Information Management and Security Policy - UNCLASSIFIED

Document Control

School / Norfolk Community Primary School
Title / Information Management and Security Policy
Status / Draft
Owner / Senior Information Risk Owner
Protective Marking / Unclassified
Review date / Autumn Term, biannually

Revision History

Version / Revision Date / Reviser / Description of Revision

Contents

1. Introduction and Purpose

2. Scope of this document

3. Policy Applicability

4. Decision making under this policy

5. Information Handling Policy

6. Responsibility for the handling of information

7. Identifying Information Assets

8. Information risk assessment

9. Responding to security incidents

10. Information Security Policy.

11. Approach to Information Policy

12. Management of Information Security

13. Information Sharing Policy

14. Purpose

15. Approach to data sharing

16. Disclosure of personal data

17. Information Management Policy

18. Approach to Information Management

19. Involvement in Information Management

20. Authority for this policy

21. Relevance

22. Definitions

23. Policy Governance

24. Policy Compliance

Page 2 of 9 © Sheffield City Council 2011
1  Introduction and Purpose

1.1  The information vision will be realised by the School through adherence to the policy points outlined in this document and by embedding Information Management best practice and procedures into the School's activities.

1.2  This is the Information Management and Security Policy for Norfolk Community Primary School. It covers all information created by the School and information entrusted to it, regardless of format and storage medium.

1.3  The Information Management and Security Policy outlines the School's high-level approach to the management and security of the information entrusted to it. The SIRO will create and approve the procedures and best practice required to enable the School to fulfil its policy obligations.

1.4  The School will detail all its approved procedures and best practice in a separate document (the Information Management and Security Manual).

2  Scope of this document

2.1  This policy sets out the approach of Norfolk Community Primary School in the following areas of Information Management and Security:

·  Information Handling

·  Information Security

·  Information Sharing

·  Information Management

2.2  This policy will complement, but not replace or override, any existing school policies which relate to Information Management and Security.

2.3  The School will review policies that are affected by, or have an impact on, this strategy as part of the policy implementation. These policies include:

·  FOI Policy

·  ICT Policy

·  Safeguarding Policy

·  SEN Policy

2.4  Where a change resulting from the implementation of this policy affects the way in which people work or conduct activities in the School, this will be clearly documented and communicated to all those concerned.

3  Policy Applicability

3.1  This policy applies to everyone who is authorised by the School to use any paper-based or electronic system containing information provided for, owned, controlled or administered by the School.

3.2  This policy applies to all information processed by and on behalf of the School regardless of format.

4  Information Handling Policy

Responsibility for the handling of Information

4.1  The School accepts that everyone who has access to information is responsible for it. The School will make this clear to everyone this policy applies to and tell them of the consequences of mishandling information.

4.2  The School will appoint a Senior Information Risk Owner (SIRO) in the first instance. The role and responsibilities of the SIRO are defined in the School's Information Management Strategy document. The School's appointed SIRO will be named in the Information Management Strategy document.

Identifying Information Assets

4.3  The School will identify its information assets (an information asset is a collection of data or a discrete set of data, such as learner educational records or an attendance register) and put adequate arrangements in place to manage them.

4.4  Once the School has identified its Information Assets, it will group them logically to allow an appropriate Information Asset Owner to be assigned to each group and to allow more efficient management of the assets. Once the SIRO has identified and grouped the assets, these will be detailed in the Information Management and Security Manual.

Information risk assessment

4.5  Given the importance of understanding the risks the School runs in handling its information, the School will carry out and act on Information Risk Assessments. The School will protect information in proportion to the risks to that information that have been identified in Risk Assessments.

4.6  The School will establish criteria for assessing risks, which will include identifying: information assets; relevant legal requirements; School operational requirements; and the reputational impact of incidents (such as the unauthorised disclosure of information).

4.7  The School will apply the criteria it establishes in priority order. That priority order will identify the order in which risks will be established and appropriate mitigations deployed. The highest priority will be given to Information Assets containing personal data and the next highest priority will be given to information which is critical to the School’s work.

4.8  The School will identify the threats to its information assets; the existing security controls that apply to them; the vulnerabilities to which they are subject; the consequences of a risk arising; and other relevant issues.

4.9  When threats and the associated mitigations have been identified, the School will implement those mitigations and document them as procedure/best practice in its Information Management and Security Manual.

Responding to security incidents

4.10  The School will put in place a process for responding to security incidents. This process will be supported by: appropriate management commitment; a resolution team; an individual in charge of each incident; a communications plan, if appropriate; resolution action plans; knowledge of previous incidents; appropriate awareness raising routes.

