Today’s technology age means that there are many tools available to us all when it comes to the management of our day-to-day jobs and activities.
This situation exists within local Scouting and in most cases, you will opt to use the tooling that you are familiar with or that makes your operation as easy as possible. The guidance below sets out these technologies and the security measures that should be considered for each:
Paper
Whilst not strictly a technology, paper is still used to capture and retain data. This is the case within Scouting and as such needs to be considered. For example, paper-based records could exist for the following:
- New joiners form
- New joiners waiting lists
- Events consent from parents
- Annual health records updates
- Events coordination with events companies
- Award notifications/nominations
The following should be considered when using paper:
- Not digitally searchable – not easy to find specific information
- If lost or damaged it’s not recoverable
- Not easy to transfer
- Prone to error or misinterpretation
- Requires physical storage and security
In some cases, paper-based records are justified or are the only means of data capture. Where this is the case, duty of care needs to be considered, such as:
- Minimise the use of paper to only what is required.
- Transfer of paper is secure, such as physical hand-to-hand transfer or registered post.
- Paper forms are securely destroyed after use, if possible.
- Secure destruction should be through a shredding machine.
- Keep the paper records secure always, especially when in transit. Consider using:
  - A lockable briefcase.
  - A lockable filing cabinet if stored long term.
- If transferred to somebody, audit that they return them when complete.
Paper should be considered transient wherever possible and not for longer-term storage, meaning that the data should ideally be transferred as soon as possible to a digital system and then the paper medium securely destroyed.
Digital forms
Digital forms offer the ability to capture data in a digital means via a website link. The form is presented to the person entering the details as designed by yourself.
The following should be considered when using web forms/online surveys:
- Digital forms can be from your own website, online survey tool or a membership database.
- Digital forms are widely used and accepted as means of gathering data.
- They need to be carefully created to capture only the data required and offer a clear capture flow, see Step 5: Gathering data
- Digital forms reduce mistakes of data capture.
Where web forms or digital surveys are being used the following best practices should be considered:
- The presentation of the form is easy to understand and follow.
- The form itself is using a secure transfer mechanism; the link to it should start with ‘HTTPS://’.
- You understand how the data is used after the form is completed: is it emailed to yourself, or is it retained within a database where the form is located?
- If the detail is emailed to yourself after the form is completed, this email should be treated with care and deleted when it is no longer required.
- If the data is retained in a forms database, then ensure access to this database is protected by a strong username and password and the access to it is limited to only those that require the data.
- Delete any data that is not needed from the locations it is stored.
Digital forms are a good way to gather accurate data in a secure way.
E-Mail
The most common communication tool used today is e-mail. This can be either personal or corporate e-mail from a large variety of providers. E-mail is used commonly to transfer all types of data and can be used to transfer documents with information in or the data directly in the body of the e-mail itself. It is worth being aware that 85% of all reported data breaches in the UK come from sending e-mail to the wrong recipient.
The following should be considered when using e-mail to gather or transfer data:
- E-mails are sent in clear text, this means that if they are intercepted the contents can be read.
- Most e-mail systems retain lots of copies of the data sent and received, for example in:
  - Inbox folder
  - Sent items folder
  - Deleted folder
- It is easy to mistype an e-mail address or select an incorrect pre-populated address.
- The security of an e-mail system varies depending on the service provided.
- E-mails can be stored locally on your laptop/desktop.
Where e-mail is being used the following best practices should be considered:
- Free e-mail services generally lack a level of security appropriate for sending lots of sensitive personal data.
- Review the e-mail service you have; good service add-ons include:
  - Anti-virus scanning
  - Anti-malware scanning
  - Encrypted e-mail
- Delete e-mails when they are no longer required, especially if they contain data within attachments. They should be deleted from the Inbox, Sent items and Deleted folders.
- Add a 2-minute delay to the sending of your e-mails. Most email clients allow this as a ‘Rule’, so any mistyped email can be stopped before it leaves.
- Don’t store your e-mails locally on your laptop/desktop to minimise the data you store.
- Minimise the use of e-mail to what is necessary when it comes to gathering or transferring data.
- Take care when replying to all in the email chain, you may not want all email participants to be part of any ongoing communications.
- If you are looking to email multiple individuals and don’t want everybody to see the email addresses on the distribution list, then simply add all of their email addresses to the ‘BCC’ field. You can then add your own email address in the ‘TO’ field, this will mask all addresses except yours.
Additionally, e-mail mass mailers may be used to communicate with members for group updates, events and other operational means. When looking at a service like this you should consider the following:
- Is the service with a reputable provider?
- Does that provider align to the GDPR?
- Is the data set you are providing minimised to only what is required?
- Does the data get stored with the provider, if so, can you delete it when finished with?
E-mail is an effective way to communicate but can lead to lots of data across lots of folders.
Laptop/Desktop/Tablet
Laptops/desktops/tablets are commonplace in most households as well as in people’s place of work. As volunteers within the Scouts you will probably have access to or be using this type of technology to manage the operations for local Scouting.
Security of laptops/desktops/tablets is key when gathering, storing or transferring data. The security already in place for the physical device could vary depending on whether it is a company or personal asset and on your line of work.
The following should be considered when using a laptop/desktop/tablet to gather, store or transfer data:
- Is the laptop/desktop/tablet a shared resource?
- Who owns the laptop/desktop/tablet and is ultimately responsible for it?
- How is the laptop/desktop/tablet to be used?
- Is data stored locally on the device or is it located within an online system?
Where a laptop/desktop/tablet is being used, the following best practices should be considered:
- The laptop/desktop/tablet is protected by a username and strong password. A strong password is defined as one that:
  - Consists of at least eight characters.
  - Uses a combination of letters, numbers and symbols (@, #, $, %, etc.).
  - Contains letters in both uppercase and lowercase.
  - Does not include whole words that are unique to you.
- The laptop/desktop/tablet includes hard disk encryption – Check your operating system provider and search for options of hard disk encryption.
- Software packages such as anti-virus and anti-malware are included.
- Software on the laptop/desktop/tablet is up-to-date.
- Implement a digital password safe to store all passwords you must remember, there are many free tools available.
- Storage of data locally is minimised to only what is required.
Laptops especially are very useful for mobile management of local Scouting, but the mobile element introduces a loss or theft risk. Reduce the exposure by considering the measures above.
In addition to this guidance there is a Template Data Security Register that you can use to help maintain a list of the types of media used in local Scouting. This register can also act as a risk register for any media types that need to be reviewed or tracked as a risk.