Embrace the similarities, Love the differences, In all our affairs

Information Security Policy

The sixth data protection principle requires that organisations employ appropriate technological and organisational measures to ensure the security of personal data. In this policy Region 9 has set out the processes which must be followed to keep data secure (organisational measures), and the technological measures which must be adopted.

Scope of this policy

This policy applies to everyone who processes personal data from or on behalf of Region 9. This includes Officers, Trustee Liaisons, Committee Chairs, Committee members, Service Coordinators or Assembly Representatives, , annual Assembly and Convention hosts, and other OA service members. All are responsible for ensuring that if they handle any personal data, it is kept securely and is not disclosed (either orally or in writing or accidentally) to any unauthorised third party.

General principles

OA is an anonymous fellowship, and our 12th Tradition states that: “Anonymity is the spiritual foundation of all these Traditions, ever reminding us to place principles before personalities”. We hold information about other fellows in confidence. This policy upholds the 12th Tradition. Personal information must not be shared informally, nor disclosed to people who are not authorised to see it. Data must be kept secure, and if it is no longer required, it must be securely deleted or destroyed. If data is lost or stolen then this must be reported as soon as this is realised, following the procedure in this document. Particular care must be taken when data is transferred from one place to another to ensure that it is not lost in transit.

Hard copy documents

When personal data is stored on paper (for example: a register of meeting attenders), it must be kept in a secure place where unauthorised people cannot see it.

Paper or files must be kept in a locked drawer or filing cabinet, or destroyed appropriately if no longer needed for our purposes or auditing requirements. Paper copies must be securely shredded or burned when no longer required. Tearing or screwing up paper is not a secure means of disposal.

Assembly attendance lists should be destroyed when no longer required, in accordance with the Privacy Policy.

Electronic data

Computers and devices used to access personal data must have current software installed, as legacy software is not supported by security patching. Security updates should be installed.

Devices should always have anti-virus / anti-malware software installed, and kept updated. This will be provided by the Region if required.

Strong passwords must be used to secure electronic devices and also services used to access data (email, Google Suite etc). Passwords must not be reused, shared, saved to file, or saved to non-secure password key chains or browsers. Password management software should ideally be used, and protected with a strong password. Guidance on choosing and using passwords can be found here.

If using a shared computer, password protected services must be closed down when work is finished. Files and folders must not be left open, and the screen must be locked when away from it.

Home Wi-Fi must be encrypted to the highest standard available (ideally WPA2). Suggestions for securing home Wi-Fi are:

  • Change your router admin username and password so that they are not the standard for your router.
  • Change the broadcast name for your Wi-Fi (the SSID) so that it does not describe the router.
  • Activate firewalls and turn off guest networks.
  • Keep firmware updated.
  • Unless your router is locked away, turn off WPS (the one-push button to connect to your router).

Open Wi-Fi networks must not be used to access personal data.

Mobile devices

Particular care must be taken to keep mobile devices secure: they must be password protected, and ideally encrypted. Unencrypted USB devices are especially insecure as they are so easy to lose. Ideally devices should have remote wiping agents installed so that they can be erased if stolen.

Google Suite

Region 9 Officers, Trustee Liaisons, Committee Chairs, Committee members, Service Coordinators or Assembly Representatives, and other OA Members make use of Google Suite to save information. Two-step verification must be activated, and a strong password used.

Documents must be saved in the correct location, and multiple copies of the same documents are not allowed. Any document which contains personal data must be saved using a filename with the suffix PD, for example: ‘Website Invoices (PD)’. Each Officer, Trustee Liaison, Committee Chair, and Service Coordinator is responsible for their own Google Suite  Shared Drive and other folders.

Documents must be deleted in line with the archiving and retention rules set out in the Privacy Policy.

The Region 9 Digital Officer and Digital Committee Chair are the Google Suite  Administrators. They will manage access to Google Suite Shared Drives and other folders, ensuring that access is only granted to current Officers, Trustee Liaisons, Committee Chairs, Committee members, Service Coordinators or Assembly Representatives, and other OA Members, and outgoing members conducting a handover. Once a handover has been completed, then they will be removed or access downgraded from shared drives and folders.

Email

Region 9 Officers, Trustee Liaisons, Committee Chairs, Committee members, Service Coordinators or Representatives, and other OA Members will use Region 9 email accounts when handing personal data for Region 9 , these email accounts will be provided as part of their Google Suite license.

