Data Use and Security Guidelines

• Double check your recipient when sending emails.
• Password-protect email attachments containing personal data and confidential business information. Additionally, the document sharing facilities in Office 365 / MS Teams can be used to share files. Do not email the password. Communicate it by a different means e.g. text message or phone call.
• Do not collect personal data unless it is required e.g. make surveys anonymous.
• Official records should be kept in the College’s electronic or manual systems.
• Use College devices, where possible.
• If it is necessary to use a personal device, particularly a shared device, ensure that College records are kept securely and confidentially.
• Do not use personal accounts to create or store official records.
• If personal accounts/devices must unavoidably be used, copy records to College systems/devices as soon as possible and delete them from personal accounts/devices.
• Keep personal data up to date and make requested changes promptly e.g. change contact details on request.
• While straightforward updates may be made e.g. change of address on a system, do not alter a document created by another employee without their permission.
• Personal data is not to be posted on public noticeboards or other public spaces.
• When recording personal data, check back with data subjects that what you have recorded is accurate, when appropriate e.g. send them a copy or read it back.
• Ensure that your communications are written in an objective, truthful, responsible and accurate manner.
• Pseudonymise or anonymise personal data, as appropriate, when it is no longer required to identify individuals.
• Carry out a Data Protection Impact Assessment (DPIA), where required.
• Consider data protection issues early in a new project and contact the DPO.
• Carry out audits on data quality e.g. check for errors.
• Design forms to collect the minimum personal data necessary to fulfil your purpose.
• Collect personal data in a privacy friendly manner e.g. sign-in books used by multiple persons to record their contact details might be replaced with individual use forms in paper or electronic formats.

• Access permissions for both manual and IT systems should align with employee duties.

• Do not access records that you have not been authorised to view i.e. records unrelated to your duties or for which you have not been granted access permissions.
• Employees may have access to personal data in systems that they do not require e.g. about learners that they do not teach. Employees should only access personal they require to carry out their duties.
• Keep your password secure and private to you.
• Use robust passwords. They should contain a mixture of letters and other characters (see advice under ‘Access Control’ here).
• Change your passwords regularly.
• Do not use the same password for multiple accounts.

• Photographs may be personal data. Ensure that you only use photographs in a manner allowed by Data Protection law. This may vary on the circumstances, but photographs require either consent or a legitimate interest (e.g. people would likely not be surprised to be photographed at a conferring ceremony). However, care should still be taken when deciding how to use photographs, and consideration given to what people might expect photographs would be used.
• If holding an event, inform attendees if photographs will be taken or the event recorded. This can be done by posting notices in the area, informing people when inviting them or during the booking process etc. Such notices can suggest that people speak to the photographer if they do not wish to be photographed. Notices should also indicate if it is intended to make photographs available e.g. on social media. The DPO can assist event organisers to draw up such notices.If an individual objects to the publication or other use of their photograph, comply with their wishes.
• Consider the data protection and privacy rights of others before you share an image or video of a video call that includes the image, voice or contact details of participants. Such sharing is discouraged.
• Covert recording of employees, learners or any other person with whom employees or learners come into contact in the workplace or through the course of duties of studies is not permitted.

• Double check your recipient when sending an email.
• Password-protect email attachments containing personal data and confidential business information. Do not email the password. Communicate it by a different means e.g. text message or phone call.
• Send group emails via ‘bcc’ where it is not appropriate that recipients see each other’s email address e.g. external email addresses; marketing mailing lists; where membership of a group should not be disclosed to others e.g. Counselling clients.
• In general, employees are only to disclose learner personal to parents/guardians or other family members with the learner’s written consent. This applies to all data including about fees, attendance, grades etc. There are extremely limited exceptions to this i.e. in a life-and-death situation.
• References about learners should only be provided to prospective employers, other educational institutions etc with the learner’s consent.
• Student ID numbers are personal data as they are linkable to an individual. They cannot be used to anonymise information about learners.
• Share personal data and other records with colleagues on a need to know basis only.
• If authorised employees from other departments need to borrow files from your office, implement a sign in/out book. Agree a borrowing period and issue a reminder if not returned on time.
• Do not share personal data or other confidential information acquired through your official duties on social media.

• Dispose of personal data and other confidential records securely. Shred paper records.
• Paper records are not to be disposed of in wastepaper or recycling bins.
• Return devices to IT Services for secure deletion of data and disposal.
• Dispose of records in accordance with the Records Retention Schedules.
• Some records are designated ‘archival’, which means that they are kept on an ongoing basis. Transfer them to the Delany Archive.

• All personal data and non-personal business records are confidential. Employees are to maintain and protect this confidentiality.
• Notify the DPO immediately of any incident where data has been put at risk or you suspect a potential or actual personal data breach or incident.
• Take appropriate methods to secure records when leaving your workspace e.g. lock your screen; lock the door; store paper records securely.
• Do not leave the key in your office door.
• Do not leave unauthorised people alone with personal data or other confidential business records.
• Keep records out of arm’s reach to visitors.
• Do not allow your computer screen to be viewable from a public area or to an unauthorised person.
• Locked storage units are ideal for paper records.
• Do not remove records from the College premises unless necessary.
• Return borrowed records to the College as soon as you are finished with them.
• Do not leave records on view in your car or in your car overnight.
• Assignments and examination scripts are not to be corrected in a public place.
• Do not store records on removable devices, such as memory sticks, unless necessary
• Do not print unnecessary paper copies of documents.
• Do not leave personal data or other confidential records unattended at photocopiers or other public locations.
• Employees who are changing position or leaving the College’s employment are to ensure that they leave all relevant records for their successor.

