ST JOSEPH S CATHOLIC PRIMARY SCHOOL. Secure Data Handling Policy



Similar documents
Information Security Policy. Appendix B. Secure Transfer of Information

CORK INSTITUTE OF TECHNOLOGY

Data Protection Policy

Rick Parsons Information Governance Officer County Hall

GUIDE TO THE ISLE OF MAN DATA PROTECTION ACT. CONTENTS PREFACE 1 1. Background 2 2. Data Protections Principles 3 3. Notification Requirements 4

DATA PROTECTION ACT 1998 COUNCIL POLICY

Abertay Data Storage Policy

Little Marlow Parish Council Registration Number for ICO Z

Data Security and Extranet

Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Data Compliance. And. Your Obligations

HERTSMERE BOROUGH COUNCIL

Index. Definitions. What is Data Protection? Rights of Individuals. The 8 Principles of Data Protection

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Data Protection and Data security Policy

Merthyr Tydfil County Borough Council. Data Protection Policy

Data protection policy

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

Summary Electronic Information Security Policy

Data Protection and Information Security Policy and Procedure

PERSONAL INJURIES ASSESSMENT BOARD DATA PROTECTION CODE OF PRACTICE

A common sense guide to the Data Protection Act 1998 for volunteers

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

University of Limerick Data Protection Compliance Regulations June 2015

Information Governance Policy

Personal data - Personal data identify an individual. For example, name, address, contact details, date of birth, NHS number.

Incident reporting procedure

Scottish Rowing Data Protection Policy

Data Protection Guidance

Data Protection in Ireland

The Manitowoc Company, Inc.

So the security measures you put in place should seek to ensure that:

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Policy

Policy and Procedure Title: Maintaining Secure Learner Records Policy No: CCTP1001 Version: 1.0

AlixPartners, LLP. General Data Protection Statement

Information security incident reporting procedure

Enterprise Information Security Procedures

DATA PROTECTION POLICY

How To Protect School Data From Harm

Data Protection and Community Councils Briefing Note

University of Oxford. Cancer Epidemiology Unit (CEU) Policy: Information Security Incident Reporting and Management

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website

Human Resources and Data Protection

Human Resources Policy documents. Data Protection Policy

Information governance guidance for schools

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Policy

Policy: Remote Working and Mobile Devices Policy

Data protection registration: nature of work descriptions

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Policy Document Control Page

Research Governance Standard Operating Procedure

DATA PROTECTION AND DATA STORAGE POLICY

Information Security Policy

White Paper Security. Data Protection and Security in School Management Systems

USE OF PERSONAL MOBILE DEVICES POLICY

Dublin City University

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

North West Core Skills Programme. Information Governance Implications

DATA PROTECTION POLICY

Dean Bank Primary and Nursery School. Data Protection Policy

ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY

Evidence additional element appendix 47. Records Management Guidance for the management of s

Data Protection for the Guidance Counsellor. Issues To Plan For

How To Protect Your Personal Information At A College

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

DATA PROTECTION AUDIT GUIDANCE

Cloud Computing Legal Considerations for Data Controllers

Version Number Date Issued Review Date V1 25/01/ /01/ /01/2014. NHS North of Tyne Information Governance Manager Consultation

Remote Working and Portable Devices Policy

Data Protection Good Practice Note

Bexley Safeguarding Children Board. Information Sharing and Secure Document Transfer Guidance

ATMD Bird & Bird. Singapore Personal Data Protection Policy

Data Protection Act. Privacy & Security in the Information Age. April 26, Ministry of Communications, Ghana

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

The Manchester College

4. The Importance of Internet Use in the Primary Curriculum

Data Protection for Charities

Data and Information Security Policy

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

Encryption Policy Version 3.0

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

Data Access Request Service

Information Privacy Policy

Protocol for the use of Mobile Phones. For Schools Managed staff and Centrally Employed Teachers

Research Data Storage Facility Terms of Use

10 DATABASE PRACTICE

John of Rolleston Primary School

Electronic Communications Guidance for School Staff 2013/2014

John Leggott College. Data Protection Policy. Introduction

Best Value toolkit: Information management

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity

Client Security Risk Assessment Questionnaire

Newcastle University Information Security Procedures Version 3

Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.

IS INFORMATION SECURITY POLICY

Transcription:

ST JOSEPH S CATHOLIC PRIMARY SCHOOL Secure Data Handling Policy THE GOVERNING BODY OF ST JOSEPH S CATHOLIC PRIMARY SCHOOL, DEVIZES Adopted on: March 2015 Our aim is to provide: Timeless values in God s ever changing world where all children can fulfil their potential. 1

