Information Security Policy - Blackpool and The Fylde College

PROCEDURE
REFERENCE
VERSION NUMBER: 1
AUTHOR: LINDA SMITH
APPROVED BY:
RENEWAL DATE: January 2012
DATE: January 2010
Information Security Policy
Initially Conceived: July 2007
Primary Author: L. Smith
For Review: July 2009
By: e-Systems Steering Group
With approval of: SMT
Consultation with Management Forum, JSCC
Contents
Introduction
Responsibilities for Information Security
Compliance with Legislation
Monitoring Electronic Communications
Breaches of Security
Policy Awareness and Disciplinary Procedures
Supporting Codes of Practice and Guidance Notes
Statutes of the Information Security Policy
Impact Assessments
Appendices – Related Codes of Practice
a) Freedom of Information (FOI) Code of Practice
b) Data Protection
c) Computer Systems Interception and Monitoring
d) Telecommunications
e) IT Architecture
f) Blackberry
g) Electronic Mail (email)
h) Web Development
i) Safe Storage and Disposal of References, HR files, and Data (Including Medical Records)
j) Closed Circuit Television (CCTV)
TM/JW/Pers/Information Security Policy
01.10
-2-
1. Background & Context
Information systems are of primary importance in supporting College business and activities. The
availability, confidentiality and use of information systems are critical to the success of the College,
as is the data integrity within those systems. The College also takes seriously its responsibility to
protect the individuals about whom data is stored within those systems.
Blackpool and The Fylde College aims to ensure appropriate availability, confidentiality and use of
information systems and data by operating in compliance with relevant legislation alongside related
College policies and Codes of Practice. This Information Security Policy and the associated Codes
of Practice outline the guidelines and procedures to be followed in order to achieve this.
The objectives of this policy are to:
i. ensure that all of the College’s computing facilities, programs, data, network, telecommunications, CCTV and equipment are adequately protected against loss, misuse or abuse
ii. ensure that all users are aware of and comply with this Policy and all associated Codes of Practice
iii. ensure that all users are aware of and comply with the relevant UK and European Community legislation
iv. ensure that users understand their own responsibilities for appropriate use and protection of any systems or data they have access to
This Policy has been approved by the college Senior Management Team which has delegated its
implementation to Directors, Heads of School and Heads of Corporate Departments.
2. Ownership
The College Senior Management Team is responsible for approving Information Security (IS)
policies.
The College e-Systems Steering Group is responsible for ensuring the regular review, updating
and re-publication of the IS policy as well as associated codes of practice and any relevant
guidelines.
The Director of Capital Projects and Estates is responsible for managing the College CCTV
systems and for providing advice relating to its use.
The Head of Central Network Services (CNS) is responsible for managing the College Network
and Internet access and for providing support and advice in relation to the network and resources.
The College Data Protection Officer is responsible for advising with respect to overall compliance
with the Data Protection and Freedom of Information Acts.
The Director of Human Resources is responsible for communication of this policy and related
Codes of Practice to staff.
However, it is the responsibility of each individual to ensure his/her understanding of and
compliance with this Policy and the associated Codes of Practice.
3. Authority & Scope of this Policy
The Information Security Policy and associated Codes of Practice apply to all staff, learners and
partners/clients of the College as well as any third party authorised by the College to access its
information systems or data. They relate to the use of:
• any facilities owned, leased, rented or on-loan by the College including data processed using those facilities which is protected by the terms of the Data Protection Act
• any systems or resources connected to the College network directly or indirectly at any time
• any College-owned/licensed data or programs, be they on College or on private systems
• any data or programs provided to the College by sponsors or external agencies
This Policy will be reviewed annually and revised according to:
• Developments in e-systems & ICT
• Amendments to legislation
• Outcomes of risk assessments performed by the e-Systems Steering Group
4. Responsibilities for Information Security
This Policy does not form part of a formal contract of employment with the College, but it is a
condition of employment that employees will abide by all College policies, procedures, codes of
practice and values. Likewise, the Policy and its associated Codes of Practice form part of the
Regulations for Students as outlined in the Student Handbook and on Moodle.
The Codes of Practice associated with this policy are published with it as Appendices. They are
also available on CollegeNet and will be made available in alternative formats (e.g., Braille, sound
recording) upon request. Staff, learners, clients, partners and third parties are responsible for
ensuring that they work in accordance with these Codes of Practice.
5. Systems & Processes
5.1 Compliance with Legislation
The College has an obligation to abide by all UK legislation and relevant legislation of the
European Community. Of particular importance in this respect are:
The Computer Misuse Act 1990
The Regulation of Investigatory Powers Act 2000
The Data Protection Act 1998
The Freedom of Information Act 2000
The Children Act 2004
All users must comply with the abovementioned legislation and any individual can be held
personally responsible for any breach of the legislation.
In order to comply with the Data Protection Act, Blackpool and The Fylde College is registered with
the Information Commissioner’s office as a Data Controller (Registration No.: Z4700416). In
accordance with the Act, the College has notified the Information Commissioner regarding its use
of various types of data. Full details of registration and notification can be found in the Data
Protection Code of Practice.
Summaries of the legislation most relevant to the College’s IS policy may be found in the Codes of
Practice supporting this Policy. For full texts of the most relevant legislation, please contact the
College Data Protection Officer (datarequest@blackpool.ac.uk).
The e-Systems Steering Group will co-ordinate annual departmental risk assessments to assess:
• the business value of the information users are capturing and using
• the information security controls currently in place
• changes to operating systems
• changing business requirements and priorities
• changes in the relevant legislation
Where the outcome of the risk assessments highlights a need for changes to central systems,
services or procedures, these will be executed by the e-Systems Steering Group. It is the
responsibility of the individual Head of School or Corporate Service to revise their own security
arrangements in accordance with recommendations from the e-Systems Steering Group.
5.2 Acceptable Use of Resources/Systems
Information systems and resources are made available to college staff for use in relation to their
work. It is accepted that reasonable personal use of these systems and resources may be made
outside of working periods. Any such use of college information systems, including e-mail, internet,
online social networking media and any related systems or resources, must be made with due
respect to others at all times. No information which may be considered inappropriate or defamatory
may be composed, published or transmitted using college systems or resources. Any such
inappropriate conduct or misuse of college systems will be deemed a disciplinary matter.
5.3 Monitoring of Electronic Systems & Communications
College-provided Internet/Intranet and email privileges are College resources and, as such, may
be monitored for unusual activity. Correspondence via email cannot be guaranteed to be private
and, hence, confidential correspondence should be sent by other means than via College systems.
The distribution of information using any College-provided systems is subject to scrutiny and the
College reserves the right to determine the suitability of information being transmitted.
In accordance with the Telecommunications (Lawful Business Practice) (Interception of
Communications) Regulations 2000, made under the Regulation of Investigatory Powers Act (RIPA)
2000, the College will exercise its right to intercept and monitor electronic communications
received by and sent from the College for the purposes permitted under those Regulations. The
purposes cover, but are not limited to, monitoring for criminal or unauthorised use, viruses, threats
to the system e.g. hacking and denial of service attacks, ensuring the effectiveness of its
operations and compliance with College policies and regulations.
In addition, telephone communication and CCTV may be monitored in connection with:
• crime prevention or detection
• the apprehension and prosecution of offenders
• ensuring compliance with legislation
• ensuring compliance with College policies, procedures, codes of practice and values
5.4 Breaches of Information Security
Anyone suspecting that there has been, or is likely to be, a breach of Information Security should
inform the Head of CNS or the Data Protection Officer immediately. The Head of CNS or the Data
Protection Officer will advise the College on appropriate courses of action.
In the event of a suspected or actual breach of security, the Head of CNS may, after consultation
with the Head of School or Corporate Department in question, make inaccessible or remove any
unsafe user accounts, logins, data and/or programs from the network and report this to a senior
post-holder.
If a breach of Information Security affects the security of personal information relating to any data
subject(s), the Data Protection Officer may authorise any user account to be locked and its
contents made available to authorised individuals for investigation. Such a breach may lead to civil
or criminal proceedings.
Senior post-holders have the authority to take any action deemed necessary to:
• protect the College against breaches of security
• manage any identified breach of security
• limit the risk or damage resulting from any potential or identified breach of security
5.5 Policy Awareness and Disciplinary Procedures
New members of staff will be directed towards this Policy by the Department of Human Resources
on appointment. Learners will be directed towards this Policy during enrolment or induction.
Existing staff, learners, partners and authorised third parties with access to the College network will
be advised of the existence of this policy statement and the associated codes of practice which are
published on the College website, CollegeNet and Moodle.
Failure of an individual student or member of staff to comply with this policy may lead to instigation
of the relevant disciplinary procedures. Failure of a client, partner or third party to comply may lead
to the cancellation of a contract or partnership. In certain circumstances, legal action may be taken.
6. Contacts
Any complaints, concerns or queries relating to this policy or related codes of practice should be
directed to the Chair of the e-Systems Steering Group in the first instance.
Blackpool and the Fylde College
Preliminary Impact Assessment – Information Security Policy
Audit Prompt | Response
Who was responsible for writing this policy? | Key author: Linda Smith. Others consulted: JSCC, Tim Marsh, Ruth Paisley, Steve Musgrave
Is the policy written for: Staff; Learners (please indicate level); Members of the general public; Senior management or Members of the Governing Body; All of the above? | Yes primarily staff
What is the reading level indicator for this policy? | Advanced due to nature. Simple guide(s) recommended
Will the policy affect members of the target audience equally? | Yes
If no, please indicate the specific groups targeted by the policy. |
In targeting the policy at a specific group of people will members of other groups be disadvantaged? |
Does this policy contain visual images? | No
If yes, are these technical or cultural in nature? |
How will this policy be disseminated? | Collegenet, JSCC, Induction, Via HR
What arrangements have been made for production in alternative formats? |
Does this policy contribute to the College’s Equality Targets? | No
If yes, please indicate how. |
Does this policy help the College fulfil its duties under the Learning and Skills Act 2000 by promoting equality:
• Between members of different racial groups;
• Between women and men;
• Between persons who are disabled and persons who are not? | No
If this policy applies to staff and vocational trainees, does it comply with current and forthcoming Employment Regulations, in that it is free from discrimination on the grounds of:
• Gender (including transgender issues); | Yes
• Racial, Ethnic or National Origin; | Yes
• Sexual Orientation; | Yes
• Religion and Belief? | Yes
Is the policy free from discrimination on the grounds of Age? | Yes
Does the policy uphold the ethos of the following initiatives: | Yes
• Stamp out Stigma – Mental Health Initiative;
• Navajo Gay Friendly Charter Mark?
