Our Commitment to Data Security
Jesus Youth UK takes the security of personal data seriously. We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or damage, as required by Article 32 of the UK GDPR.
Technical Measures
Passwords and Authentication
- All systems containing personal data are protected by strong passwords
- Passwords must be unique and not shared between individuals
- Where available, two-factor authentication (2FA) is enabled on accounts that hold personal data
- Passwords are changed promptly if a breach is suspected
Device Security
- Devices used to access personal data (laptops, phones, tablets) must have screen locks enabled
- Devices must have up-to-date operating systems and security patches
- Anti-virus and anti-malware software must be installed and kept current
- Personal data should not be stored on removable media (USB drives) unless encrypted
Encryption
- Emails containing sensitive personal data are sent securely where possible
- Portable devices and removable media containing personal data are encrypted
- Cloud storage services used for personal data employ encryption at rest and in transit
Access Controls
- Access to personal data is restricted to those who need it to carry out their role
- User accounts are set up with appropriate access levels
- Access rights are reviewed when individuals change roles or leave the organisation
- Former staff and volunteers have their access revoked promptly upon departure
Organisational Measures
Training
- All staff and volunteers who handle personal data receive data protection training as part of their induction
- Refresher training is provided at least annually
- Training covers the principles of data protection, recognising a data breach, and how to handle data securely
- Training records are maintained by the Data Protection Lead
Clear Desk and Clear Screen
- Personal data in paper form is not left unattended on desks
- Computer screens displaying personal data are locked when unattended
- Paper documents containing personal data are stored in locked cabinets when not in use
Data Handling Procedures
- Personal data is only shared internally on a need-to-know basis
- Emails containing personal data are sent only to intended recipients, with care taken to avoid accidental disclosure
- Where personal data is discussed verbally, conversations take place in private settings
Paper Records
Although Jesus Youth UK operates primarily in digital formats, it also handles some paper records containing personal data. These are managed as follows:
- Storage — paper records containing personal data are stored in locked filing cabinets or secure locations
- Access — only authorised individuals have access to paper records
- Transport — paper records are transported securely and not left in vehicles or public places
- Disposal — paper records are disposed of securely using a cross-cut shredder when no longer needed
Disposal Procedures
When personal data is no longer required and has reached the end of its retention period:
- Electronic data is permanently deleted from all systems, including email, cloud storage, and local devices
- Paper records are cross-cut shredded
- Hardware being disposed of or repurposed is securely wiped to remove all personal data
- A record of disposal is maintained, noting what was destroyed and when
Remote and Home Working
Where staff or volunteers access personal data while working remotely:
- They must use secure, password-protected internet connections
- Personal data must not be accessed on shared or public computers
- Paper documents containing personal data must be kept secure and returned or shredded after use
- Any loss or theft of devices containing personal data must be reported immediately