Available in large font and other formats on request

Transcription

1 ALL STAFF Framework Area: Information, Communication & Business Technology Policy: IT Security Framework Quality Assurance Document Version Control Date of Origination: February 2007 Date of Revision: July 2010 April 2013 Author: Information, Communication & Business Technology Status: Current Consultation with Trade Unions: May 2013 Approved by: Corporation Reviewed and agreed: May 2013 Supersedes: July 2010 Impact Assessment Completed: Active From: February 2007 For Review on: Spring 2016 Available in large font and other formats on request This record may be out of date if printed

2 INFORMATION & TECHNOLOGY SECURITY FRAMEWORK

3 CONTENTS Page 1. FRAMEWORK INTRODUCTION 1 2. e-safety POLICY 6 3. IT SECURITY AND ACCEPTABLE USE POLICY INFORMATION SECURITY POLICY 18

4 1. INTRODUCTION Good practice in Information Technology (IT) security is an essential element in providing the technical applications and infrastructure that underpin and support the teaching, learning, and administrative activities of the College. The College must:- i. ensure that its learners and staff remain safe in their use of technology; and ii. protect its information assets defined for the purposes of this framework as computers, hardware, mobile devices, networks, software and all of the data they contain In doing this, the college will:- Ensure that a high quality technical service is offered to staff, learners and other customers. Maintain and improve its reputation and meet its legal obligations and strategic business and professional goals. Prevent data loss and criminality. Ensure that learners and staff are fully aware of their personal responsibilities for protecting themselves and the college s information assets in accordance with College or any external organisation s guidelines. Protect itself from any financial loss arising from security breaches. 2. SCOPE & STRUCTURE This framework applies to all learners, staff, customers and other stakeholders who access and use the College s IT systems. The framework is designed around a series of policies aimed at protecting:- PEOPLE: ensuring that learners, staff and others who access college systems both on site and remotely remain safe in doing so, DATA & INFORMATION ASSETS: ensuring that all the information that the College collects, processes and stores is held securely and that the risk of unauthorised access or innaproprate disclosure is minimised NETWORK & INFRASTRUCTURE: ensuring that technical infrastructure and physical assets are secure from theft, damage, unauthorised access or malicious attack. 1

5 PROTECTING PEOPLE NETWORK & INFRASTRUCTURE DATA & INFORMATION ASSETS E-SAFETY POLICY IT SECURITY & ACCEPTABLE USE POLICY INFORMATION SECURITY POLICY 3. RESPONSIBILITIES Adherence to the policies included within this framework is the personal, professional and legal responsibility of all staff (including contractors, short term, voluntary staff and anyone with a College IT account) and students. Every person handling information or using the College s IT systems is expected to have proper awareness of and observe the policies and procedures noted within these policies, both during and, where appropriate, after their time at the College and to act in a responsible and professional way. This Policy shall apply to all locations from which College IT systems, data or information are stored or accessed and shall extend to home use and all other off-college sites where applicable. 4. SECURITY BREACHES & INCIDENT REPORTING The College will ensure that adequate incident reporting is maintained which will detail all incidents which are deemed to have breached the policies included within this framework. The reporting will contain: The nature of the incident Details of investigations carried out into the cause of the breach Actions required to reduce the risk of re-occurrence Each incident should be investigated and reported within 7 days of occurrence or notification of the incident. If criminal action is suspected, the College may consider contacting the police immediately. Any security breach will be subject to the college s Disciplinary policy, Anti-Fraud Policy or the learners Code of Conduct 2

6 It is the responsibility of all staff to report known security breaches as follows: Policy e-safety IT Security & Acceptable Use Information Security Reporting Manager Heads of Learner Services (Safeguarding Officers) Head of ICT Manager (Information Services) Contact Crosskeys: Newport: Ebbw Vale: Pontypool & Usk: 5. TRAINING & AWARENESS The College is committed to providing timely, appropriate and relevant training to all users and systems support staff to ensure that they have the knowledge and skills to adhere to the policies included within this framework. 6. MONITORING In accordance with the Regulation of Inv estigatory Powers Act 2000 and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 the College carries out monitoring for the following purposes: To ensure the effective operation of IT systems To investigate or detect unauthorised use of IT systems To establish the existence of facts relevant to the business of the College To determine whether or not the communications are relevant to the business of the College To prevent or detect crime The following logs will be retained for monitoring purposes: Internet Access Log Time, Date, URL, Workstations IP Address, User Name Usage Log Time, Date, Server, To Address, From Address, Subject, Size. Firewall log including user activity and security alerts Workstation Event Logs 3

