Data Protection/ Information Security Policy

Transcription

1 Data Protection/ Information Security Policy Date Policy Reviewed 27 th April 2016 Date Passed to Governors: 27 th April 2016 Approved by Governors: 7 th June 2016 Date of Next Review: June 2018

2 Data Protection Policy Statement The Longfield Academy Trust is committed to the eight principles of the Data Protection Act 1998: 1) Personal data shall be processed fairly and lawfully 2) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes 3) Personal data shall be adequate, relevant and not excessive 4) Personal data shall be accurate and, where necessary, kept up to date 5) Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes 6) Personal data shall be processed in accordance with the rights of data subjects under this Act 7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data 8) Personal data shall be not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This statement represents the response of the Governing Body to its duties under the Data Protection Act Our Commitment Aims The Longfield Academy Trust will implement the requirements of the Data Protection Act 1998 and any subsequent amendments or regulations on protecting data, and the academy s controls and procedures will ensure integrity and security of data. The Longfield Academy Trust will maintain a Data Protection register entry with the Information Commissioner, and ensure that all personal data obtained, held, used or disclosed conforms to the details recorded within that registration. In addition The Longfield Academy Trust will ensure that: 1) A member of the senior management team has overall responsibility for the implementation of Data Protection. This is currently the Finance Director. 2) Staff are aware of their responsibilities under the Data Protection Act. 3) Staff are trained and supported to deal effectively with the requirements of the Act, including the need to deal with subject access requests, in whole or in part, in accordance with the Act.

3 4) The requirements of the Act are considered in decision making processes, such as the development of policy and procedures and the design and the implementation of information systems. 5) The operations of the organisation are developed to meet the highest standards of openness and accountability. Scope of the Policy The policy statement of commitment and the ensuing controls and procedures arising from the policy are applicable to all members of the Academy, including pupils. Those with responsibility for handling or processing information are particularly affected. Monitoring The Finance Director has responsibility for maintaining a register of all requests made for information under the Data Protection Act that do not fall within the remit of the Data Protection Registration with the Information Commissioner, and the action taken on each application. It will identify reoccurring requests for the same or similar information and provide information for the reviews of the Data Protection Registration. The Longfield Academy Trust will register all complaints received about its Data Protection arrangements and will ensure learning points that arise from such complaints are used to improve related policies, procedures and guidance. The Finance Director will annually review this policy and its associated procedures and arrangements to ensure it remains up to date, effective and takes account of emerging good practice. Where new legal directions come into force, the policy will be reviewed in line with the commencement of that legislation. The Academy Data Controller, (The Trust s Finance Director) will ensure that the Academy s Data Protection Registration is renewed, reviewed and, where necessary, updated annually. The Business Committee will receive an annual report on the Academy s Information Policies that will include a report on the review of the Data Protection Policy. The controls and procedures may also be subject to review by the Academy auditors who would make recommendations on the basis of their findings. Arrangements and procedures that may be affected by changes in legislation will be reviewed as necessary. Significant changes in arrangements or procedures arising from these will be notified to Governors.

4 Criteria for monitoring The Policy and associated procedures and arrangements will be monitored within the context of legislation, including: 1) Data Protection 2) Computer Misuse 3) Human Rights 4) Equal Opportunities 5) Telecommunications 6) Health & Safety Requests and charges Requests for information can be made under the Freedom of Information Act or a Subject Access Request. Requests should be made in writing by letter or to the Academy, either to a named member of staff or role title, or to the Finance Director: Andrew Collishaw Longfield Academy Trust Longfield Road Darlington DL3 0HT Proof of identity (normally a driving licence, passport or utility bill or corporate identification in the case of organisations) will be required before the request can be met. The request will be dealt with within the required response time of 40 calendar days, subject to any extensions as stated within the Data Protection Act. If the request is too general the Academy will offer advice and assistance to determine the information required. The Academy does not have the right to ask why information is being sought, but the information can be volunteered to assist the Academy in meeting the request. The Academy s Charging and Remission Policy details the current costs charged for retrieval of information. Review and appeal If an applicant is dissatisfied with the handling of a request, they have the right to ask for an internal review. Internal review requests should be submitted no later than 40 working days after the date on which the applicant believes that the academy has failed to comply with the requirement, and should be addressed to:-

