Data Security and Extranet




Data Security and Extranet. Derek Crabtree, Schools ICT Support Manager, derek.crabtree@merton.gov.uk

Target Operating Model 2011

Merton Audit

Organisation name: London Borough of Merton
Periodic plan date: 2012/13
Auditable area: IT Security & Data Handling Controls in Schools

Objective of the area under review: Head Teachers have established systems designed to ensure personal data about students and staff is afforded adequate protection from loss or misuse and its confidentiality is maintained.

Risk description: Breach of statutory responsibility associated with use of resources and storing of personal data, which could lead to financial penalties for the Council, school and individuals.

Audit objective: The audit will assess the level of assurance that management can be given concerning the effectiveness of the control framework for personal sensitive data.

Merton Audit Scope

Areas for consideration: The following areas for consideration have been identified during the planning phase:
- Data Protection Act compliance framework
- Information classification and risk assessments
- Security of portable devices, e.g. laptops and USB drives, and use of encryption
- Use of security profiles to restrict access rights to system functions
- Guidance and training provided to staff
- Disposal of data / obsolete media
- Information Security loss/breach reporting procedures
- Back up arrangements

Limitations to the scope: The review will be limited to identifying the existence of operational controls, policy and procedures to manage data security, but will not provide assurance that all aspects of data security are being complied with or are operating effectively.

Audit approach: Audit testing clearly focussed on a small number of material or key controls. The output will be a report presenting an assurance opinion and key findings on an exception basis.

Merton Audit Required Documents

To enable us to commence our fieldwork on the agreed start date, we will require access to the following information or records at the start of the first day of the audit:
- Policies & procedures relating to IT Security, Mobile Working, Data Protection and data security
- Risk assessments undertaken in relation to data security
- Data and hardware disposal policy and procedures
- Details of data security awareness training provided to users
- Details of encryption used in relation to portable devices
- Backup schedule and contract with third party supplier if not using HGFL or LGFL for this process

The full scope of the audit can only be completed within the audit budget if all the requested information is made available at the start of the audit, and the necessary key staff are available to assist the audit process during the audit.

Data Security

The ICO enforces and oversees the following legislation:
- Data Protection Act 1998
- Freedom of Information Act 2000
- Privacy and Electronic Communications Regulations 2003
- Environmental Information Regulations 2004
- INSPIRE Regulations 2009

So what changed? Enforcement powers

Prior to 2010, powers were limited to issuing enforcement notices and to pursuing those alleged to have broken the Data Protection Act 1998 through the courts. In 2010 the Information Commissioner started to issue fines.

Recognising Personal Data

The first step in processing personal data correctly is recognising it. Personal data is information which relates to an identifiable living individual that is processed as data. Processing means collecting, using, disclosing, retaining, or disposing of information. Sensitive personal data is information that relates to race and ethnicity, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexuality and criminal offences.

Data Protection Act 1998: the eight principles. Personal data must be:
- Fairly and lawfully processed
- Processed for limited purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than is necessary
- Processed in line with your rights
- Secure
- Not transferred to other countries without adequate protection

Checklist
- Is the information I hold on an individual necessary, and do I know my purpose for holding such data?
- Do the individuals concerned know that I hold information on them and the purpose for holding the data?
- Am I allowed to pass on information on an individual, and are my staff aware of the circumstances under which they can pass on data?
- Is the data stored on individuals stored securely?
- Is the data stored on individuals accurate and current, and accessed only by those with a need to know?

Checklist
- Is the data stored on individuals deleted or destroyed as soon as it becomes obsolete? Is there a process for secure shredding of confidential data?
- Do I have notices alerting people that I have CCTV? Are the cameras correctly located so that they do not infringe on people's privacy?
- Have my staff received training to ensure the 8 principles of the Data Protection Act 1998 are adhered to?

Checklist
- If my staff's email, internet, or phone use is being monitored, have they been made aware of this?
- Do I have a Data Protection/information security policy and procedures manual set up to handle any issues that may arise?
- Have I retained my Certificates of Destruction?
- If I do need to notify the Information Commissioner, is the information held up to date?

The ICO's top tips to schools on complying with the Data Protection Act

Notify. Not a top tip so much as a legal requirement. Schools handle personal data, and are obliged to notify the ICO of what they are doing with it.

Be fair. Individuals should know what organisations are doing with their personal information, known as fair processing. This includes letting parents and pupils know why and where CCTV is being used, and taking care not to disclose personal info, like photos, online without consent.

Keep it secure. This means secure storage, secure usage, secure sharing and secure disposal. And if parts of a school's website are for staff or parents only, make sure there's proper password security in place and they can only access what they're entitled to.

Prepare. Spend some time ensuring your school has clear and practical policies. Ensure that staff are trained in what they mean, and don't forget to monitor whether the policy is being followed.

ICO action

There are a number of tools available to the Information Commissioner's Office for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information. They include:
- Criminal prosecution
- Non-criminal enforcement
- Audit
- Monetary penalty notice on a data controller

Links:
http://www.ico.gov.uk/news/latest_news.aspx
https://lacms.lgfl.net/merton/services/ictsupport/datagovernance/sitepages/home.aspx
https://fronter.com/merton/