Handling Personal and Sensitive Information Procedures


This document sets out the operational instructions and guidance for dealing with personal and sensitive information. We all have legal duties and responsibilities in relation to security and confidentiality of personal and sensitive information and this document sets out to ensure that as a Service we comply with these.

General Principles and Operational Instructions

  1. All personal, sensitive information must be kept secure at all times. When records are not actively being used they should be “locked” in accordance with specific advice and instructions.
  2. Personal sensitive information may only be processed on approved, normally Council owned equipment. RES can be accessed using other equipment. Staff must not use their own personal devices to store information. Devices or equipment includes laptops, USB memory sticks or any other electronic media to create, copy or update personal identifiable information. The use of BSU remote access service is permitted when using non Revo devices.
  3. Paper records and portable storage devices must be kept secure when not actively used. This includes secure transit.
  4. Records must not be left unattended on desks, printers, faxes or copiers.
  5. Information being transferred around BSU or being shared outside the system must be kept secure.
  6. Information being transferred around the council or being shared outside the council must be labelled or marked to indicate any restrictions on use.
  7. Any loss of personal sensitive information must be reported to the ITU Service Desk or the Data Protection Officer immediately.


Taking Paper Files Away From BSU Office / Project Base

  1. Records taken away from your project base should be stored in the lockable bag that you have been supplied with*. Keep the records with you, or locked in the boot of the car whilst in transit. Ensure that the following label is attached on the outside of any folders:


“Private & Confidential. The contents of this file are the property of BSU Ltd. If you are not an employee or representative of Revo, do not view, disclose or use the information. Please contact BSU Ltd on 07575294917 if you have found this file.”

  1. Ensure that when records are taken away from your project base this is documented (checked-in / checked-out).
  2. If despite these precautions, the records are lost or stolen, report this to your line manager and the Data Protection Officer immediately.
  3. If possible, avoid taking more than 20 client records away from your project base at one time without carrying out a risk assessment.
  4. Do not discuss the contents of the records with anyone other than those who have a legitimate need to know.

*lockable bags are provided to staff who are required to carry personal sensitive information relating to their clients e.g.  to and from youth clubs, schools, offsite trips.

References and Training

There is further information on information governance and data protection on the intranet:

There are also e-learning courses available on the subjects above which can be access via the Learning Pool: