Web Site Download Carol Johnston

Transcription

1 What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party. Web Site Download Carol Johnston Corporate Development November 2012

2 All Schools are separate legal entities for Data Protection purposes (known as Data Controllers) rather than a collective part of the North Eastern Education and Library Board. This document is intended to act as a general guide. Data Protection can be complicated so it should not be taken as an absolute statement of the law and obligations covered by the Data Protection Act It is a criminal offence to break any conditions of the Act. It is essential that you follow the procedures you have adopted within your school on handling and releasing information. Further information is available via The Information Commissioners Office via: a Data Protection Help Line: Tel or their web-site: h t t p : / / w w w. n e e l b. o r g. u k Page 1

3 Introduction Schools collect and process personal information to deliver educational services. The school is the Data Controller as it determines the purpose and manner in which personal information is processed. For the individual or Data Subject, personal privacy and confidentiality is expected. The school is responsible for controlling the amount of information collected, its accuracy; security; what it is used for; who it is shared with and that it is not kept for longer than necessary. Schools are adopting new technologies such as: contact by text or ing services; attendance/behaviour management reporting; cashless catering systems or virtual learning environments or online assessment environments, to deliver services, communicate with parents and help teachers collaborate. With such advancements, schools often employ external companies or Data Processors to support the delivery of services. Anyone who has access to a school s information (including anyone employed by an external company) must be made aware of the school s procedures for handling personal information. It should never be assumed that because of their occupation, they fully understand their responsibilities. You need to show that you are managing any risk which could be associated with allowing third party access to the information you hold. The aim of this guide is to offer general data protection advice and it contains guidance from C2K on the technical issues around granting access to the SIM system. For technical guidance on SIM access, please contact your local C2K Support Manager. Any school considering buying goods or services should contact the boards Procurement Office for advice and support. For advice on Data Protection Subject Access Requests you can refer to: The Claims and Legal Administrator: Wendy Nelson by Wendy.Nelson@neelb.org.uk Further information is available from The Office of the Information Commissioners website: h t t p : / / w w w. n e e l b. o r g. u k Page 2

4 School s Responsibility The School is the Data Controller (School Principal) and decides on the level of access to anyone (Data Processor) who processes their information. Although a Data Processor may have their own view on the access they require, the Data Controller must satisfy itself that this is not excessive. NB: The School Principal and Board of Governors are accountable for any breach of the Data Protection Act by the Data Processor where the school isn t able to demonstrate that proper assurances were obtained at the beginning and managed throughout the process. It is recommended the school obtains these assurances, in writing, before any access is granted. This will provide evidence of the school complying with its obligations as a Data Controller under the Data Protection Act. It will also mean that the detail supplied by the Data Processor can be revisited from time to time to make sure it is still accurate. Any person/company/organisation wishing to access information should complete and sign a questionnaire and return it to the school before any agreement on the level of access is made. Questions you should consider asking are included in the Appendix to this document. This is a checklist of assurances a school should obtain from a Data Processor before allowing access to personal information. Depending on the service a school is purchasing, it may not be necessary to ask all of the questions listed or there may be additional questions which will be apparent when you examine the process. h t t p : / / w w w. n e e l b. o r g. u k Page 3

5 Data Protection Relevant Principles to Consider The First Data Protection Principle states that personal data must be processed fairly and lawfully. This means that personal data must be used in a way the data subjects would expect or to which they have agreed. Schools must consider if data subjects need to be informed before using personal data in any new way. In a school context, if it is something the school has always done, but simply intends to do in a new way, then informing data subjects (pupils, parents or staff) of the school s intentions and providing reassurance around security/privacy etc., may be sufficient. If the data is to be used for a completely new purpose the school should consider informing those involved. There are special conditions if sensitive person data is involved. Details are contained in Schedule 3 of the Data Protection Act. The Second Data Protection Principle requires that personal information obtained for one or more specified and lawful purposes must not be processed in any way incompatible with that purpose. (Unless the data subject gives permission). For example, if phone numbers are collected for the purpose of contacting parents they must not be used for any other purpose such as target marketing from a company offering services. The Fifth Data Protection Principle requires that personal data is not kept for longer than it is needed for its specific purpose. This means making sure that information is destroyed when it is no longer required. The Seventh Data Protection Principle requires that appropriate security is in place to safeguard personal information. Assurances must be obtained from the Data Processor that information is held and processed securely. Breaches of the Act by a Data Processor could leave the school liable to fines and penalties. A part of this principle which is often overlooked is that it conveys the responsibility of making sure staff are aware of security procedures and their obligations under the Data Protection Act and importantly they appreciate that they can be individually liable for any breach they commit. Security is not only about having procedures to protect computer systems or locking filing cabinets, clearing sensitive paperwork from desks and making sure that waste containing personal data is disposed of by shredding etc., but one of the most important requirements is ensuring that personal data is not disclosed to someone who does not have a right to receive it. h t t p : / / w w w. n e e l b. o r g. u k Page 4

