ICT Data Security

Date: December 2015

Staff Responsible: Mr John Agg/Mrs Ann Starr

Advance Trust, a Charity and Company limited by guarantee, registered in England and Wales Company number 08414933 whose registered office is at Vale of Evesham School, Four Pools Lane, Evesham, Worcs, WR11 1BN

Telephone: (01386) 442753 Fax: (01386) 443367 [email protected] www.advancetrust.org Executive Principal: Mrs Ann M Starr


1. INTRODUCTION

1.1 According to a Freedom of Information request made by Big Brother Watch to 434 Local Authorities, between July 2008 and July 2011, 132 Schools and Local Authorities lost sensitive information in at least 1035 separate incidents.

* At least 35 councils lost information about children and those in care
* The information of at least 3100 children, young people or students was compromised in 118 cases
* At least 244 laptops and portable computers were lost
* A minimum of 98 memory sticks and more than 93 mobile devices went missing

This has prompted the following warning from the Information Commissioner’s Office (ICO):

“The loss of or unauthorised access to personal information is likely to cause most harm to pupils, parents or staff and is most likely to result in us taking action. Individuals have a right to take action for compensation if loss of personal data causes them damage. The Information Commissioner now has the power to impose a monetary penalty for serious contraventions of the data protection principles. So not taking security seriously causes a reputational risk and could cost you money.”

1.2 Advance Trust therefore recognises that a robust and consistent strategy should exist in each of its Schools. The strategies employed, for example with data encryption methods, should be subject to frequent and ongoing revision as new techniques are employed and older techniques become vulnerable when weaknesses in these systems are disclosed in the public domain. This Policy is designed to provide a unified strategy of Best Practice in data security.

We are managing a significant investment in the use of our ICT. In many areas of work the use of ICT is vital and must be protected from any form of disruption or loss of service. It is therefore essential that the availability, integrity and confidentiality of the ICT systems and data are maintained at a level that is appropriate for our needs.

1.3 REVIEW

This policy will be reviewed as it is deemed appropriate, but no less frequently than every Term. The policy review will be undertaken by the nominated representative of Advance Trust.

2. POLICY OBJECTIVES

2.1 Against this background there are three main objectives of the ICT Security Policy:

a) To ensure that equipment and data are adequately protected against any action that could adversely affect Advance Trust.
b) To ensure that users are aware of and fully comply with all relevant legislation.
c) To create and maintain within the organisation a level of awareness of the need for ICT security and for it to be an integral part of the day to day operation so that all staff understand the need for ICT security and their own responsibilities in this respect.

3. APPLICATION

3.1 The ICT Security Policy is intended for all Advance Trust Schools staff who have control over or who use or support the school’s Administration and Curriculum ICT systems or data. Anyone using the school’s ICT systems or data must be subject to an “acceptable ICT use” Policy.

3.2 For the purposes of this document the terms ‘ICT’ (or ‘ICT system’), ‘ICT data’ and ‘ICT user’ are defined as follows:

• ‘ICT’ (or ‘ICT system’) means any device for automatic storing and processing of data and includes Workstations, Servers, Tablets, Laptops and smart phone devices.
• ‘ICT data’ means any information stored or processed by ICT and includes programs, text, pictures and sound;
• ‘ICT user’ applies to any Advance Trust School employee, pupil or other authorised person who uses the school’s ICT systems and/or data.

4 GOVERNING BODY

4.1 The governing body has ultimate responsibility for ensuring that the school complies with the legislative requirements relating to the use of ICT systems and for disseminating policy on ICT security and other ICT related matters. In practice, the day-to-day responsibility for implementing these legislative requirements rests with the Headteacher.

5 HEADTEACHER

5.1 The Headteacher is responsible for ensuring that the legislative requirements relating to the use of ICT systems are met and that the school’s ICT Security Policy, as may be amended from time to time, is adopted and maintained by the school. He/she is also responsible for ensuring that any special ICT security measures relating to the school’s ICT facilities are applied and documented as an integral part of the Policy.