Does the policy comply with the ethos of the College Equality Charter? | Yes
Is it free from discrimination on the grounds of:
• Additional Learning Needs;
• Economic Needs;
• Social Needs?
Policy Author__________________________
Policy Auditor Tim Marsh
Pro-forma for Impact Assessment – Information Security Policy
Name of policy/function being assessed:
Name of manager/group carrying out the
assessment:
Has the initial screening form been completed?
Yes
No
Is this a new or existing policy/function?
1.
In what areas are there concerns that the
policy/function could have an impact
(please tick box)
New
□ Gender
□ Disability
□ Age
None
2.
What sort of concerns are there that the
policy/function could have a differential impact
on other groups? Please give details.
(continue overleaf if necessary).
What evidence do you have for this?
None
3.
4.
□ Race
□ Sexuality
□ Religion/belief
-
What are the risks associated with the policy
in relation to the differential impact?
5. What are the expected benefits of the policy?
6. Who has been approached to explore these
issues e.g. staff groups, trade unions, student
groups, voluntary groups etc.
(Please give dates and details of contact).
7. How have you gained the views of these
experts/groups (e.g. letter, meetings,
interviews, forums, workshops, questionnaires
or any other method)?
8. Please give details of the views of the
experts/groups on the issues involved.
9. Taking into account these views and the
available evidence please outline the risks
associated with the policy/function weighed
against the benefits.
10. What changes/modifications will now be made
to the policy/function in the light of this Impact
Assessment?
11. How will these changes/modifications be
communicated to interested parties (i.e. the
groups which were adversely affected) and
those consulted:
Signed (completing Officer)
None
…………………………………………………….
……………………………………………….
Job Title: …………………………………………
Security & Clarity
JSCC, Working Group chaired by the Vice
Principal
Good practice sought from other College’s
Universities legal advice from College
Employment Legal Advisors (EEF)
Contained in documentation
Benefits re clarity & security
Further consultation with Trade Unions
Via Trade Unions & SMT
Date of completion of Impact Assessment:
Appendix A
Freedom of Information (FOI)
Code of Practice
Initially Conceived: July 2007
Primary Author: L. Smith
For Review: January 2012
By: e-Systems Steering Group
With approval of: Director of Quality & Standards
1. Background & Context
Under the Freedom of Information Act 2000 the College must allow individuals access to
the information it holds. Blackpool and The Fylde College takes its responsibilities with
regard to the Freedom of Information Act very seriously. This document provides a code of
practice through which those responsibilities will be effectively managed.
2. Authority & Scope of these Guidelines
The purpose of this code of practice is to ensure that the terms of the Freedom of Information Act
2000 are adhered to and that:
• a significant volume of routinely published information is made available to the public as a matter of course via the Publication Scheme
• other information not included in the Publication Scheme is readily available on request and such a request is dealt with in a timely manner, and
• in cases where information is covered by an exemption, consideration is given as to whether or not the information should be released
This code of practice has been formulated within the context of the college Information Security (IS)
Policy and should be interpreted in accordance with the terms of that document.
This guidance does not form part of the formal contract of employment. However, it is a condition
of employment that employees abide by any policies, procedures, codes of practice and values,
issued by Blackpool and The Fylde College.
3. Ownership
Overall responsibility for this Code of Practice lies with the Data Protection/ Freedom of Information
Officer who will draw up guidelines for staff and promote compliance with the Act within the College.
4. Responsibilities
Compliance with the Freedom of Information Act is the responsibility of all Blackpool and The Fylde
College employees. Any breach of this Act or of this document may lead to disciplinary action.
New members of staff will receive an introductory briefing on the Freedom of Information Act at
induction. Guidelines and relevant information will be made available to existing members of staff
electronically via CollegeNet or in alternative formats via requests to the Data Protection Officer /
Freedom of Information Officer.
5. Systems & Processes
5.1 Available Guidance
Guidance on the procedures necessary to comply with the terms of the Freedom of Information Act
is available on CollegeNet or from the Data Protection / Freedom of Information Officer.
5.2 The College Publication Scheme
The College’s Publication Scheme is available electronically on the College website, on CollegeNet
or in hard copy from any reception, library or student administration office. Alternative formats will
be made available upon request through the Data Protection / Freedom of Information Officer. The
Publication Scheme will specify:
• what information the College makes routinely available to the public
• in what format that information is routinely available, and
• whether or not there is a cost for providing that information
5.2 Specific Requests for Information
The Freedom of Information Act introduces two basic rights to individuals:
1. the right to be told whether information exists, and
2. the right to receive the information in a specific format
Information not made routinely available according to the College’s Publication Scheme is
available through a specific request for information.
Anybody can make a request for information and all requests will be dealt with by the Data
Protection / Freedom of Information Officer or his/her nominees.
Requests for information which is not routinely made available should be made in writing and a
charge may be made for processing them. If information is requested which is subject to
exemptions, this will be reviewed by the Data Protection / Freedom of Information Officer and
requests may be denied. Anyone requesting such information will be advised of this fact in writing.
The College will respond to requests within 20 working days unless additional time is required to
locate any information requested. If a fee is chargeable, this response period may be extended until
the fee is paid. If there is likely to be a delay for either of these reasons, the applicant will be
advised in writing by the Data Protection / Freedom of Information Officer or his/her nominees.
5.3 Fees & Charges
Unless otherwise specified, information made available through the College’s Publication Scheme
will be free of charge.
The College reserves the right to charge an appropriate fee for processing specific requests which
are not listed in the publication scheme. This is in accordance with the Act and applicants will be
advised of any such charges upon receipt of the request.
5.4 Complaints
The Quality and Standards Unit will coordinate responses through the college Complaints
Procedure in respect of any complaints regarding this Code of Practice.
Complaints should be addressed to the Director of Quality and Standards in the first instance.
Complaints will be acknowledged immediately and a more comprehensive reply will normally be
received within 21 days.
In the event that an applicant is unhappy with the outcome of the Complaints Procedure, s/he may
request an independent review. Requests for an independent review should be made in writing to:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel.: 01625 545 700
Fax.: 01625 545 510
5.5 Exemptions under the Act
There are a number of exemptions under the Act. Some exemptions are related to the public
interest and a test must be carried out to establish whether or not it is in the public interest to
release the information. Other exemptions are absolute exemptions. The complete list of
exemptions is published on the Information Commissioner’s website (www.ico.gov.uk).
Where a request is made for information which is subject to exemption, the College will consider a
prejudice test and a public interest test. The College may withhold the requested information
depending upon the outcome of those tests.
6. Contacts
Questions or concerns about this Code of Practice or the Freedom of Information Act itself should
be addressed to:
The Data Protection / Freedom of Information Officer
Blackpool and The Fylde College
Ashfield Road
Blackpool Lancashire FY2 0HB
Tel: (01253) 504064
Email: datarequest@blackpool.ac.uk
Appendix B
Data Protection
Code of Practice
Initially Conceived: July 2007
Primary Author: L. Smith
For Review: January 2012
By: e-Systems Steering Group
With approval of: Director of Quality & Standards
1. Background & Context
Blackpool and The Fylde College is required by law to comply with the Data Protection Act 1998
and any amendments of that Act. This document provides guidance to employees, students and
clients of the College. It explains their individual responsibilities under the Data Protection Act.
The Data Protection Act
The Data Protection Act is intended to protect any individual about whom information is captured or
used. The Act regulates the use of information which can be used to identify individuals. This
includes, but is not limited to, paper files and documents, electronic records, digital records,
images and sound recordings.
The 8 Data Protection Principles state that personal data must:
• Be obtained and processed fairly and lawfully and not processed unless certain conditions are met
• Be obtained for a specified and lawful purpose and not processed in any manner incompatible with that purpose
• Be adequate, relevant and not excessive for those purposes
• Be accurate and kept up to date
• Be kept no longer than is necessary for that purpose
• Be processed in accordance with the data subject’s rights
• Be kept safe from unauthorised access, accidental loss or destruction; and
• Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.
Blackpool and The Fylde College and all employees, students or individuals processing personal
information on behalf of the College are responsible for adhering to the principles of data protection
at all times.
2. Ownership
Blackpool and The Fylde College is an incorporated further education institution and, as such, is a
named data controller under the Data Protection Act. The College is registered to process data
with the Information Commissioner (Registration Number: Z4700416) and the College Corporation
is ultimately responsible for implementation of the Data Protection Act. However, the designated
Data Protection Officer and his or her nominees will deal with day to day matters.
3. Authority & Scope of these Guidelines
This guidance forms part of Blackpool and The Fylde College’s Information Security Policy and
should be interpreted in accordance with the terms of that document.
(i) Employees
This guidance does not form part of the formal contract of employment. However, it is a
condition of employment that employees will abide by any policies, procedures and codes
of practice issued by Blackpool and The Fylde College. Failure to abide by this guidance
may result in disciplinary proceedings.
Any employee who believes that the guidance has not been followed in respect of personal
data about themselves should raise the issue with the Data Protection Officer. If the matter
is not resolved satisfactorily, it may be raised as a formal grievance.
(ii) Students
By enrolling with the college a student agrees to be bound by college regulations. Any
student who ignores his/her responsibilities in this respect may be subject to disciplinary
regulations being invoked.
4. Responsibilities
Compliance with the Data Protection Act is the responsibility of all Blackpool and The Fylde
College employees, students and clients. Any breach of this Act or of this document may lead to
disciplinary action, access to College facilities being withdrawn or a criminal prosecution.
4.1 Responsibilities of Students and Clients as Data Subjects
Students and clients are responsible for:
• checking that information held about them is accurate and up to date
• informing the College of any changes to the information held about them, e.g., change of address, change to married name etc.
Blackpool and The Fylde College cannot be held responsible for any inaccuracy unless the student
or client can demonstrate that s/he had previously notified the College in writing of the change(s)
required.
An offer of a course place or business agreement may be withdrawn if information provided by the
individual is found to have been intentionally falsified or omitted.
4.2 Responsibilities of College Employees
4.2.1 As data subjects:
College employees are responsible for:
• checking that information held about them is accurate and up to date
• informing the College of any changes to the information held about them, e.g., change of address, change to name as a result of marriage/divorce etc.
Blackpool and The Fylde College cannot be held responsible for any inaccuracy unless the
employee can demonstrate that s/he had previously notified the College in writing of the change(s)
required.
4.2.2 As data handlers
As part of their responsibilities, employees may be required to record, hold or use information
about other people. If and when this is the case employees must:
(i) ensure that any personal data they keep for any purpose is stored securely i.e., not accessible to other people
If computerised, information should be password protected or stored on media which is itself kept
securely (e.g., memory stick in locked cabinet). Paperwork containing personal information about
anybody must be stored in locked cabinets or in a locked and secure room when not in use.
(ii) ensure that personal data they record or keep is not disclosed to any unauthorised individual
Information must be kept out of the view of others and in a place where unauthorised individuals
are not able to access it (e.g., registers in locked cabinets or in secure rooms). Electronic
information is subject to inadvertently being viewed by third parties so computer screens must be
locked when unattended and passwords never revealed to anyone else. Use of another user’s
password or account details may result in disciplinary proceedings.
Information must not be discussed with unauthorised individuals or passed on in conversation or
by any other means (e.g., discussions about course work, ability or personal circumstances).
(iii) ensure that information or data stored is destroyed appropriately and completely
Information and data held about others must be destroyed completely in a manner which does not
allow that information to be reconstructed or re-used.
Confidential waste boxes, bags and shredding machines are available on all College sites and
must be used to destroy information stored on paper. If in doubt, please contact your
administration office.
Deleting electronic information from memory sticks, discs or similar does not guarantee that the
data cannot be retrieved. It may be necessary to burn or reformat such media and advice should
be sought from CNS about appropriate disposal of data.
(iv) ensure that any students for whom they are responsible adhere to the guidelines in this policy
Where students undertake research or projects using personal data, the data subject must be
informed in advance of the proposed use of their information and must consent to their personal
information being used. The Data Protection Officer must also be informed of the proposed
research or project before it begins and all information must be kept securely.
(v) notify the college Data Protection Officer about any personal data they systematically record, process, hold or use
(vi) not disclose any personal information to another party without the consent of the data subject or the authority of the Data Protection Officer.
Unauthorised disclosure of personal information will usually be a disciplinary matter.
(vii) be aware of their responsibilities with respect to personal data and sensitive personal data
Personal data is information that allows an individual to be identified when used either alone or in
conjunction with other means at your disposal. It is usually necessary to get the consent of the
individual before recording, processing, holding or using any such information.
Sensitive personal data is information about an identifiable individual which may potentially
influence decisions taken about that individual in any context. This might include information about
race, religion, sexuality or membership of trade unions. When processing sensitive personal data,
it is necessary to obtain “express consent” from the individual to whom the information pertains
(see 11. Consent and Express Consent).
5. Systems & Processes
5.1 Notification of Data Held and Processed
All employees, students and college clients are entitled to know:
• what information Blackpool and The Fylde College holds and processes about them and why
• how they can gain access to that information
• how to update that information to maintain accuracy
• what Blackpool and The Fylde College is doing to comply with its obligations under the Data Protection Act
Information held about students and employees is provided on application forms, at interview or
enrolment and during the induction period. Additions and amendments will be made to this
information during the period of study or employment as required. Information about college
clients may be of a financial or contractual nature and will be held for specified purposes e.g.,
payment processing.
5.2 Retention of Data
Blackpool and The Fylde College will keep some types of information for longer than others and
the table below indicates the periods of time different information will be held:
| Type of Data | Retention Period | Reason |
| --- | --- | --- |
| Student records including, but not limited to, administrative enrolment details, central attendance records, additional learning support provided, payments, centrally stored academic achievements and the tutor file containing issues relating to progress and conduct. | At least 7 years from the date the student leaves the college. At least 10 years for personal and academic references with the agreement of the student | In case of litigation, audit or inspection. To comply with requests for copies of certificates or references. |
| Application forms/interview notes. | At least 6 months from the date of the interviews | In case of litigation. |
| Accident books, and records and reports of accidents | 3 years after the date of the last entry | RIDDOR 1985 |
| Medical records kept by reason of the Control of Substances Hazardous to Health Regulations | 40 years | COSHHR 1994 |
| Personnel files including staff development records and notes of disciplinary and grievance hearings | 6 years from end of employment | References and potential litigation |
| Wages and salary records | 6 years | Taxes Management Act 1970 |
| Statutory Sick Pay records and calculations | 6 years | Statutory Sick Pay (General) Regulations 1982 |
| Health records | Until end of employment or 3 years later if termination of employment is connected to health, including stress. | Management of Health and Safety at Work Regulations and limitation period for personal injury claims |
| Statutory Maternity Pay records and calculations | 3 years | Statutory Maternity Pay (General) Regulations 1986 |
| Income Tax and NI returns, including correspondence with tax office | At least 3 years after the end of the financial year to which the records relate | Income Tax (Employment) Regulations 1993 |
| Facts relating to redundancies where less than 20 redundancies | 3 years from the date of redundancy | Time limits on litigation |
| Facts relating to redundancies where 20 or more redundancies | 3 years from the date of redundancy | As above |
| HE Exam Scripts | Current year plus 2 years | |
| HE Outline details of student marks | Permanent | |
| HE Student Files | Until the end of the relationship plus 6 years (as FE) | |
| HE Exam Board Minutes | Current year plus 6 years | |
| HE Annual Reports | Permanent | |
5.3.1 Destruction of Personal Information
Blackpool and The Fylde College will ensure that centrally managed information (e.g., information
on the College student record system) is not retrievable or reusable after destruction. However,
employees are responsible for the proper destruction of information they hold about others (see 5
ii). Blackpool and The Fylde College will make facilities available for archiving and destroying such
information (contact Data Protection Officer for details). It is not possible to centrally monitor every
file on the College network. Hence, employees are responsible for notifying the Data Protection
Officer or CNS when information stored on the college network needs to be destroyed according to
section 6 above (Retention of Data).
5.4 Rights to Access Information
Employees, students and other users of The College have the right to access personal data held
about them. Any person who wishes to exercise this right should contact the Data Protection
Officer or email datarequest@blackpool.ac.uk. Parents and guardians of students aged 15 or
over do not have an automatic right of access to information about their charges and will not be
given access to any such data unless the student has advised the administration office that he or
she consents to the release of that information.
Blackpool and The Fylde College will make a standard administrative charge of £10 to cover the
costs of processing requests for access to information. However, if complying with a request takes
an unusual amount of time or effort, additional charges may apply. Any such charges will be
outlined in writing to the individual making the request as soon as the request has been received
by the Data Protection Officer.
Blackpool and The Fylde College will comply with requests for access to personal information
within 20 days unless there is good reason for delay. In such cases, the reason for delay will be
explained in writing to the individual making the request. Students will be entitled to information
about their marks for both coursework and examinations. However, this may take longer than 20
days to provide if information has already been archived or if Awarding Bodies need to provide
information.
Additional rights of access are governed by the Freedom of Information Act. A Code of Practice for
compliance with this Act is also published by the College under the overarching college Information
Security Policy.
5.5 Examination/Progression Information
Examination and progression results may be displayed or published within the College. Any
individual who does not wish to be included in such a list must make a formal written request for
exclusion to the Data Protection Officer.
5.6 Publication of Blackpool and The Fylde College Information
Information that is already in the public domain is exempt from the 1998 Act and bound by the
terms of the Freedom of Information Act 2000. The College Publication Scheme lists information
which is publicly available. In addition, Blackpool and The Fylde College may publish or display:
- the names of College governors and details of how to contact them
- lists of key senior staff and their College contact details
- photographs of key senior staff.
Any individual who has good reason for wishing details in these lists or categories to remain
confidential must contact the Data Protection Officer.
Personal information not listed above will not be published or displayed without written consent
from the individual to whom the information pertains.
5.7 Consent and Express Consent
Much of the information processed by Blackpool and The Fylde College is required for the College
to perform its business. Under the Data Protection Act it is accepted that such information must be
processed by the College. For example, some posts will bring employees into contact with children,
young people or vulnerable adults. Blackpool and The Fylde College has a duty under the
Children Act and other legislation to ensure that employees are suitable for the post applied for and
a duty of care to all employees and students. The College must, therefore, ensure that those who
access College sites and facilities do not pose a threat or danger to others. Hence, it is necessary
to process information about previous criminal convictions and health issues as part of the
College’s routine business.
Other kinds of information that are processed require “consent” from the individual to whom the
information pertains. Agreement to the processing of some kinds of information is a condition of
acceptance of the formal written agreement or contract between the individual and the College. In
such cases the formal written agreement or contract will usually contain a statement to this effect.
Student learning agreements, for example, contain a statement advising that student information
may be shared with organisations for the purposes of research and development. Students may
choose not to consent to this and may notify the enrolling officer before signing the agreement.
Sometimes it is necessary to process information which might be considered sensitive such as
information about a person’s health, criminal convictions, race, gender, sexuality, membership of
trade unions or family details. This may be to ensure that Blackpool and The Fylde College is a
safe place for everyone or to comply with the law or with other College policies, procedures, codes
of practice and values. These include but are not limited to:
- The Equality Act
- The Disability Discrimination Act
- The Children Act
- The Prevention of Terrorism Act
- College Equal Opportunities Policy
- College Health and Safety Policy
- College Disability and Gender Equality Schemes
Such information is deemed sensitive under the Data Protection Act. The College appreciates that
processing such data may cause concern. In processing any such data “express consent” will be
sought from the data subject. Express consent means that the individual to whom the information
pertains must understand how the information will be used and be comfortable with it being used in
that way.
The College will process sensitive data only where it is reasonably required. An offer of
employment or of a course place may be withdrawn if an individual refuses to give consent without
good reason.
6. Contacts
Blackpool and The Fylde College’s Data Protection Officer will ensure that at least two (2)
nominees are trained sufficiently to deal with general queries in his or her absence. However, in
case of emergency, the Data Protection Officer can be contacted through the college reception at
any time.
Questions or concerns about data protection or about this code of practice should be addressed to:
The Data Protection Officer
Blackpool and The Fylde College
Ashfield Road