6 School Data Notification A school should ensure its Data Protection notification shows the processing of information with the service provider. If it isn t, the registration must be amended. h t t p : / / w w w. n e e l b. o r g. u k Page 5

7 Data Processor Assurances With regard to Data Processor Assurances, please consider: Certain information from any third party company wishing to extract information from Sims database held within the C2K network should be obtained in the first instance. Written assurance should be obtained before any agreement on the level of information extraction is agreed. Suppliers should have a clear understanding of what standards they need to meet. Have standards been communicated clearly? Are the consequences of failure clear and contractually robust? Has a rigorous process for monitoring Suppliers performance against such Standards been established? Are you sufficiently confident that the Supplier is managing their information risks? School staff should be aware of the information that Suppliers can legally request from your school. Suggested questions for the Supplier are in the Appendix to this document. Depending on the service you are purchasing, it may not be necessary to ask all of the questions or there may be additional questions which will become apparent when you examine the process or the product details published by the Supplier. Unless the Supplier will be handling sensitive information e.g. Special Education, Education Welfare or Child Protection Records etc., or their staff are required to physically enter the school without supervision; you may not need to determine if they have a criminal record. For continuity purposes you should determine from the Supplier the name of a nominated person who will be your Schools key contact. h t t p : / / w w w. n e e l b. o r g. u k Page 6

8 TECHNICAL STANDARDS AND CONTROLS ADVICE FROM C2K ACCESS LEVELS AND PASSWORD MANAGEMENT The minimum level of access should be granted. Usernames should be unique and details should never be passed to another user. A recommended approach is to create a dedicated MIS user account for the purpose of data extraction. A third party service provider must not share C2K network user accounts between schools. If a username is compromised the password must be changed immediately. In the event of any service disruption due to third party software, C2K managed service providers may charge for service restoration. PHYSICAL SECURITY Clear details must be provided as to the method of data access. The Data Controller should be aware if the Data Processor will need onsite access and or remote access to school systems. Some remote access methods take over the user desktop and have access to all areas on the user desktop. C2K have a remote access solution which can be requested. (Other methods are not recommended). A120 should be completed by the Data Processor if this method of access will be required. It is recommended that the Data Processor has obtained an accreditation in information security (ISO 27001/BS 7799). Such accreditations provide extra assurances that the Data Processor (or sub-contractor) has considered data security in all its processes and procedures. EXTRACTION FORMAT Clear details must be provided on the format in which any data will be extracted. The Data Controller should ensure it has a general understanding of the extraction format and should seek further details or explanation of any technical terms where necessary. h t t p : / / w w w. n e e l b. o r g. u k Page 7

9 The Data Controller must be able to view the data in this format if, at any stage, it wishes to verify the data being transferred. The Data Controller should understand the method being used to extract the data e.g. CSV file spread sheet, automated software routine and the frequency of the extraction process. The Data Controller may wish to view a sample of the data being extracted. SECURING THE TRANSFER Data containing personal information should be transferred using a secure encrypted method. Transfer via removable media or attachment is not recommended, especially where sensitive personal information is involved. The Data Controller should be satisfied that data is transferred to either an external destination or internally within the school using a secure method using e.g. HTTPS, SSL, VPN and Encryption. This is important as data could be intercepted on the internet if it is not sent using a secure method. If data is copied to a mobile storage device e.g. USB pen drive, the data should not leave the site on that device unless the device is encrypted. HARDWARE OR SOFTWARE INSTALLATION/OPENING PORTS Sometimes third party software requires specific ports to be opened. C2K must be informed as this will be subject to security and performance testing. If hardware will be connected to the managed network, information sheet A065 will need to be completed by the Data Processor. This can be obtained from C2K. If software requires changes i.e. a port opened, firewall changes, proxy or browser changes; details will have to be recorded on information sheet A065. This will begin a process which will allow C2K and managed service partners to evaluate requested changes and determine if they will have any impact on the schools managed service. If this will incur a cost it should be determined whether the school or Data Processor will be responsible for the cost. h t t p : / / w w w. n e e l b. o r g. u k Page 8

10 TRANSIENT DATA If third party software is used to transfer information, software can keep a copy on a local PC hard drive. The Data Controller needs to know if this is likely in order to prevent any unauthorised access. When a Data Processor exports data from a school site, there is often a data export file stored on either a fileserver or PC hard drive. Data Processor should identify this in order that steps can be taken to reduce the risk of accidental discovery by unauthorised staff or pupils. Software which is exporting sensitive data should never be installed on a machine pupils have access to. If more than one member of staff has physical access to a PC, it should be noted that all teachers will have access to the C drive and so could view an export data file if it is in a readable format. The data file should be deleted once exported to minimise accidental discovery. LOCATION OF DATA AND ANY BACKUPS The Data Controller should know where any data (including backups) are physically stored. The Data Controller should also be aware how and when stored data and backups are deleted in the event that the contract is terminated. If the Data Processor has hard copy information, the Data Controller needs to be satisfied that it will be destroyed in a safe and secure manner. This should include details of any planned use of mobile devices, capable of storing or transporting your school data. The use of firewalls, anti-hacking and antivirus software should be viewed as an essential part of a provider s network. The Data Processor should provide details of how access to the information is controlled at their site. h t t p : / / w w w. n e e l b. o r g. u k Page 9

