wouldn’t be willing to disclose by other means.
Email is classed as recorded information. Under the Data Protection Act 1998 it is potentially disclosable and could be used as evidence in a dispute.
Email can also create a binding contract – any inaccurate or misleading statement could lead to legal claims of misrepresentation.
You must not send any email that includes:
- libellous remarks
- copyright infringement or computer misuse
- anything inflammatory, sexually explicit, sexist, racist, homophobic, religiously offensive or which amounts to harassment.
Whenever possible, information should be worked on within the Aniridia Network’s Google Suite (for example in Google Drive and Gmail).
You may share some data to non-Aniridia Network Google Suite users, either by email or by links to the Aniridia Network Google Drive.
You are responsible for making sure that any information you upload or share is adequately protected. You must:
- make an informed decision on what to share and the editing rights you set
- not share information with anyone who doesn’t need to know it
- avoid unnecessarily sharing personal data
- only share data with named users where feasible
- consider using links that expire after a period of time
See social media policy
Devices and equipment
In relation to any computer, tablet, smartphone or other device used to access Aniridia Network systems, services and information (including digital storage devices):
- avoid storing Aniridia Network information on it as much as possible
- it should ideally be encrypted
- it must have anti-virus and anti-malware protection with updates (including signatures) installed as soon as possible.
- don’t open suspicious emails and attachments, even if you know the sender – check that they intended to send it.
- it must be locked (and lock automatically) if left unattended
- do not leave it unattended in a public place or in plain sight in a vehicle, or with an unauthorised person
- if you send it for repair you must ensure that Aniridia Network data can’t be accessed by third parties
- if it is lost, tell us as soon as possible in writing
- if it is stolen, tell the police, get a crime reference number and then tell Aniridia Network as soon as possible in writing
- if you plan to no longer be in charge of the device (for example selling it) you must remove all Aniridia Network information from the device
- if you think someone may have tampered with it, turn it off immediately and contact us.
- when you stop volunteering/working with/for us you must remove all Aniridia Network information from the device and provide written confirmation of this.
Aniridia Network will not cover the cost of any software you install on your device.
Aniridia Network is not liable for personal devices. You will not be compensated by Aniridia Network if your device is lost, stolen or damaged.
Authentication for devices and services
Any device used for Aniridia Network business must have a user account that is unique to you and identifiable as you, for example jsmith, not user5.
The device/user account must be set up with access control (PIN, password, pattern or facial/fingerprint/iris recognition).
Set strong passwords and use 2-factor authentication when available.
Your accounts for Aniridia Network services must only be used by you, and you are responsible for all actions performed using your accounts.
If a password is compromised in any way, you must immediately change it and report the incident to us in writing.
You may only store login details in reputable password management software.
If you, or someone you know of, no longer require access to an Aniridia Network device or service, tell us as soon as possible.
Monitoring and reporting
When you’re logged into an Aniridia Network system, your IP address and/or MAC address may be used to generate an audit trail for every action you perform.
Audit records may be used to provide evidence of:
- unauthorised access or download of Aniridia Network systems or data
- inappropriate use of Aniridia Network systems or data
You may be committing an offence and could face disciplinary or legal action if you:
- knowingly access or modify information that isn’t for an authorised purpose
By confirming that you have read and understood this policy you agree that:
- devices not owned by Aniridia Network may be independently audited by Aniridia Network from time to time – notice will be given of any audit and it will take place in your presence
- devices provided by Aniridia Network remain the property of the Aniridia Network at all times and may be spot checked, audited, wiped or removed at any time, manually or by automated software.
- devices may be required for inspection by Aniridia Network in the event of a suspected security incident, or if an information request is received under data protection legislation.
Reports and queries
If you know of or suspect non-compliance with this policy, or another security issue/breach, you must report it immediately.
To report issues, get more information or request any change or exception to this policy contact email@example.com
Date adopted: 2 April 2019