Blackpool, Lancashire FY2 0HB
Tel: 01253 504064
Email: datarequest@blackpool.ac.uk
Appendix C
Computer Systems Interception and Monitoring Code of Practice
Initially Conceived: December 2007
Primary Author: S. Musgrave
For Review: January 2012
By: e-Systems Steering Group
With approval of: Director of Quality and Standards
1. Background and Context
1.1 Monitoring of electronic data in public and private organisations is regulated primarily
by the Regulation of Investigatory Powers Act 2000, which allows for legitimate
interception of communications by organisations on their private telecommunications
networks. That is, it gives “lawful authority.”
2. Ownership
2.1 The e-Systems Steering Group endorsed the Computer Systems Interception and
Monitoring Code of Practice and delegated responsibility for its maintenance and
implementation to the Central Network Services (CNS) Department.
3. Authority and Scope of these Guidelines
3.1 Blackpool and The Fylde College reserves the right to monitor all communications on
those facilities, in accordance with this code of practice. As such, authorised users of
the system should be aware that personal communications, as well as communications
related to the function of Blackpool and The Fylde College, made via the facilities, may
be intercepted, monitored, or both by CNS staff or other technical staff as lawfully
authorised by Blackpool and The Fylde College.
3.2 To describe the monitoring measures that the College has decided are acceptable.
3.3 To describe the types of circumstances as a result of which monitoring may be
instituted.
4. Responsibilities
4.1 Staff
Attempts by any member of staff to implement unauthorised systems of monitoring will be in
breach of this code of practice and may lead to disciplinary action.
4.2 Users (Staff and Learners)
All users are responsible for reporting to the Head of CNS any criminal activity or potential
criminal activity which might warrant monitoring.
5. Systems and Processes
5.1 Definitions
5.1.1 Laws & Regulations
- All Blackpool and The Fylde College’s policies, procedures, codes of practice,
  values or other regulations
- Contractual agreements with third parties
- UK law
5.1.2 User Data
Staff and student data held on its computer equipment, email and other electronic
data entering, leaving, or within, Blackpool and The Fylde College’s network.
5.1.3 Privacy Expectations
If the controller of the telecommunications or computer system has made
reasonable efforts to inform potential users that interceptions may be made, and
thus they have no reasonable expectations of privacy in relation to their
communications, the following actions are permitted:
5.1.4 Blackpool and The Fylde College may monitor and record communications:
- to establish the existence of facts, to ascertain compliance with regulatory or
  self-regulatory practices or procedures or to ascertain or demonstrate
  standards which are, or ought to be achieved (quality control and training);
- in the interests of national security;
- to prevent or detect crime;
- to investigate or detect allegations of misconduct, unauthorised system use,
  breach of contract or fraud;
- to secure, or as an inherent part of, effective system operation;
- to ensure continuation of business in the absence of specific individuals or teams.
5.1.5 Blackpool and The Fylde College may monitor but not record:
- received communications to determine whether they are business or personal
  communications;
- communications made to anonymous telephone helplines.
5.1.2 Blackpool and The Fylde College has the legal right, at any time, to inspect user
data to ensure conformity with laws and regulations
5.1.3 Blackpool and The Fylde College is obliged by virtue of the agreement entered into
with UKERNA to ensure as far as possible that its users do not use the
SuperJANET system to transmit or transfer certain types of electronic data.
5.1.4 Blackpool and The Fylde College is obliged by law to report to the police the
discovery of certain types of electronic data, if that data is found on Blackpool and
The Fylde College’s equipment, or transmitted across the college’s network.
5.1.5 Many types of routine service tasks involve members of Central Network Services
and other members of Blackpool and The Fylde College technical staff having
access to various levels of user data.
5.2 Unauthorised Monitoring
Unauthorised monitoring is not permitted. Attempts by any member of staff to
implement any such system of monitoring will be in breach of this code of practice
and may be subject to disciplinary action under the College Staff Management
Procedures.
5.3 Incidental Viewing
Blackpool and The Fylde College recognises that, owing to the nature of computer
systems, user data may at times be visible in readable form. In such
circumstances, that data may well be viewed by CNS staff or by relevant staff in
other administrative and academic departments.
Such incidental viewing will not constitute a breach of this code of practice, even
where such viewing leads to either the implementation of controlled monitoring (as
described below), disciplinary action against the user concerned, or both.
5.4 Controlled Monitoring
5.4.1 Blackpool and The Fylde College reserves the right to monitor and access user data
in the following circumstances:
- Where, by virtue of carrying out routine computer service tasks, members of CNS or
  other members of Blackpool and The Fylde College’s technical staff discover data:
  - Which breaches laws and regulations
  - Where the nature of the data suggests such a breach has occurred or will occur.
- Where official complaints are received implying that Blackpool and The Fylde
  College’s computer system or network are being used to store, transmit or transfer
  data which breaches laws and regulations
- Where Blackpool and The Fylde College has been requested, or required, to monitor
  data by the police as part of a criminal investigation
- Where there is other reasonable suspicion that users are storing, transmitting or
  transferring data, which breaches laws and regulations.
Specific monitoring of user data, and specific access to user data by CNS staff may
only be legitimately carried out under this code of practice with the knowledge and
written consent of a senior post-holder of Blackpool and The Fylde College.
Access to user data by an individual’s line manager may be authorised during
absences or for other purposes relating to the work of the college. Such access will
not be deemed monitoring.
5.4.2 Incident management will be carried out by the Head of Central Network Services or
a nominee.
5.4.3 Specific monitoring of, or specific access to, user data should only take place for such
time as is required to ascertain whether the user concerned is storing, transmitting or
transferring data which breaches laws and regulations. Long term monitoring should
only be permitted when the police as part of an on-going criminal investigation
specifically request this.
5.4.4 All specific monitoring of, or specific access to, user data must be reported, along with
the reason for that action being taken, and the result, if any, of the monitoring or
access, to [relevant committee] as soon as the monitoring is completed.
5.4.5 Data collected via specific monitoring of, or specific access to, user data will, if not
falling under a statutory exemption, be subject to disclosure as part of a subject
access request under the Data Protection Act 1998.
5.5 Monitoring for Quality and Compliance
5.5.1 Monitoring telephone calls of specific College services for the purpose of quality
control or training may only be legitimately carried out under this code of practice
with authorisation as specified in 5.4.2 and with sufficient notification of the
procedure.
6. Contacts
6.1 Any queries or feedback regarding this code of practice or its implications should be
directed to the Central Network Services (CNS) Helpdesk on ext. 4222
6.2 This code of practice is maintained on CollegeNet and is accessible through the CNS
page. The web version of the code of practice is the definitive version and will
always be the most up to date.
Appendix D
Telecommunications Code of Practice
Initially Conceived: December 2007
Primary Author: S. Musgrave
For Review: January 2012
By: e-Systems Steering Group
With approval of: Director of Quality & Standards
1. Background & Context
This document details the College Code of Practice regarding use of the
Telecommunications system and all ancillary equipment.
2. Ownership
The e-Systems Steering Group endorsed the Telecommunications code of practice and
delegated responsibility for its maintenance and implementation to the College Network
Services Department.
3. Authority & Scope Of These Guidelines
This code of practice supports and underpins the College’s strategic and operational plans.
It, together with other policies, procedures, codes of practice and values, constitutes the IT
Strategy of the College.
4. Systems & Processes
4.1 General
4.1.1 All Telecommunications equipment and ancillary equipment is the property of the
College. All staff shall treat Telecommunications equipment with due care and
attention.
4.1.2 All Telecommunications equipment shall be approved and purchased via the
Estates Department. Any “non-approved” equipment, purchased by others, will not
be maintained by College Network Services (CNS) and will not be allowed to be
connected to the College Network.
4.1.3 All requests for Telecommunications work, including all office moves and changes
must be submitted to the CNS Helpdesk by the appropriate Academic Schools and
Corporate Services staff.
4.2 Billing and usage
4.2.1 The College monitors and reviews Telecommunication costs on a regular basis. As
part of this ongoing exercise, the College may look at costs associated with
individual Telecommunications usage or mobile telephones to ensure:
- Efficiency and cost effectiveness
- Compliance with appropriate business usage.
Inefficiencies may be addressed by one of the following or other identified means:
- Restrictions of services
- Advice on how to reduce costs
- Request that users implement identified changes to reduce costs
4.2.2 Non-compliance with appropriate business usage may involve setting in motion the
relevant college staff management procedure, which may result in appropriate
restrictions, withdrawal of service, recovery of costs or other measures.
Appropriate business usage would not include:
- The use of premium rate numbers for non-authorised use
- Non-essential personal usage
- Non-business related services that incur a cost
- Other misuse of the telecom facilities.
Essential personal usage should be reasonable and every effort should be made to
conduct personal calls outside of working hours or during breaks. Where this is not
possible, it is expected that personal calls will be brief and conducted with minimal
disruption to colleagues. Personal calls received on personal mobile telephones
should be taken with consideration for others and are expected to be brief. Frequent
and lengthy personal calls made or taken by an individual during working hours may
lead to disciplinary action on grounds of breach of contract.
4.2.3 Information about individual calls may include some or all of the following:
Date of call
Time of call
Originating phone number
Registered user name
Dialled number
Areas of dialled number, e.g. London, Mobile Text Messaging
International calls
Duration
Cost
4.3 College Mobiles
4.3.1 Use of mobiles whilst driving
- The College does not expect staff to use mobile telephones whilst driving.
  Subsequently, it is not the policy to provide a hands free car kit.
- The College shall not be liable for any staff member committing a driving
  offence for using a mobile whilst driving.
4.3.2 College Mobile upgrade policy
- The College has a policy of standardisation on the type of mobile handsets
  provided.
- The College will review handset models on a regular basis and upgrade as
  appropriate
- Requests for individual upgrades will be charged against the corporate service
  department or academic school cost code supplied by the Telecommunications
  co-ordinator / procurement officer. This will include handset costs and any cost
  incurred to buy out existing contracts.
4.3.3 Request for new College Mobile
The College mobile phone bill is paid for out of a central budget. As there is a finite
budget the provision of any new mobile will be subject to budgetary constraints.
- Authorisation for any request for a new or upgraded mobile will be sought from
  the Head of Academic School or Corporate Service, as the budget holder
4.3.4 Request for College Mobile data card
- Authorisation for Mobile data cards will be sought by the individual from the
  budget holder
- Any request for additional mobile services will be subject to budgetary
  constraints.
4.3.5 Blackberry devices – See the Blackberry Policy
4.4 Extension Handset Type
4.4.1 The College issues three types of handset:
a) Analogue handsets
b) Standard fixed line desk top handsets
c) Digital Fixed
4.4.2 Handset allocation
The allocation of individual handsets is dependent upon Customer requirements and
governed by the College’s IT Strategy/ Telecommunications Architecture Code of Practice.
4.5 Conference Calls
4.5.1 All requests for conference calls should be logged via the College Switchboard.
4.6 Dialling facilities (Class of service)
4.6.1 Each individual telephone extension is allocated a dialling class of service. The most
frequently used classes of service are shown in the table below:

