Information Security and Management Policy




The purpose of this policy is to provide guidance and direction on the creation and management of information and records and to clarify staff responsibilities. Bags of Taste is committed to establishing and maintaining information and records management practices that meet its business needs, accountability requirements and expectations of funders.  All data will be processed in accordance with GDPR –  article 5 requirements

Policy statement

The information and records kept by Bags of Taste are an asset of the organisation essential for ongoing operations and planning, evaluation and also in providing evidence of business decisions, activities and financial transactions.

Bags of Taste is committed to creating and keeping accurate and reliable records to meet its business obligations and obligations to its funders.

There is an expectation that Bags of Taste will not disclose any contact details or personal information kept for its staff, volunteers or students to a third party, unless it is legally required to do so.


This policy

    • Applies to all Board Members, staff, volunteers, funders and creditors
    • Applies to all aspects of the Bags of Taste’s business and all business information created and managed internally and externally.
    • Covers information and records in all formats including documents, email, voice to messages, memoranda, minutes, audio-visual materials and business syste
    • Covers all business applications used to create, manage and store information and

Part 1 – Information Security

The aim of information security is to:

  • Ensure the protection of confidentiality (ensuring that the information is accessible only to those authorised to have access), integrity (safeguarding the accuracy and completeness of information by protecting against unauthorised modification) and availability (ensuring that authorised users have access to information and associated assets when required).
  • Ensure all staff and volunteers are aware of and fully comply with all relevant
  • Ensure all staff and volunteers understand the need for information and ICT security and their own responsibilities in this respect.


Information – covers any information, including electronic capture and storage, manual paper records, video and audio recordings and any images, however created.

Personal Data – Any data which can be used to identify a living person. This includes names, birthday and anniversary dates, addresses, telephone numbers, fax numbers, email addresses and so on. It applies only to that data which is held, or intended to be held, on computers, or held in a ‘relevant filing system’. This includes paper filing systems.

Strong Password – A password which is 8 characters minimum length, contains upper and lower case alphabetical characters and numbers or punctuation characters

Encryption – Process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Sensitive information – Includes personal details and commercially confidential information.

Roles and Responsibilities

The Board of Directors is ultimately responsible for ensuring that information security is properly managed. The CEO (Alicia) is responsible for:

  • The development and upkeep of this policy
  • Ensuring that this policy is supported by appropriate documentation and procedural instructions
  • Ensuring that documentation is relevant and kept up-to-date
  • Ensuring that this policy and subsequent updates are communicated to relevant staff and volunteers.
  • Ensuring that information security arrangements are regularly reviewed to ensure that they comply with this policy and other security policies and standards in place.

Information security is everyone’s responsibility and all staff, volunteers, referring agencies and funders are required to comply with this policy. In addition:

  • Users of Bags of Taste ICT systems and data must comply with the requirements of this Information Security and Management policy.
  • Users shall be responsible for notifying the CEO of any suspected or actual breach of ICT security.
  • The CEO must inform the Board of Directors of any breach in relation to this policy.
  • Users must comply with the requirements of the Data Protection Act 2018, Computer Misuse Act 1990, Copyright, Designs and Patents Act 1988 and the Telecommunications Act 1984.
  • Users must be provided with suitable training and documentation, together with adequate information on policies, procedures and facilities to help safeguard systems and data.
  • Adequate procedures must be established in respect of the ICT security implications from personnel changes.
  • No personal data shall be taken from the main administrative office of Bags of Taste unless it is on encrypted media. This includes, but is not exclusive to, laptop computers, netbooks, external hard disks, memory sticks and Personal Digital Assistants (PDAs) & other removable media.
  • Remote access to information and personal data shall only be provided through an encrypted link and users shall require a strong password that is renewed regularly.
  • Users shall not publish spreadsheets, databases or other documents containing personal data on externally accessible web sites unless these documents are encrypted.

Physical Security:

  • Do not leave sensitive or personal data on printers, computer monitors or desk whilst away from your desk or computer.
  • Do not give out sensitive information unless the recipient is authorised to receive it.
  • Do not send sensitive/personal information via e-mail or post without suitable security measures being applied.
  • Ensure sensitive data, both paper and electronic, is disposed of properly.

 System Security:

  • Users shall not make, distribute or use unlicensed software or data.
  • Users shall not make or send threatening, offensive or harassing messages.
  • Users shall not create, possess or distribute obscene material.
  • Passwords should be memorised. If passwords must be written down they should be kept in a secure location.
  • Users who habitually access personal data shall have a unique user ID and a strong password that is renewed regularly in accordance with guidance provided in the documents listed in the introduction to this policy.
  • Passwords shall not be revealed to unauthorised persons.
  • Passwords will be changed if it is affected by a suspected or actual breach of security, e.g. when a password may be known by an unauthorised person.
  • Regular backups of data, in accordance with the recommended backup strategy, must be maintained.
  • Security copies should be regularly tested to ensure they enable data restoration in the event of system failure.
  • Security copies should be clearly marked and stored in a fireproof location and/or off site.

Virus Protection:

  • Bags of Taste will ensure suitable and up to date anti-virus software is applied to all ICT systems.

Disposal of Equipment:

  • When disposing of electronic equipment used to store or transfer electronic information, the CEO must ensure that all sensitive data has been permanently removed.

   Part 2 -Information Management

Scope of the policy

  • This policy applies to all records created, received or maintained by all staff, volunteers, funders and referring agencies in the course of promoting and carrying out         its activities.
  • Records are deemed as all those documents which facilitate the business carried out by Bags of Taste and which are thereafter retained (for differing set periods to be determined by the type of data) to provide evidence of its transactions or activities. These records may be created or received, and then stored, in hard copy or electronically.


  • The CEO has responsibility for day to day records management in the organisation and will give guidance about good records management practice so that information can be retrieved easily, appropriately and in a timely way. They will also monitor compliance with this policy by surveying at least annually to check if records are stored securely and can be accessed appropriately.
  • Individual staff and volunteers must ensure that records for which they are responsible are accurate, and are maintained and disposed of appropriately, this includes ensuring that personal records and data kept electronically is wiped from hard drives.
  • Bags of Taste shall ensure any personal data is obliterated from documents/data that is made available to funders or partners

Closure of Bags of Taste

In the event of the closure of Bags of Taste, the Board of Directors will be responsible for complying with any legal requirements for the retention of information, for example financial information.

This policy was approved by the Board of Directors on the 3rd February 2022.


If you have any questions, comments or requests regarding this policy please contact us at [email protected]