5.2 The Headteacher is also responsible for ensuring that the requirements of the Data Protection Act 1998 are complied with fully by the school. This is represented by an on-going responsibility for ensuring that the:

• Registrations under the Data Protection Act are up-to-date and cover all uses being made of personal data and
• Registrations are observed by the school

5.3 In addition, the Headteacher is responsible for ensuring that users of systems and data are familiar with the relevant aspects of the Policy and for ensuring that the appropriate controls are in place for staff to comply with the Policy.

6 INTERNAL AUDIT

6.1 Advance Trust Schools have purchased Forensic Monitoring Software to assist in the detection of misuse of the ICT system and to assist in identification of issues such as Radicalisation, bullying and all forms of abuse. The Headteacher must nominate an individual to analyse the data generated by the software on a daily basis and the nominated individual must inform a member of the Schools’ Child Protection team or Headteacher immediately if concerns are present.

6.2 Advice on the effective use of the Forensic software, including customisation of the Software to include additional detection formulae, can be sought from John Agg (ICT Consultant) for Advance Trust.

7 USERS

7.1 All users of the school’s ICT systems and data must comply with the requirements of this ICT Security Policy.

7.2 Users are responsible for notifying the Headteacher of any suspected or actual breach of ICT security.

8 LEGISLATION

8.1 The responsibilities referred to in this Policy recognise the requirements of the current legislation relating to the use of ICT systems, which principally comprises:

• DATA PROTECTION ACTS 1984 & 1998
• COMPUTER MISUSE ACT 1990
• COPYRIGHT, DESIGNS AND PATENTS ACT 1988

9 COMPUTER MISUSE ACT 1990

9.1 Under the Computer Misuse Act 1990 the following are criminal offences, if undertaken intentionally:

• Unauthorised access to a computer system or data;
• Unauthorised access preparatory to another criminal action;
• Unauthorised modification of a computer system or data.

9.2 All users must be given written notice that deliberate unauthorised use, alteration, or interference with a computer system or its software or data, whether proprietary or written ‘in-house’, will be regarded as a breach of school policy and may be treated as gross misconduct and that in some circumstances such a breach may also be a criminal offence.

10 COPYRIGHT, DESIGNS AND PATENTS ACT 1988

10.1 The Copyright, Designs and Patents Act 1988 provides the legal basis for the protection of intellectual property which includes literary, dramatic, musical and artistic works. The definition of ‘literary work’ covers computer programs and data.

10.2 Where computer programs and data are obtained from an external source they remain the property of the originator. Our permission to use the programs or data will be governed by a formal agreement such as a contract or licence.

10.3 All copying of software is forbidden by the Act unless it is in accordance with the provisions of the Act and in compliance with the terms and conditions of the respective licence or contract.

10.4 Each School is responsible for compiling and maintaining an inventory of all software held by the School and for checking it at least annually to ensure that software licences accord with installations.

11 MANAGEMENT OF THE POLICY

11.1 Suitable training for all ICT users and documentation to promote the proper use of ICT systems should be provided. Users will also be given adequate information on the policies, procedures and facilities to help safeguard these systems and related data. A record of the training provided through the school to each individual user will be maintained.

11.2 In addition, users will be made aware of the value and importance of such ICT systems and data, particularly data of a confidential or sensitive nature, and be made aware of their personal responsibilities for ICT security.

11.3 The Headteacher must ensure that adequate procedures are established in respect of the ICT security implications of personnel changes. Suitable measures should be applied that provide for continuity of ICT security when staff vacate or occupy a post. These measures as a minimum must include:

• A record that new staff have been issued with, have read the appropriate documentation relating to ICT security, and have signed the list of rules;
• A record of the access rights to systems granted to an individual user and their limitations on the use of the data in relation to the data protection registrations in place;

12 PHYSICAL SECURITY

LOCATION ACCESS

12.1 Adequate consideration should be given to the physical security of rooms containing ICT equipment (including associated cabling). As far as practicable, only authorised persons should be admitted to rooms that contain servers or provide access to data. Such rooms should have a double locking capability with restricted access to keys.