| Class of Service | Dialling capabilities |
| --- | --- |
| 2 | Internal calls only |
| 4 | National area |
| 6 | International |

4.6.2 The default class of service is set as national dialling.
4.6.3 Staff requiring international access must submit their request via the College
Switchboard who will request authorisation from the Head of Academic School or
Corporate Service.
4.7 Call Barring
4.7.1 College Network Services (CNS) will regularly review the need to bar numbers on
the basis of cost or security.
4.8 Staff requiring Directory Enquiries should use the Internet for online directories.
4.9 Call Recording
The College permits telephone recording equipment to be used only in compliance
with the College Systems Interception and Monitoring Code of Practice. This will not
usually include individual telephone extensions.
4.10 Voice Mail
4.10.1 The College has a voice mail system, which can be made available to all staff.
4.10.2 It is essential that all voice mail boxes are set up in accordance with the Voice Mail
Guidelines and must be protected by a security code (pin code).
4.10.3 The College shall monitor usage of the Voice Mail system on a regular basis to
ensure compliance. This shall include monitoring when the voice mail was last
accessed and how many messages are unread.
4.10.4 Please note that College Network Services and telephone switchboard personnel
can see how many messages are unread and will not listen to the content of the
messages under normal circumstances.
4.10.5 Failure to comply with Voice Mail Guidelines may lead to having the service
withdrawn.
4.11 Modem Use
4.11.1 The use of modems will only be permitted provided their use complies with all
relevant policies, procedures, codes of practice and values.
4.12 Call Logging
4.12.1 The College has a call logging system through which it logs details of all outgoing,
incoming and internal calls for individual extensions. Incoming external numbers are
not recorded.
4.12.2 The call logging system is primarily used to:
- Provide cost information
- Provide call statistics for specific user groups.
It is also used to:
- Facilitate monitoring of the network
- Aid in fault diagnosis
4.12.3 The College generates specific call logging reports on a regular basis for specific
business applications. These typically report on number of calls answered, average
time to answer, etc.
4.12.4 As a general rule, College Network Services will not provide ad hoc reports for
detailed call breakdown records for any member of staff unless they are in
accordance with the College Interception and Monitoring Code of Practice and
associated procedures.
4.12.5 All reports will be requested by, and then sent to the Head of Academic School or
Corporate Service.
4.13 Charging
4.13.1 All standard office telephone moves and changes are paid for out of a central
budget. This includes all wiring changes, new extensions and provision of telephone
extensions.
4.13.2 As there is a finite budget, any request for major moves and changes will be subject
to budgetary constraints.
4.13.3 The requesting School, department, project or capital programme will make
payment for the following, for which cost centre codes will be required.
- Provision of fax machines.
- Office moves and changes which arise as a direct result of a capital
  project or programme.
- Externally funded areas that will be required to pay for all moves and
  changes at College agreed costs.
4.14 I.T. Telecommunications Purchasing Policy
4.14.1 The College has an IT Purchasing Policy which presents the rules relating to the
procurement of Telecommunications hardware and equipment.
4.14.2 In relation to the procurement of Telecommunications equipment the following
elements of the IT Purchasing Policy apply:
All procurement of Telecommunications equipment must be directed via College
Network Services. Only orders placed by College Network Services will be
processed by the Finance Department.
4.14.3 The College has a purchasing consortium agreement for the provision and
installation of all Telecommunications equipment and ancillary equipment. This
includes the following:
- Fax machines
- Mobiles
- Blackberrys
- Telephone PABX system equipment
- Voice Mail equipment
- Telephone handsets
- Digital (feature) handsets
- Call logging equipment
- Cabling
This agreement is valid until further notice.
4.15 Standard Desktop Telephone Handsets And Miscellaneous Equipment
4.15.1 The College does not have a sole supplier agreement for provision of standard
telephone handsets and/or miscellaneous equipment, e.g. headsets. The College
purchases this equipment from leading Telecommunications Equipment Suppliers,
based in the UK.
4.15.2 If it is proven to the satisfaction of College Network Services that the approved
sole suppliers cannot supply appropriate equipment and/or services, then
procurement using an alternative supplier may be permitted. If procurement follows
this route then normal College Purchasing Regulations shall be followed.
4.15.3 If a supplier other than an approved sole supplier is used, then an appropriate
on-site maintenance contract must be purchased with the service/equipment.
4.16 Purchase Of Network Exchange Lines
4.16.1 The College does not have a sole supplier agreement with any network provider.
The College will procure lines/services from any of the major network service
providers, i.e. British Telecom, Telewest, etc, or any other network provider,
depending on customer requirements, cost, rental etc. and area provision
capabilities of the supplier.
4.16.2 College Network Services will not be responsible for installing network exchange
lines in domestic residences.
4.17 Disposal Of Old Equipment - Mobiles / Telephones / Faxes / Etc
4.17.1 Where possible the College will dispose of redundant equipment in an
environmentally sound manner.
5. CONTACTS
5.1 Any queries or feedback regarding this code of practice or its implications should be directed
to the College Network Services Helpline on ext: 4222 or email it.helpdesk@blackpool.ac.uk.
5.2 This code of practice is maintained on the Collegenet server and is accessible through the
College Network Services pages. The web version of the code of practice is the definitive
version and will always be the most up to date.
Appendix E
Information Technology (I.T.) Architecture Code of Practice
Initially Conceived: December 2007
Primary Author: S. Musgrave
For Review: January 2012
By: e-Systems Steering Group
With approval of: Director of Quality & Standards
1. BACKGROUND & CONTEXT
1.1 The code of practice is necessary for the following reasons:
- Gives Blackpool and The Fylde College a clear direction in terms of information technology
  (I.T.) architecture
- Allows economies of scale in terms of purchasing software and hardware and also in terms of
  staff skills
- Prevents incompatibilities
- Allows scalability
- Allows emerging technologies to be embraced in a controlled and strategic manner
- Allows stability when required
2. OWNERSHIP
2.1 The College e-Systems Steering Group endorsed this code of practice and delegated
responsibility for its maintenance and implementation to the College Network Services (CNS)
Department.
3. AUTHORITY & SCOPE OF THESE GUIDELINES
3.1 Adherence to this code of practice both in terms of detail and spirit is compulsory.
3.2 All IT provision, both academic and administrative, within Blackpool and The Fylde College
must align with the definitions outlined in the Technical Elements section.
3.3 This IT Architecture Code of Practice supports and underpins the College’s strategic and
operational plans. It, together with policies, procedures, codes of practice and values,
constitutes the IT Strategy of the College.
3.4 In addition to these policies and strategies there is the following supporting documentation
and information.
- IT Strategy
User Information
Supporting Documentation
Good Practice Guide to Using Email
Recommended and Endorsed Software
Guidelines for Use of Computing Facilities
Regulations for Use of Computing Facilities
Copyright Guidelines
Security Guides
Desktop Replacement Policy
Voicemail Code of Practice
Web Publishing Code of Practice
Printing Policy & Strategy
3.5
Architecture Strategy includes consideration of the following:
• Server, desktop, notebook, thin-client and sub-notebook operating systems
• Network Connection Standards, Protocols and Frame Types
• Wireless network connection standards
• Servers, Desktop Hardware platforms and Printers
• Enterprise wide services (User Authentication and E-mail)
• Administrative Databases
4.
RESPONSIBILITIES
4.1
It is the responsibility of all college managers, Heads of Academic Schools, and Heads of
Corporate Services to ensure that this code of practice is observed within their relevant
School/Corporate Department.
4.2
All IT related purchasing for Academic Schools and Corporate Services must be directed via
College Network Service (CNS) staff and the College Procurement Officer to ensure that
hardware and software is purchased in conformance with agreed specifications.
4.3
Under certain circumstances it may prove necessary to provide special dispensation to allow
IT implementation that does not coincide with this code of practice. In such circumstances it
is the responsibility of those seeking the dispensation to justify their need for special
consideration to the College Network Services manager or specialist group convened by the
College Network Service for this purpose.
4.4
Whilst some deviations from the code of practice are anticipated, such cases are exceptional
and can only proceed with appropriate approval. If this approval is withheld then the
development cannot take place.
4.5
You are required to contact CNS before embarking on any IT investment programme or
project. Such programmes and projects include redistribution of existing resources as well as
those requiring additional resources.
5. SYSTEMS & PROCESSES
5.1
Strategy Definitions
Technical elements are divided into the following categories:
Classification | Description
Strategic | The preferred system of choice for use within the College. All new developments must consider this platform.
Tactical | Fully supported and upgraded.
Tactical Academic | Unsupported and non-operational systems used for teaching and/or research purposes only.
Legacy | Maintained but not upgraded. Last stage of useful life. Upgrades of these systems will involve replacement with the Strategic or Tactical System.
Obsolete | Beyond its useful life. These installations will be replaced with the Strategic or Tactical System.
Under Evaluation | A released or beta System being tested in the College environment.
Not Supported | Not supported on any part of the Enterprise Network.
Please note no automatic movement through time is implied.
5.2
Provision Of IT Services
Some services may only be available to users who have appropriately specified hardware and
software.
5.3
Notification Of Changes
College Network Service staff are authorised to install and change IT systems in the College.
Users are required to gain the permission of College Network Service staff for any changes
made to IT systems. Examples of changes requiring such permission include:
• Changes of operating system
• Setting up or removal of a server
• Installation of new application software which is dependent on the College network infrastructure
• Changes to the role of hardware
• Installation of network printers
5.4
Current Strategy Technical Elements
5.4.1 Operating System Overview
For the cost-effective implementation of IT systems in the institution, the College has largely
developed its computing infrastructure based around industry standard operating systems and
applications.
5.4.2 Server Operating Systems
Servers will be configured to run one of the Strategic or Tactical operating systems as outlined in
the following table:
Classification
Strategic
Tactical
Tactical
Academic
Legacy
Obsolete
Under
Evaluation
Not Supported
Server Operating System
Windows 2003 Server
Windows 2000 Server
Windows 2000 Advanced
Server
UNIX, Linux.
Windows NT Server 4.0 &
Terminal Services Edition
Windows NT 3.51
All other operating systems
Notes
5.4.3 Desktop, Notebook and Thin-Client Operating Systems
The Windows family of operating systems has by default become the de facto standard PC
Desktop and the College desktop operating systems strategy is primarily focused on Microsoft
products, as shown in the following table:
Classification
Strategic
Tactical
Tactical
Academic
Legacy
Obsolete
Under
Evaluation
Not Supported
Desktop Operating System
Windows XP Professional
Windows CE (Thin Client), Linux (Thin Client)
Windows 2000 Professional
UNIX, Linux, Apple MacOS, Apple OSX
Windows NT Workstation 4.0
Windows 98, Windows 95
Windows Vista
All other operating systems
5.4.4 Thin Client Computing
Blackpool and The Fylde College plans to use Citrix software for delivery of applications software
and CDs to both PCs and Thin Client Terminals. Only Citrix ICA connections are supported.
Classification
Strategic
Legacy
Not Supported
Desktop Operating System
Presentation Server 4.5
Winframe
Citrix Metaframe Xpe
Windows RDP Connections
5.4.5 Sub-Notebook Operating Systems
Small-format sub-notebook computers, or Personal Digital Assistants (PDAs), include palm-sized
devices with stylus-based input and handheld devices with keyboard and/or stylus. The following
operating systems for these devices are supported:
Classification | Sub-Notebook Operating System
Strategic | HotSync, ActiveSync
5.4.6 Corporate Wireless Handheld Email Devices
Integrated mobile telephone and email device. The following devices are supported:
Classification | Integrated mobile and email device
Strategic | Blackberry
5.4.7 Network Connection Standards
Category 5e shielded twisted-pair (STP) copper cabling (10Base-T, 100Base-T) and optical fibre
(10Base-FL, 100Base-FX, 1000Base-SX, 1000Base-LX) should be used. There should be no
further installation of Thick and Thin Wire cabling (10Base5 and 10Base2).
5.4.8 Network Protocols
The following networking protocols are used in the College:
Classification | Network Protocol
Strategic | TCP/IP v4
Legacy | DECnet, LAT
Obsolete | IPX/SPX
Under Evaluation | TCP/IP v6
5.4.9 Frame Type
A single frame type that adheres to international standards has been adopted for the College:
• IEEE 802.3
5.4.10 Wireless Network Connection Standards
Connection to the Enterprise Network using wireless technology is by IEEE 802.11b and IEEE
802.11g. The College has a Clean Access Service deployed to facilitate secure access to wireless-based
services. An unsecured ‘Open College’ wireless connection is also available, but the
recommendation is to use the secure access mode.
5.4.10 Server Strategy
All servers should run either a Strategic or Tactical operating system. Servers should be housed in
designated machine rooms and be implemented as rack-mounted configurations, where possible.
Virtualisation of servers is in use using ESX technology.
5.4.11 Desktop Hardware
See Desktop Replacement Policy
5.4.12 Printer Strategy
See Printing Policy
5.4.13 User Authentication
Access to all computer services requires user authentication. The current mechanism for user
identification is based upon authentication by each native operating system.
College standards that define the format of Usernames, Passwords and Department Codes apply.
For information on these standards contact the College Network Service (CNS) Helpdesk (ext.
4222).
Exception: Access limited by time and content to the web through wireless access for conference
attendees is allowed under a single group ID and password.
5.4.14 Messaging and E-mail
A single enterprise wide E-mail system using Novell Groupwise has been implemented.
College standards that define the format of standard Mailnames and Non-Personal E-mail Names
apply. For information on these standards contact the CNS Helpdesk (ext: 4222).
5.4.15 Administrative Database System
The following administrative database systems are used in the College:
Classification
Strategic
Tactical
Legacy
Obsolete
Under
Evaluation
Database
Oracle 9i (database engine) & 11i
(application)
Microsoft SQL 2005
Oracle 8i (database engine)
Microsoft SQL 2000
Microsoft SQL Server 7.0
Access 2003
Access 2000
SQL Server 6.5
Microsoft Access 97
Microsoft SQL 2005
More detail pertaining to software may be found in the Software Development Strategy.
6.
CONTACTS
6.1
Any queries or feedback regarding this code of practice or its implications should be directed
to the College Network Service Helpdesk on ext: 4222 or email helpdesk@blackpool.ac.uk
6.2
This code of practice and the detailed technical elements are maintained on the Collegenet
intranet and are accessible through the College Network Services pages.
6.3
The web version of the code of practice is the definitive version and will always be the most
up to date. It also points to other important documentation relating to IT provision within
Blackpool and The Fylde College.
Appendix F
Blackberry
Code of Practice
Initially Conceived: December 2007
Primary Author:
S. Musgrave
For Review:
January 2012
By:
e-Systems Steering Group
With approval of:
Director of Quality & Standards
1.
Background & Context
1.1
The College Blackberry Enterprise Server services give users the ability to send and
receive emails as well as other Groupwise facilities such as calendar, and tasks which
synchronise almost instantly. The device also acts as a mobile phone.
1.2
This code of practice outlines funding and distribution principles for Blackberries to ensure
optimum cost effective usage.
1.3
Note: As the technology behind Blackberries has been licensed to other companies, other
compatible devices are emerging. For the rest of this document, Blackberry means any
device with Blackberry functionality.
2.
OWNERSHIP
2.1
The e-Systems Steering Group endorsed the Blackberry User Code of Practice and
delegated responsibility for the maintenance and implementation of this code of practice to
the College Network Services (CNS) Department.
3.
AUTHORITY & SCOPE OF THESE GUIDELINES
3.1
This code of practice supports and underpins the College’s strategies and plans. It, together
with related policies, procedures, codes of practice and values, constitutes the Information
Security (IS) Policy of the College.
4.
RESPONSIBILITIES
4.1
User Responsibilities

