St Mary’s and St Peter’s CE Primary School

Data Security
Date: September 2016 / Review Date: September 2017

We at SMSP store and process gigabytes of data every year in the form of assessment, planning, administration, photos, videos and a myriad of others. The presence of this data is invaluable in the development and delivery of quality teaching and services. As a public body, the school is required by law to ensure the privacy of those whom we collect data on. This policy outlines the steps we take to meet this obligation.

Aims

·  To ensure that all aspects of data and information management and use conform to the current legislation:

o  Data Protection Act;

o  Freedom of Information Act;

o  Computer Misuse Act.

·  To ensure that there is no detriment to data subjects.

·  To ensure that data and information is managed efficiently and effectively and for the described purpose.

·  To ensure the integrity, accuracy and security of data.

Compliance

The Data Protection Act 1998 requires all organisations to secure any personal data they hold. This covers data held both electronically and on paper.

The school complies fully with the Data Protection principles which state that personal information must be:

·  Fairly and lawfully processed;

·  Processed for limited purposes;

·  Adequate, relevant and not excessive;

·  Accurate;

·  Not kept longer than is necessary;

·  Processed in accordance with an individual’s rights;

·  Kept secure;

·  Not transferred without adequate protection.

Access To School Data

·  The school provides staff and authorised external users access to the data and information required for them to work effectively.

·  In order to maintain data confidentiality, integrity, accuracy and security, the school restricts users’ access to that which is necessary.

·  Data subjects (e.g. parents, students, staff) have a right of access to information about them (or those under their care) under the Data Protection Act. This information can be obtained by written request.

·  The general public has the right to access certain data and information under the Freedom of Information Act via the appropriate channels.

Applicable Data

For the purposes of this policy, the term ‘non-personal data’ refers to any information relating to the school workplace. This includes:

·  Lesson plans;

·  Policy documents;

·  Teaching resources.

In addition, the term ‘personal data’ refers to any information pertaining to individuals that would normally be considered confidential. This may include:

·  Assessment results;

·  Individual pupil educational/care plans;

·  Correspondence with named individuals;

·  Contact details;

·  Medical information.

For more guidance on what may constitute ‘personal data’, see “Data Protection Technical Guidance”.

Student Images/video

Although the majority of pupil imagery taken and stored at school would not be considered personal data, certain conditions (such as labelling individual images with names or the inclusion of metadata) can result in pupil imagery constituting personal data. To this end, the following guidelines should be adhered to when placing such data outside of the school system/approved secure online system:

·  Photos/videos of individual children should not be labelled with that child’s full name.

·  Imagery of individuals or small groups should not be presented or stored with other data that could make the pupils identifiable (for example, a video of a child saying their names or images being uploaded to a ‘class/school’ gallery).

·  Photos of children whose parents have not given consent for online publication should be encrypted when being transported or stored in an unsecure location.

Applicable Domains

For the purposes of this policy, the school premises are considered a ‘secure location’, as are some approved online services (such as Integris, ParentMail, etc.). All other locations should be considered ‘unsecure’.

This policy is applicable within secure locations, all unsecure locations (where school data is being stored or accessed) and during any transport of school data between locations.

Applicable Equipment

This policy applies to any technology used to store, transmit or manipulate school data (including photos, video and audio) such as CDs/DVDs, smart phones, cameras, MP3 players, USB memory sticks, tablets and laptops.

This policy applies to all school-owned equipment, and also applies to the use of personal technology with relation to school data.

In-school Data Security

·  Data held on the school network is protected by appropriate access permissions.

·  On-site storage areas for sensitive data are physically secured.

·  Unauthorised software is prohibited and installation restricted.

·  Data is regularly backed up (both locally and remotely) and protected against viruses.

·  All users of the school network subscribe to the Acceptable Use Policy.