7 Server Event Logs Network Traffic Logs including the levels of traffic between routers and switches The logs are retained for the following reasons: Monitoring of System Use and Misuse Protection of all users Protection of Network and College Systems Protection of College Capacity Planning and Maintenance Strategic Planning There are specific obligations on the College which are: Keep recorded data secure Comply with legislations and regulations Maintain and review monitoring Procedures Inform Users that such monitoring takes place Duty of Care to Staff and Students Bearing these points in mind the justification for such monitoring is: Duty of Care to protect the College, its Staff and Students Maintain System Security Compliance with College Policies Prevent Misuse of College Systems 7. CONSEQUENCES OF NON COMPLIANCE The College reserves the right to withdraw user access where there is a breach of security or an alleged or significant risk of a security breach. In such cases user accounts may be disabled or services shutdown or withdrawn pending an investigation. The College will collate and report any evidence of misuse to the appropriate authority. Where members of staff are involved, the College Disciplinary Policy and Procedure will be followed. Where students are involved the Learner Disciplinary Process and Policy will be followed. 8. FEEDBACK Coleg Gwent welcomes all constructive feedback on the policies included within this framework. If you would like further information, or wish to send 4

8 us your comments then please contact Hazel Gunter, PA to the Vice Principal (Resources & Financial Planning) via at Useful Links for Further Information: e-safety Child Exploitation & Online Protection Centre Internet Watch Foundation DirectGov- Staying Safe Online fe/dg_ Get Safe Online IT & Acceptable Use policy JISC Information Security Information Commissioners Office Welsh Government 5

9 e-safety In line with the College s duty to safeguard learners and to satisfy our wider duty of care, we will do all that we can to make our learners and staff remain safe online. This e-safety policy should be read in conjunction with other relevant college policies e.g. Safeguarding Children, Protection of Vulnerable Adults, Anti Bullying, and Disciplinary Policy & Procedures. 1. SAFE USE OF COLLEGE IT SYSTEMS AND MOBILE DEVICES Learners, staff and other users are responsible for using the college IT systems and mobile devices in accordance with the college s IT Security and Acceptable Use Policy which staff should actively promote through embedded good practice. 2. SAFE BEHAVIOUR The college will not tolerate any abuse of IT systems. Whether offline or online, communications by staff and learners should be courteous and respectful at all times. Any reported incident of bullying or harassment or other unacceptable conduct will be treated seriously and in line with the relevant college policies. Where conduct is considered illegal, the college will report the matter to the police. 3. SAFE USE OF IMAGES AND VIDEO The use of images or photographs is popular in teaching and learning and should be encouraged where there is no breach of copyright or other rights of another person. This includes images, video, and audio (spoken word & music) downloaded from the internet and images belonging to staff or learners. All learners and staff should receive training and support on the risks in downloading these media as well as posting them online and sharing them with others. Copyrighted music files should never be stored on the college network (e.g. your documents folder of student / staff areas) as it is a form of file sharing without permission. This could be illegal even if you legally downloaded or copied the music in the first place. If learners and staff are being photographed, audio recorded or filmed for ANY purpose during their time at college, then consent must be sought beforehand. Where tutors photograph, record or film learners, the attached consent form must be completed and held on file. 6

