It is critical that schools consider the security of confidential or personal data both on the school site and when it is removed from the site, in electronic and paper format alike. Ensuring that ALL staff and governors know how to handle sensitive or personal information, and understand their responsibilities when accessing data, is vital.
All schools should have a security policy and should review it regularly to ensure that it covers how personal information is stored, transmitted and protected.
Here are some tips for securing information.
- Treat personal data with care and remember that you have a duty of confidentiality towards the Data Subject (the individual who is the subject of the personal data). All paper copies of personal information should be kept in a locked filing cabinet or cupboard, accessed only by authorised personnel on a need-to-know basis.
- Whenever personal information is requested under the DPA or other legislation, check that your response will not disclose inappropriate data about other individuals before releasing such information.
- Share personal information only with organisations listed in your data protection notification to the Information Commissioner and in your privacy notices.
- Ensure that personal information is not left on your desk in view of others, and lock it away when not in use.
- Keep cupboards, cabinets and computer equipment containing hard copy or electronic personal information secure, so that only authorised people have access.
- Ensure that PCs, laptops and mobile devices are password protected, and set an automatic screen lock as a backstop. Log off or lock PCs, laptops and mobile devices whenever you leave them unattended, even for a short time. Change passwords which protect personal data regularly - we recommend at least every 90 days - and immediately if you suspect a password has been disclosed or compromised.
- Never tell anyone else your password. Don't let anyone watch as you enter it.
- Don't share IT accounts with other users - have one account for each individual.
- Ensure that passers-by, especially pupils or visitors to school, cannot read information on your computer screen.
- Do not store personal data on removable media (e.g. USB sticks, CD-ROMs) unless the media themselves are encrypted.
- Do not send personal information by email unless it is encrypted. Ordinary email is not secure: messages can be read in transit, retained on intermediate servers and easily misdirected.
- Do not remove personal data (electronic or hard copy) from school premises unless authorised by the headteacher.
- Never install unauthorised software, including free downloads - it may contain a virus or other security threat.
- Ensure that software and operating systems are kept up to date by installing patches promptly.
- Protect PCs with up to date anti-virus software.
- Double-check postal or email addresses and fax numbers before you send personal information.
- Encrypt back-up media and keep them in a secure storage area.
- Only use official school email accounts for conducting school business.
- If in doubt, seek further advice before acting.
- Ensure that you can recognise when a data breach has occurred, that staff know whom to report it to, and that a clear action plan is in place detailing how you will respond.