E-SAFETY POLICY 2014/15 Including:

Transcription

1 E-SAFETY POLICY 2014/15 Including: Staff ICT policy (Corporation approved) Data protection policy (Corporation approved) Staff guidelines for Data protection Data Security, awareness raising Acceptable use declaration

2 DATA SECURITY PRACTICALITIES - AWARENESS RAISING For any information that may harm or distress staff or students: Don t keep records if you don t have to; keep it secure Give access on a reasonable need to know basis with explicit confidentiality requirements For paper based information: 1. Keep it locked and transport it responsibly. 2. SHRED see The Executive Office Manager for secure shredding or shred it yourself especially with the end of term throw out. NB we do not keep much highly sensitive data that would really cause issues with our students or staff. However, anything found outside College with names etc could be reported in the press in a way that could damage our reputation. For electronic based information: 1. Password protect Word, Excel and Access files as appropriate; see any IT staff if you cannot do this. 2. Don t leave data on computer hard drives (the C drive on the computer you are working on) unless you have to use College servers which are secure and backed up (R/G drive which can also be accessed from home). Less preferably use your own removable media (eg pen drives). 3. If you find yourself disposing of old computers be careful to ensure any sensitive information is deleted from the hard drive. 4. Please don t pin your password/s to the wall of your office or give it to students for convenience. 5. Change your passwords and make them harder to crack (longer, alphanumeric, different cases and non-alphanumeric characters eg # ). 6. Be very careful with loaned College laptops (what you put on the hard drive and what would happen if it was lost); see 7 below for your responsibilities. 7. Pen drives: we are currently looking at supplying encryption and password protection of pen drives but it is expensive or surprisingly difficult. For the foreseeable future, pen drive data and its backup is the responsibility of individual staff. It needs to be the case that if you lose your pen drive on a Huddersfield station platform, we would not be compromised by a stranger finding it who had malicious intentions. 8. Sending s with personal or sensitive information: zip the information as an attachment with encryption and password protection before adding it to an ; phone the password for unlocking to the recipient. If you do not know how to do this or do not understand the last statement network support will do this for you. Under such circumstances, be sure you are sending a file to the right address and that you have a confidentiality/data protection statement as a signature on your PLEASE read the College s data protection policy available on the Staff intranet and the College web site.

3 DATA PROTECTION POLICY Data Controller (1): Data Controller (2): Mr Peter Gordziejko Mr Phil Rumsey Introduction Greenhead College (the college) needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements and health & safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with. To comply with law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the college must comply with the Data Protection Principles which are set out in the Data Protection Act In summary these state that that personal data shall: Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose Be adequate, relevant and not excessive for those purposes Be accurate and kept up to date Not be kept for longer than is necessary for that purpose Be processed in accordance with the data subject s rights Be kept safe from unauthorised access, accidental loss or destruction Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data. The college and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the college has developed the Data Protection Policy. Status of the Policy The policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the college from time to time. Any failures to follow the policy can therefore result in disciplinary proceedings. Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the designated data controller initially. If the matter is not resolved it should be raised as a formal grievance. Responsibilities of Staff All staff are responsible for Checking that any information that they provide to the college in connection with their employment is accurate and up to date. Informing the college of any changes to this information, e.g. change of address. Informing the college of any errors in their information.

4 Data Security All staff are responsible for ensuring that: Any personal data which they hold is kept securely. Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party. Personal information should be kept in a locked filing cabinet; or in a locked drawer; or if it is computerised, be password protected; or kept only on a disk which is itself kept securely. Student Obligations Students must ensure that all personal data provided to the college is accurate and up to date. They must ensure that changes of address, etc are notified to their tutor. If they are using college computer facilities to process their personal data, they are responsible for its security. Rights to Access Information Staff, students and other users of the college have the right to access personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should complete the college Access to Information form, which is available on the college intranet, and give it to their line manager / personal tutor. The college will make a charge of 10 on each occasion that access is requested, although the college has the discretion to waive this. The college aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 21 days unless there is a good reason for delay. In such cases, the reason for delay will be explained in writing to the person making the request. Publication of College Information Information that is already in the public domain is exempt from the 1998 Act. It is the college s policy to make as much information public as possible, and in particular the following information will be available to the public. Names of college governors List of all staff Photographs of staff Student examination results Student destinations Photographs of students

5 It is the college s policy to make as much information public as possible. Access to public information is to be available under the Freedom of Information Act The college internal phone list will not be a public document Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact the designated data controller. Subject Consent In many cases the college can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express written consent must be obtained. Agreement to the college processing some specified classes of personal data is a condition of acceptance of a student onto any course, and a condition of employment for staff. This includes information about previous criminal convictions. College staff will be in contact with young people between the ages of The college has a duty under the Children Act and other enactments to ensure that staff are suitable for the job, and students for the course offered. The college has a duty of care to all staff and students and must therefore make sure that employees and those who use the college facilities do not pose a threat or danger to other users. The college will also ask for information about particular health needs, such as allergies, or conditions such as asthma or diabetes. The college will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for example. Therefore, all prospective staff will be asked to sign a consent to process form and students will be asked to sign a declaration on their learning agreement. Processing Sensitive Information Sometimes it is necessary to process information about a person s health, criminal convictions, race and gender and family details. This may be to ensure the college is a safe place for everyone, or to operate other college policies, such as the sick pay policy or equal opportunities policy. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the college to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to, this without good reason. The Data Controller The college as a corporate body is the data controller under the Act, and the board is therefore ultimately responsible for implementation. However, the designated data controllers will deal with day-to-day matters. The college has two designated data controllers. document. They are named on the top of this

6 Retention of Data The college will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so. In general, information about students will be kept for a maximum of 10 years after they leave college. This will include name and address academic achievements copies of any reference written copies of job/course application forms progress reports. All other information, including any information about health, race or disciplinary matters will be destroyed within 6 months of the course ending, except in instances where this data is retained by the Equal Opportunities Co-ordinator for statistical purposes. The college will also need to keep information about staff for longer periods of time. In general, all information will be kept for 10 years after a member of staff leaves the college. Some information will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references. A full list is available from the data controller. Conclusion Compliance with the 1998 Act is the responsibility of all members of the college. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to college facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy would be taken up with the designated data controller.

7 Staff ICT Policy The ability of employees to use external and to access the Internet provides new opportunities for the College as it facilitates the gathering of information and communication with fellow employees, customers and other contacts. However, Internet and access opens up the College to new risks and liabilities. It is therefore essential that employees read these guidelines and make themselves aware of the potential liabilities involved in using e- mail and the Internet. 1. General Points 1.1 Use of and the Internet is primarily for work-related purposes. 1.2 The College has the right to monitor any and all aspects of its telephone and computer system that are made available to you and to monitor, intercept and/or record any communications made by employees, including telephones, or Internet communications. In addition, the College wishes to make you aware that Close Circuit Television (CCTV) is in operation for the protection of employees and students. 1.3 Computers and accounts are the property of the College and are designed to assist in the performance of your work. You should, therefore, have no expectation of privacy in any sent or received, whether it is of a business or personal nature. 1.4 It is inappropriate use of and the Internet for employees to access, download or transmit any material which might reasonably be considered to be obscene, abusive, sexist, racist or defamatory. You should be aware that such material may also be contained in jokes sent by . Such misuse of electronic systems will be misconduct and will, in certain circumstances, be treated by the College as gross misconduct. The College reserves the right to use the content of any employee e- mail in any disciplinary process. 2. Use of s should be drafted with care. Due to the informal nature of , it is easy to forget that it is a permanent form of written communication and that material can be recovered even when it is deleted from your computer. 2.2 Employees should not make derogatory remarks in s about employees, students, competitors or any other person. Any written derogatory remark may constitute libel. 2.3 Try not to create congestion by sending trivial messages or unnecessarily copying s. Employees should regularly delete unnecessary s to prevent over-burdening the system. 2.4 Make hard copies of s which you need to retain for record keeping purposes. 2.5 You may want to obtain confirmation of receipt of important messages. You should be aware that this is not always possible and may depend on the external