12.2 The School must ensure appropriate arrangements are applied for the removal or re-siting of any ICT equipment from its normal location. These arrangements should take into consideration the risks associated with the removal and the impact these risks might have. Advice on impact and repercussions must be sought from the ICT Technician. These include issues such as critical systems reliant on a workstation, server or device that must be shut down at an appropriate time where users are not logged into that system.

12.3 ENCRYPTION

12.4 Encryption protects data from being read by unauthorised users and should be installed on all laptops, tablets and portable drives containing sensitive data that are taken off site. The password or PIN chosen to decrypt the data must be suitably complex with numbers and/or special characters.

13 EQUIPMENT SITING

13.1 Reasonable care must be taken in the positioning of computer screens, keyboards, printers or other similar devices. Wherever possible, and depending upon the sensitivity of the data, users should observe the following precautions:

• Devices should be positioned in such a way that information stored or being processed cannot be viewed by persons not authorised to know the information. Specific consideration should be given to the positioning of devices on which confidential or sensitive information is processed or retrieved;
• Equipment should be sited to avoid environmental damage from causes such as dust and heat;
• Users should avoid leaving computers logged-on when unattended if unauthorised access to the data held can be gained. Clear written instructions to this effect should be given to users;

The same rules apply to official equipment in use at a user’s home.

14 SYSTEM SECURITY

LEGITIMATE USE

14.1 The school’s ICT facilities must not be used in any way that breaks the law or breaches the ICT Acceptable use policy. Such breaches include, but are not limited to:

• making, distributing or using unlicensed software or data;
• making or sending threatening, offensive, or harassing messages;
• creating, possessing or distributing obscene material;
• unauthorised private use of the school’s computer facilities.

15 PRIVATE HARDWARE AND SOFTWARE

15.1 Dangers can occur from the use of private devices (e.g. a Laptop belonging to a visitor to the School) connecting to the School’s wireless network. Forensic monitoring software only exists on official School equipment so it is extremely difficult to retrospectively analyse the content of a visitor’s internet session. If permission is granted by the Headteacher (see 16) to a visitor to use their private equipment on the School network, e.g. for purposes of presentations, it is vital that the device has up to date anti-virus protection and its use is strictly in accordance with the terms of the ICT Policy.

16 AUTHORISATION

16.1 Authority must be expressly granted by the Headteacher for a visitor to use the school’s ICT systems. Failure to establish the limits of any authorisation may result in the school being unable to use the sanctions of the Computer Misuse Act 1990. Not only will it be difficult to demonstrate that a user has exceeded the authority given, it will also be difficult to show definitively who is authorised to use a computer system.

16.2 Access eligibility will be reviewed continually, including remote access for support. In particular the relevant access capability will be removed when a person leaves the employment of the school. In addition, access codes, user identification codes and authorisation codes will be reviewed whenever a user changes duties. Failure to change access eligibility and passwords will leave the ICT systems vulnerable to misuse.

17 ACCESS TO THE COUNTY COUNCIL CORPORATE ICT NETWORK

17.1 The Headteacher must seek permission on behalf of the school for any ICT system to be linked to the County Council’s corporate ICT network.

17.2 DATA TRANSFER

17.3 Transfer of data between organisations such as schools, the LA and the DfE must only be sent via the Schools secure data transfer system. No confidential or sensitive data is to be communicated by email, text or other unsecured systems.

18 PASSWORDS

18.1 Passwords protect access to all ICT Systems, including ‘encryption’ passwords. Ideally passwords should be memorised. If an infrequently used password needs to be written, this record must be stored securely. Users should be advised about the potential risks of written passwords and should be given clear written instructions on the safeguards to adopt.

18.2 Where an Internet Password is employed (Proxy Authentication), Staff must ensure that this password is kept secure from Pupils and any breach must be reported to the ICT Technician for resetting.

