A list of cookies used by this website.
Name	Provider	Description	Expiry	Type
PHPSESSID	Website	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.	session	Necessary
sg-cookies	Website	This cookie simply stores your preferences on the website and allows you to continue viewing the website under your terms	1 year	Necessary
sg-popup	Website	This cookie stores whether you have already seen the sitewide popup or not	session	Necessary
sg-expiry	Website	Checks when to expire your accessibility preferences. After an hour, all the 'ch-' cookies are reset	1 hour	Necessary
ch-font-sizes	Website	Controls the preferences set within the accessibility options. This specifically remembers your font-size choices.	1 hour	Necessary
ch-font-times	Website	Controls the preferences set within the accessibility options. This specifically remembers how big you needed your font sizes.	1 hour	Necessary
ch-prefs	Website	Controls the preferences set within the accessibility options	1 hour	Necessary
__cfduid	.bootstrapcdn.com	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.	1 month	Necessary
__cfduid	.fontawesome.com	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.	1 month	Necessary
rc::a	google.com	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.	1 day	Statistics
rc::c	google.com	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.	none	Statistics
_ga	google.com	Registers a unique ID that is used to generate statistical data on how the visitor uses the website.	2 years	Statistics
_ga_#	google.com	Used by Google Analyitics to collect data on the number of times a user has visited the website as well as dates for the first and most recent visit.	2 years	Statistics
_gat	google.com	Used by Google Analytics to throttle request rate	1 day	Statistics
_gid	google.com	Registers	1 day	Statistics
collect	google-analytics.com	Used to send data to Google Analytics about the visitors device and behaviour. Tracks the visitor across devices and marketing channels	session	Statistics
NID	googe.com	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.	6 months	Marketing
CONSENT	youtube.com	Used to detect if the visitor has accepted the marketing category in the cookie banner. Th is cookie is necessary for GDPR-compliance of the website.	195 Months	Necessary
aka_debug	akamaized.net (vimeo)	Used by Vimeo to track usage of their embedded video player	session	Statistics
_p_hfp_client_id	apps.elfsight.com	Used to implement social platforms on the website. Enables the social platforms to track the users by assigning them a specific ID.	1 day	Marketing
OlivieClientCacheYottie#Requests	apps.elfsight.com	Sets a unique ID for the visitor, that allows third party advertisers to target the visitor with relevant advertisement. This pairing service is provided by third party advertisement hubs, which facilitates real-time bidding for advertisers.	persistent	Marketing
VISITOR_INFO1_LIVE	youtube.com	Tries to estimate the users bandwith on pages with intergrated YouTube videos	179 days	Marketing
YSC	youtube.com	Registers a unique ID to keep statistics of what videos from YouTube the user has seen	session	Marketing
yt_cid	youtube.com	registers a unique ID to keep statistics of what videos from YouTube the user has seen	persistent	Marketing

Access Control Policy

Home » Access Control Policy

Version No.	Date Change Made	New Version No.	Changes Made By (initial)	Comment
1	March 2025		NM	New Policy

toc goes in here

Purpose

The objective of this policy is to minimise accidental or unauthorised access to the town council systems, networks, drives, applications, electronic folders and electronic information. It is therefore applicable to all forms of logical access. The council requires that all employees and members comply with the directives presented within this policy. This document supports the council’s IT and Data Protection Policies. It provides direction and support for the implementation of access controls and is designed to help council employees carry out the business of the council in a secure manner.

Introduction

Individuals who are not explicitly granted access to council information or information systems are prohibited from using such systems.

Individuals employed by or under contract to the council shall be granted access only to information and information systems that are required to fulfil their duties.

Access will be granted only to those individuals who have formally agreed to comply with the council’s Information Security Policy

This policy applies to:

all employees including temporary and agency workers, independent consultants and contractors
members
third party organisations who require access to the council’s information systems and facilities should also be aware of the contents of this policy

The policy is not designed to be obstructive. If you consider that any element of this policy hinders or prevents you from carrying out your duties, please contact the council clerk

This policy should be read in conjunction with all other IT and Data Protection policies

Access to IT network and drives

Access to information and information systems will be controlled on the basis of business and security requirements.

Each business application run by, or on behalf of the council, will have a nominated system administrator who is responsible for managing and controlling access to the application and associated information.

Access to information must be based on roles and responsibilities, ‘need to know’ and segregation of duties and roles. The appropriate information, system, database, or application owner is the only individual that can authorise a systems administrator to grant or update access via the formal access management process.

Special attention is given, where appropriate, to the need to control the allocation of privileged access rights, which allow users to override system controls.

The council has adopted common Windows-based operating systems, and predefined user profiles will be maintained to restrict access.

