Data Protection & Privacy Policy
This page presents SEQHER’s internal standards for secure communication, responsible data handling, password protection, device security, incident response, staff training, and compliance.
Policy Overview
This policy guides how SEQHER manages communication, information, devices, passwords, travel security, protest-related security, incident response, staff training, and compliance. It is designed to reduce risk, strengthen accountability, and protect sensitive data across the organization.
All staff are expected to handle organizational information responsibly, use approved systems, and apply good security judgment in their daily work.
Core Focus Areas
- Secure communication and official account usage
- Risk-aware information creation, sharing, storage, and access
- Strong password and device protection standards
- Alternative security guidance for travel and protests
- Rapid incident response and recovery procedures
- Training, review, and policy compliance
1. Communications & Official Channels
Official communication must happen through approved channels, protected accounts, and secure methods that reduce exposure of sensitive information.
Approved Communication Standards
- All official communication should use approved channels only.
- Messaging, texting, and calling should use end-to-end encrypted tools.
- Sensitive information should not be shared through unencrypted communication or standard mobile text messages.
- Approved messaging applications include WhatsApp and Signal.
- When using Signal or WhatsApp, staff should verify contact identities with the app's safety number (security code) feature and enable disappearing messages for sensitive conversations.
Email & Social Media Rules
- Official communication should use encrypted official email accounts only.
- Internal emails containing sensitive information should be encrypted.
- Emails and official accounts should be password protected and secured with 2FA.
- Staff must use caution with unknown attachments and report suspicious emails.
- Official social media accounts are the only accounts permitted for official communication.
- Personal social media accounts may be used only to repost or promote official messages, and staff should be aware of the associated risks when doing so.
2. Data, Information & Access Management
SEQHER’s policy requires thoughtful handling of organizational information from creation through storage, duplication, sharing, and access.
Risk Assessment & Sharing
- Risk assessment should be part of planning activities and data collection.
- Staff should consider adversaries, weaknesses, and the physical, social, economic, financial, or psychological harm that could arise.
- New activities and data collection should undergo at least an informal risk assessment.
- Where risk is moderate, high, or uncertain, a formal risk assessment should be completed.
- Files and information should follow Traffic Light Protocol definitions and sharing boundaries.
- TLP labels (RED, AMBER, GREEN, and CLEAR, in order of decreasing restriction) indicate how far a file or piece of information may be disclosed.
Duplication, Storage & Access
- Data duplication and access should follow confidentiality requirements and agreed sharing limits.
- Only authorized staff should have access to organizational information and files.
- Files should be stored on official organizational drives and official mobile devices only.
- Organizational files should be shared using official email accounts.
- Storage on personal mobile devices is discouraged.
- All organizational data remains under the ownership of SEQHER and must be protected accordingly.
3. Passwords, Devices & Alternative Security
Strong credentials and secure device practices are central to reducing preventable risk across the organization.
Passwords & Devices
- Work-related passwords should be strong, unique, and at least 12 characters long.
- Users must not reuse work passwords for personal accounts.
- Approved password managers may be used, and official passwords should be stored in the organization-approved manager.
- Passwords should only be changed when compromise is suspected or requirements are not met.
- Passwords must not be shared through email, calls, or other insecure channels.
- Organizational devices should not be used for personal purposes and must be updated regularly, checked for malware, locked with password protection, and kept secure from third-party access.
- Staff must promptly report theft, loss, or unauthorized disclosure involving any device.
Travel, BYOD & Protest Guidance
- Staff using personal devices for official work must apply the same security standards.
- When traveling, staff should keep devices updated, carry the minimum of sensitive data, avoid public Wi-Fi, and use a VPN where lawful.
- End-to-end encrypted communication tools should be used during travel.
- External drives and sensitive devices should be encrypted, and devices should never be left unattended.
- Protest planning should include security analysis, role allocation, route planning, liaison coordination, and emergency preparedness.
- Demonstrations should include trained stewards, legal readiness, medical awareness, and the ability to safely abort if risk escalates.
4. Incident Response, Training & Compliance
The policy also defines how SEQHER responds to incidents, maintains staff readiness, and monitors compliance.
Incident Response & Recovery
- Any security incident should be reported to the organization immediately, before any other action is taken.
- If a device is seized or compromised, it should be remotely signed out of all connected accounts.
- Recovered devices must be checked for compromise or malware before reuse.
- If access to an account is lost, recovery procedures should begin immediately.
- If device compromise caused loss of access, another secure device should be used for account recovery.
Training, Review & Enforcement
- All staff should have access to the policy and receive updates when it changes.
- Staff should be trained periodically on the contents of the policy.
- New staff should receive the policy during orientation.
- Reviews and updates should be undertaken periodically by the Communications Team with input from other teams.
- Compliance may be verified through reports, audits, and feedback.
- Exceptions require advance approval from the Communications Team.
- Non-compliance may result in disciplinary action.