RCHM Information Security and Data Protection Policy

Introduction

This document outlines the RCHM's commitment to ensuring the security and confidentiality of all information accessed by employees during their tenure. The aim is to safeguard the organisation's data in compliance with the UK General Data Protection Regulation (GDPR) and uphold best practices for information handling within the RCHM office.

By following this policy, all RCHM employees are responsible for securing RCHM information and ensuring compliance with data protection laws. Breaches of this policy may result in disciplinary action.

1. Definitions

• Confidential Information: Any data or information that is proprietary, sensitive, or otherwise not intended for public disclosure. This includes personal data, client details, RCHM internal communications, and business strategies.

• Personal Data: Any information relating to an identified or identifiable natural person (e.g. names, email addresses, health data).

• Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

2. Secure Handling of Information

All information accessed by employees, whether in digital or physical format, is classified as confidential RCHM office information. Employees must ensure:

• Information is stored securely behind locked doors and/or in encrypted digital systems.

• Access to confidential information is restricted to authorised personnel only.

• No public access is permitted to any sensitive or internal documents or databases.

3. Access Control

Access to RCHM information is restricted based on role and authority within the organisation. Employees will be granted access to information strictly necessary for their role, and access levels will be reviewed regularly. Any request for additional access must be formally approved by management.

4. Communication Protocols

• RCHM Email Accounts: All RCHM email communications, whether via personal or shared inboxes, are to be used for business purposes only. Personal communications must not occur through RCHM accounts.

• Retention of Communications: Emails and any other form of communication conducted through RCHM accounts are subject to data retention policies. As such, they remain the property of the organisation and must be retained as required by RCHM's internal retention schedule.

5. Data Protection and GDPR Compliance

RCHM complies fully with GDPR and expects employees to follow these guidelines:

• Personal data must only be used for its intended purpose and never shared without explicit consent unless required by law.

• Employees must be aware of, and manage, risks associated with sharing, storing, and handling personal data.

• Data minimisation: Employees should only collect, use, and retain the minimum amount of personal data necessary to fulfil their duties.

• Any data breach or security concern must be reported immediately to the Data Protection Officer (DPO) or relevant manager. [note – the DPO is not yet in position – Council have been requested to consider this November 21st 2025 by email – MM]

• Employee data rights: Employees have the right to access, correct, or request deletion of their personal data in accordance with RCHM's Data Subject Access Request (DSAR) procedure [Document in process, once completed will be available in the Intranet].

6. Data Breach Procedure

In the event of a data breach:

• The employee must immediately report the incident to the DPO or a designated manager.

• The DPO will assess the breach, notify the relevant authorities (if required), and take steps to mitigate the impact.

• All breaches must be documented, and any lessons learned will be applied to prevent future incidents.

• Breaches involving employee or HR data will be managed confidentially and, where appropriate, in accordance with RCHM's disciplinary or grievance procedures.

7. Relinquishing Access Upon Termination of Employment

Upon leaving the organisation, employees must:

• Relinquish all access to RCHM office information, including physical files, digital systems, and email accounts.

• Return any physical documents or materials related to RCHM business.

• Not store, save, or transfer any RCHM information to personal devices, accounts, or locations.

Access to RCHM systems will be terminated on the employee's last working day, and all digital access (e.g. logins, passwords) will be disabled. Former employees are prohibited from retaining or using any RCHM information once their employment has ended.

RCHM may retain basic employment information (e.g. job title and employment dates) for reference, verification, or legal purposes in accordance with the retention schedule.

8. Data Retention

RCHM is committed to maintaining appropriate data retention schedules in line with legal obligations and operational needs. Employees must adhere to these schedules and ensure that communications and records are retained as necessary for RCHM's purposes.

RCHM retains HR and employment records as follows (unless legal requirements specify otherwise):

• Recruitment records – 6 months for unsuccessful candidates

• Employment records – 6 years after employment ends

• Payroll, pension, and tax data – 6 years

• Health and safety and accident records – in line with statutory requirements

• Disciplinary or grievance records – 1 year after resolution unless otherwise required

A full retention schedule will be available on the RCHM intranet.

9. Physical and Digital Security

• All physical documents containing sensitive information must be stored securely in locked cabinets or rooms with limited access.

• Electronic data must be stored securely, using appropriate encryption and password protection.

• Employees are responsible for ensuring that their devices (e.g. computers, phones) are secured against unauthorised access, especially when working remotely.

• Employees working remotely must use RCHM-approved devices or secure access methods (such as VPNs) and must not store RCHM data on personal or unencrypted devices.

10. Monitoring and Auditing

RCHM reserves the right to monitor and audit its data protection and information security practices regularly. Employees are expected to cooperate fully with any audits or investigations into data protection practices.

11. Third-Party Sharing

RCHM may share information with third parties, such as suppliers, contractors, or auditors. In such cases, RCHM ensures that third parties are subject to appropriate agreements, such as Data Processing Agreements (DPAs), to protect the confidentiality and integrity of the data.

12. Training and Awareness

All employees, contractors and volunteers will receive mandatory training on data protection and GDPR upon joining RCHM and periodically thereafter. This ensures that everyone handling RCHM information understands their responsibilities and how to manage data securely.

13. Disciplinary Action

Failure to adhere to this policy may result in disciplinary measures, up to and including termination of employment. RCHM takes breaches of data protection and information security seriously, and violations will be addressed accordingly.

14. Policy Ownership, Review and Further Guidance

Policy owner: Chief Executive Officer / Data Protection Officer [tbc see note above]

Review cycle: Annually, or sooner if legislation or operational needs change.

For detailed information on your rights and responsibilities regarding GDPR and workplace data protection, please refer to:

• ACAS Guidance on Data Protection

• ACAS Guidance on Handling Employee Information

For any queries or concerns about this policy, or to report a potential breach, please contact the RCHM Data Protection Officer.

RCHM Management

Date: November 21st 2025

This policy will be reviewed and updated periodically to ensure ongoing compliance with data protection law and best practice.