Web Site Download Carol Johnston


What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party.

Web Site Download
Carol Johnston, Corporate Development, November 2012

All Schools are separate legal entities for Data Protection purposes (known as Data Controllers) rather than a collective part of the North Eastern Education and Library Board. This document is intended to act as a general guide. Data Protection can be complicated, so this guide should not be taken as an absolute statement of the law and obligations covered by the Data Protection Act. It is a criminal offence to break any conditions of the Act. It is essential that you follow the procedures your school has adopted for handling and releasing information. Further information is available from the Information Commissioner's Office via its Data Protection Help Line (Tel) or its web-site.

http://www.neelb.org.uk Page 1

Introduction

Schools collect and process personal information to deliver educational services. The school is the Data Controller, as it determines the purpose and manner in which personal information is processed. The individual, or Data Subject, expects personal privacy and confidentiality. The school is responsible for controlling the amount of information collected, its accuracy, its security, what it is used for, who it is shared with, and that it is not kept for longer than necessary.

Schools are adopting new technologies such as contact by text or emailing services, attendance/behaviour management reporting, cashless catering systems, virtual learning environments and online assessment environments to deliver services, communicate with parents and help teachers collaborate. With such advancements, schools often employ external companies, or Data Processors, to support the delivery of services. Anyone who has access to a school's information (including anyone employed by an external company) must be made aware of the school's procedures for handling personal information. It should never be assumed that, because of their occupation, they fully understand their responsibilities. You need to show that you are managing any risk which could be associated with allowing third party access to the information you hold.

The aim of this guide is to offer general data protection advice, and it contains guidance from C2K on the technical issues around granting access to the SIMS system. For technical guidance on SIMS access, please contact your local C2K Support Manager. Any school considering buying goods or services should contact the Board's Procurement Office for advice and support. For advice on Data Protection Subject Access Requests you can refer to the Claims and Legal Administrator, Wendy Nelson, by email. Further information is available from the Office of the Information Commissioner's website.

School's Responsibility

The School is the Data Controller (School Principal) and decides on the level of access to anyone (Data Processor) who processes its information. Although a Data Processor may have their own view on the access they require, the Data Controller must satisfy itself that this is not excessive.

NB: The School Principal and Board of Governors are accountable for any breach of the Data Protection Act by the Data Processor where the school isn't able to demonstrate that proper assurances were obtained at the beginning and managed throughout the process.

It is recommended that the school obtains these assurances, in writing, before any access is granted. This will provide evidence of the school complying with its obligations as a Data Controller under the Data Protection Act. It will also mean that the detail supplied by the Data Processor can be revisited from time to time to make sure it is still accurate. Any person, company or organisation wishing to access information should complete and sign a questionnaire and return it to the school before any agreement on the level of access is made. Questions you should consider asking are included in the Appendix to this document. This is a checklist of assurances a school should obtain from a Data Processor before allowing access to personal information. Depending on the service a school is purchasing, it may not be necessary to ask all of the questions listed, or there may be additional questions which will become apparent when you examine the process.

Data Protection: Relevant Principles to Consider

The First Data Protection Principle states that personal data must be processed fairly and lawfully. This means that personal data must be used in a way the data subjects would expect or to which they have agreed. Schools must consider if data subjects need to be informed before using personal data in any new way. In a school context, if it is something the school has always done but simply intends to do in a new way, then informing data subjects (pupils, parents or staff) of the school's intentions and providing reassurance around security/privacy etc. may be sufficient. If the data is to be used for a completely new purpose, the school should consider informing those involved. There are special conditions if sensitive personal data is involved. Details are contained in Schedule 3 of the Data Protection Act.

The Second Data Protection Principle requires that personal information obtained for one or more specified and lawful purposes must not be processed in any way incompatible with that purpose (unless the data subject gives permission). For example, if phone numbers are collected for the purpose of contacting parents, they must not be used for any other purpose, such as targeted marketing from a company offering services.

The Fifth Data Protection Principle requires that personal data is not kept for longer than it is needed for its specific purpose. This means making sure that information is destroyed when it is no longer required.

The Seventh Data Protection Principle requires that appropriate security is in place to safeguard personal information. Assurances must be obtained from the Data Processor that information is held and processed securely. Breaches of the Act by a Data Processor could leave the school liable to fines and penalties.

A part of this principle which is often overlooked is that it conveys the responsibility of making sure staff are aware of security procedures and their obligations under the Data Protection Act and, importantly, that they appreciate they can be individually liable for any breach they commit. Security is not only about having procedures to protect computer systems, locking filing cabinets, clearing sensitive paperwork from desks and making sure that waste containing personal data is disposed of by shredding etc.; one of the most important requirements is ensuring that personal data is not disclosed to someone who does not have a right to receive it.

School Data Notification

A school should ensure its Data Protection notification shows the processing of information with the service provider. If it doesn't, the registration must be amended.

Data Processor Assurances

With regard to Data Processor Assurances, please consider the following. Certain information should be obtained in the first instance from any third party company wishing to extract information from the SIMS database held within the C2K network. Written assurance should be obtained before any agreement on the level of information extraction is reached. Suppliers should have a clear understanding of what standards they need to meet:

Have standards been communicated clearly?
Are the consequences of failure clear and contractually robust?
Has a rigorous process for monitoring Suppliers' performance against such standards been established?
Are you sufficiently confident that the Supplier is managing their information risks?

School staff should be aware of the information that Suppliers can legally request from your school. Suggested questions for the Supplier are in the Appendix to this document. Depending on the service you are purchasing, it may not be necessary to ask all of the questions, or there may be additional questions which will become apparent when you examine the process or the product details published by the Supplier. Unless the Supplier will be handling sensitive information (e.g. Special Education, Education Welfare or Child Protection Records), or their staff are required to physically enter the school without supervision, you may not need to determine if they have a criminal record. For continuity purposes you should determine from the Supplier the name of a nominated person who will be your School's key contact.

TECHNICAL STANDARDS AND CONTROLS: ADVICE FROM C2K

ACCESS LEVELS AND PASSWORD MANAGEMENT

The minimum level of access should be granted. Usernames should be unique and details should never be passed to another user. A recommended approach is to create a dedicated MIS user account for the purpose of data extraction. A third party service provider must not share C2K network user accounts between schools. If a username is compromised, the password must be changed immediately. In the event of any service disruption due to third party software, C2K managed service providers may charge for service restoration.

PHYSICAL SECURITY

Clear details must be provided as to the method of data access. The Data Controller should be aware whether the Data Processor will need onsite access and/or remote access to school systems. Some remote access methods take over the user desktop and have access to all areas on the user desktop. C2K have a remote access solution which can be requested (other methods are not recommended). A120 should be completed by the Data Processor if this method of access will be required. It is recommended that the Data Processor has obtained an accreditation in information security (ISO 27001/BS 7799). Such accreditations provide extra assurances that the Data Processor (or sub-contractor) has considered data security in all its processes and procedures.

EXTRACTION FORMAT

Clear details must be provided on the format in which any data will be extracted. The Data Controller should ensure it has a general understanding of the extraction format and should seek further details or explanation of any technical terms where necessary.

The Data Controller must be able to view the data in this format if, at any stage, it wishes to verify the data being transferred. The Data Controller should understand the method being used to extract the data (e.g. CSV file, spreadsheet or automated software routine) and the frequency of the extraction process. The Data Controller may wish to view a sample of the data being extracted.

SECURING THE TRANSFER

Data containing personal information should be transferred using a secure, encrypted method. Transfer via removable media or email attachment is not recommended, especially where sensitive personal information is involved. The Data Controller should be satisfied that data is transferred, whether to an external destination or internally within the school, using a secure method, e.g. HTTPS, SSL, VPN and encryption. This is important, as data could be intercepted on the internet if it is not sent using a secure method. If data is copied to a mobile storage device (e.g. a USB pen drive), the data should not leave the site on that device unless the device is encrypted.

HARDWARE OR SOFTWARE INSTALLATION / OPENING PORTS

Sometimes third party software requires specific ports to be opened. C2K must be informed, as this will be subject to security and performance testing. If hardware will be connected to the managed network, information sheet A065 will need to be completed by the Data Processor. This can be obtained from C2K. If software requires changes (e.g. a port opened, or firewall, proxy or browser changes), details will have to be recorded on information sheet A065. This will begin a process which will allow C2K and managed service partners to evaluate the requested changes and determine if they will have any impact on the school's managed service. If this will incur a cost, it should be determined whether the school or the Data Processor will be responsible for it.
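The guide asks the Data Controller to understand the extraction format, to view a sample of the extracted data, and (in the Appendix) to confirm that the processor takes only the minimum information the service needs. The Python below is an added example, not part of the NEELB guide or of C2K's tooling: it compares the header row of a supplier's sample CSV extraction against an agreed field list and flags over-extraction and Schedule 3 type fields. The field names, the agreed schedule and the sample rows are all constructed.

```python
"""Check a Data Processor's sample CSV extraction against the agreed field list.

Added example, not part of the NEELB guide or of C2K's tooling. All field
names, the agreed schedule and the sample rows below are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Hypothetical data-sharing schedule agreed with a parent text-messaging
# supplier: the minimum a school would need to send attendance texts.
AGREED_FIELDS = frozenset({"pupil_id", "forename", "surname", "year_group", "parent_mobile"})

# Constructed names for fields of the kind the guide treats as sensitive
# (DPA Schedule 3, SEN and child protection records). A real MIS export will
# use its own headings, so the school's own schedule must supply these.
SENSITIVE_FIELDS = frozenset({"sen_status", "child_protection_flag", "medical_notes",
                              "ethnicity", "religion"})


@dataclass(frozen=True)
class ExtractionReport:
    """Outcome of comparing an extraction's headers with the agreed schedule."""
    extra_fields: frozenset      # extracted but not agreed: possible over-extraction
    sensitive_fields: frozenset  # extracted fields that need Schedule 3 handling
    missing_fields: frozenset    # agreed fields absent from the sample
    row_count: int

    def compliant(self) -> bool:
        """True when the sample carries only the agreed fields and nothing sensitive."""
        return not self.extra_fields and not self.sensitive_fields


def check_extraction(csv_text: str,
                     agreed: frozenset = AGREED_FIELDS,
                     sensitive: frozenset = SENSITIVE_FIELDS) -> ExtractionReport:
    """Compare the header row of a CSV extraction with the agreed field list.

    Header names are normalised (trimmed, lower-cased) so that cosmetic
    differences in the supplier's export routine do not hide a mismatch.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = frozenset(h.strip().lower() for h in (reader.fieldnames or []))
    rows = list(reader)  # consumes the body; counted so a header-only file is obvious
    return ExtractionReport(
        extra_fields=headers - agreed,
        sensitive_fields=headers & sensitive,
        missing_fields=agreed - headers,
        row_count=len(rows),
    )


def describe(report: ExtractionReport) -> list[str]:
    """Plain-English findings the Data Controller can raise with the supplier."""
    findings = []
    if report.extra_fields:
        findings.append("Fields extracted beyond the agreed schedule: "
                        + ", ".join(sorted(report.extra_fields)))
    if report.sensitive_fields:
        findings.append("Sensitive (Schedule 3 type) fields present: "
                        + ", ".join(sorted(report.sensitive_fields)))
    if report.missing_fields:
        findings.append("Agreed fields missing from the sample: "
                        + ", ".join(sorted(report.missing_fields)))
    if not findings:
        findings.append(f"Extraction matches the agreed schedule ({report.row_count} rows).")
    return findings


# Constructed sample that matches the schedule. Mobile numbers use the Ofcom
# range reserved for fiction, so they belong to nobody.
GOOD_EXPORT = """pupil_id,forename,surname,year_group,parent_mobile
1001,Aoife,Murphy,8,07700900001
1002,Conor,Doherty,9,07700900002
"""

# Constructed sample where the supplier's routine pulls whole pupil records,
# including fields the messaging service has no need for.
OVER_EXTRACTION = """Pupil_ID,Forename,Surname,Year_Group,Parent_Mobile,Date_Of_Birth,Home_Address,SEN_Status
1001,Aoife,Murphy,8,07700900001,2000-03-14,1 Example Road,K
1002,Conor,Doherty,9,07700900002,1999-11-02,2 Example Road,
"""

if __name__ == "__main__":
    for label, sample in (("agreed sample", GOOD_EXPORT), ("supplier sample", OVER_EXTRACTION)):
        print(label)
        for line in describe(check_extraction(sample)):
            print("  -", line)
```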

TRANSIENT DATA

If third party software is used to transfer information, the software can keep a copy on a local PC hard drive. The Data Controller needs to know if this is likely in order to prevent any unauthorised access. When a Data Processor exports data from a school site, there is often a data export file stored on either a fileserver or a PC hard drive. The Data Processor should identify this so that steps can be taken to reduce the risk of accidental discovery by unauthorised staff or pupils. Software which exports sensitive data should never be installed on a machine pupils have access to. If more than one member of staff has physical access to a PC, it should be noted that all teachers will have access to the C drive and so could view an export data file if it is in a readable format. The data file should be deleted once exported to minimise accidental discovery.

LOCATION OF DATA AND ANY BACKUPS

The Data Controller should know where any data (including backups) is physically stored. The Data Controller should also be aware of how and when stored data and backups are deleted in the event that the contract is terminated. If the Data Processor has hard copy information, the Data Controller needs to be satisfied that it will be destroyed in a safe and secure manner. This should include details of any planned use of mobile devices capable of storing or transporting your school data. The use of firewalls, anti-hacking and antivirus software should be viewed as an essential part of a provider's network. The Data Processor should provide details of how access to the information is controlled at their site.

SECURE DESTRUCTION / OBSOLETE HARDWARE

Manual data should be shredded and electronic data erased in a way which makes it unrecoverable. If the Data Processor upgrades or replaces equipment on which school data is stored, the Data Controller should be informed how the old equipment will be cleared down before disposal. Assurances should be given that all data will be removed from obsolete hardware. It is recommended that data destruction should adhere to ISO 27001:2005 (International Information Security Standard).

Appendix: Suggested Questions for any Data Processor

Data Processor - Suggested Questions

Question: Purpose of the product.
Purpose/Detail: What the product does. This can normally be obtained from any marketing literature supplied by the supplier.

Question: What information will be accessed or extracted?
Purpose/Detail: The information should be identified, i.e. names, telephone numbers of parents etc. Determine if this is the minimum amount of information required to provide the service. If it is subsequently discovered that additional data is being extracted, the Data Processor could be in breach of any agreement.

Question: How will you use the information?
Purpose/Detail: Confirm that the information will only be used to deliver the service purchased and not for any other purpose.

Question: How long will you keep the information?
Purpose/Detail: The Data Processor should confirm that information will be confidentially destroyed as directed by the School. This may take place when the contract ends, when a pupil or member of staff leaves the School, or when otherwise instructed by the School.

Question: Have you notified the Information Commissioner's Office for the purposes of processing information?
Purpose/Detail: State your registration number issued by the ICO. The Data Controller can check the Data Protection register.

Question: Do you have a Data Protection Policy or Information Security Policy? If yes, how has this been implemented in your company?
Purpose/Detail: Copy of policy, if applicable.

Question: Are the Data Processor's staff checked by the Criminal Records Bureau / Access NI?
Purpose/Detail: Where sensitive pupil information is involved (see DPA Schedule 3) or the Data Processor's employees have unsupervised physical access to the school, clearance through a criminal record check should be made. It is the Data Processor's responsibility to ensure such clearance is obtained and evidence provided, and that access to information will be restricted to such staff.

Data Processor - Suggested Questions (continued)

Question: Where a subcontractor or intermediary is involved, can you provide assurances on behalf of this third party in relation to data protection / data security compliance and any necessary criminal record checks?
Purpose/Detail: Written assurance.

Question: Incident Management.
Purpose/Detail: What measure is in place in the event of an information security breach?

Question: Do you carry insurance cover in the event of liability incurred in any breach of the DPA 1998?
Purpose/Detail: Details of insurance cover.

Question: Will any data be sent outside the European Economic Area?
Purpose/Detail: If yes, refer to the web site of the Office of the Information Commissioner for advice.

Technical Standard and Controls - Suggested Questions

Question: How is the information held on the School Management Information System (MIS) to be accessed by the Data Processor?
Purpose/Detail: Full details must be provided, to include method and frequency. Must also include subcontractor activities.

Question: In what format will the information be extracted, e.g. CSV file, spreadsheet etc.?
Purpose/Detail: The Data Processor should provide full details, including method and frequency. Must also include any subcontractor activities.

Question: How will this transfer be secured?
Purpose/Detail: The Data Processor should provide full details. Acceptable methods include SSL, HTTPS or an encryption method. Must also include any subcontractor activities.

Question: Will the software require any ports to be opened?
Purpose/Detail: Please give details of port and direction. Must also include any subcontractor activities.

Question: During the transfer process, will any transient information be stored locally within the School, and if so, what arrangements will be in place to ensure deletion when the transfer is complete?

Technical Standard and Controls - Suggested Questions (continued)

Question: Where will the data and any backups be stored?
Purpose/Detail: Must also include any subcontractor activities.

Question: How will information be secured at your site?
Purpose/Detail: Must also include subcontractor sites.

Question: How will both manual and electronic information be destroyed when no longer required?
Purpose/Detail: It is recommended that data destruction should adhere to ISO 27001, the International Information Security Standard. This can be verified by providing the certificate number and name of the awarding body. Such accreditations provide extra assurances that the Data Processor has considered data security in all its processes and procedures. Must also include subcontractor activities.

Question: How is information erased from obsolete hardware?
Purpose/Detail: It is recommended that hardware should be wiped in line with ISO 27001:2005. This can be verified by providing the certificate number and name of the awarding body. Such accreditations provide extra assurances that the Data Processor has considered data security in all its processes and procedures.

Question: Has the Data Processor accreditation or alignment with the ISO 27001/BS 7799 Information Security Standard?
Purpose/Detail: Although not mandatory, it is recommended that the Data Processor has obtained an accreditation in information security. This can be verified by providing the certificate number and name of the awarding body. Such accreditations provide extra assurances that the Data Processor (or sub-contractor) has considered data security in all its processes and procedures.


More information

G-CLOUD IIII FRAMEWORK SERVICE DEFINITION: SCHOOLS HOSTED SERVICE FOR SIMS

G-CLOUD IIII FRAMEWORK SERVICE DEFINITION: SCHOOLS HOSTED SERVICE FOR SIMS G-CLOUD IIII FRAMEWORK SERVICE DEFINITION: SCHOOLS HOSTED SERVICE FOR SIMS Capita Division / Supplier: Service Name: Capita Business Services Ltd SIMS OVERVIEW OF THE SERVICE The hosted service for SIMS

More information

Data Access Request Service

Data Access Request Service Data Access Request Service Guidance Notes on Security Version: 4.0 Date: 01/04/2015 1 Copyright 2014, Health and Social Care Information Centre. Introduction This security guidance is for organisations

More information

Guidance on Personal Data Erasure and Anonymisation 1

Guidance on Personal Data Erasure and Anonymisation 1 Guidance on Personal Data Erasure and Anonymisation Introduction Data users engaged in the collection, holding, processing or use of personal data must carefully consider how to erase such personal data

More information

Information Security

Information Security Information Security A staff guide to the University's Information Systems Security Policy Issued by the IT Security Group on behalf of the University. Information Systems Security Guidelines for Staff

More information

Cloud Software Services for Schools. Supplier Self Certification Statements with Services and Support Commitments

Cloud Software Services for Schools. Supplier Self Certification Statements with Services and Support Commitments Cloud Software Services for Schools Supplier Self Certification Statements with Services and Support Commitments Supplier Name One Team Logic Limited Address Unit 2 Talbot Green Business Park Heol-y-Twyn

More information

Information Security Policy for Associates and Contractors

Information Security Policy for Associates and Contractors Policy for Associates and Contractors Version: 1.12 Status: Issued Date: 30 July 2015 Reference: 61418080 Location: Livelink Review cycle: Annual Contents Introduction... 3 Purpose... 3 Scope... 3 Responsibilities...

More information

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments. SafeGuard Software Limited

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments. SafeGuard Software Limited Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone SafeGuard Software Limited

More information

Data and Information Security Policy

Data and Information Security Policy St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration

More information

Recommendations for companies planning to use Cloud computing services

Recommendations for companies planning to use Cloud computing services Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation

More information

HOW WE USE YOUR INFORMATION

HOW WE USE YOUR INFORMATION HOW WE USE YOUR INFORMATION This privacy notice tells you what to expect when University of Essex Students Union (referred to as the SU herein) collects personal information. It applies to information

More information

MRS Guidelines for Online Research. January 2012

MRS Guidelines for Online Research. January 2012 MRS Guidelines for Online Research January 2012 MRS is the world s largest association for people and organisations that provide or use market, social and opinion research, business intelligence and customer

More information

b. Contact for contract issues/requests (Including billing)

b. Contact for contract issues/requests (Including billing) 1. Responsibilities of the customer a. Appointed contact(s) The customer is required to provide a named contact with E-Mail address and phone contact for each of the following roles (they can be the same

More information

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities. Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction to the Data Protection Policy Everyone who works for Chorley Council uses personal data in the course of their duties. Chorley Council must gather and process personal

More information

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C

UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information

More information

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy

BOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy

More information

Enterprise Information Security Procedures

Enterprise Information Security Procedures GHL Network Services Ltd Enterprise Information Security Procedures Prepared By Nigel Gardner Date 16/11/09 1 Contents 1. Openwork s Information Security Policy...3 2. Enterprise Information Security Procedures...3

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Request for information on the document re: cloud and secure storage posted on the DfE website, response provided by DfE and Schools Commercial team: The focus of the project is on data security/safety

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective. Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

document destruction Our passion.

document destruction Our passion. document destruction Your office. Our passion. safeguard Our secure destruction service meets all the necessary compliances and helps to support ISO 9001, ISO 14001 and CSR objectives as well as improving

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework Department of the Premier and Cabinet Circular PC030 Protective Security Policy Framework February 2012 PROTECTIVE SECURITY MANAGEMENT FRAMEWORK TABLE OF CONTENTS TABLE OF CONTENTS 2 1. PURPOSE 3 2. SCOPE

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Protection of Computer Data and Software

Protection of Computer Data and Software April 2011 Country of Origin: United Kingdom Protection of Computer Data and Software Introduction... 1 Responsibilities...2 User Control... 2 Storage of Data and Software... 3 Printed Data... 4 Personal

More information

Please note this policy is mandatory and staff are required to adhere to the content

Please note this policy is mandatory and staff are required to adhere to the content Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote

More information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information

FINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

Acceptable Use Guidelines

Acceptable Use Guidelines Attachment to the Computer and Information Security and Information Management Policies Acceptable Use Guidelines NZQA Quality Management System Supporting Document Purpose These Acceptable Use Guidelines

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY [Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body

More information

Working Practices for Protecting Electronic Information

Working Practices for Protecting Electronic Information Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that

More information

THE OBLIGATIONS INTERCEPTION OF COMMUNICATIONS CODE OF PRACTICE

THE OBLIGATIONS INTERCEPTION OF COMMUNICATIONS CODE OF PRACTICE THE OBLIGATIONS INTERCEPTION OF COMMUNICATIONS CODE OF PRACTICE If you ve been served with a Technical Capability Notice, here are some of things that will be required of you. v 8.3 The obligations the

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

Data Protection Policy Information for Clients

Data Protection Policy Information for Clients Data Protection Policy Information for Clients Foreword This document outlines Numis Securities Limited s ( the Firm or Numis ) legal obligations and policy on data protection. Further information can

More information

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services

Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services February 30, 2012 2012 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox Corporation

More information

CIPFA DATA MANAGEMENT POLICY AND PROCEDURES

CIPFA DATA MANAGEMENT POLICY AND PROCEDURES INTRODUCTION These Policies and Procedures apply to all CIPFA volunteers that have access to, use, store and share significant amounts of personal data. It is critically important that this data is handled

More information

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Rev No. 0 New Document 1 2 3 4 5 6 7 Revision Status Details of Amendments Name Date Update of College DPA statement New Reference to Appendix 4 Staff Guidelines ESF document retention

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

Paperless World Limited

Paperless World Limited Paperless World Limited Security Policy Statement Contents Section 1: Paperless World Limited Security Policy Statement... 2 Section 2: The Data Protection Act 1998... 2 Section 3: Definitions... 2 Personal

More information

Data Protection and Community Councils Briefing Note

Data Protection and Community Councils Briefing Note Data Protection and Community Councils Briefing Note This briefing note has been prepared in response to specific queries raised by Community Councils in Marr in relation to their Data Protection requirements.

More information

Cyber Security: Are You Prepared?

Cyber Security: Are You Prepared? Cyber Security: Are You Prepared? This briefing provides a high-level overview of the cyber security issues that businesses should be aware of. You should talk to a lawyer and an IT specialist for a complete

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

Data Protection Procedures

Data Protection Procedures Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council

More information

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data Data Protection and Information Data - Guidelines for the use of Personal Data Page 1 of 10 Created on: 21/06/2013 Contents 1. Introduction... 3 2. Definitions... 3 4. Physical... 4 5 Electronic... 6 6

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information