10 e-safety 4. SAFE USE OF SOCIAL NETWORKING The following statements are applicable regardless of whether staff and learners are using facilities in college, offsite or at home, at any time. Staff and learners should be aware that social networking websites are a public forum, particularly if the user is part of a "network". They should not assume that their entries on any website will remain private. Staff or learners should never send abusive or defamatory messages. Staff should take care and be aware that online discussions or photographs displayed on social networking sites could be deemed to bring the college into disrepute. Staff should not be friends with Coleg Gwent learners on Facebook or any other social media where there is, or has been, a lecturer/learner relationship in place, as this has the potential to compromise their duty of care to learners and their professional relationship with other college staff. Staff should apply discretion if they are 'friends' with any post compulsory learner in any other capacity e.g. as a personal friend. Staff must not use their college address when registering on social networking websites. They should refrain from entering details on their profile that allow people to identify them as college staff (job status, or comments about named friends/colleagues, etc.). This does not apply if social networking technologies are required for a member of staff to fulfil their job role, as long as these have been agreed with their line manager prior to commencement. Staff and learners must also be security conscious and should take steps to protect themselves from identity theft, for example by restricting the amount of personal information that they give out. Social networking websites allow people to post detailed personal information such as date of birth, place of birth and favourite football team, which can form the basis of security questions and passwords. Staff must complete a risk assessment form (which is available on the Health & Safety page of the intranet) before using any site not hosted by the college but involving social interaction. Any groups set up by tutors to communicate with learners must be private groups and by invitation only. Staff who set these groups up must take action to ensure that none of their personal details are available to other group members (the learners). This can be done by reviewing personal security and information sharing settings regularly for the particular site(s) being used. Staff in any doubt as to how to manage groups and privacy settings should contact the College s e-learning manager for advice. 7

11 e-safety Staff must be aware that learners have a choice in whether they register to an external site/platform. It cannot be a compulsory element of their course/learning In addition, staff and learners should: Ensure that no information is made available on social networking sites that could provide a person with unauthorised access to the college systems and/or any confidential information; and Not record any confidential information regarding the college on any social networking website. 5. SAFE USE OF PERSONAL INFORMATION No personal information can be posted to Moodle, the college intranet or website without the permission of a CMT member or unless as part of a previously approved College administrative process. Only names and work addresses of the Corporate Management Team will appear on the college website. Full details on members of the Corporation and documents relating to the business of the corporation are held on the Coleg Gwent website. Staff must keep learners and staff personal information safe and secure at all times. When using an online platform, all personal information must be password protected. No personal information of individuals is permitted offsite unless provided for in the Coleg Gwent Data Protection Policy. Every user of IT facilities is required to log off on completion of any activity, or where they are physically absent from a device. Any mobile device (laptop, USB) should be used securely in line with the Coleg Gwent Data Protection Policy. Where the personal data is no longer required, it must be securely deleted in line with the Coleg Gwent Archiving /Retention of Documents Policy and Procedure 6.7 Retention of Documents. 6. REPORTING CONCERNS & RECORDING INCIDENTS Learners are expected to seek help and follow procedures where they are worried or concerned, or where they believe an e-safety incident has taken place involving them or another member of the college community. Where an e-safety incident is reported to the college this matter will be dealt with very seriously. The college will act immediately to prevent as far as reasonably possible any harm or further harm occurring. If a learner wishes to report an incident, they can do so to their tutor or to the Head of Learner Services (Safeguarding Officer). Where a member of staff wishes to report an incident, they must contact their line manager. Following any incident, the 8

12 e-safety college will review what has happened and decide on the most appropriate and proportionate course of action. Sanctions may be put in place, external agencies may be involved or the matter may be resolved internally depending on the seriousness of the incident. This is in line with the college Acceptable Use Policy. Serious incidents will be dealt with by senior management, in consultation with appropriate external agencies. All staff should apply relevant college policies and understand the incident reporting procedures. Any incident that is reported to or discovered by a staff member must be reported to the Head of Learner Services (Safeguarding Officer). 7. EDUCATION & TRAINING With the current unlimited nature of internet access, it is impossible for the college to eliminate all risks for staff and learners. Therefore, the college will support staff and learners through training and education, which will provide them with the skills to be able to identify risks independently and manage them effectively. For learners: Learners will attend Internet Watch sessions through their tutorial programme. All learners must receive a Think B4U Click leaflet as part of their induction. Issues associated with e-safety apply across the curriculum and learners will receive guidance on what precautions and safeguards are appropriate when making use of the internet and technologies. Learners should also know what to do and who to talk to where they have concerns about inappropriate content, either where that material is directed to them, or where it is discovered as part of a random search. A link to the college e-safety rules will appear when users log on to the college network and these rules are highlighted in posters and leaflets around IT areas and work stations. Within classes, learners will be encouraged to question the validity and reliability of materials researched, viewed or downloaded Learners will be encouraged to respect the copyright of other parties and to cite references properly to demonstrate that they appreciate the issues surrounding plagiarism. Learners must also appreciate the nature of online communications and be coached by tutors to ensure that they understand the issues of posting messages and other materials (such as photographs) online. The world wide web can create a permanent record of activity and 9