This policy should be read and understood in conjunction with the following policies and guidance: The Data Protection Act 1998 Becta: Information Risk Management and Protective Marking Information Sharing: Guidance for Practitioners and Managers HM Govt. Oct 2008 Records Management Society Tool Kit for Schools Principles: Colleagues within schools have increasing access to a wide range of sensitive information 1. There are generally two types of sensitive information; personal data concerning the staff and pupils and commercially sensitive financial data. It is important to ensure that both types of information are managed in a secure way at all times. Personal data is the most likely form of sensitive data that a school will hold. Personal data is defined by the Data Protection Act as Data relating to a living individual who can be identified from the data. The Act gives 8 principles to bear in mind when dealing with such information. Data must: 1. be processed fairly and lawfully 2. be collected for a specified purpose and not used for anything incompatible with that purpose 3. be adequate, relevant and not excessive 4. be accurate and up-to-date 5. not be kept longer than necessary 6. be processed in accordance with the rights of the data subject 7. be kept securely 1 The terms, Information and data are treated as the same for the purposes of this policy. 2

8. not be transferred outside the EEA (European Economic Area) unless the country offers adequate protection. The Data Protection Act states that some types of personal information demand an even higher level of protection, this includes information relating to: racial or ethnic origin political opinions religious beliefs or other beliefs of a similar nature trade union membership physical or mental health or condition sexual life (orientation) the commission or alleged commission by them of any offence, or any proceedings for such or the sentence of any court in such proceedings. The three questions below can be used to quickly assess whether information needs to treated securely, i.e. 1. Would disclosure / loss place anyone at risk? 2. Would disclosure / loss cause embarrassment to an individual or the school? 3. Would disclosure / loss have legal or financial implications? If the answer to any of the above is yes then it will contain personal or commercially sensitive information and needs a level of protection. Procedures and practice: The following practices will be applied within the school: The amount of data held by the school should be reduced to a minimum. 3

Data held by the school must be routinely assessed to consider whether it still needs to be kept or not. Personal data held by the school will be securely stored and sent by secure means. Auditing: The school will be aware of all the sensitive data it holds, be it electronic or paper. A register will be kept detailing the types of sensitive data held, where and by whom, and will be added to as and when new data is generated. How long these documents need to be kept will be assessed using the Records Management Toolkit. Audits will take place annually. This register will be sent to all staff each year to allow colleagues to revise the list of types of data that they hold and manage. The audit will be completed by a member of staff responsible for data protection. Risk assessment will be an on-going process and the school will carry out assessments at regular intervals as risks change over time. Securing and handling data held by the school: 4

The school will encrypt 2 any data that is determined to be personal or commercially sensitive in nature. This includes fixed computers, laptops and memory sticks. Staff should not remove or copy sensitive data from the organisation or authorised premises unless the media is: encrypted, is transported securely will be stored in a secure location. This type of data should not be transmitted in unsecured emails (e.g. pupil names and addresses, performance reviews etc). Data transfer should be through secure websites e.g. S2S, SecureNet Plus, common transfer files and school census data. If this is not available then the file must be minimally password protected or preferably encrypted 3 before sending via email, the password must be sent by other means and on no account included in the same email. A record of the email should be kept, to identify when and to whom the email was sent, (e.g. by copying and pasting the email into a Word document). Data (pupil records, SEN data, contact details, assessment information) will be stored in a secure place e.g. safe / fire safe / remote backup. All staff computers will be used in accordance with the Staff Code of Conduct Policy. 2 Encryption of computers and memory sticks can be provided by the school s technical support. Guidance is available from http://schools.becta.org.uk/index.php?section=lv&catcode=ss_lv_mis_im03&rid=147 34 3 The ICES bulletin has a useful guide explaining how WINZIP a free application can be used to encrypt files that need to be sent either through S2S, SecureNet or email: http://www.teachernet.gov.uk/_doc/14782/ices%20bulletin%20- %20issue%2041%20v1-0Final.pdf 5

When laptops are passed on or re-issued, data will be securely wiped from any hard drive before the next person uses it (not simply deleted). This will be done by a technician using a recognised tool, e.g. McAfee Shredder. The school s wireless network (WiFi) will be secure at all times 4. The school will identify which members of staff are responsible for data protection. The school will ensure that staff who are responsible for sets of information, such as SEN, medical, vulnerable learners, management data etc. know what data is held, who has access to it, how it is retained and disposed of. Where a member of the school has access to data remotely (e.g. SIMS from home), remote access off the school site to any personal data should be over an encrypted connection (e.g. VPN) protected by a username/id and password. This information must not be stored on a personal (home) computer. Members of staff (e.g. senior administrators) who are given full, unrestricted remote access to an organisation s management information system should do so over an encrypted connection and use two-factor authentication, which is available to SIMS users from Capita. This information must not be stored on a personal (home) computer. The school will keep necessary pupil and staff information in accordance with the Records Management Society s guidelines. The school should securely delete commercially sensitive or personal data when it is no longer required as per the Records Management Society s guidance. 6

All staff will be trained to understand the need to handle data securely and the responsibilities incumbent on them this will be the responsibility of the headteacher. When sensitive data is to be sent out of the school it must be done in a secure way. The Information About Children Education and schools (ICES) March Bulletin (no 41) contains a number of useful guidance sections and appendices that cover the issues of Information Sharing and details of how to securely transfer data between schools, LA and Government departments 5. 5 http://www.teachernet.gov.uk/_doc/14782/ices%20bulletin%20- %20issue%2041%20v1-0Final.pdf 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information