Security & Privacy User Responsibilities (“SPURS”)

Introduction

The Security and Privacy User Responsibilities (‘SPURS’) set out in this document are designed to help you to play your part in protecting Personal and Confidential Information and Inspired Villages’ IT networks, systems and equipment.

As an Inspired Villages employee or contractor, you are personally responsible for complying with these SPURS in relation to your access to and use of Inspired property, systems, equipment and information.

You will find links to Privacy and Security-related policies, procedures, training and guidance on the Inspired Privacy & Security Portal.

Failure to comply with any of the SPURS may result in disciplinary action up to and including dismissal.

Everyone’s Responsibilities

  • Attend Privacy and Security training when requested
  • Read, understand and comply with the Inspired Privacy and Information Security Policies and these SPURS
  • Handle and protect Inspired information in accordance with its classification. (See “Information Classification” below)
  • When you create a document, mark it with the appropriate classification: Highly Confidential, Confidential or Internal
  • Protect Inspired Confidential and Personal Information
  • Protect Inspired equipment issued to you
  • Report any loss, unauthorised access or inappropriate handling of Inspired information
  • Report any loss of or damage to Inspired equipment.

Managers’ Responsibilities

As a Manager, you are responsible for ensuring compliance with the Inspired Villages Privacy, Information Security and related policies in relation to the collection, use, disclosure, retention and disposal of Personal and Confidential Information by members of your team.

You are responsible for:

  • Ensuring that members of your team are familiar with and adhere to these SPURS
  • Providing your team with the training they need to ensure adherence to the SPURS
  • Assessing the resource needs of each member of your team and taking appropriate action to provide only such equipment and access to systems and information as is necessary for them to fulfil their respective roles and responsibilities
  • Ensuring that the resource needs of members of your team who move to a different role within Inspired Villages are reviewed and that appropriate action is taken to withdraw equipment and access to systems and information that is not needed for the new role
  • Ensuring that members of your team who leave Inspired Villages return all company equipment and information in their possession and that their access to Inspired systems is withdrawn prior to, or as soon as possible after, their leaving.

Incidents and Breaches

Key Terms

See the Glossary of Terms on Inspired World for the meaning of “Privacy Incident” and “Privacy Breach”.

Your Personal Responsibilities
  • Accidents happen and we all make mistakes.  The most important thing is that you act quickly because the sooner we can respond, the more chance we have of reducing – or even preventing – damage, loss or harm to people.
  • Report incidents, breaches and near misses to your Manager and/or the Nexus Help Desk WITHOUT DELAY.
  • DO NOT contact the Information Commissioner’s Office (ICO), affected individuals, the Press or any third party, or post on social media. To do so may impact Inspired Villages’ ability to fulfil its legal obligations and mitigate the damage to affected individuals.
  • Failure to report an Incident is a breach of company policy and may result in disciplinary action up to and including dismissal.
Common examples of Incidents and Breaches
  • Clicking on a link or attachment in an email that may look authentic but is, in fact, a scam (“phishing”)
  • Being tricked by a fraudulent caller or emailer into disclosing Personal Information, including passwords (“social engineering”)
  • Misaddressing an email or letter containing Personal Information
  • Sharing Personal Information with someone without confirming that they are authorised to receive it – even if it’s your manager, a member of the individual’s family, or a police officer.  See the “Sharing Information” section below
  • Sharing Inspired Intellectual Property, such as designs and plans, with unauthorised third parties 
  • Leaving a file unattended on your desk or not picking up a print-job immediately from a printer
  • Leaving your monitor or laptop screen unlocked when you leave your desk – even just for a minute
  • Keeping keys for filing cabinets and drawers in insecure places like desk-tidies 
  • Using Personal Information for a new purpose that individuals may not know about or expect
  • Throwing away a document containing Personal or Confidential Information in a recycling or mixed waste bin instead of shredding it or using a Confidential Waste bin
  • Loss or theft of a paper document or a laptop or other device containing Personal or Confidential Information.
Reporting an Incident or Breach
  • Accidents happen and we all make mistakes
  • If you discover or cause an Incident or Breach, you must report it to your manager and the Nexus Help Desk immediately 
  • The sooner we know, the better chance we have to reduce or even prevent damage or harm to the people affected.