• The Blackberry effectively replaces both mobile phone and PDA (such as Palm or iPaq).
• Only one device (mobile phone or Blackberry) per user will be issued.
• When upgrading from a mobile phone to a Blackberry, users will need to return their mobile to College Network Services (CNS) to allow the transfer of their existing mobile number to the Blackberry and to copy across the SIM directory. (Note that this will not include numbers saved to the handset as opposed to the SIM.)
• It is the user’s responsibility to familiarise themselves with the guide provided.
• International roaming is normally only provided for users whilst abroad on business trips. Users must inform College Network Services (CNS) of the dates of departure and return. Costs for international voice and data have increased significantly (November 2007).
5.
SYSTEMS & PROCESSES
5.1
Request Handling
All requests for new Blackberries must be made through the Head of Academic School or
Corporate Service who will initially assess before raising with College Network Services (CNS) via
the Helpdesk. Budget holder approval should be sought in advance.
5.2
Usage
• Only authorised CNS technical staff may carry out the following:
  - Operating system upgrades
  - Software installation
• Blackberries should not be connected to a PC or other device other than for USB recharging
• Software should not be downloaded or otherwise loaded and installed on to Blackberries
• Unauthorised, added or upgraded software will be unsupported by College Network Services (CNS).
• Failure of the Blackberry as a result of not conforming to this code of practice will result in an attempt to reset the device to factory settings. This will usually mean a loss of all settings, addresses, uniquely stored emails and other data from the device.
5.3
Eligibility and Funding
• To date usage is generally restricted to members of College Management Forum. However, Blackberry requests for non-Forum members should be submitted by Heads of School or Corporate Department to the Director of Finance in the first instance. Any requests submitted will be taken to SMT for decision.
• The handset cost will be charged against the corporate service department or academic school cost code supplied by the requester through the Telecommunications Co-ordinator (Estates).
• In cases of upgrades where current contracts have to be bought out, this cost will be charged against the departmental cost code supplied by the requester through the Telecommunications Co-ordinator (Estates).
• Costs for replacement, repair and the like over and above or outside of claimed insurance will be charged against the departmental cost code supplied by the user.
• Normal running costs will be paid for centrally.
• Externally funded units will be expected to cover all costs.
6.
CONTACTS
6.1
Any queries or feedback regarding this code of practice or its implications should be
directed to the College Network Services (CNS) Helpdesk on ext: 4222 or email
helpdesk@blackpool.ac.uk
6.2
This code of practice is maintained on the Collegenet server and is accessible through
the College Network Services (CNS) pages. The web version of the code of practice is
the definitive version and will always be the most up to date.
Appendix G
Electronic Mail (e-mail)
Code of Practice
Initially Conceived: December 2007
Primary Author:
S. Musgrave
For Review:
January 2012
By:
e-Systems Steering Group
With approval of:
Director of Quality & Standards
1.
BACKGROUND & CONTEXT
1.1
This document details the provision and acceptable use of Blackpool and The Fylde
College’s electronic mail system.
2.
OWNERSHIP
2.1
The e-Systems Strategy Group endorsed the e-mail code of practice and delegated
responsibility for its maintenance and implementation to the College Network Services (CNS)
Department.
3.
AUTHORITY & SCOPE OF THESE GUIDELINES
3.1
This code of practice supports and underpins the College strategic and operational plans. It,
together with other policies, procedures, codes of practice and values, constitutes the IT
Strategy of the College.
4.
RESPONSIBILITIES
4.1
College employees and learners are responsible for e-mail use within the scope of this code
of practice and for contacting the CNS Helpdesk to report any related issues.
5.
SYSTEMS & PROCESSES
5.1
College E-Mail/Messaging System
5.2
The College Network Service has a single e-mail/messaging system that is based on the Novell
Groupwise suite of services.
5.3
No other email/messaging system or client is recognised or supported within the College
Network Service.
5.4
EMAIL ACCESS
5.4.1
Although limited personal use of the College’s email system is permitted, the
primary purpose of the system is business and academic support. The content of an
individual’s mailbox may therefore be subject to access by third parties under the
following conditions.
5.4.2
Requests from the mailbox owner
5.4.3
Request from sender to delete confidential/private mail which has been sent to an
incorrect College mailbox
5.4.4
To facilitate the repair and essential maintenance of the messaging system
And the following, controlled by the College Network Service Interception & Monitoring Policy
(under the Regulation of Investigatory Powers Act, 2000):
5.4.5
Requests from Police or Security Services as allowed by current legislation
5.4.6
Requests from Human Resources Department as part of a misconduct investigation
5.4.7
Request from Head of Academic School / Corporate Service, where the mailbox
owner is no longer an existing member of staff or student
5.4.8
Request from Head of Academic School / Corporate Service to obtain essential
business information after reasonable efforts have been made to contact the user
5.5
USE OF EMAIL FOR ADVERTISING
5.5.1
Neither staff nor students should send e-mails to large groups of recipients except
for clear academic purposes and where approved by their academic head of school.
5.5.2
Staff may legitimately use e-mail to convey work-related information to large
numbers of staff or students providing they obtain approval from the Head of
Academic School / Corporate Service before issuing an ‘all-staff’ email broadcast.
5.5.3
Staff are expected to use discretion about the use of email to promote departmental
services or advertise events as such messages may be considered ‘junk’ e-mail.
5.6
MAILBOX ALLOCATION
5.6.1
Staff and students should keep their mailbox size within the permitted limits and
seek advice on how to dispose of unwanted messages and alternative methods of
storing / archiving messages in the longer term.
5.6.2
Allocations will only be increased temporarily to allow housekeeping to be carried
out.
5.7
APPROPRIATE USE
5.7.1
Email, while often seen as an informal form of communication, should be considered
as equivalent to writing a formal letter on College headed notepaper. It is possible to
enter into a binding legal agreement through a simple exchange of emails or to
inadvertently circulate confidential information thus breaking the law. Users are
reminded to treat email as they would a formal letter and to manage their email
accounts with care. Deleting emails does not guarantee their destruction and all
emails should be considered to be retrievable at any time.
5.7.2
Inadvertent misuse of the system can introduce viruses into College systems. For
this reason, the College imposes limits upon the uses of email for both personal and
business purposes. All users are responsible for ensuring any email attachments
received, especially from an unexpected source, are harmless to the College
systems. If in doubt, users should obtain advice and clearance from the CNS
Helpdesk.
5.7.3
The College email system shall not be used for the creation, publishing or
distribution of any disruptive or offensive messages, including offensive comments
about race, gender, disabilities, age, sexual orientation, pornography, religious
beliefs and practice, political belief, union affiliation, national origin or hair colour.
Users who receive any emails with this content should report the matter to a senior
manager or the Human Resources department immediately. Users who create or
transmit emails with this type of content may be subject to disciplinary proceedings
and, depending upon the circumstances, this could constitute gross misconduct.
5.7.4
Users may make limited and reasonable use of the College email system for
personal emails during break and lunch times and subject to appropriate use (see
5.5.1). No such use will be considered private and/or confidential nor can the
College guarantee the security of any such email. This applies to emails
sent/received using College computers, laptops or networks. The College reserves
the right to withdraw permission for personal use of the email system at any time.
6.
CONTACTS
5.1
Any queries or feedback regarding this code of practice or its implications should be directed
to the College Network Services (CNS) Helpline on ext: 4222
5.2
This code of practice is maintained on the Collegenet intranet and is accessible through the
College Network Service (CNS) pages. The Collegenet version of the code of practice is the
definitive version and will always be the most up to date.
Appendix H
Web Development & Usage
Code of Practice
Initially Conceived: December 2007
Primary Author:
S. Musgrave
For Review:
January 2012
By:
e-Systems Steering Group
With approval of:
Director of Quality & Standards
1.
BACKGROUND & CONTEXT
1.1
MISSION AIMS SUPPORTED
i. Achievement of our aims rests fundamentally on the effective delivery of teaching
and learning, and the accessibility of information to an increasing variety of
audiences.
ii. The Web Usage Code of Practice, therefore, helps us achieve key priorities through
providing information and facilities to underpin teaching and learning, and
developing engagement by staff in the College’s vision, mission and objectives.
2.
OWNERSHIP
2.1
The e-Systems Steering Group endorsed the Web Development Code of Practice and
delegated responsibility for its maintenance and implementation to the College Network
Services (CNS) Department.
3. AUTHORITY & SCOPE OF THESE GUIDELINES
3.1
This strategy supports and underpins the College’s strategic and operational plans. It,
together with other policies, procedures, codes of practice and values, constitutes the IT
Strategy of the College.
4.
RESPONSIBILITIES
4.1
College employees and learners are responsible for their own use of the College web
facilities within the scope of this code of practice and for contacting the CNS Helpdesk to
report any related issues. Inappropriate use of the web facilities may result in disciplinary
proceedings or may be deemed gross misconduct or gross negligence (see 4.2 for
clarification)
4.2
Inappropriate use of web facilities:
College employees, learners and any other user granted access to college web facilities
must not, under any circumstances, access inappropriate or offensive websites or distribute
or obtain similar material through the internet or email when using Company equipment,
even in their own time. Examples of inappropriate or offensive material include racist
material, pornography, sexually explicit images, text and related material, the promotion of
illegal activity or intolerance of others.
The College has the final decision as to whether it considers particular material to be
inappropriate under this Code of Practice. Users who are unsure whether particular
material would be considered appropriate should seek clarification from the Director of
Human Resources before accessing or distributing such material. If users are in any doubt
as to whether the College would consider certain material inappropriate, they should not
access or distribute the material.
If an individual receives material which contains (or the individual suspects may contain)
inappropriate material or inadvertently accesses any such material on the internet, he or
she must immediately report this to the Head of CNS who will advise the individual what to
do. The material must not under any circumstances be forwarded, shown to anyone else or
distributed in any other way.
4.3
Copyright
Most of the information and software that is accessible via the internet is subject to
copyright or other intellectual property protection. Users must not copy or download
material from the internet using College resources or for use in the College without express
permission from the owner.
5.
SYSTEMS & PROCESSES
5.1
Objectives
5.1.1 A basic principle of the College’s web development is to have a world class web presence.
It must be delivered efficiently, effectively, and professionally, and on behalf of the
user/customer. It is a priority that all developments must be customer focused.
5.2
Web Strategy Objectives Include:
• To provide a vital medium for teaching, learning, assessment and scholarship activities;
• To increase awareness about the College to internal and external audiences and to specific target audiences – both within the UK and worldwide;
• To provide effective web based services for all target groups;
• To provide rich internet applications, taking account of the variety of communication devices available to users;
• To empower staff by giving them advice and guidance, and the means and expertise to publish information on the web;
• To engage in continuous improvement of the usability and effectiveness of all College web based services;
• To provide interactive business processes on-line for internal and external customers;
• To continue to support innovation, and to draw on new ideas and concepts from within and outside the FE and HE sector.
5.3
Achieving The Objectives
5.3.1 To provide a vital medium for learning and teaching activities.
• A number of cross-College teams will work in co-operation to provide web services to underpin teaching, learning, assessment and scholarship activities.
5.3.2 To increase awareness about the College to internal and external audiences, and to
specific target audiences – both within the UK and worldwide
• Optimisation of search engine ranking through the appropriate use of metadata and the monitoring of trends
• Careful monitoring of content and its relevance to target audiences, in close consultation with content providers in Academic Schools and Corporate Services
5.3.3 To provide effective web based services for all target groups
• Through the development and maintenance of simple and intuitive navigation, infrastructure and design
• Gathering user feedback on existing model and refining as appropriate
• Analysis of web statistics, trends and benchmarking activities
• Continuous improvement of access and usability by adhering to relevant legislation
5.3.4 To support internet applications taking account of the variety of communication devices
available to users
• Supporting such facilities as Student Record systems, the Employer Engagement database, on-line application forms, online fee paying facility, student facing administration systems and others.
• Developing means for presentation and delivery to communications devices, such as mobile phones, PDAs, for applications such as Register Marking, etc.
5.3.5 To empower staff by giving them advice and guidance, and the means and expertise
to publish information (content) on the web
• Through deployment and refinement of appropriate web authoring interface.
• Roll out of training via the Staff Development unit, as appropriate.
• Continuous monitoring and subsequent deployment of improvements in web authoring tools.
5.3.6 To engage in continuous improvement of the usability and effectiveness of all College
web based services
• Through analysis and assimilation of feedback
• Through regular benchmarking against other relevant sites
• Through regular updating on developments in the relevant technology
• By keeping up to date with appropriate (e.g. accessibility) legislation
5.3.7 To provide interactive business processes on line for internal and external customers
• Implementation of Identity Management for staff, linking to the Human Resources business system.
• Implementation of Identity Management for learners, linking to the Student Record system
• Planned move from static on-line forms to active forms processing
• Planned move to web-enable financial transactions
5.3.8 To continue to support innovation, and to draw on new ideas and concepts from within and
outside of the FE and HE sectors
• Encourage imagination and innovation by seeking out new ideas (internally and externally) and demonstrating that they can be incorporated
5.4
Risks And Dependencies
5.4.1 Dependencies
• The development and maintenance of the College’s various web based services are utterly dependent upon the continued deployment of commercial software packages. These have to be carefully monitored and managed. The College needs to minimise its dependence on single providers if they do not conform to standards.
• Blackpool’s web presence is dependent upon continuing cross-divisional co-operation by Academic Schools and Corporate Services.
5.4.2 Risks
Failure of web service owing to poor performance or system failure would result in:
• Critical reduction in delivery of teaching, learning, assessment and scholarship activity;
• Critical reduction in delivery of Administrative support for core activities;
• Loss of competitiveness in the marketplace;
• Adverse effect on the College’s reputation;
• Inability to communicate effectively with international networks and partners;
• Lost revenue.
5.5
Monitoring And Evaluation – Key Performance Indicators (KPI)
5.5.1 Monitoring and evaluation will be carried out through:
• Analysis of operational stats – website traffic and uptime availability;
• Analysis of Virtual Learning Environment (VLE) (Moodle) stats;
• User responses – both informal and through Student Forum groups and Staff surveys;
• Regular benchmarking against other web services;
• Regular reporting (to e-Systems Strategy group) on development deployment of new online processes.
6.
CONTACTS
6.1
Any queries or feedback regarding this code of practice or its implications should be
directed to the College Network Services Helpdesk (ext: 4222).
6.2
This code of practice is maintained on the Collegenet intranet and is accessible through the
College Network Service pages. The Collegenet version of the code of practice is the
definitive version and will always be the most up to date.
Appendix I
Code of Practice on the Safe Disposal
of:
References, HR files and Data
(Including Medical Records)
Initially Conceived: December 2007
Primary Author:
T Marsh
For Review:
January 2012
By:
e-Systems Steering Group
With approval of:
Director of Quality and Standards
1.
REFERENCES
The College uses references to obtain information on candidates’ suitability for employment,
usually after they have been provisionally offered a post.
On rare occasions the College will seek references prior to the recruitment interview to aid the
recruitment process.
Our references seek to obtain information on the suitability of the applicant for the post. One
referee is from a current, or most recent, employer.
The College reference letter and grid is attached.
Appointment letters state that any appointment is subject to references satisfactory to us.
The storage of references is on an individual employee’s personal file. This is held in the Human
Resources Section. The storage of references is covered under the Storage of Data section in
Human Resources.
The reference request informs the referee that references may be disclosed to the
applicant/employee.
2.
STORAGE OF HUMAN RESOURCES DATA & FILES
Background & Context
The Human Resources Section of the College requires and utilises data individually and
collectively from:
1. Criminal Records Bureau
2. The Local Government Pension Scheme
3. The Teachers’ Pension Scheme
4. LLUK
5. Association of Colleges
6. Occupational Health Services
7. Institute Of Learning
8. Medical Practitioners
9. Home Office
10. Other individual bodies and individuals
The information is collected for the purposes of safe employment and the legal returns required of
the college by the Government and Funding bodies.
Annex I attached is the College’s policy statement on the Recruitment of ex offenders.
Ownership
The Director of Human Resources is responsible for the application of the storage policy and
communication of the policy to all the staff of the College. However, it is the responsibility of each
individual to ensure his/her understanding and compliance with this policy.
Authority and Scope of this Policy
This policy applies to all staff of the College as well as any third party authorised by the College to
access its information systems or data, whether individually or collectively.
Availability/Use of Resources/Systems
Individuals can access their personal files by giving Human Resources one working day’s notice.
The file may be viewed within Human Resources but not removed. Copies of the file will not be
allowed.
Electronic Data
Information for each individual is stored on the College computerised HR system. This integrated
system holds records for HR, Payroll, Finance, Staff Development, Recruitment & Selection and (it
is planned) Health & Safety.
In the long term the College is looking to develop access for individuals to their records. In the
meantime the same protocol of one working day is applied.
Storage Timescales
Application forms – Unsuccessful Candidates
These will be stored with interview notes for a period of 6 months from the date of the interview
before being confidentially destroyed. (The successful candidates’ application form is stored on
their personal file).
Leavers’ Personal Files
These will be stored for a period of 6 years before being confidentially destroyed.
CRB records
These are stored in accordance with the CRB policy (Appendix A attached).
Sickness and Medical Reports
Sick notes will be stored either separately alphabetically or with the applicants’ personal file and
destroyed as per the leavers’ personal file as above. Sick notes are kept for a period of 40 years.
Timesheets
These are kept for a period of 3 years.
Other records
These will be kept for a period of 7 years after which they will be confidentially destroyed.
Review
The policy will be reviewed bi-annually by the Director of Human Resources.
Annex 1
Blackpool and The Fylde College
Policy Statement on the Recruitment of Ex-Offenders

