Information Security Policy Statement

2016/17

Aims

This policy statement is designed to set out the roles and responsibilities of protecting valuable information held by Community Learning and Skills in Cheshire. It will illustrate the already existing procedures complying with data protection, set out new procedures that would be best to use in practice and set out the selection and application of appropriate safeguarding techniques that will further help the storing of information securely.

Scope

These policies apply to all members of staff who have direct contact with data:

  • The provider – returning data electronically or by post. Full instructions will be issued by The CLaSiC Management Information Team and may be changed at short notice.
  • The CLaSiC teams – personal records will be retained under lock and key or archived in a secure environment
  • Learners – no data, unless explicitly specified, will be shared with a third party (refer to Learner Enrolment Form Data Protection statement).

All areas of information processing and retention will be covered, from the learner inputting their details onto a registration form, to how that information is transferred to central information handlers, data inputters and analysis systems. Guidelines of efficient practical procedures will be provided, such as how to store and finally destroy personal/sensitive data. Practical procedures that cover the negligence of a learner exposing their own information will also be advised.

Policy Statement

This policy statement will focus on the implementing of reasonable systems and structures[1]. Sufficient resources will be put in place so that the security objectives can be realistically achieved.

Compulsory Data Protection training must be completed by all staff who handle data. Employees responsible for personal or sensitive data will also receive training appropriate to their role.

Unannounced examinations will be conducted by the manager to help develop ways in which security can be improved (see appendix 3). Any staff members that discover security shortfalls will be responsible for reporting them to their line manager.

Staff will at all times act in a responsible, professional and security-aware manner, maintaining an awareness of this policy statement and the Data Protection Act.

This policy will be shared via the relevant shared folders in order to be easily accessible by all employees and subcontractors.

Legislative influences

This policy is written in accordance with the Data Protection Act 1998, and follows the eight data protection principles[2]. These ensure that personal data is:

  1. Processed fairly & lawfully
  2. Processed only for a specified purpose and not processed for any purpose incompatible with the original purpose
  3. Accurate, relevant and not excessive
  4. Accurate and up to date
  5. Not kept longer than is necessary
  6. Processed in accordance with the rights of the data subject
  7. Stored securely with appropriate physical and technical security measures in place
  8. Not transferred outside of the EEA

The specific terms used within this policy are drawn from the definitions set out by the Data Protection Act 1998, as provided below:

  • Data - information recorded electronically or manually and held in a relevant filing system or structured form. Unstructured data held in manual form (referred to as Category e-data) is now also defined as data due to the Freedom of Information Act 2000 amendments
  • Personal Data - refers to the information that can help identify an individual on its own, or in correlation with other information. It affects an individual's privacy and can contain details such as date of birth, contact details or qualifications
  • Sensitive Data - private information about an individual such as racial or ethnic origin, political opinions, religious beliefs, physical or mental health condition and sexual orientation

Condition 1 of Schedule 2 raises the ethical issue of consent (see appendix 1). This can be overcome by including short statements on paperwork, stating that consent will automatically be given once the learner begins to fill in the form.

Condition 1 of Schedule 3[3] raises the issue of obtaining explicit consent for personal sensitive information (see appendix 2). As a provider of government funded learning or mentoring, our organisation must collect and process both personal and sensitive information. This can be overcome by requiring each learner to sign a data protection statement after completing their registration form.

Individual Rights

This policy will also take into consideration the EU Data Protection Reform from January 2012. The new General Data Protection Regulation states that the learner must have clear and understandable information of what their data is going to be used for and how it is going to be stored. The new regulations will also strengthen individuals’ right to be forgotten if the information previously obtained is no longer necessary, or the storage period consented has expired.

For the purpose of this policy, any information relating to the Skills Funding Agency funded provision, for example learner forms or course forms, should be kept securely stored for a period of 14 years before they are considered for destruction. This length of time is required for provisions that have been funded or co-funded through the European Social Fund. All data that has derived from provisions delivered by CLaSiC should be treated as if they were funded by the ESF. Learners or customers should be made aware of the time period their information will be stored for.

