It is critical that schools consider the safety of confidential and/or personal data held in electronic or paper formats that are used both on and off the school site.
Under the General Data Protection Regulation it is vital that ALL staff and governors are aware of how to handle sensitive and/or personal information, and what their responsibilities are when storing, accessing and using data. Under this new legislation there is also a requirement to maintain documented evidence of your awareness and governance.
All schools must have a security policy and should review it regularly to ensure that it covers how personal information is stored, processed and protected.
Here are some tips for securing information:
- Treat personal data with care and remember that you have a duty of confidentiality towards the Data Subject (the individuals whose data you hold).
- Ensure that loose papers, notebooks etc., whether they contain personal information or not, are not left on your desk in view of others; remember to lock papers away when they are not in use.
- Keep cupboards, cabinets and computer equipment containing personal information, whether in paper (hard-copy) or electronic form, secure. These should only be accessed by authorised personnel on a need-to-know basis.
- Ensure that PCs, laptops and mobile devices are password protected; log off or lock them if you are leaving them unattended, even for a short time; and change passwords which protect personal data regularly - we recommend at least every 40 days.
- Ensure that passers-by, especially pupils or visitors to school, cannot read information on your computer screen.
- Double-check postal or email addresses and fax numbers before you send personal information.
- Only use official school email accounts for conducting school business.
- Ensure that software and operating systems are kept up to date by installing patches promptly.
- Protect PCs with up-to-date anti-virus software.
- Encrypt back-up media and keep them in a secure storage area.
- Ensure that you can recognise when there has been a data breach, and have a clear action plan in place to detail how you will respond.
- Whenever personal information is requested under the DPA or other legislation, check that your response will not disclose inappropriate data about other individuals before releasing such information (see section about data protection requests).
- Only share personal information with the organisations listed in your data protection notification (ICO notification) and on your privacy notices.
Things you must NOT do:
- Tell anyone else your password. Don't let anyone watch as you enter it.
- Share IT accounts with other users - have one account for each individual.
- Store personal data on removable media (e.g. USB sticks, CD-ROMs) unless they are encrypted.
- Send personal information by email unless it is encrypted. Emails are not secure.
- Remove personal data (electronic or hard copy) from school premises unless authorised by the SIRO (Senior Information Risk Owner).
- Install unauthorised or free software - it may contain a virus or other security threat.