Key terms

Personal data relates to an identified or identifiable living individual, or different pieces of information which, collected together, can lead to the identification of a particular person.

Official information is that which, if shared inappropriately, could be used to cause reputational or commercial damage to Barnardo’s or a partner organisation.

You should read this guidance in conjunction with our wider Information Security Policy.

Purpose

During the Covid-19 Pandemic it is important that we maintain essential links between staff, service users, carers and key third party organisations, when you are working from home. 

This guidance is to enable everyone across Barnardo’s to understand what you may and may not do during this period - particularly where this diverges from “usual practice”.  It aims to keep yourself, service users, carers and other stakeholders safe, while maintaining critical contact.

This is evolving guidance. It will be regularly updated in response to issues you identify, and the development of practice, guidance and support.  We will notify you of changes through Workplace

If you have an issue which is not covered in this document, or to let us know how well this guidance works for you, please complete this short form.  We’ll use your feedback to continuously improve this page.

Using Barnardo’s equipment

Barnardo’s systems may only be accessed through Cisco VPN with a username and password. See our Passwords and signing in page for more information.  And use this guide to accessing systems from home.

If you download personal data to a Barnardo’s laptop or other device, you must save it to the secure system as soon as possible and delete it from the device.

To reduce pressure on our systems, you should use Workplace or Google Meet for communication within teams, rather than email. You can also access Workplace using personal devices. Find out more about connecting with colleagues.

Using non-Barnardo’s equipment

If you do not have access to Barnardo’s mobile devices, you may use your own devices in order to work from home, where this is agreed by your line manager.

Barnardo’s systems may only be accessed with a username and password. See our Passwords and signing in page for more information.

If you use a computer, tablet or mobile phone for work involving personal data, you must have sole use of the device or always be able to securely separate your access from other members of your household.

Devices used for work must be protected by a password or pin known only to you.

You should be able to complete all your work in one or more of the systems available online. See this guide to accessing systems from home.

If there is a business critical reason why personal data must be downloaded to a personal device, you must secure approval with the Data Protection Officer through your line manager. 

If you are using your own phone to contact service users or carers, ensure your number is not visible to the user. Prefix the number with 141 when using a landline and most mobile phones. But check your specific smartphone settings (usually Settings > Apps > Phone > More > Caller ID > Block). This does not work for a smartphone's in-built messaging app.

To automatically divert calls to a service telephone to a personal device, contact the Service Desk. The number may only be diverted to one number at any one time.

Communicating with service users, carers and other external stakeholders

You must not record audio or video using any of these systems, or using other applications and software available for personal devices.  Recording must always be switched off before you communicate with service users or carers.

You must make a record of all contact with service users in their case record as soon as possible after the contact, and within 5 working days maximum. Any messages must be deleted.

You may only use personal equipment with the express permission of your service manager.  

You must have clear guidance about what you may use and how.

As a manager, you should consider: 

- The nature of the service and the appropriateness of one to one or group communication;

- Actions required to safeguard your staff and service users when using digital communication. This includes:

  • providing service users with clear guidance at the beginning of the new means of communication, including instructions about what to do if the child or young person feels unhappy or uncomfortable with the method of communication;
  • the maintenance of regular supervision;
  • recording of all contacts within 5 working days; and 
  • regular sign off of recording by the line manager.

Applications for digital communication

Google Meet is our supported, enterprise-level platform for  video and audio meetings with service users and other external stakeholders. Our systems administrators hold a record of the Meets, who joins and when, and termination / leaving the Meet which can be requested, if required, for up to 6 months after the event.  This provides additional assurance from a safeguarding perspective. 

Meetings are free (unless dialled into using the phone number - individual account charges will apply), and a maximum of 250 people can be invited.

