THE ORDER OF THE KNIGHTS OF ST COLUMBA
Serve God by Serving Others

DATA PROTECTION & PRIVACY POLICY
Data Security - IT Security 

I. The Organisation shall ensure that the following measures are taken with respect to IT and information security: 
 
a) All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. 
 
b) Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Organisation, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords; 
 
c) All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Organisation's IT staff shall be responsible for installing any and all security-related updates as soon as reasonably and practically possible unless there are valid technical reasons not to do so; and 
 
d) No software may be installed on any Organisation-owned computer or device without the prior approval of the Knights of St Columba Data Protection Officer. 
 
e) All data held in IT systems shall be encrypted for security purposes using industry standard encryption software. 
 
II. Where the Organisation is acting as data processor in the provision of services to the data controller, access to personal data stored in the controller's account shall be restricted to nominated personnel only. Those personnel shall have their access controlled by user names and passwords that shall meet minimum standards and will change regularly. Access shall be recorded in log files. 
 
 
Organisational Measures 

The Organisation shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data: 
 
All employees, members, agents, contractors, or other parties working on behalf of the Organisation shall be made fully aware of both their individual responsibilities and the Organisation’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy; 
a) Only employees, agents, sub-contractors, or other parties working on behalf of the Organisation that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Organisation; 
b) All employees, agents, contractors, or other parties working on behalf of the Organisation handling personal data will be appropriately trained to do so; 
 
c) All employees, agents, contractors, or other parties working on behalf of the Organisation handling personal data will be appropriately supervised;