Web Site Download Carol Johnston
What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party.

Web Site Download
Carol Johnston, Corporate Development
November 2012

All Schools are separate legal entities for Data Protection purposes (known as Data Controllers) rather than a collective part of the North Eastern Education and Library Board.

This document is intended to act as a general guide. Data Protection can be complicated so it should not be taken as an absolute statement of the law and obligations covered by the Data Protection Act. It is a criminal offence to break any conditions of the Act. It is essential that you follow the procedures you have adopted within your school on handling and releasing information.

Further information is available from the Information Commissioner's Office via a Data Protection Help Line: Tel or their web-site:

http://www.neelb.org.uk

Introduction

Schools collect and process personal information to deliver educational services. The school is the Data Controller as it determines the purpose and manner in which personal information is processed. For the individual or Data Subject, personal privacy and confidentiality is expected. The school is responsible for controlling the amount of information collected; its accuracy; its security; what it is used for; who it is shared with; and that it is not kept for longer than necessary.

Schools are adopting new technologies, such as contact by text or emailing services, attendance/behaviour management reporting, cashless catering systems, virtual learning environments and online assessment environments, to deliver services, communicate with parents and help teachers collaborate. With such advancements, schools often employ external companies or Data Processors to support the delivery of services.

Anyone who has access to a school's information (including anyone employed by an external company) must be made aware of the school's procedures for handling personal information. It should never be assumed that because of their occupation, they fully understand their responsibilities. You need to show that you are managing any risk which could be associated with allowing third party access to the information you hold.

The aim of this guide is to offer general data protection advice, and it contains guidance from C2K on the technical issues around granting access to the SIM system. For technical guidance on SIM access, please contact your local C2K Support Manager. Any school considering buying goods or services should contact the Board's Procurement Office for advice and support.

For advice on Data Protection Subject Access Requests you can refer to the Claims and Legal Administrator, Wendy Nelson, by email: Wendy.Nelson@neelb.org.uk

Further information is available from the Office of the Information Commissioner's website:

School's Responsibility

The School is the Data Controller (School Principal) and decides on the level of access to anyone (Data Processor) who processes their information. Although a Data Processor may have their own view on the access they require, the Data Controller must satisfy itself that this is not excessive.

NB: The School Principal and Board of Governors are accountable for any breach of the Data Protection Act by the Data Processor where the school isn't able to demonstrate that proper assurances were obtained at the beginning and managed throughout the process.

It is recommended the school obtains these assurances, in writing, before any access is granted. This will provide evidence of the school complying with its obligations as a Data Controller under the Data Protection Act. It will also mean that the detail supplied by the Data Processor can be revisited from time to time to make sure it is still accurate.

Any person/company/organisation wishing to access information should complete and sign a questionnaire and return it to the school before any agreement on the level of access is made. Questions you should consider asking are included in the Appendix to this document. This is a checklist of assurances a school should obtain from a Data Processor before allowing access to personal information. Depending on the service a school is purchasing, it may not be necessary to ask all of the questions listed or there may be additional questions which will be apparent when you examine the process.

Data Protection: Relevant Principles to Consider

The First Data Protection Principle states that personal data must be processed fairly and lawfully. This means that personal data must be used in a way the data subjects would expect or to which they have agreed. Schools must consider if data subjects need to be informed before using personal data in any new way. In a school context, if it is something the school has always done, but simply intends to do in a new way, then informing data subjects (pupils, parents or staff) of the school's intentions and providing reassurance around security/privacy etc. may be sufficient. If the data is to be used for a completely new purpose the school should consider informing those involved. There are special conditions if sensitive personal data is involved. Details are contained in Schedule 3 of the Data Protection Act.

The Second Data Protection Principle requires that personal information obtained for one or more specified and lawful purposes must not be processed in any way incompatible with that purpose (unless the data subject gives permission). For example, if phone numbers are collected for the purpose of contacting parents they must not be used for any other purpose such as target marketing from a company offering services.

The Fifth Data Protection Principle requires that personal data is not kept for longer than it is needed for its specific purpose. This means making sure that information is destroyed when it is no longer required.

The Seventh Data Protection Principle requires that appropriate security is in place to safeguard personal information. Assurances must be obtained from the Data Processor that information is held and processed securely. Breaches of the Act by a Data Processor could leave the school liable to fines and penalties.

A part of this principle which is often overlooked is that it conveys the responsibility of making sure staff are aware of security procedures and their obligations under the Data Protection Act and, importantly, that they appreciate that they can be individually liable for any breach they commit. Security is not only about having procedures to protect computer systems, locking filing cabinets, clearing sensitive paperwork from desks and making sure that waste containing personal data is disposed of by shredding etc.; one of the most important requirements is ensuring that personal data is not disclosed to someone who does not have a right to receive it.

School Data Notification

A school should ensure its Data Protection notification shows the processing of information with the service provider. If it isn't, the registration must be amended.

Data Processor Assurances

With regard to Data Processor Assurances, please consider:

Certain information from any third party company wishing to extract information from Sims database held within the C2K network should be obtained in the first instance. Written assurance should be obtained before any agreement on the level of information extraction is agreed.

Suppliers should have a clear understanding of what standards they need to meet.
- Have standards been communicated clearly?
- Are the consequences of failure clear and contractually robust?
- Has a rigorous process for monitoring Suppliers' performance against such Standards been established?
- Are you sufficiently confident that the Supplier is managing their information risks?

School staff should be aware of the information that Suppliers can legally request from your school.

Suggested questions for the Supplier are in the Appendix to this document. Depending on the service you are purchasing, it may not be necessary to ask all of the questions or there may be additional questions which will become apparent when you examine the process or the product details published by the Supplier.

Unless the Supplier will be handling sensitive information, e.g. Special Education, Education Welfare or Child Protection Records etc., or their staff are required to physically enter the school without supervision, you may not need to determine if they have a criminal record.

For continuity purposes you should determine from the Supplier the name of a nominated person who will be your School's key contact.

TECHNICAL STANDARDS AND CONTROLS: ADVICE FROM C2K

ACCESS LEVELS AND PASSWORD MANAGEMENT

The minimum level of access should be granted. Usernames should be unique and details should never be passed to another user. A recommended approach is to create a dedicated MIS user account for the purpose of data extraction. A third party service provider must not share C2K network user accounts between schools. If a username is compromised the password must be changed immediately. In the event of any service disruption due to third party software, C2K managed service providers may charge for service restoration.

PHYSICAL SECURITY

Clear details must be provided as to the method of data access. The Data Controller should be aware if the Data Processor will need onsite access and/or remote access to school systems. Some remote access methods take over the user desktop and have access to all areas on the user desktop. C2K have a remote access solution which can be requested. (Other methods are not recommended.) A120 should be completed by the Data Processor if this method of access will be required.

It is recommended that the Data Processor has obtained an accreditation in information security (ISO 27001/BS 7799). Such accreditations provide extra assurances that the Data Processor (or sub-contractor) has considered data security in all its processes and procedures.

EXTRACTION FORMAT

Clear details must be provided on the format in which any data will be extracted. The Data Controller should ensure it has a general understanding of the extraction format and should seek further details or explanation of any technical terms where necessary.

The Data Controller must be able to view the data in this format if, at any stage, it wishes to verify the data being transferred. The Data Controller should understand the method being used to extract the data, e.g. CSV file, spread sheet, automated software routine, and the frequency of the extraction process. The Data Controller may wish to view a sample of the data being extracted.

SECURING THE TRANSFER

Data containing personal information should be transferred using a secure encrypted method. Transfer via removable media or attachment is not recommended, especially where sensitive personal information is involved.

The Data Controller should be satisfied that data is transferred, whether to an external destination or internally within the school, using a secure method, e.g. HTTPS, SSL, VPN and Encryption. This is important as data could be intercepted on the internet if it is not sent using a secure method. If data is copied to a mobile storage device, e.g. USB pen drive, the data should not leave the site on that device unless the device is encrypted.

HARDWARE OR SOFTWARE INSTALLATION/OPENING PORTS

Sometimes third party software requires specific ports to be opened. C2K must be informed as this will be subject to security and performance testing. If hardware will be connected to the managed network, information sheet A065 will need to be completed by the Data Processor. This can be obtained from C2K.

If software requires changes, i.e. a port opened, firewall changes, proxy or browser changes, details will have to be recorded on information sheet A065. This will begin a process which will allow C2K and managed service partners to evaluate requested changes and determine if they will have any impact on the school's managed service. If this will incur a cost it should be determined whether the school or Data Processor will be responsible for the cost.

TRANSIENT DATA

If third party software is used to transfer information, software can keep a copy on a local PC hard drive. The Data Controller needs to know if this is likely in order to prevent any unauthorised access.

When a Data Processor exports data from a school site, there is often a data export file stored on either a fileserver or PC hard drive. The Data Processor should identify this in order that steps can be taken to reduce the risk of accidental discovery by unauthorised staff or pupils. Software which is exporting sensitive data should never be installed on a machine pupils have access to.

If more than one member of staff has physical access to a PC, it should be noted that all teachers will have access to the C drive and so could view an export data file if it is in a readable format. The data file should be deleted once exported to minimise accidental discovery.

LOCATION OF DATA AND ANY BACKUPS

The Data Controller should know where any data (including backups) are physically stored. The Data Controller should also be aware how and when stored data and backups are deleted in the event that the contract is terminated. If the Data Processor has hard copy information, the Data Controller needs to be satisfied that it will be destroyed in a safe and secure manner. This should include details of any planned use of mobile devices capable of storing or transporting your school data.

The use of firewalls, anti-hacking and antivirus software should be viewed as an essential part of a provider's network. The Data Processor should provide details of how access to the information is controlled at their site.

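The TRANSIENT DATA advice above (an export file left on a shared PC or fileserver can be read if it is in a readable format, so it should be deleted once exported) can be checked with a small audit script. The following is an added example, not part of the original guidance or any C2K tooling; the column names, file suffixes, folder contents and the one-hour threshold are assumptions, and the sample files are constructed.

```python
import csv
import os
import tempfile
import time
from pathlib import Path

# Assumption: header names that suggest personal data in an MIS export.
PERSONAL_COLUMNS = {
    "surname", "forename", "dob", "date of birth",
    "telephone", "mobile", "address", "email",
}
# Assumption: file types an extraction routine might leave behind.
EXPORT_SUFFIXES = {".csv", ".txt"}


def personal_columns_in(path):
    """Return the personal-data column names found in the file's first row.

    An empty set means the file could not be read as delimited text or has
    no header we recognise (for example, an encrypted export).
    """
    try:
        with open(path, newline="", encoding="utf-8", errors="replace") as fh:
            header = next(csv.reader(fh), [])
    except (OSError, csv.Error):
        return set()
    return {cell.strip().lower() for cell in header} & PERSONAL_COLUMNS


def find_stale_exports(root, max_age_seconds, now=None):
    """List readable export files holding personal data that outlived the transfer.

    A file is reported when its header contains personal-data columns and it
    was last modified more than max_age_seconds ago, i.e. it was not deleted
    once the export finished.
    """
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXPORT_SUFFIXES:
            continue
        columns = personal_columns_in(path)
        age = now - path.stat().st_mtime
        if columns and age > max_age_seconds:
            findings.append({
                "path": str(path),
                "age_seconds": int(age),
                "columns": sorted(columns),
            })
    return findings


def build_constructed_sample(root):
    """Write three constructed files and return the reference time used."""
    root = Path(root)
    old = root / "parent_contacts_export.csv"   # left behind a day ago
    old.write_text("Surname,Forename,Telephone\nExample,Pat,00000 000000\n",
                   encoding="utf-8")
    fresh = root / "todays_export.csv"          # transfer still in progress
    fresh.write_text("Surname,Forename,DOB\nExample,Sam,2000-01-01\n",
                     encoding="utf-8")
    harmless = root / "timetable.csv"           # no personal-data columns
    harmless.write_text("Room,Period,Subject\nA1,1,Maths\n", encoding="utf-8")
    now = time.time()
    os.utime(old, (now - 86400, now - 86400))   # backdate by 24 hours
    return now


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        reference = build_constructed_sample(folder)
        for item in find_stale_exports(folder, max_age_seconds=3600, now=reference):
            print(f"{item['path']}: {item['age_seconds']}s old, "
                  f"columns {', '.join(item['columns'])}")
```

Run against the folder the extraction routine writes to, the report gives the Data Controller a list of files to delete and to raise with the Data Processor.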
SECURE DESTRUCTION/OBSOLETE HARDWARE

Manual data should be shredded and electronic data erased in a way which makes it unrecoverable. If the Data Processor upgrades or replaces equipment on which school data is stored, the Data Controller should be informed how the old equipment will be cleared down before disposal. Assurances should be given that all data will be removed from obsolete hardware. It is recommended that data destruction should adhere to ISO 27001:2005 (International Information Security Standard).

Appendix: Suggested Questions for any Data Processor

Data Processor - Suggested Questions

Question: Purpose of the product.
Purpose/Detail: What the product does. This can normally be obtained from any marketing literature supplied by the supplier.

Question: What information will be accessed or extracted?
Purpose/Detail: Information should be identified, i.e. names, tel. numbers of parents etc. Determine if this is the minimum amount of information required to provide the service. If it is subsequently discovered that additional data is being extracted, the data processor could be in breach of any agreement.

Question: How will you use the information?
Purpose/Detail: Confirm that the information will only be used to deliver the service purchased and not for any other purpose.

Question: How long will you keep the information?
Purpose/Detail: Data Processor should confirm that information will be confidentially destroyed as directed by the School. This may take place when the contract ends, when a pupil or member of staff leaves the School or when otherwise instructed by the School.

Question: Have you notified, for the purposes of processing information, with the Information Commissioner's Office?
Purpose/Detail: State your registration number issued by the ICO. Data Controller can check the Data Protection register.

Question: Do you have a Data Protection Policy or Information Security Policy? If yes, how has this been implemented in your company?
Purpose/Detail: Copy of policy if applicable.

Question: Are Data Processor's staff checked by the Criminal Records Bureau/Access NI?
Purpose/Detail: Where sensitive pupil information is involved (see DPA schedule 3) or Data Processor's employees have unsupervised physical access to the school, clearance through a criminal record check should be made. It is the DP's responsibility to ensure such clearance is obtained and evidence provided and that access to information will be restricted to such staff.

Data Processor - Suggested Questions

Question: Where a subcontractor or intermediary is involved, can you provide assurances on behalf of this third party in relation to data protection/data security compliance and any necessary criminal record checks?
Purpose/Detail: Written assurance.

Question: Incident Management
Purpose/Detail: What measure is in place in the event of an information security breach?

Question: Do you carry insurance cover in the event of liability incurred in any breach of the DPA 1998?
Purpose/Detail: Details of insurance cover.

Question: Will any data be sent outside the European Economic Area?
Purpose/Detail: If yes, refer to the web site of the Office of the Information Commissioner for advice.

Technical Standard and Controls - Suggested Questions

Question: How is the information held on the School Management Information System (MIS) to be accessed by the Data Processor?
Purpose/Detail: Full details must be provided to include method and frequency. Must also include subcontractor activities.

Question: In what format will the information be extracted, e.g. CSV file, spread sheet etc.?
Purpose/Detail: Data Processor should provide full details which include method and frequency. Must also include any subcontractor activities.

Question: How will this transfer be secured?
Purpose/Detail: Data Processor should provide full details. Acceptable methods include SSL, HTTPS or Encryption method. Must also include any subcontractor activities.

Question: Will the software require any ports to be opened?
Question: During the transfer process will any transient information be stored locally within the School and if so what arrangements will be in place to ensure deletion when transfer is complete?
Purpose/Detail: Please give details of port and direction. Must also include any subcontractor activities.

Technical Standard and Controls - Suggested Questions

Question: Where will the data and any backups be stored?
Purpose/Detail: Must also include any subcontractor activities.

Question: How will information be secured at your site?
Purpose/Detail: Must also include subcontractor sites.

Question: How will both manual and electronic information be destroyed when no longer required?
Purpose/Detail: It is recommended that data destruction should adhere to ISO 27001: the International Information Security Standard. This can be verified by providing the certificate number and name of awarding body. Such accreditations provide extra assurances that the Data Processor has considered data security in all its processes and procedures. Must also include subcontractor activities.

Question: How is information erased from obsolete hardware?
Purpose/Detail: It is recommended that hardware should be wiped in line with ISO 27001:2005. This can be verified by providing the certificate number and name of awarding body. Such accreditations provide extra assurances that the Data Processor has considered data security in all its processes and procedures.

Question: Has the Data Processor accreditation or alignment with ISO 27001/BS 7799 Information Security Standard?
Purpose/Detail: Although not mandatory, it is recommended that the Data Processor has obtained an accreditation in information security. This can be verified by providing the certificate number and name of awarding body. Such accreditations provide extra assurances that the Data Processor (or sub-contractor) has considered data security in all its processes and procedures.
G-CLOUD IIII FRAMEWORK SERVICE DEFINITION: SCHOOLS HOSTED SERVICE FOR SIMS Capita Division / Supplier: Service Name: Capita Business Services Ltd SIMS OVERVIEW OF THE SERVICE The hosted service for SIMS
More informationESTRO PRIVACY AND DATA SECURITY NOTICE
ESTRO PRIVACY AND DATA SECURITY NOTICE This Data Privacy and Security Policy is a dynamic document, which will reflect our continuing vigilance to properly handle and secure information that we are trusted
More informationAcceptable Use Guidelines
Attachment to the Computer and Information Security and Information Management Policies Acceptable Use Guidelines NZQA Quality Management System Supporting Document Purpose These Acceptable Use Guidelines
More informationSupplier Information Security Addendum for GE Restricted Data
Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,
More information1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.
Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development
More informationCorporate ICT & Data Management. Data Protection Policy
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
More informationMRS Guidelines for Online Research. January 2012
MRS Guidelines for Online Research January 2012 MRS is the world s largest association for people and organisations that provide or use market, social and opinion research, business intelligence and customer
More informationWe then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.
Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationTERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation
TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote
More informationThe Manitowoc Company, Inc.
The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational
More informationHuddersfield New College Further Education Corporation
Huddersfield New College Further Education Corporation Card Payments Policy (including information security and refunds) 1.0 Policy Statement Huddersfield New College Finance Office handles sensitive cardholder
More informationREMOTE WORKING POLICY
Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance
More informationInformation and Data Security
Information and Data Security Guidance for Knowsley Schools Version 4.0 Version Control Record: Revision Date Author Summary of Changes V1.0 19 th November 2008 L Hornsby V2.0 18 February 2010. Maria Bannister
More informationEnterprise Information Security Procedures
GHL Network Services Ltd Enterprise Information Security Procedures Prepared By Nigel Gardner Date 16/11/09 1 Contents 1. Openwork s Information Security Policy...3 2. Enterprise Information Security Procedures...3
More informationData Protection. Policy and Application July 2009
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
More informationHow To Know What You Can And Can'T Do At The University Of England Students Union
HOW WE USE YOUR INFORMATION This privacy notice tells you what to expect when University of Essex Students Union (referred to as the SU herein) collects personal information. It applies to information
More informationSecurity FAQs (Frequently Asked Questions) for Xerox Remote Print Services
Security FAQs (Frequently Asked Questions) for Xerox Remote Print Services February 30, 2012 2012 Xerox Corporation. All rights reserved. Xerox and Xerox and Design are trademarks of Xerox Corporation
More informationOffice 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
More informationAstaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between
Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen Supplementary data protection agreement to the license agreement for license ID: between...... represented by... Hereinafter referred to as the "Client"
More informationRecommendations for companies planning to use Cloud computing services
Recommendations for companies planning to use Cloud computing services From a legal standpoint, CNIL finds that Cloud computing raises a number of difficulties with regard to compliance with the legislation
More informationUNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C
UNIVERSITY OF MAINE SYSTEM STANDARDS FOR SAFEGUARDING INFORMATION ATTACHMENT C This Attachment addresses the Contractor s responsibility for safeguarding Compliant Data and Business Sensitive Information
More informationCloud Service Baseline Requirements
Cloud Service Baseline Requirements Prepared for THE CLIENT By Flexible Computing Ltd www.flexiblecomputing.co.uk Tel: 0845 5440959 @cloudrockstars @mcraddock Version V1.2 Author Mark Craddock Distribution
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Contact name Contact email Contact
More informationtechnical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
More informationDATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff
DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has
More informationUNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION
UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and
More informationData Protection Procedures
Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationStoring and securing your data
Storing and securing your data Research Data Management Support Services UK Data Service University of Essex April 2014 Overview Looking after research data for the longer-term and protecting them from
More informationCyber Security Issues - Brief Business Report
Cyber Security: Are You Prepared? This briefing provides a high-level overview of the cyber security issues that businesses should be aware of. You should talk to a lawyer and an IT specialist for a complete
More informationProcedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom
Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom
More informationA Guide to Information Technology Security in Trinity College Dublin
A Guide to Information Technology Security in Trinity College Dublin Produced by The IT Security Officer & Training and Publications 2003 Web Address: www.tcd.ie/itsecurity Email: ITSecurity@tcd.ie 1 2
More informationWebinar Questions Local Government Data Security Help Improve Your Compliance, 30 July 2015
Webinar Questions Local Government Data Security Help Improve Your Compliance, 30 July 2015 Here are the answers to the questions we were asked during the webinar. There are a few questions we are still
More informationCaedmon College Whitby
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Rev No. 0 New Document 1 2 3 4 5 6 7 Revision Status Details of Amendments Name Date Update of College DPA statement New Reference to Appendix 4 Staff Guidelines ESF document retention
More informationWhite Paper Security. Data Protection and Security in School Management Systems
White Paper Security Data Protection and Security in School Management Systems This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems.
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationDean Bank Primary and Nursery School. Data Protection Policy
Dean Bank Primary and Nursery School Data Protection Policy January 2015 Data Protection Policy Dean Bank Primary and Nursery School handles increasing amounts of personal information and have a statutory
More informationDATA PROTECTION POLICY
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
More informationCloud Software Services for Schools
Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Please insert supplier details below Supplier name Address Isuz Ltd. trading as Schoolcomms
More informationWHAT YOU NEED TO KNOW ABOUT CYBER SECURITY
SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
More informationData Protection and Community Councils Briefing Note
Data Protection and Community Councils Briefing Note This briefing note has been prepared in response to specific queries raised by Community Councils in Marr in relation to their Data Protection requirements.
More informationData Security Policy. 1. Document Status. Version 1.0. Approval. Review By June 2011. Secure Research Database Analyst. Change History. 1 Version 1.
Data Security Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2011 Owner Secure Research Database Analyst Change History
More informationRECORDS MANAGEMENT POLICY
[Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body
More information2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy
Version History Author Approved Committee Version Status date Eddie Jefferson 09/15/2009 Full Governing 1.0 Final Version Body Eddie Jefferson 18/08/2012 Full Governing Body 2.0 Emended due to the change
More information