Google Meet should be used unless there is a clear business case to use another platform. Use the following checklist:

  • recognise that other platforms are not supported by Barnardo’s;
  • undertake an assessment of each child or young person under the age of 16 and choose a solution which offers the best combination - in your judgment - of safeguarding and information security;
  • ensure that you (and the service user) are using the most up to date and secure version of the software;
  • ensure that the settings deliver the optimum levels of security (such as password protection, personal data sharing set to Off).​​​​

Other applications

The following applications are not supported by our Service Desk. Where available, we provide a link to a risk profile of the app from the Uk Safer Internet Centre, to support any risk assessment that you need to undertake.

For any applications not listed here, please consult with your Data Protection Manager.

WhatsApp

WhatsApp may be used to communicate with individuals where they are already an active WhatsApp user.

16 and over:  Please read our guides for Android or iPhones on using WhatsApp for supporting children and young people.

Under 16: Use our guides for over 16s, above, and please complete the WhatsApp risk assessment and read this specific guidance on the use of WhatsApp with under-16s.

Risk to service users: WhatsApp Groups must not be used for meetings involving more than one service user, because it provides access to other service users’s phone numbers within the group.

Risk to staff: WhatsApp is linked to and shares your mobile number.  Therefore, you should only use a Barnardo’s phone for WhatsApp. You should not use a personal phone.

Microsoft Teams

Microsoft Teams is used by some Commissioners.  You can join a Teams meeting without a Microsoft account through your web browser and/or phone.  

If a Commissioner asks you to set up a meeting using Teams, let them know that we use Meet.  It provides equivalent standards of security and functionality, and they (or our service users) will be able to join the meeting through their browser or an app.

Safeguarding and privacy overview.

Skype

Skype may be used to communicate with children and young people using an account set up with your Barnardo’s email address.  Ensure you are logged into the Barnardo’s account before communicating with a child or young person if using a personal device. 

Risk to staff: You should ensure your Skype account is set to block unwanted calls and consider hiding personal information that can be shared by Skype.​​​​​

Safeguarding and privacy overview.

Facebook Messenger

Facebook Messenger can only be used with an authorised Barnardo’s Facebook account. It should only be used for informal engagement (e.g. “The youth club starts at 7pm” or “Here is a great link to help you feel positive about your day.”) and must not share any personal information.

Risk to service users: Facebook Messenger is not encrypted by default. Facebook Messenger shares data such as location unless specific sharing settings are turned off.

Risk to staff: If using a personal device to login to a Barnardo’s Facebook account, review your Facebook privacy settings.

Zoom

Zoom has not been subject to a data protection assessment by Barnardo’s and, following a recent increase in popularity, has been criticised for its security standards.

Risk to service users: The Children’s Commissioner for England updated guidance for schools for Zoom, on 2 April 2020, with some helpful advice on setting appropriate security standards.Zoom events are not end-to-end encrypted. Zoom can be subject to “bombing” if not password protected, where others join the event and share content that could harm service users. Some reports suggest that some versions of Zoom also share data with Facebook and install software which can access microphones and cameras on devices without the user’s knowledge.

Risk to staff: As for service users, above. 

Safeguarding and privacy overview.

Data Protection and maintaining data security

Subject Access Requests (SARs)

The current situation may impact on the speed with which we can respond to SARs or receive responses from 3rd parties about sharing their data. Please use this Letter informing subjects of possible delays to SARs if you receive requests during this period.

General security

Where it is necessary for hard copy containing personal data to be kept at home, the usual guidance applies in relation to keeping it locked away when not in use and not leaving it unattended.

The usual guidance also applies to ensuring screens are not overlooked and are locked when not in use, and ensuring that work related phone calls involving personal data are conducted in private.

Be aware that Alexa, Nest, smartphones and other smart devices can listen over long distances in homes and gather audio and, in some cases, video of conversations. Consider taking steps to ensure this doesn’t happen during contact with service users and carers. 

Supporting guidance

General Covid-19 guidance from the Office of the Information Commissioner. The ICO is the UK’s independent body to uphold information rights.

Covid-19 information security guidance from the NHS.

Guidance on supporting the mental health and wellbeing of young people during the Covid-19 pandemic.