When you are recording or obtaining information about individuals, make sure you are not breaking data protection legislation. When you are using Petra, make sure your actions are in the interest of CAB Gwynedd.
Information Asset Owner and Administrator for Petra are nationally recognised roles which in CAB Gwynedd are performed by George Williams, Quality Manager. Issues arising from this policy should be raised with George in the first instance.
Access to client data. Only access client data when you have a business reason to do so. Only access the minimum amount of data that you need to carry out the business task. Petra has an audit trail for usage to ensure that people are accessing Petra to fulfil required business needs only. Only view, create or add to client records if you have a valid business need. Regular reports will highlight usage of Petra within CAB Gwynedd. Any client record of another bureau viewed or accessed will be registered and reported; a regular audit of these reports will be undertaken to ensure appropriate use.
Collaborating bureaux – when CAB Gwynedd has a recognised partnership, e.g. Adviceline, and there is a valid business need to view, create or add to the client record that belongs to another bureau in the group, it is permissible to do so.
Instances of misuse will be investigated and dealt with appropriately. Any breaches of policy or confidentiality will be taken very seriously indeed: for staff, this may result in disciplinary action; for volunteers or contractors, if the impact is serious enough, this may mean it is no longer appropriate for them to work in the bureau. Some breaches of confidentiality are criminal offences under Section 55 of the Data Protection Act.
Sensitive data. You should be aware of sensitive data and always seek advice from the Quality Manager when dealing with sensitive data. Ensure that sensitive data is always stored securely; do not hold copies of sensitive information away from Petra unless you have the permission of the Quality Manager.
Sharing data. Do not discuss or release data into the public domain. If there is a business need to share data, seek agreement from the Quality Manager. Any data shared will need to be done in accordance with the Data Sharing Agreement.
Conflict of interest checks on clients. You are permitted to search for a client across the whole service database if there is a business need. Finding the client does not create a conflict of interest. You should not open the enquiry record to check whether a conflict exists after finding the relevant client – please refer to Policy on accessing case records on Petra for guidance.
Reports. If you are responsible for Petra reports, ensure that you only download the minimum amount of data needed. If the reports contain personal data and are exported to another document, you need to make sure that this document is kept in a secure location which can only be accessed by people who have a business need to use it and is preferably encrypted or password protected.
Printing. If you have access to printing within Petra, only print the minimum amount of data needed; ensure that you are near the printer to be able to pick it up immediately. Store the printed information securely until you can dispose of it securely (see Golden rules of keeping data safe).
Petra user names and passwords. Users must only access Petra using their own user identification and password. Do not tell anybody else your username and password. Do not write your username and password down. Change your password when prompted. Seek agreement from the Quality Manager if you have a business need to share your details. Ensure your password is changed immediately afterwards.
Locking your computer. In all instances it is recommended that your screen is locked if you leave your workstation. If Petra is available you must lock your screen if you are not present (Ctrl, Alt, Del).
Logging out of Petra. Ensure that you log out of Petra when you are away from your workstation for a significant amount of time. You should ensure that all browser windows are closed before logging out.
Training and awareness. All members of CAB Gwynedd should complete annual information assurance training appropriate to their role in the bureau and be familiar with bureau policies. Management will support you in this, and any concerns should be raised with a manager. Golden rules of keeping data safe is available on CABlink and BMIS and provides practical guidance on keeping data secure.
Awareness: you must remain aware of who may see your screen when dealing with client information. Always be aware of the physical location you are working in and report any unexpected visitors or instances. When working away from the bureau, ensure your device is encrypted if it contains personal data. Keep your equipment with you at all times.
Information assurance incidents. All incidents involving client or bureau sensitive data should be reported to the Quality Manager. If you are aware of another member of staff behaving inappropriately concerning Petra (and anything else), speak to your manager or use the bureau whistleblowing policy.
Updated: 8 November 2016