18.3 Passwords should not be obvious or guessable and their complexity should reflect the value and sensitivity of the systems and data involved, e.g. “Administrator” passwords are more critical. Users should be instructed on appropriate techniques for selecting and setting a new password.

18.4 Passwords should be changed frequently to previously unused passwords. Many systems have the capability to prompt or force the user, periodically, to select a new password.

18.5 A typical period is termly. The interval chosen and the methods by which the password changes will be enforced must be suitably documented for users.

18.6 Any person who suspects that someone else knows their password should change it immediately or request that the ICT Technician change it for them. Due to the way that the Forensic data software operates, it is imperative that users only log into systems using their own credentials unless expressly permitted by the Headteacher. Failure to do so may result in a breach of the ICT Policy being directed against the wrong user.

18.7 A password must be changed if it is affected by a suspected or actual breach of security or if there is a possibility that such a breach could occur, such as:

• When a password holder leaves the school or is transferred to another post;
• When a password may have become known to a person not entitled to know it.

18.8 Users must not reveal their passwords to anyone, apart from authorised staff. Users who forget their password must request the ICT Technician issue a new password.

18.9 Where a password to boot a PC or access an internal network is shared, users must take special care to ensure that it is not disclosed to any person who does not require access to the PC or network.

18b WIRELESS NETWORK

18b1 Wireless networks (Wi-Fi) must have their Access Points (APs) protected by a minimum of WPA2 encryption and the wireless password should be suitably complex.

19 BACKUPS

19.1 In order to ensure that our essential services and facilities are restored as quickly as possible following an ICT system failure, back-up copies of stored data will be taken at least on a daily basis.

19.2 Security copies should be clearly marked as to what they are and when they were taken and stored away from the system to which they relate in a restricted access fireproof location and/or off site. Backups taken off-site must be encrypted.

19.3 Security copies should be regularly tested to ensure that they enable the systems/relevant file to be re-loaded in cases of system failure.

19.4 The School data server must be connected to an uninterruptible power supply (UPS) with Surge Protection. A UPS device with Surge Protection protects against power spikes and unsafe power reductions. The UPS should preferably have a minimum rating of 500 VA.

20 VIRUS PROTECTION

20.1 The school will use appropriate Anti-virus software for all school ICT systems.

20.2 All Users should take precautions to avoid malicious software that may destroy or corrupt data.

20.3 The school will ensure that every ICT user is aware that any suspected or actual computer virus infection must be reported immediately to the ICT Technician for action.

20.4 Users must scan portable devices they have plugged into any School Workstation to ensure they are virus free. The school will ensure that virus protection exists on any standalone or locally networked computers that can access the Internet and train you in its use. Users must not e-mail material that has not been scanned to other users. If you find a virus, or you think the material has one, you must immediately break the connection, stop using the computer and inform the ICT Technician.

The Governing body could be open to a legal action for negligence should losses occur on the Joint Academic Network (JaNET) as a consequence of a computer virus on school equipment. The Administrators of the JaNET network will disconnect a School’s Broadband feed if a Virus is not dealt with promptly.

20.4 The school will ensure that anti-virus software is installed on all staff laptops. However, staff are responsible for ensuring that this software is kept up-to-date on a regular basis using the live update facility of the anti-virus program.

21 DISPOSAL OF EQUIPMENT

21.1 Disposal of redundant ICT equipment will be made with due regard to the sensitivity of the information it contains.

21.2 The Data Protection Act requires that adequate mechanisms be used when disposing of personal data.

22.2 Prior to the transfer or disposal of any ICT equipment the School must ensure that any personal data or software is obliterated from the machine if the recipient organisation is not authorised to receive the data. Where the recipient organisation is authorised to receive the data, they must be made aware of the existence of any personal data to enable the requirements of the Data Protection Act to be met. Serial numbers of equipment must be recorded for Audit purposes. The Data Protection Act requires that any personal data held on such a machine be destroyed.