Right of Access to Information

Section 11 of the Human Rights Act 1998 safeguards the right to ask for personal information[4], making it vital to store data in a secure, well organised manner which can be easily accessible only by those who are authorised to do so. This policy will focus on the ICO Code of Practice. A request must be made in writing and must be accompanied by proof of identity and proof of address. All information must then be provided within forty days of receiving the complete request.

Policy in Practice

Data security is not simply a matter of paper, databases, servers and storage facilities. It relates to the complete management information system. This makes it difficult to provide complete data security for any organisation. ‘Total and complete network security are seen as a myth’[5], therefore this information security statement will merely propose policy guidelines that can be implemented to limit unauthorised data accessing. Complete security in every case cannot be guaranteed. Any specific incident will be left to the discretion of the line manager who will follow Schedule 1 of the Data Protection Act (see appendix 4).

Policy guidelines that can be used to maximise data protection

When working with hard copy data:

  • Data should be well-organised, clearly labelled and easily accessible by those who are authorised to do so
  • Records should be stored in lockable storage facilities, located in areas or offices that are not normally accessible to the public
  • Those who regularly transfer paper records between CLaSiC locations should be issued with a lockable case
  • If it is not reasonable for those transferring records to return records straight to a main data storage area, the person transporting the records should:
      • Place the records in an issued lockable case
      • Inform their line manager or the local data controller of the number of records they are transporting and when they will be returned to a main storage facility
      • Ensure that the lockable case, which the records are being transported in, is not left visibly unattended at any point during the transfer
      • Ensure that while storing records outside of a main storage facility, reasonable steps are made to ensure that the storage case is left in a secure, non-visible location
  • All people overseeing the creation of, transfer or processing of personal information should have a DBS check (subject to current law - this may not always be possible) and the number should be kept centrally on record
  • Any hard copy records should only be sent through the postal system as special delivery, unless they are of a personal nature, in which case they should not be transferred through the postal system
  • If physical transfer of significant numbers of unencrypted paper records is necessary, two persons should oversee the transfer at all times
  • A register of transfers should be taken at the departure and receiving end of the transfer; this register should not be overseen by those transferring the records
  • Records will finally be destroyed by being disposed of in a locked metal container, then shredded only by those who are authorised to do so

When working with electronic data:

  • Email should not be used to transfer records; however, it can be used to discuss 1 item of information (for example name of a learner) without linking to any second piece of information
  • Electronic records should only be transferred over the internet using a secure connection (the padlock should be shown at the bottom of the browser, address should be
  • All computers that hold personal information should require a password, which complies with council security policy, before access is granted
  • Files containing personal/sensitive data should not be left unattended unless there is a secure password on the file or the desktop is locked
  • Files contained on ‘data sticks’ should have a password to access them (i.e. Excel or Word etc. password) and should not be used as permanent storage unless locked and stored in the same way that paper records are archived
  • Should a person with access to the data leave the organisation, their access rights (on PCs etc.) should immediately be removed
  • If a physical transfer of significant numbers of records in unencrypted electronic format is necessary, two persons should oversee the transfer at all times
  • A register of transfers should be taken at the departure and receiving end of the transfer; this register should not be overseen by those transferring the records
  • Any records within this scheme held or transferred to a location outside of a main location should be encrypted to 256-bit level, independent of passwords on the files themselves
  • All records that hold sensitive data should be encrypted to 256-bit level independently of passwords on the file
  • Records should be held only in a main location

When working with learner negligence:

  • Registration forms should include a statement providing information on how and why the data will be stored, who the information may be shared with and who will be able to contact them via the information they have submitted. Consent to this will then be given once the learner begins to fill out the registration form
  • Notices will be placed on shared computers to remind learners that documents should not be saved onto the desktop and that learners who do so are doing it at their own risk
  • Registers should be taken by the teacher so that no personal information regarding other learners can be obtained
  • Only registers with a short statement, informing the learner that the information on the register sheet will be seen by others in the class, will be passed around for each learner to sign

Appendix 1

SCHEDULE 2 of the Data Protection Act

Conditions relevant for purposes of the first principle: processing of any personal data

1 The data subject has given his consent to the processing.

2 The processing is necessary—

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4 The processing is necessary in order to protect the vital interests of the data subject.

