INTRODUCTION. For technical guidance on SIM access, your local C2k support manager.

Transcription

1

2

3 INTRODUCTION Data Protection and Information Security Guidance Schools collect and process personal information to deliver educational services. The school is the Data Controller as it determines the purpose and manner in which personal information is processed. For the individual or Data Subject, personal privacy and confidentiality is expected. The school is responsible for controlling the amount of information collected, its accuracy, security, what it is used for, who it is shared with and that it is not kept for longer than necessary. Schools are adopting new technologies such as contact by text or ing services; attendance/behaviour management reporting; cashless catering systems or virtual learning environments or online assessment environments, to deliver services, communicate with parents and help teachers collaborate. With such advancements, schools often employ external companies or Data Processors to support the delivery of services. Anyone who has access to a school s information (including anyone employed by an external company) must be made aware of the school s procedures for handling personal information. It should never be assumed that because of their occupation, they fully understand their responsibilities. You need to show that you are managing any risk which could be associated with allowing third party access to the information you hold. The aim of this guide is to offer general data protection advice. C2k have provided guidance on the technical issues around granting access to the SIM system. For advice on Data Protection you can refer either to: Liz Johnston BELB Phone liz.johnston@belb.co.uk The Office of the Information Commissioner For technical guidance on SIM access, your local C2k support manager. Any school considering buying goods or services should contact the boards Procurement Office. They may have knowledge based on previous experience of the service you are interested in. 1

4 Data Protection and Information Security Guidance SCHOOL S RESPONSIBILITY The School is the Data Controller (School Principal) and decides on the level of access to anyone (Data Processor) who processes their information. Although a Data Processor may have their own view on the access they require, the Data Controller must satisfy itself that this is not excessive. NB: The School Principal and Board of Governors are accountable for any breach of the Data Protection Act by the Data Processor where the school isn t able to demonstrate that proper assurances were obtained at the beginning and managed throughout the process. NB: It is recommended the school obtains these assurances, in writing, before any access is granted. This will provide evidence of the school complying with its obligations as a Data Controller under the Data Protection Act. It will also mean that the detail supplied by the Data Processor can be revisited from time to time to make sure it s still accurate. Any person/company/organisation wishing to access information should complete and sign a questionnaire and return it to the school before any agreement on the level of access is made. Questions you should consider asking are included in the Appendix. Basically this is a checklist of assurances a school should obtain from a Data Processor before allowing access to personal information. Depending on the service a school is purchasing, it may not be necessary to ask all of the questions listed or there may be additional questions which will be apparent when you examine the process. 2

5 DATA PROTECTION- PRINCIPLES TO CONSIDER. Data Protection and Information Security Guidance The First Data Protection Principle states that personal data must be processed fairly and lawfully. This means that personal data must be used in a way the data subjects would expect or to which they have agreed. Schools must consider if data subjects needs to be informed before using personal data in any new way. In a school context, if it is something the school has always done, but simply intends to do in a new way, then informing data subjects (pupils, parents or staff) of the school s intentions and providing reassurance around security / privacy etc should be enough If the data is to be used for a completely new purpose the school should consider informing those involved. There are special conditions if sensitive person data is involved. Details are contained in Schedule 3 of the Data Protection Act. The Second Data Protection Principle requires that personal information obtained for one or more specified and lawful purpose must not be processed in any way incompatible with that purpose. (Unless the data subject gives permission). For example, if phone numbers are collected for the purpose of contacting parents they must not be used for any other purpose such as target marketing from a company offering services. The Fifth Data Protection Principle requires that personal data is not kept for longer than it is needed for its specific purpose. This means making sure that information is destroyed when it is no longer required. The Seventh Data Protection Principle requires that appropriate security is in place to safeguard personal information. Assurances must be obtained from the Data Processor that information is held and processed securely. Breaches of the Act by a Data Processor could leave the school liable to fines and penalties. A part of this principle which is often overlooked is that it conveys the responsibility of making sure staff are aware of security procedures and their obligations under the Data Protection Act and importantly they appreciate that they can be individually liable for any breach they commit. Remember, security is not only about having procedures to protect computer systems or locking filing cabinets, clearing sensitive paperwork from desks and making sure that waste containing personal data is disposed of by shredding etc, but one of the most important requirements is ensuring personal data is not disclosed to someone who does not have a right to receive it. 3

