Check 7 – Security
Review your data security
This section asks you to make sure that the data is kept as secure as possible. Whilst this may be fairly straightforward in the church office, it is not as easy when people hold data at home.
Poor data security is one of the main causes of data breaches, which could be very costly to the Methodist Church from both a financial and a reputational perspective.
Things to be looked at might include:
- Are all computers kept on the latest level of software update?
- Do all computers have virus protection software?
- Is the information on the computer either backed up regularly or kept on the cloud?
- If a printed directory is produced, are those who hold a copy reminded to keep it where a member of the public cannot access it (for example, in a drawer rather than on a table by the phone)? Are they also reminded of what they can and cannot do with this information?
- Are paper records (e.g. room booking forms) kept in a locked filing cabinet?
Other things to consider:
- Do you have job-specific email addresses that are only used for that job and are used by successive job holders?
- Membership of church councils and circuit meetings changes on a continuing basis. Are new members (especially people new to a managing trustee role) given any induction?
- Does that include their responsibilities with regard to GDPR?
Suggested Process:
- Watch the 5-minute video on Sutton Circuit about data security
Email those holding data (identified in column 7 of your data mapping form) and ask that they review their data security, in particular the following areas:
- Ensure all software updates are installed as soon as they become available;
- Ensure all antivirus software is updated and installed as soon as available;
- Ensure all electronic devices are password protected and/or encrypted at all times;
- Ensure a 'clean desk' policy is in place where all paper files are locked away when not in use;
- Ensure that work/church emails are kept separate from their own personal emails and accounts.
The use of personal email accounts, especially those which are shared with other people, should be actively discouraged.