Bring Your Own Device (BYOD) for Staff and Visitors

Transcription

1 Bring Your Own Device (BYOD) for Staff and Visitors Version Created April 2015 Reviewed by Education and staffing Committee Review Cycle Triennial Next review September 2019 Source CDR/ISBA C:\Users\Paul\Documents\Crescent School\Policies\Under Review\E & S to review\bring Your Own Device (BYOD) Policy for Staff and Visitors V docx 1

2 Introduction This policy is intended to address the use of non-school owned electronic devices by staff members and visitors to the school. These include smart phones, tablets, laptops and other devices used to access and store school information as well as users' own data. This is commonly referred to as 'Bring Your Own Device' (BYOD). The school recognises that mobile technology offers valuable benefits to both staff from a teaching and learning perspective. Our school embraces this technology but requires that it is used in an acceptable and responsible way. This policy covers the use of such devices and the liability of the school for mobile devices used on school premises. The use of such devices on school grounds is at the discretion of the school. Staff and visitors to the school can be granted the right to use their mobile devices provided they adhere to the policy herewith. Related Policies Policy on Pupils' Acceptable Use of ICT, Mobile Phones and other Electronic Equipment Social Media Policy Data Protection Policy for Pupils Data Protection Policy for Staff Anti-Bullying Policy e-safety Policy 2

3 Bring Your Own Device (BYOD) Policy for Staff and Visitors 1. School Guidelines for Responsible Use of BYOD 1.1 Staff and visitors to the school may use their own devices in the following locations: In the classroom with the permission of the teacher In the school environs (libraries, hall) 1.2 Staff and visitors to the school are responsible for their device at all times. The school is never responsible for the loss of or damage to the device or storage media on the device (e.g. removable memory card) howsoever caused. 1.3 Devices must be turned off when in a prohibited area and/or at a prohibited time, unless special circumstances apply. 1.4 The camera facility on mobile devices within an educational context is encouraged (but not permitted within the school's nursery/eyfs setting). The use of the facility to take pictures of students in a social context is permitted (but not permitted within the school's nursery/eyfs setting) provided it is in accordance with the school's social media policy and anti-bullying policy. 2. Security and e-safety 2.1 The school takes no responsibility for the security, safety, theft, loss, insurance or ownership of any device brought onto the school premises which is not defined as the property of the school. If a device is stolen from school grounds the school will investigate the theft. Wilful damage to devices will also be investigated by the school. The school office must be notified immediately of any incidents and these will be logged. 2.2 Staff must take all reasonable steps to protect their own property. 2.3 Devices should be used with care and the safety of staff and others on school grounds is paramount. 2.4 Staff must take all sensible measures to protect information including but not limited to the use of authenticated access to their own device (i.e. requiring a PIN, pattern or password to be entered to unlock the device). Users should also ensure their device auto-locks if inactive for a period of time. The school reserves the right to remotely wipe a device in the event of loss or theft. 2.5 Staff must never attempt to bypass any security controls in school systems or others' own devices. 3

4 2.6 Staff are reminded to familiarise themselves with the school's e-safety, social media and acceptable use of ICT policies which set out in further detail the measures needed to ensure responsible behaviour online. 2.7 It is the device owners' responsibility to keep the software and security settings on their own devices up-to-date. 3. Access to School Systems and the Internet 3.1 Staff will be permitted to access specific school systems via their mobile devices. These are: School system School internet School Virtual learning environment (VLE) 3.2 If in any doubt a device user should seek clarification and permission from the Data Protection Officer (DPO) before attempting to gain access to a system for the first time. Users must follow the written procedures for connecting to the school systems. 3.3 Most of the information accessed via a user's own device will not be private (e.g. learning materials). If, however, information is accessed which is deemed to be private then this should be treated as such and not shared amongst the school community. 3.4 In the event that information has been accessed which is considered private or protected, the incident must be reported to the school's DPO as soon as possible. In the event that the device user receives any inappropriate information, this too must be reported to the DPO (in the same way as if a school PC had been used). 4. Security of Technical Infrastructure and Data Transfer 4.1 All BYOD devices at Crescent School will access the internet and local area network via the school wireless network. All internet access via the network is filtered, monitored and logged. 4.2 The school is not to be held responsible for the content of any Apps or updates that may be downloaded onto the user's own device whilst using the school's wireless network. This activity is taken at the owner's own risk and is discouraged by the school. The school will have no liability for any consequential loss of data or damage to the owner's device. 4.3 Users of devices are reminded that it is their responsibility to ensure they have the appropriate anti-virus, software and security settings on their device and that these are up-todate. 5. Compliance with Data Protection Obligations 5.1 The school takes its compliance with the Data Protection Act 1998 seriously and aims at all times to keep personal data secure. It takes suitable measures to prevent unauthorised or unlawful processing of personal data and accidental loss or destruction of or damage to personal data. 4

5 5.2 The DPO in the school is responsible for ensuring that personal data stored on school systems regarding staff is appropriately restricted and only accessible to designated individuals. Staff are strictly prohibited from storing pupil data on their own mobile devices. Staff are required to keep personal data and communications on their mobile devices separate from any school-related data. The school may, in certain circumstances, require access to school data on staff devices. 5.3 Staff are expected to act responsibly if using their personal mobile device for school business. They must delete sensitive or commercial s from their device once the task has been completed and also delete any attachments to s e.g. data sets/spreadsheets once finished. 6. Support 6.1 The school takes no responsibility for supporting staff's own devices; nor has the school a responsibility for conducting annual PAT testing of personally-owned devices. 7. Monitoring and Enforcement of User-Owned Devices 7.1 Crescent School reserves the right to monitor the usage of staff members' own devices and to withdraw permission to access the school network for individuals or groups at any time. The school also reserves the right to access staff-owned devices should there be a serious breach of this policy. 8. Compliance, Sanctions and Disciplinary Matters 8.1 Non-compliance of this policy exposes both staff and the school to risks. If a breach of this policy occurs the school will respond immediately by issuing a verbal then written warning to the staff member. Guidance will also be offered. If steps are not taken by the individual to rectify the situation and adhere to the policy, then the mobile device in question may be confiscated and/or permission to use the device on school premises will be temporarily withdrawn. For persistent breach of this policy, the school will permanently withdraw permission to use user-owned devices in school. 9. Incidents and Response 9.1 The school takes any security incident involving a staff member's personal device very seriously and will always investigate a reported incident. Loss or theft of the mobile device should be reported to the Headmaster in the first instance. Data protection incidents should be reported immediately to the Headmaster. 5