top of page
u3a_Logo_SHORT_Dark Blue_Transparent bg_1.png

Created: July 2020

Updated: July 2024

   Login and Password Policy   

Thameside Wallingford u3a (hereafter ‘the u3a’) treats your privacy rights seriously.

 

This  policy sets out how we will deal with login’s and passwords for software and hardware used for the administration of the organisation and which holds your details.

 

Context

The u3a has number of computers used for the organisation and running of your u3a. These machines use a variety of software for:

  • Administering the organisations finance

  • Accurate membership details

  • Emailing members

  • Newsletter production

 

These computers contain information which must be held under GDPR guidelines. For this purpose  all computers owned by the u3a require a password to start and only authorised users are able to access the device. All software requires a password before any files can be opened. 

This policy sets out who has access to these devices, logins and passwords and is responsible the safe storage of the device.

 

Who has access

The three computers owned by the u3a are used by

  • Database Manager

  • Treasurer

  • Speaker Committee

 

These are delegated as primary users, deputies for the role are designated as secondary users.

 

The Database Manager has responsibility for membership data and uses appropriate software to manage this task. The manager is responsible for physical security of the device. The device is kept at home except when required at authorised u3a meetings. The device is secured with a secure login and software requires a different password to access files. 

 

The Treasurer has responsibility for financial data and uses appropriate software to manage this task. The manager is responsible for physical security of the device. The device is kept at home except when required at authorised u3a meetings. The device is secured with a secure login and software requires a different password to access files. 

 

The Speaker computer can be kept by any Committee member authorised by the Committee to do so. This computer is only used at speaker meetings and therefore contains / stores no data so is not required to be compliant with any GDPR rules. A login is required before it can be used.

 

The primary and  secondary users both hold the login and password required to access their device. For added security the Chair must also be given paper copies of all the access details for the device and any software on the device. These can be in a sealed envelope that the Chair can hold and used with the authorisation of the Committee if required.

 

Essential user

There may be times when other Committee members require live access to data not held on a physical computer but on a cloud computing storage device. This data will be protected with a user login and password. If requested by the Committee the primary user will pass on the login information to the designated essential user.

 

NOTE:

THE ESSENTIAL USER MAY VIEW AND USE THE DATA BUT MUST NOT CHANGE THE DATA.

IF DATA IS FOUND TO BE INACCURATE THEN THE PRIMARY USER MUST BE INFORMED OF THE ERROR IN ORDER FOR CORRECTIONS TO BE MADE.

 

Login - Password changes

It is not necessary for frequent changes of login details but if there is a suspicion that details have been compromised then:

  • If the primary or secondary user agree then they may change user logins and password

  • If there is no secondary user then they must seek permission of the Committee before any change is made email permission is acceptable for this

  • If a change is made the person making the change must notify the Committee as soon as possible by email that changes have been made and ensure copies of the new login details are given to the Chair for safe keeping

  • If there are any essential users they must also be informed of the changes

 

In case of emergency?

If a delegated user is incapacitated for any reason and is no  longer able to perform their role then the following procedure will be set in place:

  • Committee to authorise deputy to assume the role

  • Authorised deputy or Chair to collect the computer

  • If no authorised deputy is available the Committee can appoint another member of the Committee to carry out role. If this is not possible then the Committee can co-opt new person from membership to cover the role

  • With the approval of the Committee the Chair can give a new primary or secondary user the access details required to perform their role

 

Availability and changes to this policy

This policy may change from time to time. If we make any material changes we will make members aware of this via the newsletter and the monthly members’ meetings. 

Contact and complaints

If you have any questions about this policy or have any concerns about our security practices, please contact the Chair.

 

Author: Ian Shipton - June 2024

bottom of page