13 e-safety learners need to be able to appreciate the consequences of this, even in terms of the effect on future prospects of employment. For staff: All staff are required to take part in e-safety training and engage with regular updates. For new staff this will be part of the induction process. General e-safety training will be offered during at least one INSET day each year. The Manager for Learning & Development will liaise with the e- Learning Manager to identify suitable internal or external experts to carry out the annual training at INSET. Online resources will be made available and the e-learning Manager will issue updates in guidance via electronic means when required. Each member of staff must record the date and details of all e-safety training that has been training attended. This should be done via Passport to Success. 10

14 IT Security & Acceptable Use The College will ensure that the network, network equipment and other IT equipment is secure, fit for the purpose and used appropriately 1. AUTHORISATION TO USE COLLEGE IT SERVICES All Students who have enrolled at the College and all staff employed by Coleg Gwent are entitled to a unique personal user account that provides them with appropriate access to IT resources based on their course of study or role. These accounts are always password protected. Users are required to take responsibility for the account that is provided to them and should be aware of the following points: User passwords should remain confidential. If users suspect that their password is known to others they should change their password immediately. Users must not share or divulge account details such as username and password. User passwords should be changed regularly and passwords need to conform to the minimum length and complexity rules. Users should ensure that they logout or lock their workstations if they leave their workstations unattended. Users should not store data on the workstation. Workstation disks (C:\ drive) are not backed up and are liable to fail or be stolen. Data should be stored on appropriate server based shared drives. User Workstations should be logged out before users leave College premises. The IT Department will make appropriate backups of user data held in the appropriate locations on College servers. Redundant user accounts will be disabled within 24 hours of receipt of information and removed by the IT Department in accordance with the Windows Domain User Account Removal and Deletion policy, currently available on the IT pages of the college intranet. 2. GENERAL GUIDANCE ON ACCEPTABLE USE Users will not use company resources for commercial activity, such as creating products or services for sale. Users will not send inappropriate mass mailings not directly associated with, or in the performance of, the routine course of duties or assignments. This includes multiple mailings to newsgroups, mailing lists, or individuals, e.g. "spamming," "flooding," or "bombing." 11

15 IT Security & Acceptable Use Users will not forge the identity of a user or machine in an electronic communication, e.g. spoofing. 3. USE OF WORKSTATIONS With a valid username and password, users are granted access to workstations (P.Cs and laptops) on which recognised, legitimate and appropriate software is installed (including the operating system and appropriate Anti-Virus software). Users must accept that:- Installation of System or application software can only be performed by IT Support staff or with the authorisation and permission of the IT Department and users must not install their own software. Access to local system settings will be restricted where appropriate and users must not attempt to bypass or override any security measures in place. 4. NETWORK SECURITY The IT Department is responsible for all networking at Coleg Gwent and the security of networked devices and user, all measures will be taken to ensure this security by implementing up to date security systems and adopting best practises. The College IT Network consists of switches, routers, servers and firewalls. Access to Switches, routers, servers and other networking equipment is password protected and restricted to appropriate users. Up-to-date backups of device configurations will be made by the IT Department. Access to network resources will require a valid username and password. Access to, and the performance of, networks is heavily dependent upon the number of other client connections to the network and their usage. Misuse of the network. Users must not access or run any utilities of services, either deliberately or inadvertently, which might negatively impact on the overall performance of the network or deny access to the network, e.g. RF jamming, Denial of Service (DoS). Misuse of the network will be taken extremely seriously. Such misuse may lead to: 12

