Data and Information Security Policy

Similar documents
REMOTE WORKING POLICY

SECURITY POLICY REMOTE WORKING

Acceptable Use of ICT Policy. Staff Policy

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY

So the security measures you put in place should seek to ensure that:

Portable Devices and Removable Media Acceptable Use Policy v1.0

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

Information Security

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

PS177 Remote Working Policy

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

SERVER, DESKTOP AND PORTABLE SECURITY. September Version 3.0

LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Policy Document. IT Infrastructure Security Policy

ICT SECURITY POLICY. Strategic Aim To continue to develop and ensure effective leadership, governance and management throughout the organisation

Tameside Metropolitan Borough Council ICT Security Policy for Schools. Adopted by:

INFORMATION SECURITY POLICY

Newcastle University Information Security Procedures Version 3

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Corporate Information Security Management Policy

Merthyr Tydfil County Borough Council. Data Protection Policy

Information Governance Policy

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

Remote Working and Portable Devices Policy

Human Resources Policy documents. Data Protection Policy

ENISA s ten security awareness good practices July 09

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

Protection of Computer Data and Software

How To Protect Decd Information From Harm

CCG LAPTOP AND PORTABLE DEVICES AND REMOTE ACCESS POLICY

Ixion Group Policy & Procedure. Remote Working

DATA PROTECTION POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

2.0 Emended due to the change to academy status Review Date. ICT Network Security Policy Berwick Academy

ATHLONE INSTITUTE OF TECHNOLOGY. I.T Acceptable Usage Staff Policy

MOBILE DEVICE SECURITY POLICY

Data Protection Policy

Security Awareness. A Supplier Guide/Employee Training Pack. May 2011 (updated November 2011)

Highland Council Information Security Policy

Information Security Code of Conduct

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Mobile Devices Security Policy

School Information Security Policy

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

How To Protect School Data From Harm

How To Ensure Your School Is Safe Online

ICT Security Policy for Schools

INFORMATION SECURITY GUIDE. Employee Teleworking. Information Security Unit. Information Technology Services (ITS) July 2013

Information Governance Framework. June 2015

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Scottish Rowing Data Protection Policy

Protocol for Acceptable Use of Internet and by Staff E-Safety Procedures Safeguarding & Child Protection Policy

IT ACCESS CONTROL POLICY

ABERDARE COMMUNITY SCHOOL

STRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Data Protection Breach Management Policy

INFORMATION SECURITY POLICY

Information Technology Policy and Procedures

DATA PROTECTION AND DATA STORAGE POLICY

Information Incident Management Policy

Information Security Incident Management Policy September 2013

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

NHSnet SyOP 9.2 NHSnet Portable Security Policy V1. NHSnet : PORTABLE COMPUTER SECURITY POLICY. 9.2 Introduction

Physical Security Policy

INFORMATION MANAGEMENT & TECHNOLOGY SECURITY POLICY

Data Security and Extranet

Dene Community School of Technology Staff Acceptable Use Policy

Enterprise Information Security Procedures

Information Technology Acceptable Usage Policy

Policy Document. Communications and Operation Management Policy

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

DATA AND PAYMENT SECURITY PART 1

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3

Students are expected to have regard to this policy at all times to protect the ipads from unauthorised access and damage.

Rotherham CCG Network Security Policy V2.0

Simon Langton Grammar School for Boys E-Safety Policy

Information Security Incident Protocol

Policies and Procedures. Policy on the Use of Portable Storage Devices

Photography and filming in schools Code of Practice

Transcription:

St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration to the eight data protection principles appearing in Schedule 1) Sofia Orme, School Business Manager 1- School context St. Giles School is a generic special school for pupils aged 4 to 11 years. We are an inclusive school that has the specialist knowledge and skills to meet the needs of children with a range of special educational needs and disabilities. We are the only primary special school in Derby City. We believe St Giles is a very special sort of school where staff, pupils and families work together to make sure that each child s educational experiences are happy ones, of the highest quality and where children make the greatest possible progress. There is also a strong emphasis on communication skills and personal and social development. Our school motto is: Inspire and achieve through creativity We aim to: Provide a broad, balanced and relevant curriculum that enables pupils to develop, progress and achieve to the best of their ability Ensure all aspects of the curriculum provide continuity, progression and age appropriate learning across the key stages Provide a total communication environment that maximises pupil s language skills Create opportunities for all pupils to work together in a positive and meaningful way Create a stimulating, exciting and enjoyable learning setting which promotes independence, initiative and emotional well-being Work closely and collaboratively with parents and other professionals to address all issues that could impede on a pupil s education such as challenging behaviour or health matters Respect difference and diversity and promote an attitude of understanding and tolerance that ensures equal opportunities for all 1