Executive Members’ Responsibilities

As an Executive Member, you are accountable for ensuring compliance with the Inspired Villages Privacy, Information Security and related policies in relation to the collection, use, disclosure, retention and disposal of Personal and Confidential Information by members of your Department.

You are responsible for ensuring that:

  • All personnel in your Department, including contractors, who have use of or access to Inspired property, systems, equipment or information are made aware of and adhere to these SPURS
  • All your Department’s processes involving Personal Information are recorded in the Privacy and Information Security Assessment tool (“PISA”)
  • All third parties involved in processing, or having access to, Inspired Personal Information are recorded in PISA
  • Privacy and Information Security Assessments are performed on all such processes and that, for each identified risk, either:
    • The control(s) recommended in the PISA Report, or equivalent controls approved by you, are implemented, or
    • You sign off a Risk Acceptance, which will be reviewed periodically by the Risk Committee in line with the Risk Acceptance Process 
  • Privacy and Information Security risks are reported to the Risk Committee in line with the Committee’s requirements
  • Your Process Managers monitor their risks and controls and review them when prompted to do so by PISA
  • All Security and Privacy Incidents, Breaches and near misses are:
    • reported and logged in Excenta
    • responded to promptly and, where appropriate, in accordance with the Data Incident Response Plan
    • where appropriate, investigated and action is taken to remediate and to prevent recurrence.

Process Managers’ Responsibilities

As an appointed Process Manager, you are responsible for ensuring compliance of your process(es) with the Inspired Villages Privacy, Information Security and related Inspired policies in relation to the collection, use, disclosure, retention and disposal of Personal and Confidential Information.

You are responsible for:

  • Documenting your process(es) in PISA
  • Performing a Privacy and Information Security Assessment on your process(es) to identify the risks
  • Either:
    • Implementing the controls recommended in the PISA Report or equivalent controls approved by your Executive Member, or
    • Obtaining a Risk Acceptance signed off by your Executive Member
  • Updating your process details on PISA and performing a new PISA assessment if there is any change to your process or the third parties involved
  • Monitor your risks and controls when prompted to do so by PISA.

User ID and Passwords

You are personally responsible for all activity performed using your Inspired User ID, so:

  • Keep passwords secret. Do not write them down. Use password generators where available
  • Do not permit anyone else to use your User ID (executives may grant delegated access to their Personal Assistants when needed)
  • Do not use your Inspired User ID or passwords for personal accounts, e.g. online shopping or social media, including LinkedIn.

Clear Desk & Screen

  • Keep your desk clear of information when left unattended
  • Lock your screen when you leave your PC, laptop, tablet or phone unattended (Press the Windows key and L key)
  • Dispose of all hard-copy information in the designated Confidential Waste bins or, if Confidential Waste bins are not available, by shredding it.

Information Classification

All information in Inspired Villages systems, files and documents is classified as follows.  You must observe the requirements for each classification:

Highly Confidential
  • May be shared/disclosed strictly in accordance with Inspired processes and procedures and with utmost care. 
  • May be shared/disclosed outside of Inspired processes and procedures, internally or externally, only with written approval of ExCo or, in the case of Sensitive Personal Information, with the written approval of the accountable Executive Member.
  • All recipients must be under a contractual obligation of confidentiality, e.g., the confidentiality clause in an employment or service contract or a free-standing non-disclosure agreement (NDA)
  • Highly Confidential Information includes:
    • Commercially sensitive information
    • Sensitive Personal Information (see Glossary of Terms)
    • Inspired Intellectual Property.
Confidential
  • May be shared/disclosed internally only on a need-to-know basis. 
  • May be shared/disclosed externally only on a need-to-know basis and with written approval of a Director.
  • All recipients must be under a contractual obligation of confidentiality, e.g., the confidentiality clause in an employment or service contract or a free-standing non-disclosure agreement (NDA).
Internal Use
  • May be shared or circulated internally.  
  • May be shared externally only:
    • Where necessary for performance of an authorised audit, or
    • Where necessary to provide a third party with due diligence information or assurance preparatory to entering into a contract, or
    • With written approval of a Director.
Unclassified
  • Documents that do not bear a classification must be treated as Confidential unless they are publicly available and/or manifestly not Inspired Villages’ Confidential Information.

