Data Protection Instructions and outline

Programme of work for Data Protection Survey
Outline
The aim of the survey is to focus on the Data Protection practices of the school, highlighting areas
of good practice and making recommendations as to improvements.
The survey will look at policies and practices, talk to representatives of the school and look at the
physical attributes of Data Protection in the school.
The school will receive a confidential report which will assess the school against aspects of the 360
Degree Safe award (see Appendix A) and against the recommendations of the recent ICO report [1].
Aspects of the report will be used anonymously by eLIM to inform its work with other schools.
After the visit and the report, the school will be supported in improving its practice and procedures in line
with any recommendations made.
Arranging the visit
On an invitation from the school, a date for the visit will be arranged. The visit will be for 2 – 2½ hours.
Gathering of evidence
A week before the visit an email will be sent confirming the visit and requesting access to the school's
policies relating to Data Protection.
These policies could include (please note: no school will have all of these policies and some might
be included in one document):
Data Protection Policy
Privacy Information Notice/Fair Processing Notice
FoI Publication Scheme
Records Management Policy
Records Retention/Disposal Policy
Information Security Policy
Policy for dealing with requests for personal Information
Policy for dealing with requests for general information
e-safety Policy
Acceptable User Policies
Use of images Policy
The adviser will also look at the Data Notification Register on the ICO site.
The Visit
The adviser will be asking for information as set out in the visit survey document [2]. Many of the
questions are aspirational, and not all of them will be suitable for every school; a school does not need to
answer every question positively to show excellent practice.
The people able to answer these questions could include: the Data Controller for the school, the
Headteacher, the member of the SMT responsible for IT, administrators, ICT technicians or support staff, and
the teacher in charge of ICT. It is up to the school to decide who is available to answer the questions.
At the end of the visit the adviser will give an initial indication of the school's position in relation to its Data
Protection policies and practices.
[1] http://www.ico.gov.uk/news/latest_news/2012/report-offers-school-data-protection-advice-17092012.aspx
[2] https://slp.somerset.org.uk/sites/edtech/Data%20Protection/Data%20Protection/ELIM%20DP%20survey%20form.pdf
lead ▪ learn ▪ protect ▪ engage
www.somersetelim.org
The Report
Within 5 working days a draft of a report will be produced and sent to the Headteacher and other
nominated people which will outline:
areas of good practice
recommendations for improvements
levels relating to aspects in the 360 Degree Safe Tool
indications as to how and where further support can be obtained
The school will be free to suggest changes to the draft report with the final report being produced
within 5 working days of any change suggested by the school.
The school will be able to use and share the report in any way they wish.
Appendix A - Aspects from 360 Degree Safe
Policy and Leadership > Leadership > Policy scope
Level 1: There is no e-safety policy.
Level 2: The school is in the process of establishing an e-safety policy.
Level 3: The e-safety policy is limited to the use of the ICT systems, equipment and software in school.
Level 4: The e-safety policy covers the use of the ICT systems, equipment and software in school and also
addresses issues related to the use of school related ICT out of school and the use of personal ICT equipment
in school. It is comprehensive in that it includes sections on issues such as social networking, cyber-bullying,
data protection, passwords, filtering, digital and video images and use of mobile and/or gaming devices.
(Award Level)
Level 5: The e-safety policy covers the use of the ICT systems, equipment and software in school and also
addresses issues related to the use of school related ICT out of school and the use of personal ICT equipment
in school. It is comprehensive in that it includes sections on issues such as social networking, cyber-bullying,
data protection, passwords, filtering, digital and video images and use of mobile and/or gaming devices. The
policy clearly states the school’s responsibility and commitment to take action over school related e-safety
incidents that take place out of school. The e-safety policy is differentiated and age related, in that it recognises
the needs of young people at different ages and stages within the school.
Policy and Leadership > Leadership > Acceptable use policies
Level 1: There are no Acceptable Use Policies/Agreements.
Level 2: Acceptable Use Policies/Agreements are being developed.
Level 3: Acceptable Use Policies/Agreements are in place for pupils/students and staff.
Level 4: Acceptable Use Policies/Agreements are in place for, and are signed by pupils/students (as
appropriate by age) and staff/adult volunteers. Parents receive and countersign copies of the Pupil/Student
AUP. There are clear induction policies to ensure that young people and adults who are new to the school are
informed of and required to sign AUPs. Pupils/students provide feedback in reviews of AUPs. (Award Level)
Level 5: Acceptable Use Policies/Agreements, which are differentiated by age and stage, are in place for, and
are signed (annually) by, pupils/students (as appropriate by age), staff/adult volunteers and community users.
Parents receive and, annually, countersign copies of the Pupil/Student AUP. The clear induction policies ensure
that young people and adults who are new to the school are informed of and required to sign AUPs.
Pupils/students provide feedback in reviews of AUPs. All users have knowledge of the e-safety policy and
AUPs and understand their responsibilities, as described in the policy. The school encourages acceptable use
through positive "reciprocal" agreements or covenants.
Policy and Leadership > Leadership > Digital and video images
Level 1: There is no policy relating to the use and publication of digital and video images.
Level 2: A policy relating to the use and publication of digital and video images is being developed.
Level 3: The school has policies relating to the use and publication of digital and video images and this is
referred to in AUPs.
Level 4: The school has clearly understood and accepted policies and AUPs relating to the use and publication
of digital and video images. Parental permission forms are included in the AUP for publication of images on
the website and other publications. Similar permission is gained from older secondary age students, reflecting
their personal rights. All members of the school, including staff, are educated about the risks associated with
the taking, use, sharing, publication and distribution of images (and in particular the risks attached to publishing
their own images on the internet). Digital images are always stored securely and disposed of appropriately.
(Award Level)
Level 5: The school has clearly understood and accepted policies relating to the use and publication of digital
and video images. Parental permission forms are included in the AUP for publication of images on the website
and other publications. Similar permission is gained from older secondary age students, reflecting their
personal rights. Members of the school are encouraged to use digital and video images to promote the quality
of their learning, but are also educated about the risks associated with the taking, use, sharing, publication and
distribution of images (and in particular the risks attached to publishing their own images on the internet). Staff
are encouraged to use digital and video images to record learning and to celebrate success, but are aware of
the need to take care about the nature of the activities being recorded and to avoid the potential for young
people to be identified from published images. Digital images are always stored securely and disposed of
appropriately.
Infrastructure > Password
Level 1: There is no agreed password policy.
Level 2: Password policies are being developed.
Level 3: The school has a password policy which applies to all users. Passwords are secure and are
consistent with national and Local Authority Information Security guidance.
Level 4: The school has clearly understood and accepted policies relating to the use of passwords. Passwords
are secure and consistent with national and Local Authority Information Security guidance. Password
procedures are age appropriate. Password changes are regularly enforced. Users understand that passwords
must never be shared. There are clear procedures for the provision of new passwords, with forced changes at
first log-in. All users have clearly defined access rights to school ICT systems. There are clear policies for the
use and control of the “master/administrator” passwords.
Level 5: The school has clearly understood and accepted policies relating to the use of passwords. Passwords
are secure and fully compliant with national and Local Authority Information Security guidance, with rigorous
testing against these standards. Password procedures are age appropriate. Password changes are regularly
enforced. Users understand that passwords must never be shared. There are clear procedures for the
provision of new passwords, with forced changes at first log-in. All users have clearly defined access rights to
school ICT systems. There are clear policies for the use and control of the “master/administrator” passwords.
There are regular audits of user log-ins to check for anonymous or unauthorised log-ins. There is regular testing
of systems to ensure that the password security policy is being correctly implemented.
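As an added illustration of the Level 4 and Level 5 password practices above (forced change at first log-in, regularly enforced changes, control of administrator passwords, audits of log-ins for anonymous or unauthorised use, and testing that the policy is actually implemented), the following Python script is an example written for this page; it is not part of the survey programme or of the 360 Degree Safe tool. The account export, the log line format, the 90-day maximum password age and the audit date are all constructed assumptions, and the usernames and addresses are made up. A real audit would read the same fields from the school's directory and authentication logs.

```python
"""Added example: audit constructed account and log-in records against a
password policy. Record formats, policy values and all data are assumptions
made for this example, not taken from any school or from 360 Degree Safe."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_PASSWORD_AGE = timedelta(days=90)      # assumed policy maximum
AUDIT_DATE = datetime(2012, 10, 1)         # assumed date the audit is run


@dataclass(frozen=True)
class Account:
    username: str
    created: datetime        # when the account was provisioned
    password_set: datetime   # when the password was last changed
    enabled: bool
    admin: bool              # holds a "master/administrator" password


# Constructed account export (not real data).
ACCOUNTS = [
    Account("j.smith", datetime(2012, 9, 3), datetime(2012, 9, 3), True, False),
    Account("a.khan", datetime(2011, 1, 10), datetime(2012, 8, 20), True, False),
    Account("it.admin", datetime(2010, 5, 1), datetime(2012, 5, 1), True, True),
    Account("old.staff", datetime(2009, 2, 2), datetime(2012, 1, 15), False, False),
]

# Constructed log lines in an assumed "timestamp user result source" format.
LOG_LINES = """\
2012-09-28T08:01:12 j.smith success 10.0.1.21
2012-09-28T08:05:40 a.khan success 10.0.1.22
2012-09-28T12:30:02 it.admin success 10.0.1.5
2012-09-29T19:44:10 old.staff success 10.0.1.40
2012-09-29T21:02:55 guest success 10.0.1.77
2012-09-30T07:59:01 a.khan failure 10.0.1.22
"""


def audit_passwords(accounts, now=AUDIT_DATE, max_age=MAX_PASSWORD_AGE):
    """Test that the password policy is being implemented on enabled accounts.

    Flags accounts still on the password they were created with (no forced
    change at first log-in) and accounts whose password is older than the
    policy maximum (regular changes not enforced).
    """
    findings = {"initial_password_unchanged": [], "password_too_old": []}
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.password_set == acct.created:
            findings["initial_password_unchanged"].append(acct.username)
        if now - acct.password_set > max_age:
            findings["password_too_old"].append(acct.username)
    return findings


def audit_logins(log_text, accounts):
    """Audit successful log-ins for anonymous or unauthorised use.

    A log-in by a username not in the account export is anonymous/unknown;
    one by a disabled account is unauthorised; administrator log-ins are
    listed so use of the master password can be reviewed.
    """
    known = {acct.username: acct for acct in accounts}
    findings = {"unknown_user": [], "disabled_account": [], "admin_login": []}
    for line in log_text.splitlines():
        timestamp, user, result, source = line.split()
        if result != "success":
            continue            # failed attempts are out of scope for this audit
        acct = known.get(user)
        if acct is None:
            findings["unknown_user"].append((timestamp, user, source))
        elif not acct.enabled:
            findings["disabled_account"].append((timestamp, user, source))
        elif acct.admin:
            findings["admin_login"].append((timestamp, user, source))
    return findings


if __name__ == "__main__":
    for name, users in audit_passwords(ACCOUNTS).items():
        print(f"{name}: {', '.join(users) or 'none'}")
    for name, events in audit_logins(LOG_LINES, ACCOUNTS).items():
        print(f"{name}:")
        for timestamp, user, source in events:
            print(f"  {timestamp} {user} from {source}")
```

On the constructed data the password audit flags j.smith (still on the initial password) and it.admin (password older than 90 days), and the log-in audit flags the unknown "guest" user, a log-in by the disabled leaver account, and the administrator log-in for review. Run regularly, the two checks give the evidence the Level 5 descriptor asks for rather than a statement that a policy exists.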
Infrastructure > Personal Data
Level 1: There is no agreed Personal Data policy.
Level 2: A Personal Data policy is being developed.
Level 3: The school has a Personal Data policy. All staff know and understand the need to ensure the safe
keeping of personal data, minimising the risk of its loss or misuse. (Adhering to the Data Protection Act and
relevant national guidance). Parents and carers are informed about their rights and about the use of personal
data through the Privacy Notice. (Award Level)
Level 4: The school has a Personal Data policy. All staff know and understand the need to ensure the safe
keeping of personal data, minimising the risk of its loss or misuse. (Adhering to the Data Protection Act and
relevant national guidance). Clear policies about the secure handling, transfer and disposal of data
(passwords, encryption, and removable media) are known, understood and adhered to by users. Parents and
carers are informed about their rights and about the use of personal data through the Privacy Notice. Password
protection is enhanced by the use of encryption and/or two factor authentication for the handling or transfer of
sensitive data. The school has appointed a Senior Information Risk Owner (SIRO)/Data Protection Officer and
Information Asset Owners.
Level 5: The school has a Personal Data policy. Staff know and understand the need to ensure the safe keeping
of personal data, minimising the risk of its loss or misuse. (Adhering to the Data Protection Act and relevant
national guidance). Clear policies about the secure handling and transfer of data (passwords, encryption, and
removable media) are known, understood and adhered to by users. Parents and carers are informed about
their rights and about the use of personal data through the Privacy Notice. Password protection is enhanced
by the use of encryption and/or two factor authentication for the handling or transfer of sensitive data. The
school has appointed a Senior Information Risk Owner (SIRO)/Data Protection Officer and Information Asset Owners.
All protected data is clearly labelled with Impact Labels. There is a clear procedure in place for audit logs to
be kept and for reporting, managing and recovering from information risk incidents.