Email is not secure. Most emails transmitted over the internet are sent in plain text, which makes them vulnerable to interception. Consider what information is sent via email. For example, use encrypted forms to send banking information instead of email.

It is strongly suggested that generic email addresses are used wherever possible, at all levels of OA service in Region 9 (please see OA Region 9 Policy Manual). Email accounts must be securely password protected, and security features enabled.

Great care should be taken when opening email attachments, in case they contain a virus, Trojan, spyware or other malware. It is now commonplace for ransomware attacks to be launched by ‘spoof’ emails which appear to come from a legitimate organisation (for example HMRC) attaching an invoice or order form, which, if opened, installs malware which encrypts all data on the attacked device. A ransom is then charged for the decryption key. Under the GDPR ‘corruption of data’ is a data breach, and therefore a ransomware attack should be reported as such to the Region 9 Chair, as per the policy below.

When sending emails to a distribution list, or several recipients,  the sender’s email is used  in the ‘To’ field with the recipients listed in the ‘BCC’ (blind carbon copy) field. This means that email addresses are not shared between the whole list.

Documents containing personal data may be attached to emails, either sent or received. These must be saved securely. The emails with the attachments must also be kept secure, and themselves deleted in accordance with the archiving and retention rules set out in the Privacy Policy.

Use of Anonymised Information on the Website and in Publications

Personal names will not be used in any website content, printed materials, or other publications produced by OA Region 9, unless a waiver is completed at the point of submission. This approach minimises the processing of personal data, reduces the risk of accidental disclosure, and supports our commitment to GDPR principles of data minimisation, privacy, and safeguarding individual rights.

Data breach

Reporting to Region 9 Chair

The GDPR requires that OA Region 9 notify the relevant national authority if there is a data breach, without undue delay, and not later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Region 9 has chosen the UK Information Commissioners Office as our relevant national authority.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. This might include loss of a USB stick with OA members’ contact details, or accidental email of contact details to anyone not authorised to receive them.

Anyone handling personal data in connection with OA (Officers, Trustee Liaisons, Committee Chairs, Committee members, Service Coordinators or Assembly Representatives, and other OA service Members) must notify the Region 9 Chair as soon as they become aware of a data breach (chair@oaregion9.org). Anyone who has concerns about data privacy or the risk of a breach should notify the Chair of their concerns.

Notification to Information Commissioner’s Office

The Chair will consider whether the breach is likely to result in a risk to the rights and freedoms of data subjects. If such a risk is unlikely then the breach will not be reported to the Information Commissioner’s Office, but will be recorded in the data breach template. Remedial action will be identified, and a timetable for completion will be drawn up.

If there is a risk to data subjects, the Chair will notify the Information Commissioner’s OfficeI of the breach, describing:

  1. the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
  2. the name and contact details of the person from whom more information can be obtained. This may be the Chair, or it may be some other person assigned responsibility for handling the data breach
  3. the likely consequences of the personal data breach
  4. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

This notification will take place within 72 hours of the Chair being notified of the breach, unless this is not possible, in which case it will take place as soon as possible, and reasons given for the delay.

Where it is not possible to provide all of the above information at the same time, the information may be provided in phases without undue further delay.

The Chair will record the breach in the template, stating the nature of the breach, when and how it was reported, when it was noticed to the Information Commissioner’s OfficeI, the breach’s  effects and the remedial action taken, and any response from the Information Commissioner’s OfficeI, including any mandated action.

Notification to data subject(s)

When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, and it is not possible to prevent this risk from materialising, the Chair will inform the data subject(s) without undue delay. The following information will be communicated, using clear and plain language:

  1. The nature of the personal data breach
  2. the name and contact details of the person from whom more information can be obtained. This may be the Chair, or it may be some other person assigned responsibility for handling the data breach
  3. the likely consequences of the personal data breach
  4. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

The notice must be sent directly to the data subject, unless this would involve disproportionate effort, in which case it can be published on the website.

Delegation

The Chair may delegate their responsibilities under this section to a named person, but will continue to hold ultimate responsibility for ensuring that any breach is properly recorded and (if relevant) notified.

Version

This policy was drafted on 5th May 2020, and approved by the Region 9 Assembly In October 2021.

The policy was revised and approved on 16th January 2026..

Any questions about this policy or any queries concerning data protection matters should be raised with the Region 9 Chair (chair@oaregion9.org)

Back to top