8 system receiving your message. If in doubt, telephone to confirm receipt of important messages. 2.6 Reasonable private use of is permitted but should not interfere with your work. The contents of personal s must comply with the restrictions set out in these guidelines. Excessive private use of the system during working hours may lead to disciplinary action and may in certain circumstances be treated by the College as gross misconduct. 2.7 By sending s on the College s system, you are consenting to the processing of any personal data contained in that and are explicitly consenting to the processing of any sensitive personal data contained in that . If you do not wish the College to process such data you should communicate it by other means. The Principal and other Senior Post holders have the authority to authorise access to personal correspondence and internet sites following a grievance, complaint or in the event of any potential disciplinary action. In the case of Senior Post holders, the Chair of Governors would authorise. 3. Use of the Internet 3.1 Reasonable private use of the Internet is permitted but should be kept to a minimum and should not interfere with your work. Excessive private access to the Internet during working hours may lead to disciplinary action and may in certain circumstances be treated by the College as gross misconduct. 3.2 The sites accessed by you must comply with the restrictions set out in these guidelines. Accessing inappropriate sites may lead to disciplinary action and may in certain circumstances be treated by the College as gross misconduct. 4. Copyright and downloading 4.1 Copyright applies to all text, pictures, video and sound, including those sent by or on the Internet. Files containing such copyright protected material may be downloaded, but not forwarded or transmitted to third parties without the permission of the author of the material or an acknowledgement of the original source of the material, as appropriate. 4.2 Copyrighted software must never be downloaded. Such copyrighted software will include screen-savers. 4.3 The downloading of bit-mapped images and multimedia files is limited to the disk space limitation above. 4.4 College employees should show reasonable vigilance concerning viral threats when importing any files by any means into College systems and should seek help from IT support if in doubt. 4.6 College employees must not use computer systems to purport to speak on behalf of the College unless authorised to do so by the Principal or Governors.

9 5. General computer usage 5.1 You are responsible for safeguarding your password for the system. For reasons of security, your individual password should not be printed, stored on-line or given to others. User password rights given to employees should not give rise to an expectation of absolute privacy. 5.2 Your ability to connect to other computer systems through the network does not imply a right to connect to those systems or to make use of those systems unless authorised to do so. You should not alter or copy a file belonging to another user without first obtaining permission from the creator of the file. The Principal and other Senior Post Holders have the authority to authorise access to personal correspondence and internet sites following a grievance, complaint or in the event of any potential disciplinary action. In the case of Senior Post Holders, the Chair of Governors would authorise. 6 Network Management Department The Network Management Department is there to assist you. If you require any information or help about the use or set up of your computer you should contact any of the Department s members of staff. 7 Equal Opportunities This policy has been framed in compliance with the college s Equality and Diversity Policy. More detailed information can be found in the College s Disability Statement and the Equal Opportunities Policy, which can be viewed on the College website ( Copies are also available from the College on request.

10 STAFF GUIDELINES FOR DATA PROTECTION 1. All staff process data about students on a regular basis, when marking college work, writing reports or references, or as part of a pastoral or academic role. The college will ensure through enrolment procedures that all students give their consent to this sort of processing. The information that staff deal with on a day-to-day basis will be standard and cover categories such as: General personal details such as name and address. Details about class attendance, course work marks, grades and comments. Notes of behaviour and discipline. Ethnic information. References and examination results from former schools. 2. Information about a student s physical or mental health, sexual life, political or religious views is sensitive and can only be collected and processed with the students consent. e.g. recording information about dietary needs, for religious or health reasons prior to taking students on a field trip; recording information that a student is pregnant, as part of pastoral duties. 3. There may be occasions when it is impossible to obtain the consent of the student to pass on certain sensitive information: E.g. a student is injured and unconscious, but in need of medical attention, a staff member may have to pass on relevant medical information.

11 DATA PROTECTION ACT 1998 Guidelines for Retention of Personal Data HR files and data Application forms Redundancies Income tax / NI returns Statutory Maternity Pay Statutory Sick Pay Salary Records Accident Book Health Records Medical records (COSH) Student Records 6 years from end of employment 6 mths from the date of interview 3 years from date of redundancy minimum 3 years minimum 3 years minimum 3 years 6 years 3 years after last entry 3 years 40 years 10 years

12 TO RETURN TO HUMAN RESOURCES FOR STAFF RECORDS I agree to adhere to the guidelines stated in the E-safety framework and the safe use of ICT policy. Signed: NAME: Date: Author: P Gordziejko D Todd Date drafted: May 2010 Date reviewed: November 2014 Date of next review: Spring 2016