As an organisation using the Criminal Records Bureau (CRB) Disclosure service to assess
applicants’ suitability for positions of trust, Blackpool and The Fylde College complies fully with
the CRB Code of Practice and undertakes to treat all applicants for positions fairly. It
undertakes not to discriminate unfairly against any subject of a Disclosure on the basis of
conviction or other information revealed.

Blackpool and The Fylde College is committed to the fair treatment of its staff, potential staff or
users of its services, regardless of race, gender, religion, sexual orientation, responsibilities for
dependants, age, physical/mental disability or offending background.

We have a written policy on the recruitment of ex-offenders, which is made available to all
Disclosure applicants at the outset of the recruitment process.

We actively promote equality of opportunity for all with the right mix of talent, skills and
potential and welcome applicants from a wide range of candidates, including those with
criminal records. We select all candidates for interview based on their skills, qualifications and
experience.

Where a Disclosure is to form part of the recruitment process, we encourage all applicants
called for interview to provide details of their criminal record at an early stage in the application
process. We request that this information is sent under separate, confidential cover, to a
designated person within Blackpool and The Fylde College and we guarantee that this
information is only seen by those who need to see it as part of the recruitment process.

Unless the nature of the position allows Blackpool and The Fylde College to ask questions
about your entire criminal record we only ask about “spent” convictions as defined in the
Rehabilitation of Offenders Act 1974.

We ensure that all those in Blackpool and The Fylde College who are involved in the
recruitment process have been suitably trained to identify and assess the relevance and
circumstances of offences. We also ensure that they have received appropriate guidance and
training in the relevant legislation relating to the employment of ex-offenders, eg the
Rehabilitation of Offenders Act 1974.

At interview, or in a separate discussion, we ensure that an open and measured discussion
takes place on the subject of any offences or other matter that might be relevant to the position.
Failure to reveal information that is directly relevant to the position sought could lead to a
withdrawal of an offer of employment.

We make every subject of a CRB Disclosure aware of the existence of the CRB Code of
Practice and make a copy available on request.

We undertake to discuss any matter revealed in a Disclosure with the person seeking the
position before withdrawing a conditional offer of employment.