5 The Headteacher: Susan Johnson Longfield Academy Trust Longfield Road Darlington DL3 0HT If you are not content with the outcome of the internal review, an applicant has the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Making a request (Academy staff) No member of the Academy staff whilst acting within their respective role should make a request under the Data Protection Act 1998 without first receiving the authorisation of a member of the senior management team. Specific Data Protection Act Guidance Photos The Data Protection Act is unlikely to apply in many cases where photographs are taken in school. Fear of breaching the provisions of the Data Protection Act will not be wrongly used to stop people taking photographs or videos which provide many with much pleasure. Where the Data Protection Act does apply, a common sense approach suggests that if the photographer asks for permission to take a photograph, this will usually be enough to ensure compliance. Photos taken for official school use may be covered by the Data Protection Act and pupils and students will be advised why they are being taken. Photographs/videos should be stored securely and access should be restricted. At no time should access to photographs be open to other pupils or parents. Biometrics The Longfield Academy Trust does hold any biometric data relating to pupils or staff. This data is always stored securely.

6 Bring Your Own Device Bring your own device raises a number of data protection concerns due to the fact that the device is owned by the user rather than the data controller. It is crucial that the school ensures that all processing for personal data which is under his control remains in compliance with the Data Protection Act. Currently Bring Your Own Devices does not happen within the curriculum within the Trust. Cloud Computing The Longfield Academy Trust, as data controller, has a responsibility to ensure that the processing carried out by their cloud service provider complies with the Data Protection Act. The Trust will ensure that a contract and a data processing agreement in place. Data confidentiality When choosing a cloud service provider the Trust will select a data processor providing sufficient guarantees about the technical and organisational security measures governing the processing to be carried out, and will take reasonable steps to ensure compliance with those measures. Service availability Service availability means ensuring timely and reliable access to personal data. One threat to availability in the cloud which is often outside the responsibility of the cloud service provider is the accidental loss of network connectivity between the client and the service provider. The school as data controllers will therefore check whether they have adopted reasonable measures to cope with the risk of disruptions such as backup internet network links. The school will assess the level of risk and whether the school is prepared to accept that risk. Data transfers beyond the European Economic Area (EEA) The school understands that cloud service being provided by companies outside of the EEA may not have to comply with such tight data protection protocols. The Longfield Academy Trust will therefore only choose a cloud based supplier which confirms that the data is stored within the EEA. Payment Card Information The Longfield Academy Trust does currently receive debit/credit card payments and also via SIMS Agora/Parentmail. Sims Agora/Parentmail complies with the Payment Card Industry Data Security Standard. (PCI DSS). SIMS Agora/Parentmail has the appropriate firewalls to protect cardholder data, and also anti-virus software. Access to SIMS Agora is via a series of system passwords. When credit/debit card

7 information is received the receipts of the payments are stored securely with cardholders information encrypted. Information Security Employee Responsibilities Employees are responsible for:- 1) Ensuring any information they provide to The Longfield Academy Trust in connection with their employment is accurate and up to date. 2) Informing the Academy of any changes to information they have previously provided e.g. changes of address. 3) Checking the information that the Academy will send out from time to time giving details of information held and processed. 4) Informing the Academy of any errors or changes. If and when employees as part of their responsibilities collect, access and process information for employment records they must comply with the Guidelines for Data Protection. Line Managers are responsible for ensuring all employees they supervise are aware of their responsibilities under the Data Protection Act. The Academy will review annually the personal data held in respect of individual employees and will send a copy to employees to ensure it is accurate and up to date. Data Security Personal information (pupils, employees, commercial or any other information) should be kept in a locked filing cabinet or securely on the schools network. Information of this nature should not be stored on memory sticks. All employees are responsible for ensuring that:- 1) Any data which they have is kept secure particularly if taking data off site on laptop computers, tablets or files. If mobile devices are taken off site, they should never be left in a car overnight. A password must be in place for the device. The same precedent applies if personal data is stored on employees own devices. 2) At all times take care to ensure the safe keeping of personal data, minimising the risk of its loss or misuse. 3) Ensure any document containing personal data is password protected. 4) Personal information is not disclosed either orally or in writing deliberately or accidentally or otherwise to any unauthorised third party. 5) No personal information is given to unknown third parties over the telephone. The sharing of personal data is required as detailed elsewhere in the

