Security Compliance Policy (March 2026)

CROWLAND PARISH COUNCIL

Security Compliance Policy

1. Purpose

This Security Compliance Policy establishes the framework through which Crowland Parish Council (“the Council”) ensures the protection of its information, systems, assets, councillors, staff, contractors, and members of the public.

The policy aims to:
• Protect confidential, personal, and sensitive information
• Ensure compliance with applicable UK legislation and regulatory requirements
• Safeguard physical and digital assets
• Maintain service continuity
• Reduce the risk of security incidents and data breaches

2. Scope

This policy applies to:
• All Councillors
• All employees (permanent, temporary, and agency staff)
• Contractors and third-party service providers
• Volunteers acting on behalf of the Council
• All Council-owned or managed systems, equipment, premises, and data

3. Legal and Regulatory Compliance

Crowland Parish Council will comply with all relevant UK legislation including:
• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Freedom of Information Act 2000
• Computer Misuse Act 1990
• Health and Safety at Work etc. Act 1974

The Council will monitor legislative changes and update this policy accordingly.

4. Governance and Responsibilities

The Council has overall responsibility for ensuring appropriate security controls are implemented and maintained.

The Clerk / Responsible Financial Officer (RFO) is responsible for:
• Implementing this policy
• Monitoring compliance
• Reporting security incidents
• Ensuring appropriate training
• Maintaining risk assessments

All Councillors and staff must comply with this policy and report any incidents immediately.

5. Information Security

• Information shall be classified appropriately (Public, Internal, Confidential, Sensitive).
• Access will be granted on a least-privilege basis.
• Unique user accounts must be used.
• Passwords must meet complexity requirements and not be shared.
• Multi-factor authentication (MFA) should be enabled where available.
• Data retention schedules must be applied.
• Secure disposal methods must be used.

6. Cyber Security

The Council shall:
• Use supported and updated software
• Install anti-virus and endpoint protection
• Enable firewalls
• Apply security patches promptly
• Maintain encrypted backups
• Promote phishing awareness and email security

7. Physical Security

• Premises must be secured when unattended.
• Sensitive documents must be stored in locked cabinets.
• Visitor access must be supervised.
• Keys and access credentials must be controlled.

8. Incident Management

All suspected or actual security incidents must be reported immediately to the Clerk.

The Council will:
• Assess severity
• Contain and mitigate impact
• Notify the ICO within 72 hours if required
• Inform affected individuals where necessary
• Record incidents in an incident log

9. Third-Party and Supplier Security

• Contracts must include data protection clauses.
• Due diligence must be conducted before engaging IT or data processors.
• Data processing agreements must be implemented where required.

10. Business Continuity and Backup

• Maintain regular backups of critical data.
• Store backups securely and test restoration.
• Maintain a Business Continuity Plan.
• Identify critical services and recovery priorities.

11. Training and Awareness

Councillors and staff shall receive:
• Data protection training
• Cyber security awareness training
• Incident reporting guidance

Training will be refreshed periodically.

12. Monitoring and Review

• The policy is reviewed annually.
• Risk assessments are updated regularly.
• Audit findings are reported to the Council.

13. Breach of Policy

Non-compliance may result in:
• Disciplinary procedures
• Termination of contracts
• Legal action where appropriate

14. Policy Review

This policy will be reviewed annually or sooner if:
• There is a significant legislative change
• A major security incident occurs
• There are substantial operational changes


Approved by: Crowland Parish Council

Date: 2nd March 2026

Review Date: 2nd March 2027