Clear desk and clear screen policy

Purpose

To improve the security and confidentiality of information, and where possible a clear desk policy for papers and removable storage media and clear screen policy for information processing facilities shall be adopted.

This should reduce the risk of unauthorised access, loss of, and damage to information during and outside normal working hours or when areas are unattended.

The purpose of this policy is to set the requirements to ensure that all work areas are clear of the council's information, whether in electronic or paper form.

Introduction

London Borough of Enfield (LBE) stands committed to the development of secure policies and practices and ensures it complies with the Data Protection Legislations, and in doing so, we have implemented this Clear Desk Policy to increase physical and electronic security whilst remote working and when working from LBE offices.

This policy ensures that all sensitive and confidential information, whether it be on paper, a storage device, or a hardware device, is properly locked away or disposed of in accordance with the retention schedule.

Scope

This policy applies to all employees, contractors, and third-party employees, who have access to IT assets and may be bound by contractual agreements.

The policy shall be made available to all the employees covered in the scope; All changes and new release of this document shall be made available to the persons concerned.

Policy

Whenever you are away from their desk, or if desk is unattended the following will apply:

• Material that contains sensitive or confidential information must be placed in the designated confidential waste bins
• Digital devices shall not be left logged on and unlocked when unattended and shall be password protected. Users must also log off applications containing sensitive information.
• Users should log off and shut down the devices when leaving for extended periods of time, or at the end of the day when finishing work. Simply locking the device is not a suitable option for this control.
• Users should carefully review all data on the screen before proceeding with any virtual meeting and possible screen sharing, to ensure no disclosure of sensitive information happens
• Users should not save any personal or confidential information on the desktop; files may not be protected so you should save your files on OneDrive or the relevant business storage area, such as in SharePoint
• Laptops, tablets, and other hardware devices must be removed from the desk and locked in a drawer or locker
• During work hours (8am to 6pm) desks should be maintained in a clear manner following above steps
• Out of hours - physical media, paper records, removable media, should be put away. If not physically secured (no lock), stored in a secure cabinet.
• When working remotely, devices must be shut down properly and locked away where possible
• Keys for accessing drawers or filing cabinets should not be left unattended at a desk, keys must be locked away in the secure key box at the end of the day
• ID badges must be worn whilst at work. Do not leave your ID badge on desks or other locations for someone else to take. Lost ID badges must be reported to Facilities Management immediately to deactivate their privileges.
• Printers and fax machines should be treated with the same care under this policy:
  • Any print jobs containing sensitive, personal identifiable and confidential paperwork should be retrieved immediately
  • All paperwork left over overnight will be properly disposed of
• There shall be no personal screen savers set on for the individuals’ desktops / laptops. You should only use screen savers approved by council.
• Enfield devices are configured with automatic inactivity timers and lockdown mechanisms to ensure devices will logged out after a period of inactivity, requiring the user to log back into the device to continue work
• Working remotely your computer, screens shall be angled away from the view of unauthorised persons. When possible, computer screens should face away from other employees or external viewers to ensure privacy. Council supplied privacy screens must be used when using a laptop in public spaces.
• Passwords must not be written or posted on your device or in any other accessible location
• Doors should be locked outside business working hours, or properly managed with secure access
• Enfield Council is responsible for ensuring physical safeguards are in place to protect user’s devices that access confidential information

Compliance

This policy will be officially monitored for compliance by the Service Management and Governance Teams (SMG), Information Governance Manager and may include random and scheduled inspections. The Information and Data Governance Board will be the owner of this policy.

Non-compliance

All policies require the participation of staff and contractors to be successful. Any employee or contractor found to have violated this policy may be subject to disciplinary action and in line with the HR policies.

Policy details

Author – Information Governance Team
Owner – Information and Data Governance Board
Version – 1.0
Reviewer – Information and Data Governance Board
Classification – Official
Issue status – Final
Date of first issue – April 2023
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025