6 Data Protection and Information Security Guidance SCHOOL DATA NOTIFICATION A school should ensure its Data Protection notification shows the processing of information with the service provider. If it isn t, the registration must be amended. DATA PROCESSOR ASSURANCES You need to obtain certain information from any third party company wishing to extract information from Sims database held within the C2K network. It s better to get these assurances on paper before any agreement on the level of information extraction is agreed. Suppliers should have a clear understanding of what standards they need to meet. Have you spelt out the standards? Are the consequences of failure clear and contractually robust? Do you have a vigorous process for assessing suppliers performance against these standards? Are you sufficiently confident that the supplier is managing their information risks? School staff should know what suppliers can/can t do and can/can t request from you in terms of information SUGGESTED QUESTIONS FOR THE SUPPLIER ARE IN THE APPENDIX. Depending on the service you are purchasing, it may not be necessary to ask all of the questions or there may be additional questions which will be apparent when you examine the process or the product details published by the supplier. For example, unless the supplier will be handling sensitive information e.g. health, special education, welfare or child protection records, etc or their staff are required to physically enter the school without supervision, you may not need to determine if they have a criminal record. 7 7 If you need to contact the supplier, for continuity you should ask for the contact details of a person in the company who can be contacted quickly. 4

7 Data Protection and Information Security Guidance TECHNICAL STANDARDS AND CONTROLS- ADVICE FROM C2K ACCESS LEVELS AND PASSWORD MANAGEMENT The minimum level of access should be granted. Usernames should be unique and details should never be passed to another user. A recommended approach is to create a dedicated MIS user account for the purpose of data extraction. A third party service provider must not share C2K network user accounts between schools. If a username is compromised the password must be changed immediately. In the event of any service disruption due to third party software, C2k managed service providers may charge for service restoration. PHYSICAL SECURITY Clear details must be provided as to the method of data access. Data Controller should be aware if the Data Processor will need onsite access and or remote access to school systems. Some remote access methods take over the user desktop and have access to all areas on the user desktop. C2k have a remote access solution which can be requested. (Other methods are not recommended. A120 should be completed by the Data Processor if this method of access will be required. It is recommended that the Data Processor has obtained an accreditation in information security (ISO 27001/BS 99). Such accreditations provide extra assurances that the Data Processor (or sub- contractor) has considered data security in all its processes and procedures EXTRACTION FORMAT. Clear details must be provided on the format in which any data will be extracted. Data Controller should ensure it has a general understanding of the extraction format and should seek further details or explanation of any technical terms where necessary. Data Controller must be able to view the data in this format if, at any stage, it wishes to verify the data being transferred. Data Controller should understand the method being used to extract the data e.g. CSV file spreadsheet, automated software routine and the frequency of the extraction process. Data Controller may wish to view a sample of the data being extracted. 5

8 Data Protection and Information Security Guidance SECURING THE TRANSFER Data containing personal information should be transferred using a secure encrypted method. Transfer via removable media or attachment is not recommended, especially where sensitive personal information is involved. Data Controller should be satisfied that data is transferred to either an external destination or internally within the school using a secure method using e.g. HTTPS, SSL, VPN and Encryption. This is important as data could be intercepted on the internet if it is not sent using a secure method. If data is copied to a mobile storage device e.g. USB pen drive, the data should not leave the site on that device unless the device is encrypted. HARDWARE OR SOFTWARE INSTALLATION / OPENING PORTS Sometimes third party software requires specific ports to be opened. C2k must be informed as this will be subject to security and performance testing. If hardware will be connected to the managed network, information sheet A065 will need to be completed by the Data Processor. This can be obtained from C2K. If software requires changes i.e. a port opened, firewall changes, proxy or browser changes; details will have to be recorded on information sheet A065. This will begin a process which will allow C2k and managed service partners to evaluate requested changes and determine if they will have any impact on the schools managed service. If this will incur a cost it should be determined whether the school or Data Processor will be responsible for the cost. TRANSIENT DATA If third party software is used to transfer information, software can keep a copy on a local PC hard drive. Data Controller needs to know if this is likely in order to prevent any unauthorised access. When a Data Processor exports data from a school site, there is often a data export file stored on either a fileserver or PC hard drive. Data Processor should identify this in order that steps can be taken to reduce the risk of accidental discovery by unauthorised staff or pupils. Software which is exporting sensitive data should never be installed on a machine pupils have access to. If more than one member of staff has physical access to a PC, it should be noted that all teachers will have access to the C drive and so could view an export data file if it is in a readable format. The data file should be deleted once exported to minimise accidental discovery. 6