Account Security

Every member of staff is provided with a network account and an LGfL USO account. In accordance with the Acceptable Use Policy, all users are expected to adhere to the following:

·  Members of staff are responsible for the protection of their own account details and should not divulge passwords to anyone.

·  Passwords should ideally be a combination of letters, numbers and special characters. At a minimum they should use both numbers and a mix of lower- and upper-case letters. They should avoid easily guessable words, such as class names or usernames.

·  Passwords should not be written down, saved in web browsers or emailed to anyone.

·  Members of staff should not log on to or use any account other than their own, nor allow another to use theirs unsupervised.

·  Computers in public areas of the school (for example, the atrium or hall) should not be left logged in and unattended. Staff should always log off when finished with a computer, or lock the terminal if they intend to return.

·  All other terminals must be logged out of before leaving at the end of the day. Computers will automatically shut down every night (at approx. 7pm).

Data Retention

In compliance with the Data Protection Act, the school will:

·  Ensure that necessary personal data is retained securely for an appropriate period in accordance with the relevant guidance from the DfES and the Local Authority.

·  Ensure that personal data is not retained longer than necessary.

·  Ensure that personal data, both hardcopy and electronic versions, is disposed of appropriately and securely.

Use of Removable and External Storage

·  Staff are free to transport non-personal data via any removable media they deem appropriate. This will usually be CD, DVD or memory stick.

·  The transport of personal data must be in an encrypted form (either software or hardware based). The school advocates the use of an encrypted USB memory stick which can be obtained from the eLearning co-ordinator or ICT technician.

·  All staff are expected to show due care and diligence when transporting data and should report any potential losses immediately.

Use of Online Services

·  Personal data may only be uploaded and stored on school-sanctioned online services (for example: Integris or Target Tracker). The uploading of personal data to any other online service is strictly forbidden without prior approval from a member of SLT.

·  Non-personal data (excluding materials relating to specific individuals, e.g. photographs) may be uploaded to online services, provided it does not breach copyright regulations. An example of this could be the submission of a pupil’s artwork to an online gallery. In accordance with the eSafety Policy, such instances should be undertaken with the consent of the pupil(s) involved.

Use of Email

·  Personal data should only be sent via e-mail as an encrypted attachment.

·  Personal data should only be sent to approved contacts (such as staff members or borough consultants).

·  E-mails should always be sent from and to LGfL e-mail accounts (where possible).

·  Non-personal data may be sent via e-mail as an unencrypted attachment or as part of the main message.

·  Staff should be aware that e-mail addresses themselves could be considered personal data and should make use of the BCC option when e-mailing multiple contacts.

Use of External Storage/Equipment

·  Staff are permitted to retain copies of school data on personal technology, provided this technology predominantly resides at their home address and is adequately protected from viruses, malware & spyware.

·  Staff should not retain personal data for longer than required to fulfil their duties.

·  Where possible and practical, personal data should be stored in a secure, password-protected location.

·  Where personal data is stored on a home PC/laptop, staff will be expected to ensure that other users of the machine adhere to this policy.

·  No school data should be stored on public machines.

·  Staff should be aware that any weakening of their personal ICT security (whether accidental or deliberate) could cause a breach of this agreement and must be reported.

Staff Responsibilities

Staff are expected to:

·  act responsibly with any data or files they are using;

·  report any lost or stolen equipment to the eLearning coordinator or School technician;

·  report any loss of data to the eLearning coordinator;

·  report any suspected breaches of data security to the eLearning coordinator;

·  take due care of school data to ensure against loss, theft or abandonment;

·  remain vigilant for any breaches of school data security and contact the appropriate member of staff (eLearning coordinator or School technician), if issues are uncovered.

·  retain data only while needed. The long-term storage of personal data outside of secure locations is not permitted.

Policy Effectiveness

This policy will be updated as necessary to reflect best practice and to ensure compliance with any changes made to the Data Protection Act.

Headteacher: / Date:
Chair of Governing Body: / Date: