Walsall Community Active Projects CIC

Company number 17051741

IT and Cyber Security Policy

Document title: IT and Cyber Security Policy
Version: 1.0
Date adopted: 14 February 2026
Next review date: February 2027
Approved by: Board of Directors
Responsible officer: Founder / Director

1. Statement of Intent

Walsall Community Active Projects CIC relies on IT systems to deliver our work, manage participant information and run our organisation. This policy sets out how we keep our IT systems, data and people safe online.

It supports our Data Protection Policy and Safeguarding Policy.

2. Who This Policy Applies To

This policy applies to:

  • All staff and volunteers using our IT systems or accessing our data
  • Trustees who use email, documents or other systems
  • Contractors and partners with access to our systems
  • Anyone using their own device for organisational work ('bring your own device')

3. Key Principles

  • Use strong, unique passwords and turn on two-factor authentication where possible
  • Keep devices and software up to date
  • Be cautious with emails, links and attachments
  • Store and share information securely
  • Report problems and suspected incidents promptly
  • Use the internet professionally and safely

4. Passwords

Passwords must be:

  • At least 12 characters long, or longer for accounts with sensitive data
  • Made up of a mix of words, letters, numbers and symbols
  • Unique to each account, never reused
  • Stored in a reputable password manager, not on sticky notes or unprotected files
  • Changed straight away if there is any reason to suspect they have been compromised

5. Two-Factor Authentication (2FA)

Two-factor authentication will be turned on for:

  • All email accounts
  • Online banking
  • Cloud storage (such as Google Drive, OneDrive, Dropbox)
  • Social media accounts
  • Any system holding personal data of participants

6. Devices

Devices used for organisational work (whether owned by us or by the user) must:

  • Be password or PIN protected
  • Have up-to-date operating systems and security updates
  • Run reputable anti-virus and anti-malware software
  • Be encrypted where possible
  • Be kept physically secure, especially in public places, vehicles and at home
  • Be logged out or locked when not in use
  • Have all organisational data removed before disposal, sale or return to a third party

7. Email

Staff and volunteers will:

  • Use organisation-approved email accounts for organisational business wherever possible
  • Be alert to phishing emails (suspicious requests, urgent payments, unexpected links and attachments)
  • Check the sender's full address, not just the display name
  • Hover over links before clicking, and avoid clicking links in suspicious emails
  • Verify any payment or banking request by phoning the supplier on a known number
  • Not share login details by email
  • Report suspected phishing to the Founder and to the Suspicious Email Reporting Service (report@phishing.gov.uk)

8. Cloud Storage and File Sharing

We use approved cloud platforms for storing and sharing files. When using cloud services:

  • Share files only with people who need access
  • Use 'view only' access where editing is not needed
  • Avoid open or public sharing links for files containing personal data
  • Review who has access to shared folders regularly
  • Remove access when a person leaves or no longer needs it

9. Personal Devices

Where staff or volunteers use personal devices for organisational work, they must:

  • Follow this policy in full
  • Keep organisational data separate from personal data where possible
  • Be willing to delete organisational data on request
  • Not give other family members access to organisational accounts or files

10. Wi-Fi and Networks

Staff and volunteers will:

  • Use trusted, secured Wi-Fi networks for work that involves personal data
  • Avoid open public Wi-Fi for accessing organisational systems; if essential, use a VPN
  • Keep home Wi-Fi protected with a strong password and up-to-date router firmware

11. Social Media and Online Behaviour

See our Social Media Policy for full guidance. Key points:

  • Keep professional and personal accounts separate
  • Do not share organisational login details on personal devices used by others
  • Be careful about what you share publicly that could compromise our security or participants' safety

12. Backups

We will:

  • Back up important data regularly to a secure, separate location
  • Test backups periodically to confirm they can be restored
  • Keep at least one backup offline or in a separate cloud environment, to protect against ransomware

13. Use of AI and Online Tools

When using AI tools (such as ChatGPT, Claude or Microsoft Copilot) or other third-party online services:

  • Do not paste personal data of participants, staff or volunteers into public AI tools
  • Check the privacy and data terms before using a new service
  • Treat AI-generated content as a starting point, not a final product, and check facts
  • Be aware that AI tools may make mistakes or 'hallucinate'

14. Incidents and Breaches

Examples of incidents include:

  • Lost or stolen devices
  • Suspected hacking or unauthorised access
  • Data sent to the wrong recipient
  • Ransomware or virus infection
  • Suspected phishing that has succeeded

All incidents must be reported to the Founder immediately. We will follow our Data Protection Policy for any breach of personal data.

15. Leavers

When a staff member, volunteer or trustee leaves, we will:

  • Disable their accounts on the day they leave
  • Recover any devices or data
  • Change shared passwords or remove their access from any shared systems
  • Reassign their files to a new owner where needed

16. Training and Awareness

All staff, volunteers and trustees will receive basic cyber security awareness training as part of induction. Free training resources from the National Cyber Security Centre (NCSC) and the 'Cyber Aware' campaign will be used. Refresher training will be provided at least every two years.

17. Compliance

Failure to follow this policy may put participants, colleagues and the organisation at risk. Breaches may be treated as a disciplinary matter and, in serious cases, may lead to dismissal or removal from a role.


Policy Review

This policy was adopted on 14 February 2026 and will be reviewed annually, with the next scheduled review in February 2027. It will also be reviewed earlier if there are significant changes in legislation, guidance, or our activities.

All staff, volunteers and trustees will be made aware of any updates and asked to confirm they have read and understood the revised version.

Signed on behalf of the Board

Name: Martin O'Connor

Role: Founder and Director

Date: 14 February 2026