Washwood Heath Academy Use by staff of private communication devices policy

Transcription

1 As a learning community, Washwood Heath Academy wants all staff and students to be able to be safe users of ICT and all data storage. The development of responsible, independent users is a prime aim of our Academy in developing people and helping them to be safe, happy and successful. Washwood Heath Academy grants its staff the privilege of using smartphones and tablets at work for their convenience. Washwood Heath Academy reserves the right to revoke this privilege if users do not abide by the policies and procedures outlined below. This policy should be read in conjunction with those relating to e-safety and data protection. This policy is intended to protect the security and integrity of Washwood Heath Academy s data and technology infrastructure. Limited exceptions to the policy may occur due to variations in devices and platforms. Staff must agree to the terms and conditions set forth in this policy in order to be able to connect their devices to the Academy network. Acceptable Use The Academy defines acceptable use as activities that directly or indirectly support the teaching and learning of Washwood Heath Academy. Devices may not be used at any time to: o Photograph students at Washwood od Heath Academy or any other educational establishments visited on behalf of the Academy, unless a professional decision is made that a photograph should be taken, for example: of a moment to celebrate or the image may assist the investigation of a misdemeanour. In such cases, personal devices should not be used if at all possible. In the event staff do take photographs of students on their own device, they must: remove the data/photo at the first opportunity and inform the Senior Information Risk Officer immediately. o Store or transmit illicit materials o Harass others o Engage in outside business activities. Employees may use their mobile device to access the following Academy owned resources: o o Calendars o Whoodle o eportal Ratified FGB Page 1 of 6

2 Streaming Media (You Tube, BBC iplayer, NetFlixetc) are bandwidth intensive and will affect the performance of the wireless network for the whole Academy. Therefore, staff are asked to avoid using these tools during teaching hours, unless absolutely necessary. Devices and Support Personal electronic devices and other valuables are brought into Academy at owner s risk. Smartphones including iphone, Android, Blackberry and Windows phones are allowed. Tablets including ipad and Android are allowed Academy Network Connectivity issues are supported by IT; employees should contact the device manufacturer or their carrier for operating system or hardware-related issues. Before the device is handed to any third party supplier for repair, all Academy data must be wiped using a Mobile Device Management (MDM) tool Staff are reminded that electrical items (including chargers) must be PAT tested for safety by Site Services before they can be used in Academy If device is sold, scrapped or given away, the device must be wiped of all Academy data through Mobile Device Management (MDM). When a colleague leaves the Academy, as part of the procedures, they will sign a document to confirm that they no longer have school data on their device (s). Reimbursement Staff are personally liable for all costs associated with his or her device. As the Academy provides a Microsoft Windows Laptop to all Curriculum Staff, it will not contribute toward the cost of additional devices. The Academy will not reimburse staff for roaming costs, mobile phone tariffs, etc. Security Personal electronic devices and other valuables are brought into Academy at your own risk. The device must lock itself with a password or PIN if left idle for five minutes. Rooted (Android) or jail broken (ios) devices are strictly forbidden from accessing the network. Staff must be able to remotely wipe all device that contain Academy personal data on it if o the device is lost o the employee terminates his or her employment o IT Support department detects a data or policy breach, a virus or similar threat to the security of the academy s data and technology infrastructure. Staff will be expected to install a Mobile Device Management Product (MDM) product to allow them to remotely wipe the device. In the event of a data a breach/loss of device the IT staff will remotely wipe through accessing the users own Client Ratified FGB Page 2 of 6

3 o This will remove ALL data not just Academy data o The users password may need to be reset to perform this action Risks/Liabilities/Disclaimers The Academy reserves the right to disconnect devices or disable services without notification. The employee is expected to use his or her devices in an ethical manner at all times and adhere to the Academy s acceptable use policy as outlined above. Washwood Heath Academy reserves the right to take appropriate disciplinary action up to and including termination of employment for non-compliance with this policy Lost or stolen devices must be reported to the Strategic ICT Manager as soon as possible and within 24 hours. Staff are responsible for notifying their mobile carrier immediately upon loss of a device. Ratified FGB Page 3 of 6

4 APPENDIX 1: Glossary of Terms What is Bring Your Own Device (BYOD) Bring your own device (BYOD) is when staff, students and visitors use their own electronic devices on premises to access and store corporate information as well as their private data. Data Protection and BYOD The Data Controller (Washwood Heath Academy) must remain in control of the personal data regardless s of ownership of the device. What are the Risks? As the owns the device they are responsible for maintaining and supporting the device. So the Data Controller has less control than with Academy Issued Devices. The security of the data should be accessed. What data is being held? Where is the data stored? How will the data be transferred? How can data be lost (data leakage)? Personal and Professional Usage? What happens when device owner leaves the Academy How to deal with loss, theft, failure and support of device What is Personal Data? Does the data relate to the identifiable living? - If so, it is personal data Curriculum resources are not personal data and so do not need encryption Mark Books/Assessment/Pastoral ssessment/pastoral Records are all personal data and should be stored and transferred on the Academy Network or using encrypted devices. What is Sensitive Personal Data? Personal Data as identified above, but also contains a) the racial or ethnic origin of the data subject b) his religious beliefs or other beliefs of a similar nature c) his physical or mental health or condition The Academy is asked to analyse student data using ethnicity so most Academy reports are Sensitive Personal Data and should be marked as such. Curriculum Resources o PowerPoint Slides o Hand outs o Tools that help you educate students Ratified FGB Page 4 of 6

5 APPENDIX 2: Data risk of BYOD - How is the data transferred? How will users transfer data between the Academy network and their device? Storage/transfer System Public Accounts On-line Public Storage Academy accessed through Mail Apps VPN USBs Recordable DVD/CD Camera Automated Backup Example Hotmail, Gmail, Yahoo SkyDrive, Dropbox, GDrive IOS Client, Android Client, BlackberryClient Cisco Client through Link2ICT Portable USB External Hard Drives Smart Phone, Digital Camera icloud Data Allowed Curriculum Only Note: Data not stored on Academy equipment, and may be outside EU. Curriculum Only Note: Data not stored on Academy equipment, and may be outside EU. All s held within your Academy must be assumed to be personal data. The Academy would prefer staff to use the web client to access Academy remotely. Provide direct link to Academy resources from home.client only works on Windows XP and Windows 7 devices Un-encrypted: By default all USBs are unencrypted so Curriculum Resources only Encrypted: Personal Data should only be stored on encrypted devices. You can use Truecrypt to convert some devices or buy devices with encryption pre-installed. Curriculum Only: do not store personal data as cannot be encrypted Personal Devices No student photos taken on personal equipment. Academy Devices Clear down the SD card/camera Hard Drive after each use. Academy equipment that uses SD cards should be checked to ensure SD card remains with the camera. Lost SD cards/cameras should be reported to IT in the first instance, where you will be asked what is stored. Curriculum Only Data is stored outside the Academy and maybe outside the UK, so no personal data Ratified FGB Page 5 of 6

6 APPENDIX 3 - Mobile Device Management (MDM) Staff should subscribe to a MDM Tool. There are a number of different tools on the market, examples below: MDM System Find My iphone (ipad) Android Device Manager BlackBerry Protect Outlook web Access Meraki System Manager Managed By Academy Description Apple provides Find My iphone to allow users to manage their Apple devices Once logged in to the icloud website s can remote wipe the phone/ipad Google provide Android Device Manager to allow users to manage their Android devices Individuals can remote wipe the device. Research In Motion provide BlackBerry Protect to allow users to manage their Blackberry devices Individuals can remote wipe the device. Individuals can remote wipe the device using Outlook Web Client From Outlook Web Client, Select Options, Phone, you will see all devices that have access to your Academy and the option to remote wipe. In the event of data breach or misconduct the Academy reserves the right to change your password and perform a remote wipe from your account to remove Academy data. This will cause your device to lose all data. The Academy has a Meraki System Manager Account that can load remote management software on Academy owned and privately owned devices. This allows the Academy to remote wipe the device and will remove ALL data not just Academy data. Ratified FGB Page 6 of 6