Your Access to Inspired Systems & Information

  • You are only authorised to access information and systems for which you have a specific business need
  • If you discover that you can access Confidential or Personal Information that you do not need to perform your duties, notify your Manager and the IT department so that the access can be removed
  • Where possible use a privacy screen to prevent unauthorised disclosure, e.g. to someone shoulder-surfing.

Monitoring Your Online Activity

  • Inspired has the right to monitor activity on its systems and equipment, including use of internet access, email and communications, to maintain the effective operation and security of our networks and systems, to protect Confidential and Personal Information, and to prevent inappropriate and unlawful use
  • Inspired-issued computers and phones, and services such as internet access, email and messaging services, are designed for Inspired business use only. There is no official provision for protecting the privacy of individuals who use them for their personal use
  • Monitoring will be carried out in accordance with audited, controlled internal processes and applicable laws.

Creating Documents

  • You are the “Owner” of every document you create that contains Inspired Villages business information or Personal Information unless ownership is formally assigned by Inspired Villages to someone else
  • You are personally responsible for:
    • Marking the document with the appropriate classification (e.g. “Confidential”)
    • Ensuring it is deleted when the purpose for which you created it has been fulfilled or when the retention period of any Personal Information it contains has expired.

Use of Inspired Equipment

The following rules apply to all company-owned equipment issued to you or provided for general use in offices, including PCs, laptops, tablets, mobiles and fixed line phones:

  • Keep Inspired equipment safe from theft, loss, damage and destruction
  • Do not attempt to tamper with, bypass or disable any security controls or software
  • Do not download copyrighted media files such as music, photographs or video without appropriate approval
  • Do not in any way infringe any copyright, database rights, trademarks or other intellectual property
  • Do not download any software from the internet without obtaining approval via the Nexus Help Desk
  • Do not connect systems (e.g. laptops) to the internet using non-standard connections (e.g. open Wi-Fi).

Use of Inspired Email

  • Always check that the auto-fill feature has entered your intended email addresses in the To, Cc and Bcc fields
  • When using Reply All or Forwarding an email, always check whether the email thread contains any Confidential or Personal Information and, if so, ensure that all the recipients are authorised to receive that information
  • Do not forward Inspired information to your personal (non-Inspired) email address, and do not use a personal email account to send or receive Inspired Villages work-related information, including Personal Information
  • Do not forward “scam alerts” – contact the Nexus Help Desk.  Many scam alerts are hoaxes designed to cause confusion
  • If the use of email to share Confidential or Personal Information is unavoidable, encrypt the attachment (click File > Info > Protect Document, Encrypt with Password) and encrypt the email (click Options > Encrypt). Send the password to the recipient by a separate channel, not in the same email.

Use of the Internet and Social Media

External communications (Internet, Social Media, Email, Messaging)

Be professional at all times and DO NOT:

  • Harass, bully or abuse
  • Use profanity, obscenities or derogatory remarks
  • Do, say or write anything that might harm the reputation of Inspired Villages
  • Access, download, send or receive any information, including images, which may be considered offensive, including sexually explicit, discriminatory, violent, defamatory or libellous material
  • Use Inspired systems, equipment or information to make personal gains or conduct a personal commercial business
  • Use Inspired systems, equipment or information to gamble or invest.
General Rules

Unless authorised or required to do so by virtue of your role at Inspired Villages:

  • Do not upload, publish or post:
    • any information, images or opinions relating to Inspired Villages
    • any views that could be taken to represent the views of Inspired Villages
    • anything that may be seen to commit Inspired Villages
    • any information classified Highly Confidential, Confidential or Internal Use
    • any Personal Information relating to an Inspired colleague, resident, supplier or other business-related contact
    • the Inspired logo without written permission from a Director
  • You may identify Inspired Villages as your employer and describe your role and achievements in your LinkedIn profile.
Inspired Internal Social Media

Approved internal social media channels are open to all personnel where available. It is hoped these communities will help you work, develop working relationships, connect with like-minded colleagues and network online. All we ask is that you remain respectful and follow the House Rules for use of approved social media channels:

  • Complete your profile – Use your real name and photograph to enhance communication with your colleagues. Remember the more complete your profile the more useful it will be
  • Information for internal use only – Information posted on approved social media channels is for internal purposes only and must not be shared outside of Inspired
  • File upload – Use a common sense approach and don’t upload sensitive and confidential content (e.g. resident details); only share files you are happy for a wide audience to see such as images or whitepapers
  • Personal responsibility - You are responsible for what you write. Be mindful of how your comments might be read by others and ensure they are appropriate for the audience
  • Criticism & customer service comments – Do not reply online unless you are authorised to do so as part of your role.  Notify your manager and/or the Inspired Communications Manager
  • Active participation – Take an active role, join conversations and groups, but before creating a new group, look at what already exists and see if there is anything similar already
  • Tone of voice – Refer to our ‘How to write like us’ guide for tone of voice guidelines to help you craft content for work related social media channels  
  • Keep it professional – Just as we moderate what we say in the office, so we should apply similar moderation to our posts on approved social media channels
  • And finally – Be sensible, be nice, no haters, no trolling, no hijacking posts, share and like good content.

Use of Cameras & Recording

Video-Conferencing
  • As a matter of courtesy, please turn your video camera on when attending a business VC – the purpose of video-conferencing is to replicate a physical meeting as closely as possible, including important non-verbal communication
  • CHECK BEHIND YOU to ensure there is nothing embarrassing or confidential (e.g. unmade bed, flipchart with sales targets)
  • Make sure you are unlikely to be disturbed, e.g. by pets, children, background noise
  • If you wish to record a meeting, notify all attendees.
Phone cameras and microphones

Unless authorised in writing by a Director, do not use phone cameras or make recordings in:

  • Inspired offices 
  • Offices of organisations you visit on Inspired business
  • Residents’ homes

In exceptional circumstances, e.g. where there is risk to people or property, images and sound may be recorded and authorisation from a Director may be granted retrospectively.

Use of USB Memory Sticks, CDs & HDDs

  • USB Memory Sticks, CDs & HDDs and similar portable storage media are inherently insecure
  • Do not copy or store information on any storage media device that is not issued by Inspired Villages.

Personal use of Inspired Equipment and Services

Reasonable personal use is permitted where such use:

  • Does not affect your business performance
  • Does not breach the terms of your employment contract
  • Is not detrimental to Inspired in any way
  • Does not place you or Inspired in breach of legal or contractual obligations.

For your own protection, you are required to delete any Personal or Sensitive Personal Information about you or a family member that you include in emails or SMS messages sent from your Inspired account as quickly as possible.

Personal communications during working hours
  • Personal calls, messaging and social media activity are permitted only during breaks or for dealing with urgent personal or family matters.
Mobile Phones

Wherever you are:

  • Lock the screen when not in use and when left unattended
  • See also Personal Devices
When you leave Inspired Villages
  • You must return all Inspired property, equipment and information on termination of your employment or contract.
  • All information or intellectual property developed or gained during the period of employment remains the property of Inspired and must not be retained beyond termination or reused for any other purpose.

Sharing Information

Sharing Personal Information with a person who does not have authority to access it by themselves presents a risk of unauthorised disclosure.