9 LOCATION OF DATA AND ANY BACKUPS Data Protection and Information Security Guidance Data Controller should know where any data (including backups) are physically stored. Data Controller should also be aware how and when stored data and backups are deleted in the event that the contract is terminated. If Data Processor has hard copy information, Data Controller needs to be satisfied that it will be destroyed in a safe and secure manner. This should include details of any planned use of mobile devices, capable of storing or transporting your school data. The use of firewalls, anti-hacking and antivirus software should be viewed as an essential part of a provider s network. Data Processor should provide details of how access to the information is controlled at their site. SECURE DESTRUCTION / OBSOLETE HARDWARE Manual data should be shredded and electronic data erased in a way which makes it unrecoverable. If Data Processor upgrades or replaces equipment on which school data is stored, Data Controller should be informed how the old equipment will be cleared down before disposal Assurances should be given that all data will be removed from obsolete hardware 7 7 It is recommended that data destruction should adhere to ISO 27001:2005 (International Information Security Standard). 7

10 Data Protection and Information Security Guidance APPENDIX SUGGESTED QUESTIONS FOR ANY DATA PROCESSOR Data Processor - Suggested Questions Purpose of the product. What information will be accessed or extracted. How will you use the information? How long will you keep the information? Have you notified, for the purposes of processing information with the Information Commissioners Office. Do you have a Data Protection Policy or Information Security Policy? If yes, how has this been implemented in your company. Are Data Processors staff checked by the Criminal Records Bureau / Access NI Where a subcontractor or intermediary is involved can you provide assurances on behalf of this third party in relation to data protection/ data security compliance and any necessary criminal record checks Incident Management Do you carry insurance cover in the event of liability incurred in any breach of the DPA 1998? Will any data be sent outside the European Economic Area? Purpose/Detail What the product does. This can normally be obtained from any marketing literature supplied by the supplier Information should be identified i.e. names, tel. numbers of parents etc, Determine if this is minimum amount of information required to provide the service. If it is subsequently discovered that additional data is being extracted, the data processor could be in breach of any agreement. Confirm that the information will only be used to deliver the service purchased and not for any other purpose Data Processor should confirm that information will be confidentially destroyed as directed by the School. This may take place when the contract ends, when a pupil or member of staff leaves the School or when otherwise instructed by the School. State your registration number issued by the ICO Data Controller can check the Data Protection register Copy of policy if applicable. Where sensitive pupil information is involved (see DPA schedule 3) or Data Processors employees have unsupervised physical access to the school, clearance through a criminal record check should be made. It is the DP s responsibility to ensure such clearance is obtained and evidence provided and that access to information will be restricted to such staff. Written assurance. What measure is in place in the event of an information security breach? Details of insurance cover. If yes - refer to the web site of the office of the information commissioner for advice. 8

11 Data Protection and Information Security Guidance Technical Standard and Controls - Suggested Questions. How is the information held on the School Management Information System (MIS) to be accessed by the Data Processor? In what format will the information be extracted e.g. CSV file, spreadsheet etc? Purpose/Detail Full details must be provided to include method and frequency. Must also include subcontractor activities Data Processor should provide full details which include method and frequency. Must also include any subcontractor activities How will this transfer be secured? Data Processor should provide full details. Acceptable methods include SSL, HTTPS or Encryption method. Must also include any subcontractor activities Will the software require any ports to be opened? Please give details of port and direction. During the transfer process will any transient Must also include any subcontractor activities. information be stored locally within the School and if so what arrangements will be in place to ensure deletion when transfer is complete? Where will the data and any backups be stored? Must also include any subcontractor activities How will information be secured at your site? Must also include subcontractor sites. How will both manual and electronic information be destroyed when no longer required? It is recommended that data destruction should adhere to ISO 27001: the International Information Security Standard. This can be verified by providing the certificate number and name of awarding body. Such accreditations provide extra assurances that the Data Processor has considered data security in all its processes and procedures. How is information erased from obsolete hardware? Has the Data Processor accreditation or alignment with ISO 27001/BS 99 Information Security Standard? Must also include subcontractor activities It is recommended that hardware should be wiped in line with ISO 27001: 2005 This can be verified by providing the certificate number and name of awarding body. Such accreditations provide extra assurances that the Data Processor has considered data security in all its processes and procedures. Although not mandatory, it is recommended that the Data Processor has obtained an accreditation in information security. This can be verified by providing the certificate number and name of awarding body. Such accreditations provide extra assurances that the Data Processor (or sub- contractor) has considered data security in all its processes and procedures BELB/FOI/LJ/

12