5 The processing is necessary—

(a) for the administration of justice,

[F1 (aa) for the exercise of any functions of either House of Parliament,]

(b) for the exercise of any functions conferred on any person by or under any enactment,

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

Amendments (Textual)

F1 Sch. 2 para. 5(aa) inserted (1.1.2005) by 2000 c. 36, ss. 73, 87(3), Sch. 6 para. 4 (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

Modifications etc. (not altering text)

C1 Sch. 2 para. 5 extended (2.12.1999) by S.I. 1999/3145, arts. 1, 9(3)(b); S.I. 1999/3208, art. 2

6 (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

(2) The [F2 Secretary of State] may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.

Annotations:

Amendments (Textual)

F2 Words in Sch. 2 para. 6 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

Commencement Information

I1 Sch. 2 para. 6 wholly in force at 1.3.2000; Sch. 2 para. 6 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 2 para. 6 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

Appendix 2

SCHEDULE 3 of the Data Protection Act

Conditions relevant for purposes of the first principle: processing of sensitive personal data

1 The data subject has given his explicit consent to the processing of the personal data.

2 (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.

(2) The [F1 Secretary of State] may by order—

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

Annotations:

Amendments (Textual)

F1 Words in Sch. 3 para. 2 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

Commencement Information

I1 Sch. 3 para. 2 wholly in force at 1.3.2000; Sch. 3 para. 2 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 3 para. 2 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

3 The processing is necessary—

(a) in order to protect the vital interests of the data subject or another person, in a case where—

(i) consent cannot be given by or on behalf of the data subject, or

(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or

(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

4 The processing—

(a) is carried out in the course of its legitimate activities by any body or association which—

(i) is not established or conducted for profit, and

(ii) exists for political, philosophical, religious or trade-union purposes,

(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects,

(c) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and

(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.

5 The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.

6 The processing—

(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b) is necessary for the purpose of obtaining legal advice, or

(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

7 (1) The processing is necessary—

(a) for the administration of justice,

[F2 (aa) for the exercise of any functions of either House of Parliament,]

(b) for the exercise of any functions conferred on any person by or under an enactment, or

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

(2) The [F3 Secretary of State] may by order—

(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or

(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

Annotations:

Amendments (Textual)

F2 Sch. 3 para. 7(1)(aa) inserted (1.1.2005) by 2000 c. 36, ss. 73, 87(3), Sch. 6 para. 4 (with ss. 56, 78); S.I. 2004/1909, art. 2; S.I. 2004/3122, art. 2

F3 Words in Sch. 3 para. 7 substituted (19.8.2003) by The Secretary of State for Constitutional Affairs Order 2003 (S.I. 2003/1887), art. 9, Sch. 2 para. 9(1)(b)

Modifications etc. (not altering text)

C1 Sch. 3 para. 7 extended (2.12.1999) by S.I. 1999/3145, arts. 1, 9(3)(b); S.I. 1999/3208, art. 2

Commencement Information

I2 Sch. 3 para. 7 wholly in force at 1.3.2000; Sch. 3 para. 7 in force for certain purposes at Royal Assent see s. 75(2)(i); Sch. 3 para. 7 in force at 1.3.2000 insofar as not already in force by S.I. 2000/183, art. 2(1)

[F6 7A (1) The processing—

(a) is either—

(i) the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or

(ii) any other processing by that person or another person of sensitive personal data so disclosed; and

(b) is necessary for the purposes of preventing fraud or a particular kind of fraud.

(2) In this paragraph “an anti-fraud organisation” means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes.]

Annotations:

Amendments (Textual)

F6 Sch. 3 para. 7A inserted (1.10.2008) by Serious Crime Act 2007 (c. 27), ss. 72, 94; S.I. 2008/2504, art. 2(e)

8 (1) The processing is necessary for medical purposes and is undertaken by—

(a) a health professional, or

(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2) In this paragraph “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

9 (1) The processing—

(a) is of sensitive personal data consisting of information as to racial or ethnic origin,

(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and

(c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.

(2) The [F4 Secretary of State] may by order specify circumstances in which processing falling within sub-paragraph (1)(a) and (b) is, or is not, to be taken for the purposes of sub-paragraph (1)(c) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.