Please note that the College will process the necessary paperwork for new staff to obtain a
CRB Disclosure, however the cost will be deducted from their first salary payment.
Appendix J
Closed Circuit Television (CCTV)
Code of Practice
Initially Conceived: July 2007
Primary Author: S. Crane
For Review: January 2012
By: e-Systems Steering Group
With approval of: Director of Quality & Standards
1. Background & Context
1.1 Blackpool and The Fylde College (the "College") has in place and is further developing a
Closed Circuit Television (CCTV) surveillance system (the "system") across all College
sites.
1.2 CCTV images can be data that relates to a living identifiable individual and can therefore be
"personal data" covered by the Data Protection Act 1998 ("DPA").
This code of practice sets out guidelines on how the College will process personal data
captured on the system in accordance with the DPA and the Information Commissioner's
Office CCTV Code of Practice.
[DN: References to the DPA and ICO CCTV Code of Practice ("ICO Code") have been
added as these are also relevant to the background and context of the development of
Blackpool and The Fylde College's CCTV Code of Practice ("BF Code").]
This code of practice is associated with the College Data Protection Code of Practice, the
provisions of which should be adhered to at all times.
2. Ownership
2.1 The system is owned by the College and for the purpose of the DPA the data controller is
Blackpool and The Fylde College of [address].
2.2 The Director of Capital Projects and Estates and the Campus Services Manager are jointly
responsible for the operation of the system and for ensuring compliance with this code of
practice and any related procedures.
3. Purpose of the System
3.1 The purposes of the College CCTV system are to:
• Deter and detect criminal activity and anti-social behaviour.
• Facilitate the identification, apprehension and prosecution of offenders in relation to crime
and public order.
• Facilitate the identification of any activities/events which might warrant disciplinary
proceedings being taken against staff or students and assist in providing evidence to
managers and/or to a member of staff or student against whom disciplinary or other action
is, or is threatened to be, taken.
• Monitor the movement of vehicles and pedestrian traffic on site.
4. Responsibilities
4.1 Control Room Staff
4.1.1 All staff working in the Control Room should be aware of the sensitivity of handling
CCTV images and recordings. The Campus Services Manager will ensure that all
staff are fully briefed and trained in respect of the functions, operation and
administration.
4.1.2 Training in the requirements of the DPA will be given to all those required to work in
the Control Room by the Data Protection Officer.
5. Systems & Processes
5.1 The CCTV System
5.1.1 The system currently comprises: fixed position cameras; pan tilt and zoom cameras;
monitors; multiplexers; and digital recorders.
5.1.2 As technology advances the College will evaluate and update the available
technology to maximise the effectiveness of the system.
5.1.3 Cameras will be located at strategic but not necessarily fixed points on the campus,
both externally and within buildings. All reasonable steps will be taken to prevent
them from focussing on private accommodation.
5.1.4 In areas where people have a heightened expectation of privacy, such as changing
rooms or toilet areas, cameras will only be used in the most exceptional
circumstances where it is necessary to deal with very serious concerns.
[DN: The above addition is a recommendation of the ICO code - it should also be
noted that in areas where there is a heightened expectation of privacy extra effort
should be made to ensure people are aware they are being monitored].
5.1.4 Signs will be prominently placed at strategic points and at entrance and exit points
of the campus to inform staff, students, visitors and members of the public that a
CCTV installation is in use.
5.1.5 Although every effort has been made to ensure maximum effectiveness of the
system it is not possible to guarantee that the system will detect every incident
taking place within the area of coverage.
5.2 Covert Recording
5.2.1 Covert cameras may be used under the following circumstances on the written
authorisation or request of a senior post holder or individual designated by a senior
post holder, where:
• informing the individual(s) concerned that recording was taking place would
seriously prejudice the objective of making the recording; and
• there is reasonable cause to suspect that unauthorised or illegal activity is
taking place or is about to take place.
5.2.2 Any such covert processing will only be carried out for a limited and reasonable
period of time consistent with the objectives of making the recording and will only
relate to the specific suspected unauthorised activity.
5.2.3 The decision to adopt covert recording will be fully documented and will set out how
the decision to use covert recording was reached and by whom.
5.3 The CCTV Control Room (Control Room)
5.3.1 Images captured by the system will be recorded and may be monitored in the
Control Room twenty-four hours a day throughout the whole year. Monitors are not
visible from outside the Control Room.
5.3.2 No unauthorised access to the Control Room will be permitted at any time. Access
will be strictly limited to the duty controllers, authorised members of staff, police
officers, and any person with statutory powers of entry. A list of those members of
staff authorised to access the Control Room is attached at Annex 1.
5.3.3 Additional access may be granted to the Control Room on a case-by-case basis and
only then on written authorisation from the Campus Services Manager or the
Director of Capital Projects and Estates. In an emergency and where it is not
reasonably practicable to secure prior authorisation, access may be granted to
persons with a legitimate reason to enter the Control Room.
5.3.4 Before allowing access to the Control Room, staff will satisfy themselves of the
identity of any visitor and that the visitor has appropriate authorisation. All visitors
will be required to complete and sign the visitors’ log, which shall include details of
their name, their department or organisation they represent, the person who granted
authorisation and the times of entry to and exit from the centre. A similar log will be
kept of the staff on duty in the Control Room and any visitors granted emergency
access.
5.4 Control Room Administration and Procedures
5.4.1 Details of the administrative procedures which apply to the Control Room will
be set out in a Procedures Manual, a copy of which is available for
inspection by prior arrangement, stating the reasons for the request.
5.5 Recording
5.5.1 Recordings are held on a hard disk for 28 days.
[DN: Under the DPA, personal data should only be kept for as long as necessary for
the purposes of processing. The ICO Code recommends that images are only kept
for the shortest period necessary, the decision on the shortest period necessary can
be based on an organisation's own experiences of the period necessary to retain the
images for the purposes of processing.
The 28 day retention period set out above should therefore only be used if this
period meets the above criteria.]
5.5.2 At the end of the 28 day period recordings will be permanently deleted through
secure methods.
[DN: The ICO Code recommends that measures are in place to ensure the
permanent deletion of images through secure methods at the end of the period of
retention. A statement addressing this issue has been added and BF should ensure
that appropriate destruction techniques are in place and followed. It may be
appropriate to document those methods for staff.]
5.6 Disclosure of recorded images
5.6.1 All disclosures of recorded images will be logged, detailing the date of the disclosure
along with details of who the images have been provided to (the name of the
person and the organisation they represent) and why they are required.
5.6.2 Access to recorded images will be restricted to those staff who need to have access
in accordance with the purposes of the system. A list of such staff is given at Annex
1.
5.6.3 Access to recorded images by third parties (i.e. persons other than those members
of staff listed in Annex 1 or individuals who are the subject of the recording by the
CCTV):
• Access to images by third parties must be authorised by [the Data Protection
Officer].
• Disclosure of recorded material will only be made to third parties in strict
accordance with the purposes of the system and is limited to the following:
o Law enforcement agencies where images recorded would assist in a criminal
enquiry and/or the prevention of terrorism and disorder.
o Prosecution agencies.
o Relevant legal representatives.
o The media where the assistance of the general public is required in the
identification of a victim of crime or the identification of a perpetrator of a
crime.
o People whose images have been recorded and retained unless disclosure to
the individual would prejudice criminal enquiries or criminal proceedings.
o Emergency services in connection with the investigation of an accident.
o Management, staff, and students as appropriate in respect of any
disciplinary investigations or hearings in accordance with the College’s
Disciplinary Procedures and additional authority from the Director of Human
Resources or the Head of Students Services.
5.6.4 Access to recorded images by an individual captured on the recording:
• All requests for access to recorded images by an individual captured on the
recording must be authorised by [the Data Protection Officer].
• Anyone who has their image recorded by CCTV is entitled to a copy of the
images, subject to the prohibitions on access also covered by the DPA.
• The copy of the images must be provided within 40 calendar days of
receiving a request. A fee of £10 may be charged to provide the copy of the
recording.
5.6.7 A person whose image has been recorded and retained and who wishes access to
the information must apply in writing to the Data Protection Officer. Any requests for
copies of CCTV footage must include the dates and times of footage being
requested. Non-specific requests will not be actioned. Subject Access Request
Forms are obtainable from the Campus Services Office.
5.6.8 The Data Protection Officer will then arrange for a copy of the recorded images to
be made and given to the applicant or access to a viewing facility. The applicant
must not ask another member of staff to show them the recording, or ask anyone
else for a copy of the recording. All communications must go through the College
Data Protection Officer.
5.6.9 The Data Protection Act gives the Data Protection Officer the right to refuse a
request for a copy of the recorded images particularly where such access could
prejudice the prevention or detection of crime or the apprehension or prosecution of
offenders.
5.6.10 All such requests will be referred to the Campus Services Manager by the Data
Protection Officer.
5.6.11 If it is decided that a data subject access request is not to be complied with, the
reasons will be fully documented and the data subject informed, whenever possible
in writing, stating the reasons.
5.7 Request to prevent processing
5.7.1 An individual has the right to request a prevention of processing where this is likely
to cause substantial and unwarranted damage or distress to that individual.
5.7.2 All such requests should be addressed in the first instance to the Campus Service
Manager or the Data Protection Officer, who will provide a written response within
21 days of receiving the request setting out their decision on the request. A copy of
the request and response will be retained.
5.8 Contacts
5.8.1 It is recognised that members of the College and others may have concerns,
complaints or queries about the operation of the system. Any such complaint
should be addressed in the first instance to the Campus Services Manager.
Concerns or enquiries relating to the provisions of the Data Protection Act 1998 may
be addressed to the Data Protection Officer (datarequest@blackpool.ac.uk).
5.8.2 Upon request enquirers will be provided with:
• This Code of Practice; and, if appropriate,
• An Access Request Form if required or requested.
• A Subject Access Request Form if required or requested.
5.9 Compliance monitoring
5.9.3 All documented procedures will be kept under review.
5.9.4 The effectiveness of the system in meeting its purposes will be kept under review.
Annex 1
Authorised access to the CCTV Control Room and Recorders
Director of Capital Projects & Estates
Campus Services Manager
Estates Technical Officer
Assistant Head of Estates
Deputy Campus Services Manager
Senior Post Holders
Duty Controller/Operator
Head of Student Services
Director of Human Resources
The Data Protection Officer
Annex 2
Impact Assessment from Privacy Impact Assessment Handbook
Q1. What organisation will be using the CCTV images? Who will take legal responsibility
under the Data Protection Act (DPA)?
A1. The College registration under the Data Protection Act is made by Linda Smith, College MI
& F Manager with responsibility as College Data Protection Officer. The Vice Principal
(Resources & Planning) has responsibility to the Principal and Chief Executive for the
College. The College commits to:
i) Releasing images only under appropriate circumstances and within the terms of the
Data Protection Act.
ii) Including a disclaimer with any images released which reminds the recipient(s) of
their responsibility under the Data Protection Act.
iii) Ensuring that only the College Data Protection Officer or the Vice-Principal,
Resources and Planning are authorised to release any images to a third party,
thus ensuring compliance with the terms of the Data Protection Act.
Q2. What is the organisation’s Purpose for using CCTV? What are the problems it is meant to
address?
A2. The purpose is for the security and safety of all members of the College community along
with those purposes outlined in the College’s registration with the Information
Commissioner. It is intended to be preventative as well as security.
Q3. What are the benefits to be gained from its use?
A3. The benefits are to address issues raised by Learners and staff regarding safety and the
prevention of anti-social behaviour. It will also be used to ensure that traffic (both foot and
vehicular) is flowing safely. Additionally the College reserves the right to use images
arising from a potential grievance or disciplinary matter. This would be used to provide
evidence of an allegation rather than as the instigation of the procedure.
Q4. Can CCTV technology realistically deliver these benefits? Can less privacy-intrusive
solutions, such as improved lighting, achieve the same objectives?
A4. Yes. The clear policy provides for all the correct use of CCTV images in line with our
registration. In many instances staff have requested CCTV cameras (for example in College
car parks and Learning Resource Centres) to be installed and feel more secure and
comfortable with them. CCTV can also act as a deterrent on issues of anti-social behaviour.
The perpetrators can be identified and appropriate action taken in accordance with agreed
College procedures. CCTV is not part of this package of measures. Other measures are
also in place such as improved lighting and an externally provided security presence. It is
not considered that these measures alone would provide an adequate and proportionate
solution. CCTV is not used in isolation.
Q5. Do you need images of identifiable individuals, or could the scheme use other images not
capable of identifying the individual?
A5. In respect of criminal damage the police can only take action where an individual is
identified.
Q6. Will the particular equipment/system of work being considered deliver the desired benefits
now and remain suitable in the future?
A6. Yes. We believe so. We will review as part of the plans to change our accommodation.
Q7. What future demands may arise for wider use of images and how will you address these?
A7. Will be under review with the experience of using the system and its impact. We are
looking at installing CCTV cameras at the new builds during the build as an information
resource. This is under legal advisement.
Q8. What are the views of those who will be under surveillance?
A8. Our learners have identified security and safety as a major priority and our staff have
identified challenging anti-social behaviour. These requests have been taken very seriously
and we believe that CCTV addresses some of these concerns. There are some Union
concerns.
Q9. What could you do to minimise intrusion for those that may be monitored, particularly if
specific concerns have been expressed?
A9. We believe that the protocols and policy are clear. The specific concerns raised by the
College Trade Unions have been listened to. There are College procedures for any
grievances. Our legal advice is that this is a good and fair policy and in keeping with our
registration. We believe that it is a proportionate policy.
The Union concerns centre around the use for car parking, pedestrian and vehicular traffic
and the potential use for College disciplinary procedure. We believe that we have
addressed the concerns around the security of the data and procedures including licence
for use.
Additionally, we have had legal advice from both EEF and DLA on the formulation of the
policy and have sought advice from the Information Commissioner’s Office.