Other policies
Data retention
A requirement under GDPR, you need to set out the categories of information that you hold and the length of time that you intend to keep that information. This does not need to be very detailed, but should give a clear indication to any individual how long their information will be kept.
CCTV
This policy should cover where cameras are sited, who has access to footage, where footage is stored, for how long footage is kept and how individuals can request access to that footage.
ICT/social media
You will be using and storing personal information on your IT systems, so
any IT policy should refer to the data protection implications of this, and as a minimum, should set out what security requirements you wish to impose. As an example, you may want individuals to change their password on a regular basis and not to give that password to anyone else.
Social media policies will also need to set out what is and is not acceptable use of social media, in terms of the individual’s role, and may need to refer back to your data protection policy.
220 Chapter 11