The Vale of Glamorgan Council
Cabinet Meeting: 2 November, 2015
Report of the Leader
ICT Security Policies for Mobile Phones and Removable Media Devices
Purpose of the Report
To obtain approval of the two policy documents attached.
That Cabinet approve the introduction of the Mobile Device Security Policy (Appendix A) and Removable Media Policy (Appendix B).
Reasons for the Recommendations
To have formal approval of the policies by Cabinet.
The Council takes its duty to protect personal and sensitive information, which has been entrusted to it, very seriously. The Information Commissioner's Office (ICO) expects the Council to take all procedural and technological measures to reduce the risk of data loss.
Two policies attached, namely the Mobile Devices Security Policy (Appendix A) and the Removable Media Policy (Appendix B) which together cover the use of removable media devices such as USB memory sticks and the use of corporately supplied mobile devices. All such devices have the ability to store significant amounts of data by connecting to PCs or laptops and copying data over to the attached device. At present there are no physical controls in place to monitor data that is being copied in this way or to prevent it from happening.
The Council has acquired a solution that will monitor and where appropriate prevent data being transferred onto removable media devices and mobile devices and these policies will introduce a new set of requirements for staff to adhere to when considering taking data outside of Council's network and when using corporately supplied mobile phones.
The policies have been considered and approved by the Information Governance Board, Corporate Management Team and the Legal Services Division. In addition the Trade Unions have been consulted and raised no objections to their introduction. A draft removable media policy was circulated to staff for consultation and the feedback from that consultation has been included in the policy document.
Relevant Issues and Options
The number of removable media devices has risen considerably as departments use mobile technology to improve the efficiency of their staff and help them to achieve the savings they have to make and to reshape their services.
However the rise in the use of these connected devices has also increased the risk of data being copied to them and then taken outside of the Council's control. The data storage capacity of these devices has increased enormously over recent years and now has the potential to store thousands of documents or records.
In order to reduce the risk of data theft and protect data that has been transferred in accordance with Council policies, the ability to control access to removable media devices and manage mobile devices is essential.
When staff are issued with a mobile/smart phone they will be required to sign a copy of the Mobile Devices Security Policy.
Resource Implications (Financial and Employment)
The systems that manage mobile and removable media devices have been procured through the use of existing capital and revenue budgets so there are no additional financial implications that arise as a result of this report.
However ICT staff will be required to monitor and report on any breaches of these policies and whilst some of that work can be automated by the systems that have been put in place, there will be some increase in the workload of a few individuals.
Sustainability and Climate Change Implications
The introduction of these policies will allow staff to be more mobile and increase the flexibility for mobile, remote and home working whilst protecting the data held on these devices.
Legal Implications (to Include Human Rights Implications)
Failure to follow the policies may result in disciplinary action being taken against staff.
Crime and Disorder Implications
There are no crime and disorder implications for this report.
Equal Opportunities Implications (to include Welsh Language issues)
There are no Equal Opportunities implications for this report.
This project comes under the priority outcome of Community Leadership.
Policy Framework and Budget
This is a matter for Executive decision.
Consultation (including Ward Member Consultation)
No ward member consultation has taken place.
Relevant Scrutiny Committee
Corporate Resources Scrutiny Committee.
ICT Code of Conduct
David Vining - Head of Strategic ICT
Corporate Management Team
Information Governance Board
Evelyn Morgan - Legal
Rob Thomas - Managing Director