23. REPAIR OF EQUIPMENT

23.1 If a device, or its permanent storage (usually a disk drive), is required to be repaired by a third party or returned for a warranty repair, the significance of any data must be considered. If data is particularly sensitive it must be removed from hard disks and stored on secure media for subsequent reinstallation.

24. STORED DATA

24.1 Advance Trust, (Vale of Evesham School, Kingfisher, Riverside and Newbridge Schools) collect and use personal information about staff, students, parents or carers, Professional Practitioners and other individuals who come into contact with the school. This information is gathered in order to enable it to provide education and other associated functions. In addition, there may be a legal requirement to collect and use information to ensure that the school complies with its statutory obligations.

24.2 Schools have a duty to be registered, as Data Controllers, with the Information Commissioner’s Office (ICO) detailing the information held together with its use. These details are then available on the ICO’s website. Schools also have a duty to issue a Fair Processing Notice to all students/parents or carers; this summarises the information held on students, why it is held and the other parties to whom it may be passed on.

24.3 This policy is intended to ensure that personal information is dealt with correctly and securely and in accordance with the Data Protection Act 1998, and other related legislation. It will apply to information regardless of the way it is collected, used, recorded, stored and destroyed, and irrespective of whether it is held in paper format or electronically.

24.4 All staff involved with the collection, processing and disclosure of personal data will be aware of their duties and responsibilities by adhering to these guidelines.

24.5 What is Personal Information?

Personal information or data is defined as data which relates to a living individual who can be identified from that data, or other information held.

24.6 Data Protection Principles

The Data Protection Act 1998 establishes eight enforceable principles that must be adhered to at all times:

1) Personal data shall be processed fairly and lawfully;
2) Personal data shall be obtained only for one or more specified and lawful purposes;
3) Personal data shall be adequate, relevant and not excessive;
4) Personal data shall be accurate and where necessary, kept up to date;
5) Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose or those purposes;
6) Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998;
7) Personal data shall be kept secure i.e. protected by an appropriate degree of security;
8) Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.

24.7 GENERAL STATEMENT

Advance Trust, (Vale of Evesham School, Kingfisher, Riverside and Newbridge Schools) is committed to maintaining the above principles at all times. Therefore it will:

• Inform individuals why the information is being collected when it is collected
• Inform individuals when their information is shared, and why and with whom it was shared
• Check the quality and the accuracy of the information it holds
• Ensure that information is not retained for longer than is necessary
• Ensure that when obsolete information is destroyed that it is done so appropriately and securely
• Ensure that clear and robust safeguards are in place to protect personal information from loss, theft and unauthorised disclosure, irrespective of the format in which it is recorded
• Share information with others only when it is legally appropriate to do so
• Set out procedures to ensure compliance with the duty to respond to requests for access to personal information, known as Subject Access Requests
• Ensure our staff are aware of and understand our policies and procedures

Procedures for responding to subject access requests made under the Data Protection Act 1998

Rights of access to information

There are two distinct rights of access to information held by schools about students.

1. Under the Data Protection Act 1998 any individual has the right to make a request to access the personal information held about them.
2. The right of those entitled to have access to curricular and educational records as defined within the Education Student Information (Wales) Regulations 2004.

These procedures relate to subject access requests made under the Data Protection Act 1998.

How to action a subject access request

1) Requests for information must be made in writing, which includes email, and be addressed to the Headteacher or Advance Trust Business Director. If the initial request does not clearly identify the information required, then further enquiries will be made.

2) The identity of the requestor must be established before the disclosure of any information, and checks should also be carried out regarding proof of relationship to the child. Evidence of identity can be established by requesting production of:

• passport
• driving licence
• utility bills with the current address
• Birth / Marriage certificate
• P45/P60
• Credit Card or Mortgage statement

3) Any individual has the right of access to information held about them. However with children, this is dependent upon their capacity to understand (normally age 12 or above) and the nature of the request. The Headteacher should discuss the request with the child and take their views into account when making a decision. A child with competency to understand can refuse to consent to the request for their records. Where the child is not deemed to be competent an individual with parental responsibility or guardian shall make the decision on behalf of the child.