Ensure opportunities to promote inclusion in its widest sense within school, in other educational establishments and across community settings. In this way we broaden pupil s learning and provide meaningful interaction with their peers Assist staff and learners in other establishments through outreach support 2- Introduction and aims For the school to operate effectively, it must process information about its employees and students/pupils/learners data subjects. It does this under the Data Protection Act 1998 and other related legislation. 3- Principles and/or procedures This Policy forms part of the Schools Information Governance Framework. Data Protection For the school to operate effectively, it must process information about its employees and students/pupils/learners data subjects. It does this under the Data Protection Act 1998 and other related legislation. The School acting as a holder known as a custodian or data controller of personal information recognises its moral duty to make sure that data is handled properly and confidentially at all times, whether it is held on paper or electronically. This covers the whole lifecycle, including: obtaining personal data storing and securing personal data using personal data disposing or destroying personal data. The school also has a responsibility to make sure that data subjects have the appropriate access under the 1998 Act, to their personal information upon written request. This policy applies to all permanent and temporary employees and those acting on behalf of the Governing Body/Headteacher. Data Protection Actions By following and maintaining strict safeguards and controls, the school will: acknowledge the rights of individuals to whom personal data relates and make sure that they can use these rights in accordance with the 1998 Act make sure that the collecting and using of personal data is done in a way that recognises the Fair Processing Code, which means that personal data is obtained fairly and lawfully issuing privacy statements when appropriate only obtain and process personal data as specified in our notification collect and process personal data on a need to know basis making sure that it is accurate, not excessive and is disposed of at a time appropriate to its purpose make sure that for all personal data it takes the correct security measures both technically and organisationally - to protect against loss, damage or misuse make sure that the movement of personal data is done in a lawful way, both inside and outside the school and that it has suitable safeguards at all times follow all the good practice advice and guidance issued by the Information Commissioner Office 2

Data Protection Enablers To support these actions, the school will: have a designated Data Protection co-ordinator responsible for gathering and distributing information and issues relating to information security, the Data Protection Act and other related legislation The Data Protection Co-ordinator is The School Business Manager make sure that all activities that relate to the processing of personal data have the correct safeguards and controls to make sure of information security and compliance with the 1998 Act make sure that all contracts and service level agreements SLAs between the school and external organisations, including contract staff where personal data is processed - refers to the 1998 Act where necessary. The school will also: make sure that all employees, including contract staff acting on the school s behalf, understand their responsibilities about information security under the 1998 Act. make sure they receive appropriate mandatory training, instruction and supervision so they can perform these duties effectively and consistently make sure they only have access to personal information that is necessary to their duties make sure that all others acting on the schools behalf are only given access to personal information that is necessary to the duties they perform and no more. The school will: handle any requests for access to personal data courteously, promptly and appropriately, making sure that either the data subject or their authorised representative have the proper right to access under the 1998 Act make sure that information provided is clear and explicit make sure Information Sharing Agreements are in place where necessary and appropriate, when sharing with partner agencies takes place. Manage reported security breaches appropriately and in line with the security breach management framework issued by the Information Commissioners Office review this policy and the safeguards and controls that relate to it regularly, but in any case within 24 months from date of issue, to make sure that they are still relevant, efficient and effective. Information Security The purpose of information security is to protect the highly valued information assets of the school. The objective is to reduce the risk of security incidents and be able to demonstrate to pupils/students, parents and employees that we collect, handle and store their information securely. It also shows a commitment by the school to process information in line with relevant legislation and e-government requirements. The policy applies to all school employees, including contractors and agency workers who have authorised access to school IT systems. 3

Information Security Definition The International Standard ISO/IEC 27001:2005 standard specification for Information Security Management defines Information Security as protecting three aspects of information: confidentiality- making sure that information is accessible only to those authorised to have access integrity- safeguarding the accuracy and completeness of information and processing methods availability - making sure that authorised users have access to information and associated resources when required. Information comes in many forms. It can be: stored on computers sent across networks printed out written spoken visual. Information Security covers the safekeeping of all forms of information to protect its confidentiality, integrity and availability. This is put into practice through appropriate controls, which will be a combination of policies, procedures, standards, guidelines, common sense and physical or hardware/software measures. Information Security responsibilities and accountabilities The Governing Body has responsibility for defining and setting the school s information security policies, standards and procedures. Every IT system user who has access to school information is responsible and accountable for putting into practice these policies, standards and procedures. Information Security is not an option. We are all required to keep a minimum level of security to meet our legal and contractual obligations. Information Security Compliance with legal and contractual requirements The school has an obligation to make sure that all information systems and processes meet the terms of all relevant legislation and contractual requirements, including the: Data Protection Act 1998 Copyright, Designs and Patents Act 1988 Computer Misuse Act 1990 Freedom of Information Act 2000 The School Business Manager has specific responsibility for the Data Protection Act notification to the Office of the Information Commissioner. Actions required to maintain confidentiality, integrity and availability Everyone has a responsibility to make sure that personal information is only collected, used, stored and shared for the purpose it was provided. 4

Make sure any requests for personal information are handled in accordance with the Data Protection Act 1998. Information should only be disclosed on a need to know basis. Always make checks on the identity of callers. Make sure printed or hand written personal information is kept secure at all times. Make sure printed or hand written personal information is disposed of in a secure manner eg using the cross shredder Never dispose of personal information in general waste. Always use the computer screen lock facility where personal information may be held on the hard drive of a PC or laptop when the device is logged in and unattended. Never share user names and passwords. Never encourage others to use anyone else s personal ID and password to log into a PC, the network, individual system or email. It is a criminal offence under the Computer Misuse Act 1990 to access a computer system without authority to do so. Be aware that emails are not usually a secure method of sharing personally identifiable information external to the school. EGRESS email system is used by the school for this. To avoid introducing viruses into the School network never open email attachments from unknown external sources. Make sure you set your password to the minimum standard required. Keep them secure and change them regularly. Working Off Site Information security is put into practice through appropriate controls which could be a combination of policies and procedures, guidelines and common sense. The definition of mobile computer equipment includes all portable equipment that has any data processing capability including but not limited to: Laptops ipads Notebooks Tablets Personal Digital Assistants PDA s and smart phones such as iphones. The definition of mobile storage device includes but is not limited to Universal Serial Bus USB port devices such as pen drives, flash drives and memory sticks Hand held wireless devices such as Bluetooth External hard drives Occasionally it is necessary for employees to take work off school premises to work remotely, whether that be at home or to another location. There are many additional risks to information security that result from this. Mobile computing devices are attractive, portable and easy targets for the opportunist thief. They are susceptible to loss, hacking and the distribution of malicious software viruses. They are often used for storing personal and/or sensitive information, particularly about pupils/students that could be of more value that the device itself, and which if lost or stolen could have very serious financial and reputational implications to the school and its employees. 5

Security of mobile computing equipment, mobile devices and data Mobile computing equipment and the data held on them must be protected by adequate security. They must be kept out of sight - for example in the locked boot of the car when being transported kept secure and guarded from theft and unauthorised access at all times - if you are working on information involving children at home make sure no other member of the family can access this information carried separately and concealed wherever possible by using an ordinary bag or rucksack rather than a laptop case protected from shoulder surfing - when in public, make sure no-one can see your password or any other information backed up to a local server at the earliest opportunity or to an encrypted external hard drive. File and data housekeeping should be performed to make sure obsolete data is not kept any longer than necessary. locked away or put out of sight when not being used this includes at home They must not be left unattended - for example do not leave them in your boot overnight even if kept in a locked garage School pupil/student information must not be loaded onto personal mobile devices Other relevant policies, procedures and standards Acceptable Use of ICT, Internet and Electronic Communication for Staff Policy Compliance with the Data Protection Act Policy The School Business Manager is responsible for monitoring compliance with this Policy If employees knowingly or recklessly fail to comply with this Policy, other school policies, procedures or guidelines the school may take appropriate action under the Disciplinary Procedure. Contact Details Please contact the School Business Manager with any queries in relation to this Policy on 01332 343039 or admin@stgiles.derby.sch.uk. Or contact local authority Information Governance Team on 640763 or information.governance@derby.gov.uk with enquires about this policy or any other referenced policy, procedure or law. Approved by (x): Full governors Staffing and personnel committee Safeguarding committee X Finance, premises and H&S committee Curriculum, teaching and learning committee Headteacher Approval signature and/or date SLT meeting February 2014 Other 6

Next review date: February 2016 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information