8 document. If there are any doubts regarding the validity of the third party requesting the data requests should be replied to writing. 6) Use personal data only on secure password protected computers and other devices, ensuring that they are properly logged-off at the end of any session in which they are using personal data. 7) If school equipment is to be used by anyone other than the member of staff responsible for it that user must have a separate account set up by the ICT Support Department. The laptop must remain in the users possession at all times. 8) Equipment is insured whilst in school premises or the registered user s home. Whilst in transit it is only covered if it is in the possession of the user. If the equipment is in a situation where it is not covered by insurance, users are responsible for organising their own insurance. Any damage not covered by insurance could be charged to the individual. 9) If staff receives work s on their mobile phone as a minimum a 4 digit passcode must be used on the device. If there is a data breach employees must notify their Headteacher and the Longfield Academy Trust s Finance Director immediately. Major data breaches could be reportable to the Information Commissioners Office, within 24 hours. Therefore it is important that any data breaches are disclosed as a matter of urgency. The Headteacher in conjunction with the Finance Director will review the circumstances of the data breach and decide whether this breach warrants disclosure and any corrective action which may be required. Employees should note that unauthorised disclosure will usually be a disciplinary matter and may be considered gross misconduct in some cases. It may also result in a personal liability for the individual employee. Data Sharing The Longfield Academy Trust, Local Authority and the Department of Education, hold information on pupils in order to run the education system. In doing so the Academy has to follow the Data Protection Act, Data help about pupils has to be used for specific purposes, allowed by law. The Academy holds information about staff in its employment records in order to perform key tasks e.g. recruitment, performance monitoring, recording absence and health & safety matters. The Academy has to comply with the Data Protection Act, 1998 to ensure it is collected and used fairly, stored safety and not disclosed to other persons unlawfully. Pupil Data The Academy holds information on pupils in order to support their teaching and learning, to monitor and report on their progress, to provide appropriate pastoral care, and to assess how well the Academy as a whole is doing. This information

9 includes contact details, National Curriculum assessment results, attendance information, and characteristics such as ethnic group, special educational needs and any relevant medical information. From time to time we are required to pass on some of this data to the Local Authority (LA), to another school, Academy, College to which the pupil is transferring, to the Department of Education, and to the Standards and Testing Agency/Teaching Agency. The local Authority uses information about pupils to carry out specific functions for which it is responsible, such as the assessment of any special educational needs the pupil may have. As with the Department of Education, it may also use the information to derive statistics to inform decision on (for example) the funding of Academies, and to assess the performance of Academies and set targets for them. The statistics are used in such a way that individual pupils cannot be identified from them. The Standards and Testing Agency/Teaching Agency uses information about pupils to administer the National Curriculum tests and assessment. The results of these are passed on to Department of Education in order for it to compile statistics on trends and patterns in levels of achievement. The Standards and Testing Agency/Teaching Agency uses the information to evaluate the effectiveness of the National Curriculum and the associated assessment arrangements, and to ensure that these are continually improved. The Department for Education uses information about pupils for statistical purposes, to evaluate and develop Education Policy and to monitor the performance of the education service as a whole. The statistics are used in such a way that individual pupils cannot be identified from them. On occasions, information may be shared with other Government departments or agencies strictly for statistical or research purposes only. Pupils, as data subjects, have certain rights under the Data Protection Act, including a general right of access to personal data held on them, with parents exercising this right on their behalf if they are too young to do so themselves. If a pupil wishes to access their personal data, or a parent wishes to do so, on their behalf, they can contact the Academy in writing: Please note that all rights under the Data Protection Act to do with information about pupils rest with them as soon as they are old enough to understand these rights. This will vary from one child to another and you will wish to consider the position for your child, but, as a broad guide, it is reckoned that most children will have a sufficient understanding by the age of 12. Separately from the Data Protection Act, Department of Education regulations provide a pupil s parent (regardless of the age of the pupil) with the right to view, or

10 to have a copy of, their child s educational record at the Academy. If a parent wishes to exercise this right they should write to the Academy. Retention of Data Personal information should not be retained on the employment record for any longer than is necessary for the purpose required but equally it should not be discarded if doing so renders the record inadequate. Retention Timescales Application Form 6 years from end of employment References received 6 years from end of employment Payroll and Tax information 6 years from end of employment Annual Leave record 2 years Unpaid/Special Leave record 6 years from end of employment Sickness records 6 years from end of employment Annual Appraisal record 6 years from end of employment Records relating to promotion, training 6 years from end of employment Disciplinary record 6 years from end of employment References given 6 years from date reference provided Summary Record of Service E.g. Name, post(s) held dates of 10 years from end of employment Accident record at work 15 years Injury at work record 15 years. Core financial records 6 financial years + current. These timescales can be extended where there is a justified business reason for doing so not merely that it might be useful to hold such documentation. Application forms and other associated documentation within the Code of Practice for Recruitment and Selection of unsuccessful candidates for jobs should be destroyed after 8 months unless subject to challenge. Date of next review To be reviewed and approved by the Business Committee June 2018.