• Appoint a ‘buddy’ to new employees to explain procedures for handling personal data and other records.

• Volunteers and people on work experience should have limited or no access to personal data and other confidential records.

• Privacy Policies or Notices are available for many systems/software that are in use in Carlow College. They are generally found on the login page.
• Some systems/software allow users some user control over privacy settings e.g. what information is in a public profile. These controls are often found under the ‘settings’ tab.
• Further information may be sought from the relevant system administrator or the Data Protection Officer (DPO).

Purpose 

The purpose of these guidelines is to inform members of the Carlow College community about appropriate video conferencing use and etiquette. The terms ‘meeting’/‘business meeting’ and ‘event’ are used throughout.  The term ‘meeting’/‘business meeting’ refers to any meeting that concerns the official business of Carlow College, and ‘event’ might refer to conferences, lectures, colloquia, open days, information sessions etc. Events may be attended by the College community and/or invited guests, and the general public.  

Platforms 

• Employees are to use Microsoft Teams for internal meetings. 
• It may be more appropriate to use webinar rather than meeting settings for some events (e.g. public events), and Carlow College has a Zoom account that employees can avail of. 
• Caution should be exercised when subscribing to any virtual platform, in particular, think about what permissions you are being asked for and whether they are necessary (e.g. your location; access to your contacts). The minimum information should be shared with platforms.
• Avoid sharing organisational data, document locations or hyperlinks when using any platform other than Microsoft Teams.
• Do not forward meeting invitations to other individuals. Instead, contact the meeting organiser to arrange the sharing of invitations.

Your device 

• Ensure that your device has the necessary updates, including operating system and software updates. 
• Ensure that your device is protected by antivirus software.
• Be conscious of what and who can be seen and heard from your camera. Protect the privacy of other people around you and those on the call. As appropriate, wear a headset if you are in a shared space or where others may hear your call, or ensure that you are in a private space.
• If screen sharing, ensure that confidential data is not visible on screen and choose settings to ensure that pop ups such as emails do not appear on screen. 
• Ensure that that you log out, mute your mic or turn off your camera (as appropriate) when leaving a meeting or taking a break from it. 
• Consider the data protection and privacy rights of others before you share an image or video of a video call that includes the image, voice or contact details of participants. Such sharing is discouraged.

Recording business meetings 

• In general, business meetings are not to be recorded. Where this is proposed, there should be an identified legitimate reason for recording, which should be notified in advance to all participants, as well as the intended uses and sharing of the recording. 
• Covert recording refers to recording, audio or visual, carried out without the knowledge and consent of an individual(s). It includes recording on devices and systems of all types, including but not limited to, CCTV, phones and virtual meeting platforms. Employees and learners are not permitted to carry out covert recording of employees, learners or any person with whom they come into contact in the workplace or through the course of their duties or studies.
• Any covert recordings must have the prior approval of a representative group of senior management. 
• Inform participants when beginning/ending recording.
• Recordings should not be kept for longer than is necessary to fulfil the purpose for which they were created.
• Recordings are potentially accessible under Data Protection and Freedom of Information laws, and via other legal processes.

Recording events  

• It may be proposed to record events and make the recording available online. In such cases, recording and sharing are to be notified to participants when booking the event, and to speakers when they are invited to participate. There should always be a legitimate reason for recording an event and sharing that recording, whether online or by some offline means. 
• Recordings should be reviewed by the event organiser prior to sharing the recording or making it available online. Where special category data is disclosed by any participant or where there may be legal implications (e.g. defamation), the recording should be edited to redact the data or a decision made not to share or publish the recording should be taken. 
• Recordings are potentially accessible under Data Protection and Freedom of Information laws, and via other legal processes. 
• Recordings should not be kept for longer than is necessary to fulfil the purpose for which they were created.

Hosting events 

• It is the responsibility of the event organiser to make data protection information available to participants.
• Carlow College has an Events Privacy Notice, which should be made available to all participants at the time of booking (i.e. not after booking). 
• The Events Privacy Notice should also be made available to proposed speakers when they are invited to participate in an event. 
• The Events Privacy Notice is generic and cannot take account of details specific to individual events. Therefore, the event organiser should supplement the Events Privacy Notice with any further relevant information (e.g. if it is proposed to record the event; or make the recording available on the internet). This further information should be made available at the same time as the Events Privacy Notice. 
• Instruct participants not to share invitations sent to them.
• Video conferencing platforms have various functionalities. Settings should be chosen to promote data security and data protection rights:
  • Restrict access to video calls to those who need to present. Do not publish meeting IDs or passwords. 
  • If sensitive topics are being discussed, consider whether participants can ask questions anonymously. Do not mention the names of participants when answering their questions. 
  • Mute participant mics and turn off participant cameras unless they require such permissions. 
  • Control when people can join the call and who is allowed to share their screen.