Remote access to systems

Work is recognised as an activity rather than a specific place. Therefore, the locations in which work is carried out can include places away from the office such as home. Or the work could involve dealing with the public and/or customers in the community or where our services are based and/or delivered. Macclesfield Town Council allow flexible working arrangements as long as the following computer set up is arranged:

Physical security of site
Appropriate anti-virus/ firewall security installed
Suitability of ISP – (this is of particular relevance if remote site is outside of UK)

User access management

User access management covers all stages of user access, from initial registration, through changes in role, to deregistration and revocation of access.

The security of systems, networks, applications and databases is heavily dependent on the level of protection of user IDs, passwords, and other credentials that provide access to it. Hence, protecting the credentials that provide access to information is indirectly protecting the information.

Identification and authentication of users and systems enables the tracking of activities to be traced to the person responsible.

All employees shall have a unique identifier (user ID) for their personal and sole use. Shared, group and generic user IDs are not permitted unless they are used to access subscribed login websites i.e: CHALC, NALC etc. Employees must be educated that they are not permitted to allow their user ID to be used by anyone else. Employees must be made aware of this and how to store them.

A process must exist for issuing and revoking the user IDs. Redundant user accounts must be monitored and managed.

User registration

A process for user registration and granting access rights exists and includes:

line managers request correct access controls for new users. A ‘New User Request’ should be completed using the council’s Service Desk
unique user IDs assigned so that access and modifications can be traced
authorised users are aware of their responsibilities for the protection of information within the application and where applicable users sign an appropriate agreement
ensuring access is granted once authorisation is obtained
maintaining a record of all registered users
Change of role

Review of access rights

The clerk should review access lists to ensure they are still applicable.
The data controller must approve access rights prior to set up by the system administrator.
The system administrator does not have the authority to decide who should have access to what information. This is a council decision.

Removal of access

On resignation of employment, the worker’s line managers, (and in conjunction with HR provider guidance where required), will undertake a risk assessment and determine whether existing access rights of an individual should be reviewed and reduced whilst working out their notice. Hostile terminations must be communicated to system administrators immediately and access immediately disabled.

Access rights should be disabled within 24 hours on the employee’s final working day.

If the leaver has been provided with any equipment and access to systems and buildings, it is important that all council assets are returned on the workers last working day and access to buildings and systems removed.

It is the responsibility of line managers to ensure that leavers return their entry ID pass at the end of their last working day.

It is important that all assets are returned to the council on the workers last working day.

Privilege management

A process is in place for the allocation and removal of system administration level access or increased user privilege. This will primarily be to provide access to systems and specific drives/folders where a staff member is off on sickness or other absence, or extended sickness absence, to permit temporary access, allowing essential council business to continue. Privilege management includes the control that every level of privilege within each application and the categories of staff to which they need to be allocated are identified and recorded:

Privileges are allocated to an individual as an event requires
Authorisation is recorded for each allocated level of privilege and only granted once authorisation is obtained
The development of system routines are identified and implemented to avoid the use of privileged access
Privileges are assigned to a different user ID from those used for normal business use and a log of increased user privilege is recorded

Exceptions

In the following exceptional cases compliance with some parts of the policy may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question:

If complying with the policy would lead to physical harm or injury to a member of staff
If complying with the policy would cause significant damage to the company’s reputation or ability to operate
If an emergency arises, for instance due to staff absence/sickness access needs to be allocated to ensure council business can continue uninterrupted – see’ Privilege’ section above

In such cases, the staff member concerned must take the following action:

Ensure that their manager and the clerk is aware of the situation and the action to be taken
Ensure that the situation and the actions taken are recorded in as much detail as possible on a non-compliance report

Failure to take these steps may result in disciplinary action:

In addition, a list of known exceptions and non-conformities to the policy should be maintained. This list contains:

known breaches that are in the process of being rectified
minor breaches that are not considered to be worth rectifying
any situations to which the policy is not considered applicable

The council will not take disciplinary action in relation to known, authorised exceptions to the information security management system.

Non – Compliance

Non-compliance is defined as any one or more of the following:

Any breach of policy statements or controls listed in this policy
Unauthorised disclosure or viewing of confidential data or information belonging to the council or partner organisation
Unauthorised changes to information, software or operating systems
The use of hardware, software, communication networks and equipment, data or information for illicit purposes which may include violations of any law, regulation or reporting requirements of any law enforcement agency or government body
The exposure of the council or partner organisation to actual or potential monetary loss through any compromise of security

Any person who knows of or suspects a breach of this policy must report the facts immediately to the clerk

Any violation or non-compliance with this policy may be treated as serious misconduct.