IT Policy March 2026

Edenham, Grimsthorpe, Scottlethorpe and Elsthorpe Parish Council IT Policy

1. Introduction

The parish council recognises the importance of effective and secure information technology (IT) and email usage in supporting its business, operations, and communications. 

This policy outlines the guidelines and responsibilities for the appropriate use of IT resources and email by council members, employees, volunteers, and contractors.

2. Scope

This policy applies to all individuals who use the computer systems and email provided by the Council, regardless of their working pattern or location, including those who are home-based or office-based, flexible or part-time, councillors or employees.

3. Cyber security responsibilities

Responsibility for the administration of the Council’s IT systems has been delegated to the Clerk.

The Council remains ultimately accountable for compliance with this policy. The Council aims to manage its IT systems in accordance with the principles set out in NCSC Cyber Essentials Guidance and the 2025 Practitioners’ Guide.

For further information see: Cyber Essentials: https://www.ncsc.gov.uk/cyberessentials/overview

4. Acceptable use of IT equipment and email

Council IT equipment and email accounts are to be used for official council-related activities and tasks. Limited personal use is permitted, provided it does not interfere with work responsibilities or violate any part of this policy.

All users must adhere to ethical standards, respect copyright and intellectual property rights, and avoid accessing inappropriate or offensive content.

5. Computer and software usage

Employees who need to use IT in their role will be provided with authorised, licensed computer equipment, software, and applications for work-related tasks.

All computer and mobile equipment will be logged against the current owner of that equipment.

All computers and other devices supplied should be treated with good care at all times, to avoid loss or damage that would have a financial impact on the Council.

The installation of any unlicensed software on council devices is strictly prohibited.

Regular data backups of Council devices should be performed to allow for a prompt recovery of essential services following a cyber security incident. Backups should be stored separately from live systems (ideally off-site or in a secure cloud) so that data is protected even if primary systems are compromised.

6. Email communication

All councillors and employees who need to use email as part of their role will normally be given their own email address and account on a domain owned by the Council. Email accounts provided by the Council are for official communication only.

Emails should be professional and respectful in tone and not contain material that could bring the Council into disrepute. Councillors are strongly encouraged to use their Council-provided email account for official business so that Council data remains secure and under Council control. Using personal email should be limited and only when absolutely necessary.

To reduce the risk of phishing and other email threats, users should take the following precautions:

• Be cautious of unexpected or unusual emails, particularly those asking you to click a link, open an attachment, or provide information.

• Check the sender’s email address carefully, not just the display name. Fraudulent emails often imitate familiar names but use incorrect or unusual addresses.

• If an email seems suspicious, do not reply, click links, or open attachments. Forward suspicious emails to report@phishing.gov.uk.

• Do not trust urgent or threatening wording, as this is often a sign of phishing attempts.

8. Password and account security

Parish council users are responsible for maintaining the security of their accounts and passwords. Passwords should be strong and not shared with others. Regular password changes are encouraged to enhance security.

The National Cyber Security Centre (NCSC) approach of using three random words (e.g. PurpleCandleRiver) is recommended. This method helps create passwords that are both strong and easy to remember, while offering effective protection.

In addition to strong passwords, Multi-Factor Authentication (MFA), e.g. a code to a mobile phone, should be enabled wherever possible.

Additional requirements:

(a) Default passwords must be changed immediately upon installation or setup.

(b) Passwords are personal and must not be shared under any circumstances.

(c) Passwords must not be stored in plain text or written down in insecure locations.

(d) Passwords must be changed immediately if compromised.

Administrative credentials must be stored securely and only accessible to authorised personnel with a copy provided to the Chairman of the Council, in a sealed envelope, only to be accessed in an emergency.

9. Email monitoring

The parish council reserves the right to monitor email communications to ensure compliance with this policy and relevant laws. Monitoring will be conducted in accordance with the Data Protection Act and GDPR.

When a Councillor leaves the parish council the email allocated to them will be withdrawn.

10. Retention and archiving

Emails should be retained and archived in accordance with legal and regulatory requirements. Regularly review and delete unnecessary emails to maintain an organised inbox.

Electronic records should be managed in accordance with the council’s Document Retention Policy. Where records contain personal data, they should be securely destroyed at the end of the retention period as outlined in the policy.

11. Reporting security incidents

Any incidents which could pose a risk to the council’s systems or data security should be reported to the Clerk without delay.

This includes but is not limited to:

(a) lost devices,

(b) potential risk arising from phishing emails/websites,

(c) passwords having been shared, and

(d) unauthorised third-party access to systems.

Where a security breach affects personal data, the Council will follow the ICO guidance and its Data Protection Policy.

12. Training and awareness

The Clerk will advise councillors and staff of relevant training resources and opportunities, including those offered through the county association.

Councillors are strongly encouraged to complete basic cyber security awareness training and report completion of any relevant training to the Clerk.

14. Compliance and consequences

The Council expects its computer systems and email to be used responsibly; inappropriate and unauthorised use will be taken seriously.

Any misuse of Council IT resources by employees may lead to formal action, including disciplinary proceedings or, in serious cases, dismissal.

Compliance with this policy is part of a councillor’s responsibility and breaches may be dealt with under the Member’s Code of Conduct.

15. Policy review

This policy will be reviewed at least annually to ensure its relevance and effectiveness. Updates may be made to address emerging technology trends and security measures.

 

This policy was reviewed and approved at the Parish Council meeting on 10th March 2026, Agenda item 7/108/1.