Data Protection and Information Security Guidance

INTRODUCTION

Schools collect and process personal information to deliver educational services. The school is the Data Controller, as it determines the purpose and manner in which personal information is processed. The individual, or Data Subject, expects personal privacy and confidentiality. The school is responsible for controlling the amount of information collected, its accuracy, its security, what it is used for, who it is shared with, and that it is not kept for longer than necessary.

Schools are adopting new technologies such as contact by text or email services; attendance/behaviour management reporting; cashless catering systems; virtual learning environments; and online assessment environments, to deliver services, communicate with parents and help teachers collaborate. With such advancements, schools often employ external companies, or Data Processors, to support the delivery of services.

Anyone who has access to a school's information (including anyone employed by an external company) must be made aware of the school's procedures for handling personal information. It should never be assumed that, because of their occupation, they fully understand their responsibilities. You need to show that you are managing any risk associated with allowing third-party access to the information you hold.

The aim of this guide is to offer general data protection advice. C2k have provided guidance on the technical issues around granting access to the SIMS system. For advice on Data Protection you can refer either to:

Liz Johnston, BELB, liz.johnston@belb.co.uk
The Office of the Information Commissioner

For technical guidance on SIMS access, contact your local C2k support manager. Any school considering buying goods or services should contact the board's Procurement Office, which may have knowledge based on previous experience of the service you are interested in.
SCHOOL'S RESPONSIBILITY

The School is the Data Controller (represented by the School Principal) and decides on the level of access granted to anyone (a Data Processor) who processes its information. Although a Data Processor may have its own view on the access it requires, the Data Controller must satisfy itself that this is not excessive.

NB: The School Principal and Board of Governors are accountable for any breach of the Data Protection Act by the Data Processor where the school is not able to demonstrate that proper assurances were obtained at the beginning and managed throughout the process.

NB: It is recommended that the school obtains these assurances, in writing, before any access is granted. This provides evidence of the school complying with its obligations as a Data Controller under the Data Protection Act. It also means that the detail supplied by the Data Processor can be revisited from time to time to make sure it is still accurate.

Any person, company or organisation wishing to access information should complete and sign a questionnaire and return it to the school before any agreement on the level of access is made. Questions you should consider asking are included in the Appendix. Essentially this is a checklist of assurances a school should obtain from a Data Processor before allowing access to personal information. Depending on the service a school is purchasing, it may not be necessary to ask all of the questions listed, or there may be additional questions which will become apparent when you examine the process.
DATA PROTECTION PRINCIPLES TO CONSIDER

The First Data Protection Principle states that personal data must be processed fairly and lawfully. This means that personal data must be used in a way the data subjects would expect, or to which they have agreed. Schools must consider whether data subjects need to be informed before using personal data in any new way. In a school context, if it is something the school has always done but simply intends to do in a new way, then informing data subjects (pupils, parents or staff) of the school's intentions and providing reassurance around security and privacy should be enough. If the data is to be used for a completely new purpose, the school should consider informing those involved. There are special conditions if sensitive personal data is involved; details are contained in Schedule 3 of the Data Protection Act.

The Second Data Protection Principle requires that personal information obtained for one or more specified and lawful purposes must not be processed in any way incompatible with that purpose, unless the data subject gives permission. For example, if phone numbers are collected for the purpose of contacting parents, they must not be used for any other purpose, such as targeted marketing by a company offering services.

The Fifth Data Protection Principle requires that personal data is not kept for longer than it is needed for its specific purpose. This means making sure that information is destroyed when it is no longer required.

The Seventh Data Protection Principle requires that appropriate security is in place to safeguard personal information. Assurances must be obtained from the Data Processor that information is held and processed securely. Breaches of the Act by a Data Processor could leave the school liable to fines and penalties.

A part of this principle which is often overlooked is that it conveys the responsibility of making sure staff are aware of security procedures and their obligations under the Data Protection Act and, importantly, that they appreciate they can be individually liable for any breach they commit. Remember, security is not only about having procedures to protect computer systems, locking filing cabinets, clearing sensitive paperwork from desks and making sure that waste containing personal data is disposed of by shredding; one of the most important requirements is ensuring personal data is not disclosed to someone who does not have a right to receive it.
SCHOOL DATA NOTIFICATION

A school should ensure its Data Protection notification shows the processing of information with the service provider. If it does not, the registration must be amended.

DATA PROCESSOR ASSURANCES

You need to obtain certain information from any third-party company wishing to extract information from the SIMS database held within the C2k network. It is better to get these assurances on paper before any agreement on the level of information extraction is made. Suppliers should have a clear understanding of what standards they need to meet:

Have you spelt out the standards?
Are the consequences of failure clear and contractually robust?
Do you have a rigorous process for assessing suppliers' performance against these standards?
Are you sufficiently confident that the supplier is managing their information risks?

School staff should know what suppliers can and cannot do, and can and cannot request from you, in terms of information.

SUGGESTED QUESTIONS FOR THE SUPPLIER ARE IN THE APPENDIX. Depending on the service you are purchasing, it may not be necessary to ask all of the questions, or there may be additional questions which become apparent when you examine the process or the product details published by the supplier. For example, unless the supplier will be handling sensitive information (e.g. health, special education, welfare or child protection records) or their staff are required to physically enter the school without supervision, you may not need to require a criminal record check. If you need to contact the supplier, for continuity you should ask for the contact details of a person in the company who can be contacted quickly.
TECHNICAL STANDARDS AND CONTROLS - ADVICE FROM C2K

ACCESS LEVELS AND PASSWORD MANAGEMENT

The minimum level of access should be granted. Usernames should be unique and login details should never be passed to another user. A recommended approach is to create a dedicated MIS user account used only for data extraction, so that its activity can be distinguished from staff use and it can be disabled when the contract ends. A third-party service provider must not share C2k network user accounts between schools. If a username is compromised the password must be changed immediately. In the event of any service disruption due to third-party software, C2k managed service providers may charge for service restoration.

PHYSICAL SECURITY

Clear details must be provided as to the method of data access. The Data Controller should be aware whether the Data Processor will need on-site access and/or remote access to school systems. Some remote access methods take control of the user's desktop session and can therefore reach everything that user can. C2k have a remote access solution which can be requested; other methods are not recommended. A120 should be completed by the Data Processor if this method of access will be required. It is recommended that the Data Processor has obtained an accreditation in information security (ISO 27001/BS 99). Such accreditations provide extra assurance that the Data Processor (or sub-contractor) has considered data security in all its processes and procedures.

EXTRACTION FORMAT

Clear details must be provided on the format in which any data will be extracted. The Data Controller should ensure it has a general understanding of the extraction format and should seek further details or an explanation of any technical terms where necessary. The Data Controller must be able to view the data in this format if, at any stage, it wishes to verify the data being transferred. The Data Controller should understand the method being used to extract the data (e.g. CSV file, spreadsheet, automated software routine) and the frequency of the extraction process. The Data Controller may wish to view a sample of the data being extracted.
SECURING THE TRANSFER

Data containing personal information should be transferred using a secure, encrypted method. Transfer via removable media or email attachment is not recommended, especially where sensitive personal information is involved. The Data Controller should be satisfied that data is transferred, whether to an external destination or internally within the school, using a secure method such as HTTPS (TLS/SSL), a VPN, or encryption of the file itself. This is important because data sent over the internet without such protection can be intercepted. If data is copied to a mobile storage device, e.g. a USB pen drive, the data should not leave the site on that device unless the device is encrypted.

HARDWARE OR SOFTWARE INSTALLATION / OPENING PORTS

Sometimes third-party software requires specific ports to be opened. C2k must be informed, as this will be subject to security and performance testing. If hardware will be connected to the managed network, information sheet A065 will need to be completed by the Data Processor; this can be obtained from C2k. If software requires changes, e.g. a port opened, or firewall, proxy or browser changes, the details will have to be recorded on information sheet A065. This begins a process which allows C2k and its managed service partners to evaluate the requested changes and determine whether they will have any impact on the school's managed service. If this will incur a cost, it should be determined whether the school or the Data Processor will be responsible for it.

TRANSIENT DATA

If third-party software is used to transfer information, the software can keep a copy on a local PC hard drive. The Data Controller needs to know if this is likely, in order to prevent unauthorised access. When a Data Processor exports data from a school site, there is often a data export file stored on either a file server or a PC hard drive. The Data Processor should identify this so that steps can be taken to reduce the risk of accidental discovery by unauthorised staff or pupils. Software which exports sensitive data should never be installed on a machine pupils have access to. If more than one member of staff has physical access to a PC, note that all teachers will have access to the C: drive and so could view an export data file if it is in a readable format. The data file should be deleted once exported to minimise accidental discovery.
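As an added illustration of the transient-data point above (this is example code, not part of the C2k guidance), the following Python routine finds export files left on a PC or file server whose header row names personal-data columns, then overwrites and deletes them. The column names in PERSONAL_COLUMNS, the file suffixes and the sample files are assumptions made for the example; a real SIMS export will use its own column names, so adjust the set to whatever the supplier says it extracts.

```python
from __future__ import annotations

import csv
import os
import time
from pathlib import Path

# Header names that indicate personal data in an export. These are assumed
# for the example; real MIS/SIMS exports use their own column names, so
# adjust the set to match what your supplier says it extracts.
PERSONAL_COLUMNS = {
    "forename", "surname", "date of birth", "dob", "address", "postcode",
    "telephone", "phone", "mobile", "email", "parent", "upn",
}

# File types the export routine is assumed to write.
EXPORT_SUFFIXES = {".csv", ".txt"}


def header_has_personal_data(path: Path) -> bool:
    """True if the first row of a delimited export names a personal-data column."""
    try:
        with path.open(newline="", encoding="utf-8", errors="replace") as fh:
            header = next(csv.reader(fh), [])
    except OSError:
        return False
    names = [h.strip().lower() for h in header]
    return any(marker in name for name in names for marker in PERSONAL_COLUMNS)


def find_stale_exports(root: Path, max_age_seconds: float = 0.0) -> list[Path]:
    """Export files under root that hold personal data and are at least max_age_seconds old."""
    now = time.time()
    stale = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXPORT_SUFFIXES:
            continue
        if now - path.stat().st_mtime < max_age_seconds:
            continue  # still being written or transferred; leave it alone
        if header_has_personal_data(path):
            stale.append(path)
    return stale


def remove_export(path: Path) -> bool:
    """Overwrite the file contents with zeros, flush to disk, then unlink it.

    Overwriting is best effort: journalling file systems, SSD wear levelling
    and backups can retain copies. It still stops a teacher or pupil browsing
    the C: drive from reading the export, which is the risk the guidance names.
    """
    try:
        size = path.stat().st_size
        with path.open("r+b") as fh:
            fh.write(b"\0" * size)
            fh.flush()
            os.fsync(fh.fileno())
        path.unlink()
        return True
    except OSError:
        return False


def clean_exports(root: Path, max_age_seconds: float = 0.0) -> list[Path]:
    """Delete stale personal-data exports under root; return the paths removed."""
    return [p for p in find_stale_exports(root, max_age_seconds) if remove_export(p)]


if __name__ == "__main__":
    import tempfile

    # Constructed sample data: one pupil export and one harmless timetable file.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pupils_export.csv").write_text(
            "Surname,Forename,Date of Birth,Telephone\nDoe,Jane,2001-01-01,0123 456789\n"
        )
        (root / "timetable.csv").write_text("Period,Room,Subject\n1,B12,Maths\n")
        print("stale exports:", [p.name for p in find_stale_exports(root)])
        print("removed:", [p.name for p in clean_exports(root)])
```

Run it as a scheduled task on the PC or file server the supplier's export routine writes to, with max_age_seconds set a little longer than the transfer takes, so a file that is still being uploaded is not removed from under it. Deleting the plaintext does not replace the need to know where the supplier keeps its own copy, which the next sections cover.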
LOCATION OF DATA AND ANY BACKUPS

The Data Controller should know where any data (including backups) is physically stored. The Data Controller should also be aware of how and when stored data and backups are deleted in the event that the contract is terminated. If the Data Processor has hard-copy information, the Data Controller needs to be satisfied that it will be destroyed in a safe and secure manner. This should include details of any planned use of mobile devices capable of storing or transporting your school data. The use of firewalls, anti-hacking (intrusion prevention) and antivirus software should be viewed as an essential part of a provider's network. The Data Processor should provide details of how access to the information is controlled at their site.

SECURE DESTRUCTION / OBSOLETE HARDWARE

Manual data should be shredded and electronic data erased in a way which makes it unrecoverable. If the Data Processor upgrades or replaces equipment on which school data is stored, the Data Controller should be informed how the old equipment will be cleared down before disposal. Assurances should be given that all data will be removed from obsolete hardware. It is recommended that data destruction should adhere to ISO 27001:2005 (the International Information Security Standard).
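To make the SECURING THE TRANSFER advice above concrete on the client side, here is an added Python example (not from the guidance or from C2k) using the standard ssl module. It builds a context that verifies the server certificate, checks the hostname and refuses TLS below 1.2; reports which of those properties a given context lacks, which is the check to run against any upload script a supplier hands you; and refuses to send an export over plain http:// or with a weak context. The upload URL and the CSV content type are assumptions for illustration.

```python
from __future__ import annotations

import ssl
import urllib.request


def make_transfer_context() -> ssl.SSLContext:
    """A client TLS context fit for sending personal data over HTTPS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1
    return ctx


def context_weaknesses(ctx: ssl.SSLContext) -> list[str]:
    """Reasons a context is unfit for personal data; an empty list means acceptable."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 are accepted")
    return problems


def upload_export(url: str, payload: bytes, ctx: ssl.SSLContext | None = None) -> int:
    """POST an export file over HTTPS only; refuse plain http:// and weak contexts.

    Returns the HTTP status code. The URL is whatever the supplier's service
    exposes (assumed here); nothing is sent unless the channel passes the checks.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send personal data over a non-HTTPS URL")
    if ctx is None:
        ctx = make_transfer_context()
    problems = context_weaknesses(ctx)
    if problems:
        raise ValueError("unsafe TLS configuration: " + "; ".join(problems))
    req = urllib.request.Request(
        url, data=payload, method="POST", headers={"Content-Type": "text/csv"}
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed weak context, of the kind found in scripts that "just work":
    # verification switched off to silence certificate errors.
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    print("hardened context problems:", context_weaknesses(make_transfer_context()))
    print("weak context problems:", context_weaknesses(weak))
```

The weak context is exactly what an attacker on the path between the school and the supplier needs: with verification off, any certificate is accepted, so "using HTTPS" gives no protection against interception. Ask the supplier which of these three properties its transfer client enforces, and for subcontractors too.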
APPENDIX: SUGGESTED QUESTIONS FOR ANY DATA PROCESSOR

Data Processor - Suggested Questions, each with the purpose or detail the answer should cover.

Question: Purpose of the product.
Purpose/Detail: What the product does. This can normally be obtained from any marketing literature supplied by the supplier.

Question: What information will be accessed or extracted?
Purpose/Detail: The information should be identified, i.e. names, telephone numbers of parents, etc. Determine whether this is the minimum amount of information required to provide the service. If it is subsequently discovered that additional data is being extracted, the Data Processor could be in breach of the agreement.

Question: How will you use the information?
Purpose/Detail: Confirm that the information will only be used to deliver the service purchased and not for any other purpose.

Question: How long will you keep the information?
Purpose/Detail: The Data Processor should confirm that information will be confidentially destroyed as directed by the School. This may take place when the contract ends, when a pupil or member of staff leaves the School, or when otherwise instructed by the School.

Question: Have you notified the Information Commissioner's Office of the processing of this information?
Purpose/Detail: State your registration number issued by the ICO. The Data Controller can check the Data Protection register.

Question: Do you have a Data Protection Policy or Information Security Policy? If yes, how has this been implemented in your company?
Purpose/Detail: Copy of policy, if applicable.

Question: Are the Data Processor's staff checked by the Criminal Records Bureau / Access NI?
Purpose/Detail: Where sensitive pupil information is involved (see DPA Schedule 3), or the Data Processor's employees have unsupervised physical access to the school, clearance through a criminal record check should be made. It is the Data Processor's responsibility to ensure such clearance is obtained and evidence provided, and that access to information is restricted to such staff.

Question: Where a subcontractor or intermediary is involved, can you provide assurances on behalf of this third party in relation to data protection / data security compliance and any necessary criminal record checks?
Purpose/Detail: Written assurance.

Question: Incident Management.
Purpose/Detail: What measures are in place in the event of an information security breach?

Question: Do you carry insurance cover in the event of liability incurred in any breach of the DPA 1998?
Purpose/Detail: Details of insurance cover.

Question: Will any data be sent outside the European Economic Area?
Purpose/Detail: If yes, refer to the web site of the Office of the Information Commissioner for advice.
Technical Standards and Controls - Suggested Questions, each with the purpose or detail the answer should cover.

Question: How is the information held on the School Management Information System (MIS) to be accessed by the Data Processor?
Purpose/Detail: Full details must be provided, including method and frequency. Must also include subcontractor activities.

Question: In what format will the information be extracted, e.g. CSV file, spreadsheet, etc.?
Purpose/Detail: The Data Processor should provide full details, including method and frequency. Must also include any subcontractor activities.

Question: How will this transfer be secured?
Purpose/Detail: The Data Processor should provide full details. Acceptable methods include SSL/TLS, HTTPS or an encryption method. Must also include any subcontractor activities.

Question: Will the software require any ports to be opened?
Purpose/Detail: Please give details of each port and its direction.

Question: During the transfer process, will any transient information be stored locally within the School and, if so, what arrangements will be in place to ensure deletion when the transfer is complete?
Purpose/Detail: Must also include any subcontractor activities.

Question: Where will the data and any backups be stored?
Purpose/Detail: Must also include any subcontractor activities.

Question: How will information be secured at your site?
Purpose/Detail: Must also include subcontractor sites.

Question: How will both manual and electronic information be destroyed when no longer required?
Purpose/Detail: It is recommended that data destruction should adhere to ISO 27001, the International Information Security Standard. This can be verified by providing the certificate number and name of the awarding body. Such accreditations provide extra assurance that the Data Processor has considered data security in all its processes and procedures.

Question: How is information erased from obsolete hardware?
Purpose/Detail: Must also include subcontractor activities. It is recommended that hardware should be wiped in line with ISO 27001:2005. This can be verified by providing the certificate number and name of the awarding body.

Question: Has the Data Processor accreditation or alignment with the ISO 27001/BS 99 Information Security Standard?
Purpose/Detail: Although not mandatory, it is recommended that the Data Processor has obtained an accreditation in information security. This can be verified by providing the certificate number and name of the awarding body. Such accreditations provide extra assurance that the Data Processor (or sub-contractor) has considered data security in all its processes and procedures.

BELB/FOI/LJ/
Source: www.neelb.org.uk web site download (Carol Johnston, Corporate): "What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party."
Request for information on the document re: cloud and secure storage posted on the DfE website, response provided by DfE and Schools Commercial team: The focus of the project is on data security/safety
More informationData Protection and Information Security. Data Security - Guidelines for the use of Personal Data
Data Protection and Information Data - Guidelines for the use of Personal Data Page 1 of 10 Created on: 21/06/2013 Contents 1. Introduction... 3 2. Definitions... 3 4. Physical... 4 5 Electronic... 6 6
More informationREMOTE WORKING POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationInformation Security Policy for Associates and Contractors
Policy for Associates and Contractors Version: 1.12 Status: Issued Date: 30 July 2015 Reference: 61418080 Location: Livelink Review cycle: Annual Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...
More informationROEHAMPTON UNIVERSITY DATA PROTECTION POLICY
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
More informationPolicy and Procedure for approving, monitoring and reviewing personal data processing agreements
Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure
More informationDATA PROTECTION ACT 1998 COUNCIL POLICY
DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationINFORMATION SECURITY POLICY
INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third
More informationData Protection Policy
Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order
More informationREQUEST FOR QUOTE Department of Children and Families Office of Child Welfare National Youth in Transition Database Survey Tool January 27, 2014
REQUEST FOR QUOTE SUBJECT: Request for Quotes, State Term Contract #973-561-10-1, Information Technology Consulting Services TITLE: National Youth in Transition Database (NYTD) Survey Tool Proposal Software
More informationRecord Keeping. Guide to the Standard for Professional Practice. 2013 College of Physiotherapists of Ontario
Record Keeping Guide to the Standard for Professional Practice 2013 College of Physiotherapists of Ontario March 7, 2013 Record Keeping Records tell a patient s story. The record should document for the
More informationInformation Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
More information1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.
Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development
More informationPERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE
PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE ADOPTED ON 9 th January 2008 TABLE OF CONTENTS Page No. 1 Introduction...3 2 Glossary...3 3 Types of Personal Data held by Us...3 4 Obligations
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_D_19
Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility
More informationWe then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.
Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,
More informationHow To Choose A Cloud Service From One Team Logic
Cloud Software Services for Schools Supplier Self Certification Statements with Services and Support Commitments Supplier Name One Team Logic Limited Address Unit 2 Talbot Green Business Park Heol-y-Twyn
More informationBusiness System Recordkeeping Assessment - Digital Recordkeeping Compliance
Introduction The following assessment will assist to identify whether the system complies with State Records Authority of NSW Standards on Records Management The broad Principles of this standard are as
More informationGuidance on the Use of Portable Storage Devices 1
Guidance on the Use of Portable Storage Devices Introduction Portable storage devices ( PSDs ) such as USB flash memories or drives, notebook computers or backup tapes provide a convenient means to store
More informationUniversity of York Policy on the Management of Debit/ Credit Card Data
University of York Policy on the Management of Debit/ Credit Card Data Version 1.0 25th February 2015 Index 1 Introduction and Policy Statement 1.1 The Payment Card Industry Data Security Standard (PCI
More informationAcceptable Use Guidelines
Attachment to the Computer and Information Security and Information Management Policies Acceptable Use Guidelines NZQA Quality Management System Supporting Document Purpose These Acceptable Use Guidelines
More informationRecords Management and Security Procedure. Approved by: Executive Management Team Version: 1.2 Date: 21.9.2015
Document: Records Management and Security Procedure Approved by: Executive Management Team Version: 1.2 Date: 21.9.2015 1. Overview Senior management of Wentworth Institute ( WINWIN ) have a legal responsibility
More informationHuddersfield New College Further Education Corporation
Huddersfield New College Further Education Corporation Card Payments Policy (including information security and refunds) 1.0 Policy Statement Huddersfield New College Finance Office handles sensitive cardholder
More informationEnterprise Information Security Procedures
GHL Network Services Ltd Enterprise Information Security Procedures Prepared By Nigel Gardner Date 16/11/09 1 Contents 1. Openwork s Information Security Policy...3 2. Enterprise Information Security Procedures...3
More informationWritten Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.
Written Information Security Plan (WISP) for HR Knowledge, Inc. This document has been approved for general distribution. Last modified January 01, 2014 Written Information Security Policy (WISP) for HR
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationWhite Paper Security. Data Protection and Security in School Management Systems
White Paper Security Data Protection and Security in School Management Systems This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems.
More informationData Protection. Policy and Application July 2009
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
More informationProtection of Computer Data and Software
April 2011 Country of Origin: United Kingdom Protection of Computer Data and Software Introduction... 1 Responsibilities...2 User Control... 2 Storage of Data and Software... 3 Printed Data... 4 Personal
More informationCollege of DuPage Information Technology. Information Security Plan
College of DuPage Information Technology Information Security Plan April, 2015 TABLE OF CONTENTS Purpose... 3 Information Security Plan (ISP) Coordinator(s)... 4 Identify and assess risks to covered data
More informationData Protection Policy
Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages
More informationData Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014
Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware
More informationOffice 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
More informationSHARPCLOUD SECURITY STATEMENT
SHARPCLOUD SECURITY STATEMENT Summary Provides details of the SharpCloud Security Architecture Authors: Russell Johnson and Andrew Sinclair v1.8 (December 2014) Contents Overview... 2 1. The SharpCloud
More informationCloud Service Baseline Requirements
Cloud Service Baseline Requirements Prepared for THE CLIENT By Flexible Computing Ltd www.flexiblecomputing.co.uk Tel: 0845 5440959 @cloudrockstars @mcraddock Version V1.2 Author Mark Craddock Distribution
More informationAstaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between
Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"
More informationData Protection Policy
Data Protection Policy This policy applies to the national office of Special Olympics GB; athletes, volunteers, and paid staff its clubs and regions; all Special Olympics GB donors, sponsors, and supporters;
More informationRecords Management Plan. April 2015
Records Management Plan April 2015 Prepared in accordance with the Public Records (Scotland) Act 2011 and submitted to the Keeper of the Records of Scotland for their agreement on 28 April 2015 (Revised
More informationIT ACCESS CONTROL POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationMRS Guidelines for Online Research. January 2012
MRS Guidelines for Online Research January 2012 MRS is the world s largest association for people and organisations that provide or use market, social and opinion research, business intelligence and customer
More informationIT Data Security Policy
IT Data Security Policy Contents 1. Purpose...2 2. Scope...2 3. Policy...2 Access to the University computer network... 3 Security of computer network... 3 Data backup... 3 Secure destruction of data...
More informationPolicy Name: Data Protection. Nominated Lead Member of Staff: ICT Manager. Status: Review Cycle: 2 Years. Authorisation: Governing Body
Policy Name: Data Protection Nominated Lead Member of Staff: ICT Manager Status: Review Cycle: 2 Years Authorisation: Governing Body Review Date: June 2017 Data Protection Policy The Governing Body of
More informationUNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
More information