11 SECURE DESTRUCTION/OBSOLETE HARDWARE Manual data should be shredded and electronic data erased in a way which makes it unrecoverable. If the Data Processor upgrades or replaces equipment on which school data is stored, the Data Controller should be informed how the old equipment will be cleared down before disposal. Assurances should be given that all data will be removed from obsolete hardware. It is recommended that data destruction should adhere to ISO 27001:2005 (International Information Security Standard). h t t p : / / w w w. n e e l b. o r g. u k Page 10

12 Appendix Suggested Questions for any Data Processor Data Processor - Suggested Questions Purpose of the product. What information will be accessed or extracted? How will you use the information? How long will you keep the information? Have you notified, for the purposes of processing information with the Information Commissioners Office. Do you have a Data Protection Policy or Information Security Policy? If yes, how has this been implemented in your company. Are Data Processors staff checked by the Criminal Records Bureau /Access NI? Purpose/Detail What the product does. This can normally be obtained from any marketing literature supplied by the supplier Information should be identified i.e. names, tel. numbers of parents etc. Determine if this is minimum amount of information required to provide the service. If it is subsequently discovered that additional data is being extracted, the data processor could be in breach of any agreement. Confirm that the information will only be used to deliver the service purchased and not for any other purpose Data Processor should confirm that information will be confidentially destroyed as directed by the School. This may take place when the contract ends, when a pupil or member of staff leaves the School or when otherwise instructed by the School. State your registration number issued by the ICO Data Controller can check the Data Protection register Copy of policy if applicable Where sensitive pupil information is involved (see DPA schedule 3) or Data Processors employees have unsupervised physical access to the school, clearance through a criminal record check should be made. It is the DP s responsibility to ensure such clearance is obtained and evidence provided and that access to information will be restricted to such staff. h t t p : / / w w w. n e e l b. o r g. u k Page 11

13 Data Processor - Suggested Questions Where a subcontractor or intermediary is involved, can you provide assurances on behalf of this third party in relation to data protection/ data security compliance and any necessary criminal record checks. Incident Management Do you carry insurance cover in the event of liability incurred in any breach of the DPA 1998? Will any data be sent outside the European Economic Area? Purpose /Detail Written assurance. What measure is in place in the event of an information security breach? Details of insurance cover. If yes - refer to the web site of the office of the information commissioner for advice. h t t p : / / w w w. n e e l b. o r g. u k Page 12

14 Technical Standard and Controls - Suggested Questions. How is the information held on the School Management Information System (MIS) to be accessed by the Data Processor? In what format will the information be extracted e.g. CSV file, spread sheet etc.? How will this transfer be secured? Purpose/Detail Full details must be provided to include method and frequency. Must also include subcontractor activities Data Processor should provide full details which include method and frequency. Must also include any subcontractor activities Data Processor should provide full details. Acceptable methods include SSL, HTTPS or Encryption method. Must also include any subcontractor activities Will the software require any ports to be opened? During the transfer process will any transient information be stored locally within the School and if so what arrangements will be in place to ensure deletion when transfer is complete? Please give details of port and direction. Must also include any subcontractor activities. h t t p : / / w w w. n e e l b. o r g. u k Page 13

15 Technical Standard and Controls - Suggested Questions. Where will the data and any backups be stored? How will information be secured at your site? How will both manual and electronic information be destroyed when no longer required? How is information erased from obsolete hardware? Purpose/Detail Must also include any subcontractor activities Must also include subcontractor sites. It is recommended that data destruction should adhere to ISO 27001: the International Information Security Standard. This can be verified by providing the certificate number and name of awarding body. Such accreditations provide extra assurances that the Data Processor has considered data security in all its processes and procedures. Must also include subcontractor activities It is recommended that hardware should be wiped in line with ISO 27001: 2005This can be verified by providing the certificate number and name of awarding body. Such accreditations provide extra assurances that the Data Processor has considered data security in all its processes and procedures. Has the Data Processor accreditation or alignment with ISO 27001/BS 7799 Information Security Standard? Although not mandatory, it is recommended that the Data Processor has obtained an accreditation in information security. This can be verified by providing the certificate number and name of awarding body. Such accreditations provide extra assurances that the Data Processor (or sub-contractor) has considered data security in all its processes and procedures h t t p : / / w w w. n e e l b. o r g. u k Page 14