16 IT Security & Acceptable Use Immediate permanent disconnection of any unapproved networking equipment. Disciplinary action under current college regulations and policies. The IT Department is responsible for maintaining the availability of the College network. In order to better manage, monitor and to identify rogue devices and possible misuse of the network, the IT Department will make periodic sweeps of the College network and make use of passive monitoring devices and intrusion detection software. Any unauthorised devices operating within the College network will be considered Rogue Devices. As such, depending upon configuration, these devices may present a substantial security threat and will be subject to removal from the network. It is expressly forbidden to activate within the College, any Rogue Device that may conflict with the College Network. A rogue device is one which is not authorised by the College and which conflicts or interferes with legitimate College business. 5. INTERNET SECURITY & ACCEPTABLE USE Internet Access is provided for the educational, business and training needs of learners and staff and users should be aware that such access may be withdrawn on the recommendation of the Line Manager, Head of Learner Service or a member of the college senior management team. Limited personal use of the internet is permitted provided it is not excessive, illegal or contravenes the College code of conduct for learners or staff, or has a negative effect on the user s performance. The line manager, tutor or any other member of staff or learner has the responsibility to stop, prevent or report any such internet access breach Users should be aware that: All internet access is subject to filtering. Appropriate filtering policies are implemented to ensure the Colleges compliance with legal requirements and appropriate usage policies of third party organisations such as JANET. The College has a duty of care to its learners and staff and must protect its own image and reputation. To this end the College will block content that may be violent, racists, illegal or inappropriate. College staff should maintain high professional standards when participating in Social Networking environments (including blogs and message boards). Communicating with current, past or potential Learners 13

17 IT Security & Acceptable Use via these sites carries a risk and staff should consider the consequences of sharing personal information or thoughts via such sites. This is covered in more detail in the college e-safety policy. Unless otherwise noted, all software on the Internet should be considered copyrighted work. Therefore, employees are prohibited from downloading software and/or modifying any such files without permission from the copyright holder. 6. SECURITY & ACCEPTABLE USE s generated on college computers and information contained in such e- mails are the property of the college. accounts should be used in a responsible and professional manner by College staff and learners. Users need to be aware that: s can be used in legal and contractual proceedings in the same way as hard copy documentation. Deletion from a user s mailbox does not mean that the is permanently removed and all s should be treated as potentially retrievable. Staff using Coleg Gwent accounts are acting as representatives of the College and as such, should act accordingly to avoid damaging the reputation of the College. All users should adhere to the Coleg Gwent Etiquette guidance which is available on the Marketing & Communications pages of the college Intranet Any publishing of malicious, defamatory or discriminatory material on , twitter, facebook etc. is equivalent to publishing and therefore illegal with possible consequences of fines or prison If a user feels that they have been harassed, bullied or offended by material sent to them by a Learner or member of staff via , they should inform their line manager or course tutor who will consider whether the College s policies should be applied s sent outside the College must bear the College disclaimer, which is automatically generated on leaving the organisation If an employee is absent and communications need to be checked to ensure the smooth running of the college, then access to an employee s account will be provided to the line manager when authorised in writing by a senior manager. Additionally, access to user accounts may be required in the course of criminal or disciplinary investigations. Such access will be authorised by the VP (F,E&IS) and the VP (HR&OD). Limited personal use of is permitted provided it is not excessive or has a negative effect on the user s performance. Discretion is placed on the line manager, tutor or other appropriate authority. The 14

18 IT Security & Acceptable Use line manager, tutor or any other member of staff or learner has the responsibility to stop, prevent or report any such abuse Staff should not use their College address to register on personal website accounts 7. WIRELESS NETWORK SECURITY AND ACCEPTABLE USE The College is committed to providing comprehensive and secure wireless access to College systems. The IT Department is responsible for all wireless networking at Coleg Gwent and users should be aware of the following: Access to Wireless network resources will require a valid username and password The Wireless Network shall be treated in the same way as the wired network with the following additions. Users must not: i. Intercept or attempt to intercept other wireless transmissions for the purposes of eavesdropping ii. Access or run any utilities or services, either deliberately or inadvertently, which might negatively impact on the overall performance of the network or deny access to the network, e.g. RF jamming, Denial of Service (DoS) Misuse of the wireless network or College wireless spectrum will be taken extremely seriously. Such misuse may lead to: i. Immediate permanent disconnection of any unapproved wireless networking equipment ii. Disciplinary action under current College regulations and policies Due to possible interference from other sources, the College wireless spectrum should be kept clear of unauthorised transmissions. The IT Department will make periodic sweeps of the College wireless coverage area and in strategic locations, make use of passive monitoring devices and intrusion detection software. Any unauthorised wireless devices operating within the College wireless spectrum will be considered Rogue Devices. As such, depending upon configuration, these devices may present a substantial security threat and will be subject to removal from the network. The IT Department must be notified of any existing or proposed wireless installations. All wireless installations must comply with the wireless network architecture and standards developed through the IT Department. It is expressly forbidden to activate within the College, any Rogue Device that may conflict with the College Network. A rogue device is one which is not authorised by the College and which conflicts with legitimate College business 15

19 IT Security & Acceptable Use 8. MOBILE DEVICE SECURITY & ACCEPTABLE USE Regular Risk Assessments will be undertaken to determine the security risks of allowing College IT systems to be accessed using a mobile device such as a Smartphone or Tablet computer Any device connected to the College sy stem will be subject to a security policy that will enforce the use of a security password to protect the device All users who are allowed access to or other college systems via a mobile device will be asked to agree to a disclaimer before access is provided. The user will agree to use, maintain and protect the security password. They will also agree to report any loss or theft of their protected device to the college IT Department. This policy will apply to any mobile device that is allowed to connect to college IT systems whether it is owned by the college or personal property of the user. 9. PHYSICAL ASSET SECURITY IT assets must be kept secure from theft and damage and users should be aware of the following: Workstations (and other equipment) are to be security marked and asset tagged in accordance with the IT Support Quality Manual QM2.5 Appropriate security measures to ensure the safety and integrity of all IT equipment must be implemented. Where deemed suitable, some equipment may be physically secured by the use of brackets, Cages, or security cables Physical access to rooms containing server computers or Network equipment must be restricted to authorised personnel (IT Support Staff). Authorised visitors such as contractors must be supervised by a member of the IT Department All IT equipment items will be marked in such a way as to identify them as a Coleg Gwent asset and entered into the College Asset Database where appropriate. IT Equipment moves must only be undertaken with the co-operation and involvement of the IT Department. This is essential to maintain the accuracy of the Asset Database and to ensure that moves and changes take place without un-necessary downtime. Mobile equipment may only be taken off-site when accounted for under the provisions of the IT Mobile Device Usage Policy, IT Projector & Laptop loan policy 16

20 IT Security & Acceptable Use 10. SECURE ASSET DISPOSAL It is the responsibility of the IT department to ensure that all redundant assets are disposed of securely. In doing so: All items of equipment containing storage media (e.g. fixed hard disks) will be checked to ensure that any sensitive data and licensed software have been removed or overwritten prior to disposal Storage devices containing sensitive information will be physically destroyed or securely overwritten rather than using the standard delete function 17

21 Information Security It is the College s policy that the information that it manages (both manual and electronic) is appropriately secured to: ensure compliance with relevant legislation and guidance protect against unauthorised access ensure confidentiality is maintained, especially where third party or personal data is held ensure business continuity and the protection of assets prevent failures of integrity, or interruptions to the availability of that information 1. IDENTIFYING INFORMATION ASSETS The College will maintain an up to date inventory of all its information assets i.e. types of information that it holds electronically on college systems and in manual paper based systems. All information assets will be assigned to an Information Asset Owner who has responsibility for the information assets in their ownership. 2. DEFINITION OF CONFIDENTIALITY There are a number of data types which can be classified as confidential: (i) Confidential Personal Data Requires measures to ensure confidentiality Coleg Gwent collects and stores the personal information of learners, staff and members of the Corporation in line with the Coleg Gwent registration with the Office of the Information Commissioner. This includes for example names, dates of birth, addresses, assessment materials and so on. The college will keep that information safe and secure in accordance with the Coleg Gwent Data Protection Policy and Procedure 6.10, The Control, Processing And Accessing of Personal Data. All personal data within the meaning of the Data Protection Act Data about identifiable, living individuals which relates to an individual in any significant way, is biographical and has an individual as its focus. Examples: Staff Applications and personnel records, Pay and sickness records 18

22 Information Security Student Applications and Enrolment Data. (ii) Sensitive Personal Data Requires explicit consent to collect and enhanced measures to ensure confidentiality Ethnic Origin Political Opinions Religion Trade Union membership Health (Physical and mental) Sexual orientation Offences, allegations, proceedings, sentences Examples: Staff Equal Opportunities monitoring Data Student Form B (Learning difficulty and disability assessments, From D medical questionnaire) (iii) Commercially sensitive data Data which is held by the college and relates to past, current or future transaction of a commercial nature where disclosure of information could undermine the college s interests Tender documentation containing competitive price data Documents relating to property transactions during negotiating periods 3. DATA PROCESSING SYSTEMS The College will maintain a register of all systems used to process personal data in the College. This will include: the type of system, the types of personal data held the purpose of processing. The purpose of the registers is to ensure that all processing of personal data within the College is adequately notified to the Information Commissioner. College staff are only allowed to use authorised systems for processing personal data. Any request to establish new systems for processing personal data must be made formally to the Data Protection Officer on a form available on request from the Head of Information Systems. 19

23 Information Security 4. SECURE DATA STORAGE All staff are responsible for ensuring that: Any personal data, which they hold, is kept securely i. Manual data - should be kept in a locked filing cabinet or locked drawer and/or kept in a room which is has secure access and is locked when not occupied ii. Electronic data must be password protected Personal data is only stored on appropriate systems on the college network Personal data is not be stored on standalone computer Integral Drives Unless specifically Authorised by the Data controller for a specific role (e.g laptops for work place assessors) Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party Only college authorised devices with appropriate encryption software may used to store personal data. Members of staff must seek the approval of their manager before storing data on a portable mobile device College offices where staff are employed to process personal data should be locked when not occupied. Consideration should be given to door security systems such as key pads in multi-occupied rooms to prevent unauthorised access. Staff should take particular care with data processed while working at home. College personal data must not be stored on home PCs. Staff and Learners who use Data Storage Devices (such as a smartphone, laptop, USB memory stick, portable disk drive) that might contain College data must ensure that it is kept secure at all times, especially when travelling. Passwords must be used to secure access to data kept on such equipment to ensure that confidential data is protected in the event that the device is lost or stolen. All users should exercise the same care as when using any other means of communication. 5. SECURE DATA TRANSMISSION Personal or sensitive data must be transmitted by appropriate secure means: A risk analysis must be undertaken with respect to the nature of transmitted data, the intended recipients and the volume of data. Data transmitted outside of the college by electronic means must be encrypted or sent via secure data transmission sites. Data transmitted within the college by electronic means must be password protected or encrypted. Data must only be transferred using college approved media devices. Staff should ensure that casual disclosure does not take place by for example leaving computer printouts or manual records containing personal or sensitive data uncovered on desktops or by allowing unauthorised users to view computer screens. 20

24 Information Security 5. RETENTION OF DATA Personal data will be retained for no longer than is necessary for the purpose for which it was collected. Standard retention times are necessary to meet various contractual requirements. Standard retention times for documents relevant to the college Financial control procedures are specified in the College Retention of Documents Procedure. 6. DISPOSAL OF DATA Particular care must be taken with the disposal of personal data. Staff should be aware that the same standards should be applied to informal records, lists and printouts held by individual members of staff containing personal data as to records which are part of the formal College records system: This material must not be disposed of in ordinary office waste paper bins. Personal data must be destroyed by secure methods such as shredding or confidential waste sacks handled by authorised contractors. Specific responsibilities are outlined in the Coleg Gwent Financial Procedures Manual. Formal records may only be destroyed with the appropriate authority. 7. CCTV CCTV systems in the College are only used for the prevention and detection of crime and the college must ensure that: CCTV systems are positioned to avoid capturing images of persons not visiting College premises the recorded images must be stored safely and only retained long enough for any incident to come to light recordings will only be made available to law enforcement agencies involved in the prevention and detection of crime and to no other third party. 21