4) The school may make a charge for the provision of information, dependent upon the following:

• Should the information requested contain the educational record then the amount charged will be dependent upon the number of pages provided.
• Should the information requested be personal information that does not include any information contained within educational records schools can charge up to £10 to provide it.
• If the information requested is only the educational record viewing will be free, but a charge not exceeding the cost of copying the information can be made.

5) The response time for subject access requests, once officially received, is 40 days (not working or school days but calendar days, irrespective of school holiday periods). However the 40 days will not commence until after receipt of fees or clarification of information sought.

6) The Data Protection Act 1998 allows exemptions as to the provision of some information; therefore all information will be reviewed prior to disclosure.

7) Third party information is that which has been provided by another, such as the Police, Local Authority, Health Care professional or another school. Before disclosing third party information consent should normally be obtained. There is still a need to adhere to the 40 day statutory timescale.

8) Any information which may cause serious harm to the physical or mental health or emotional condition of the student or another should not be disclosed, nor should information that would reveal that the child is at risk of abuse, or information relating to court proceedings.

9) If there are concerns over the disclosure of information then additional advice should be sought.

10) Where redaction (information blacked out/removed) has taken place then a full copy of the information provided should be retained in order to establish, if a complaint is made, what was redacted and why.

11) Information disclosed should be clear, thus any codes or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it should be retyped.

12) Information can be provided at the school with a member of staff on hand to help and explain matters if requested, or provided at face to face handover. The views of the applicant should be taken into account when considering the method of delivery. If postal systems have to be used then registered/recorded mail must be used.

Business Director or Chairperson of the Governing Body who will decide whether it is appropriate for the complaint to be dealt with in accordance with the school’s complaint procedure. Complaints which are not appropriate to be dealt with through the school’s complaint procedure can be dealt with by the Information Commissioner. Contact details of both will be provided with the disclosure information.

Further advice and information can be obtained from the Information Commissioner’s Office, www.ico.gov.uk

25. PRIVACY NOTICE (STUDENTS)

Advance Trust, (Vale of Evesham School, Kingfisher, Riverside and Newbridge Schools) processes personal information about its students and is a ‘data controller’ for the purposes of the Data Protection Act 1998.
We collect information from you and may receive information about you from your previous school and the Learning Records Service. We hold and use your information to support your teaching and learning, monitor and report on how well you are doing, provide you with pastoral care and to assess how well your school is doing. The information we hold includes your contact details, national curriculum assessment results, attendance information, your ethnic group, special educational needs and any relevant medical information. If you are enrolling for post-14 qualifications, the Learning Records Service will give us your unique learner number (ULN). We may also ask them for details of any learning you have done in the past or any qualifications you have.

We will not give information about you to anyone outside the school without your permission unless the law and our rules permit it. We are required by law to pass some of your information to relevant bodies such as Department for Education (DfE)

Privacy Notice for the school workforce employed or otherwise engaged to work at a school

Privacy Notice - Data Protection Act 1998

We Advance Trust, (Vale of Evesham School, Kingfisher, Riverside and Newbridge Schools) are the Data Controllers for the purposes of the Data Protection Act.

Personal data is held by the Trust Schools about those employed or otherwise engaged to work at the schools. This is to assist in the smooth running of the school and/or enable individuals to be paid. This personal data includes some or all of the following: identifiers such as name and National Insurance Number; characteristics such as ethnic group; employment contract and remuneration details; post “A” level qualifications; and absence information.

The collection of this information will benefit both national and local users by:

• improving the management of school workforce data across the sector;
• enabling a comprehensive picture of the workforce and how it is deployed to be built up;
• informing the development of recruitment and retention policies;
• allowing better financial modelling and planning;
• enabling ethnicity and disability monitoring;
• supporting the work of the School Teacher Review Board and the School Support Staff Negotiating Body.

We will not give information about you to anyone outside the school or LA without your consent unless the law and our rules allow us to.