Cybersecurity — Keeping data safe



With a significant increase in home working, it is essential to consider what security measures you have in place.

The ICO (Information Commissioner’s Office) has addressed the top three GDPR compliance challenges as follows:

Own devices

Remote working will increase the amount of personal data held on personal laptops or mobile phones, and the use of non-council email addresses by councillors and clerks instead of the council’s email system.

Data audits

Retaining information just because it might be helpful in the future doesn’t mean it’s necessary to keep it. Councils should cleanse their records by deleting or destroying old data that is no longer relevant and has accumulated over time. Councils often don’t have formal handover processes whereby the ‘old’ clerk hands over relevant data to the new clerk and deletes or destroys old data.

Data sharing

Councils may struggle with knowing how to share data appropriately. They worry about potential conflicts between different pieces of legislation, and about whether to publish residents’ names in council minutes or how to redact them.

Our tips to help you stay safe and secure

  • Use virtual private networks (VPNs) – ensure that all the data passing between the remote worker and the office network is encrypted and protected.
  • Consider Cyber Insurance – BHIB Cyber for Councils is our Cyber Insurance offering to protect against a range of cybersecurity threats.
  • Ensure your email protection is up-to-date and raise awareness of “phishing” emails – stay particularly vigilant for malicious emails which use the pandemic as a means to steal money or personal information. Reported scams from CFC Underwriting (an insurer specialising in cyber insurance) include:
    • Impersonating airlines and travel companies.
    • Fake charitable donations.
    • Fake emails claiming to sell masks and medical supplies.
    • Impersonating the World Health Organisation.
  • Use updated versions and latest patches – ensure all devices, operating systems and software applications are up to date.
  • Consider web filtering – applying web filtering rules on devices will ensure users can only access content appropriate for ‘work’.
  • Enable use of cloud storage for files and data – but don’t leave files and data in the cloud unprotected and accessible by anyone.
  • Train your employees on Cybersecurity – At BHIB, we have a Cyber Risk Management Bundle that is a ready-made cyber awareness pack for Councils to reinforce compliance and raise cyber awareness.
  • Manage employee privileges – limit the number of people who have access to personal and/or sensitive data and regularly monitor their activity.
  • Establish a cyber incident response plan – make sure your plan addresses various potential cyber risks and allows for a smooth and efficient recovery as soon as practical.
  • Enforce a cyber risk management policy on staff members – this should include a safe internet use and email policy, BYOD (Bring Your Own Device) policy, mobile working policy, data privacy policy and a data breach policy.

GDPR compliance

Following GDPR (General Data Protection Regulation) is crucial to ensure data protection and avoid fines for non-compliance.

Consider the below guidance:

  • Please make sure all staff fully understand what is covered by GDPR and what they need to comply with.
  • Review your existing data processing practices and policies and ensure that your council conforms with at least one of the six lawful bases for processing.
  • Depending on your position in local government, you may be subject to registration and payment of a data protection fee. Check with the ICO to see if this applies to you.
  • Review the existing data-sharing agreements and ensure they comply with GDPR standards.

Social media

Social media is an increasingly popular way for local councils to communicate with residents. Please ensure you have procedures in place to manage related risks effectively.

Guidance for social media accounts should include (but is not limited to):

  • Be responsible and respectful during all social media interactions. Ensure your social posts follow any relevant local council HR policies.
  • Only share content and links from reliable sources, and always provide credit to the source. If in doubt, don’t post.
  • Establish a routine and schedule for your social communications. Try to make sure the content you share is designed to engage your audience, e.g. by asking questions and offering feedback to comments.
  • Use social media as a platform to be transparent with your community – be open and honest.

Find out more about Cyber Insurance for your council

Any views or opinions expressed in this briefing are for guidance only and are not intended as a substitute for appropriate professional guidance. We have taken all reasonable steps to ensure the information contained herein is accurate at the time of writing. In relation to any particular insurance-related issues, readers are advised to seek specific advice.