  • Only share information with individuals who you know are authorised to receive it.  
  • If you are unsure, ask them for proof of authorisation – it’s not rude, it’s professional.  

    For example:

    • Family members of residents should be able to show you a signed letter of authority from the resident or a Power of Attorney
    • Police officers should provide you with a completed form, detailing the information requested and signed by the requesting officer and the authorising officer.

Mobile, Remote and Homeworking

  • Inspired Villages equipment, including laptops and mobile phones, must not be left unattended in public places unless stored locked and out of sight, e.g. in a safe, a locked cupboard/drawer/cabinet/pedestal, the boot of a car or a hotel safe.
  • Information should be protected against loss or compromise when working remotely. In particular, printed information is only permitted off-site when there is a business justification.
  • Only use authorised methods to connect to systems e.g. using VPN when connecting remotely.

Print, Scan and Copy

Risks
  • When you create copies of a document containing Personal or Confidential Information by printing, photocopying or attaching it to an email, you:
    • Reduce our ability to protect the Information
    • Increase the risk of loss, theft, unauthorised disclosure and unlawful retention
  • Before you print, copy or email a document containing Personal or Confidential Information, ask yourself:
    • Can I realistically recover and destroy ALL copies when the information is no longer needed by the recipients?
    • Do I need to create paper copies – could I share the information equally effectively AND more securely, e.g. by granting limited access to the document on SharePoint or by screen-sharing on a video call?
    • EMAILING: Have I checked that the email is not mis-addressed?
  • If printing, copying or emailing is unavoidable:
    • PRINTING: Do not leave the printer/copier unattended while printing or copying documents
    • COPYING: Check that you have collected all pages of your copy/copies AND all pages of your original document
    • EMAILING: Instruct recipients:
      • To open the attachment from the email
      • Not to save it to their device, and
      • To “double delete” the email after reading the attachment, to ensure that it is also deleted from their “Deleted” folder
  • All paper documents containing Personal or Confidential Information must be disposed of using the Confidential Waste bins or shredders.
Scanning – good practice
  • Electronic documents are easier to protect, share remotely and destroy than paper documents.
  • Wherever possible, scan paper documents, save them to an appropriate, access-controlled folder on Inspired Villages SharePoint and securely dispose of the original.  
  • Consult your manager before scanning and disposing of any document bearing a signature.
Printing & Photocopying safely

Before you print or photocopy:

  • Always consider whether it is necessary to print a document containing Personal or Confidential Information. Do not print unless it is impractical to share the information via more secure means, e.g. granting limited access to the document on SharePoint or displaying it via a video call
  • Consider the environment – avoid printing if you can
  • Check your printer settings to be sure that you do not accidentally send the job to a printer in another location
  • Collect your printing IMMEDIATELY
  • Check that you have collected ALL pages – and the original document when photocopying
  • Collect and shred all distributed copies of printed documents containing Personal or Confidential Information immediately after use.

Purchasing Equipment, Software, Services or Data

Do not purchase or procure any IT equipment, software or services without first:

  • Consulting Nexus to determine whether your business needs can be met using existing Inspired Villages equipment, software or services
  • Consulting the Data Protection Officer (DPO)
  • Performing a Privacy & Information Security Assessment (PISA) and completing the required control actions
  • Completing the Supplier Contract Requirements Checklist to ensure that the supplier’s contract contains all the clauses mandated by Article 28 of the GDPR.

Purchasing Marketing Data or Services

  • Consult the Data Protection Officer (DPO)
  • Perform a Privacy & Information Security Assessment (PISA) and complete the required control actions
  • Complete the Supplier Contract Requirements Checklist to ensure that the supplier’s contract contains all the clauses mandated by Article 28 of the GDPR.

Use of Drones

  • Drones with cameras collect Personal Information in the form of video images of people, their location and what they are doing.
  • The use of drones by Inspired Villages is therefore subject to the Privacy and Information Security Policies and other related company policies.
  • To ensure compliance, you must follow the ICO Guidance on Drones.