4.11  Policies and procedures will reflect best practice as far as possible and will be regularly reviewed for correctness, consistency and compliance with relevant standards. In the case of Information Security, the ISO/IEC 27000 series of standards is relevant.

4.12  The School will monitor its own compliance with its policies and procedures. The School will formally record the results of compliance checks and will act to deal with any reported non-compliance.

5  Management of Information Security

5.1  The School will ensure adequate security training amongst those to whom this policy applies; it will deploy adequate guidance for them and encourage them to become more security aware. Clear and simple routes will be established to enable people to raise security concerns and to encourage good security practice. Formal security incident reporting will be implemented.

5.2  The School will provide guidance to its staff about working online, email and other electronic communications, password security, the secure use of portable devices such as laptop computers and secure working both on and off site.

5.3  Detailed policy and procedures will apply to the disclosure of School information which is not public. Appropriate guidance will be given to people handling that information to ensure that they can comply with disclosure rules. There will also be clear rules establishing minimum security standards to be used in the transmission of information, especially over public networks.

5.4  A clear desk policy should be adopted at all times to ensure that school information is not left on unattended desks or in shared areas. Confidential or personal information should always be shredded or disposed of in a confidential waste bin.

6  Information Sharing Policy

Purpose

6.1  The School is committed to making sure that its information is properly used to support the delivery of the services it provides. This includes the disclosure of information (including personal information) to others. The School recognises the negative impacts of failing to disclose information when it is necessary to do so and will guard against those. The School will make sure that the rights of individuals are recognised and that the School's responsibilities to individuals are properly discharged.

7  Approach to data sharing

7.1  The School will only disclose the minimum information necessary for the lawful purpose(s) for which that information is intended to be used. Where the School can control the information it receives it will only require the minimum it needs for its purposes and ensure that the information is of appropriate quality. The School will always act in a proportionate way consistent with its responsibilities under Human Rights law.

7.2  Where the School agrees with another body or person that there is a legal requirement for information to pass between them, the School will comply with that requirement. Where the School agrees with another body or person that there is a legal route giving them an option to pass information between them, the School will decide whether or not to exercise that option bearing in mind the law and the interests of all involved.

7.3  The School will make all its decisions about the receipt and disclosure of information at an appropriate level within the School. The Senior Information Risk Owner is accountable for receipt and disclosure decisions and associated processes. The relevant Information Asset Owner will be responsible for the same decisions and processes. Those responsible for making decisions on receipt and disclosure of information must have appropriate training and guidance available to ensure that they are able to act appropriately at all times.

7.4  The School will always work with others such as the third sector, Police, Central Government and the Health community with the aim of improving services. Where the receipt or disclosure of information is required to support this joint working we will make sure that we enable this where we can.

7.5  Where the School considers that research and/or statistical analysis is appropriate, it will use its information for those purposes where lawful. If it is essential to use personal data for research purposes, that use will comply with Section 33 of the Data Protection Act 1998 where applicable. Where possible and appropriate, research will be carried out by School staff. Written agreements will cover research work carried out for the School by third parties. Those agreements will include terms controlling the receipt, disclosure and use of information; security controls; the School’s rights in the products of the research; and the retention and destruction of School data.

7.6  Where the law requires the School to make a charge for disclosing information, that charge will be made. Where the School has a choice about charging, that choice will be made in a fair and equitable way, bearing in mind the law, School policy, customer and School interests. The School will generally not make charges for disclosing public information.

7.7  The School will comply with relevant Statutory Codes of Practice (such as the Information Commissioner’s Privacy Notices Code of Practice) where they apply.

8  Disclosure of personal data

8.1  The School will comply with Statutory Codes of Practice which affect the disclosure of personal data covered by the Data Protection Act 1998.

8.2  Where the School systematically and routinely discloses or receives personal data with other organisations for established purposes, it will apply the following standards. The School will also apply them, where appropriate, where it discloses, or is asked to disclose, personal data in cases which are not routine.

The School will:

·  Determine whether the objectives of disclosure could be met without using personal data

·  Consider all the legal implications of doing so, including those involving Human Rights

·  Identify the objectives of the proposed disclosure

·  Consider the potential risks and benefits of the disclosure, including the impact of not disclosing the data

·  Define exactly what personal data is the minimum that needs to be disclosed

·  Define exactly who needs to receive the personal data

·  Define exactly when it needs to be disclosed

·  Define how it will be disclosed

·  Apply appropriate security controls to the disclosure process

·  Document all routine disclosure arrangements, as far as possible.

These documents will record:

·  The objectives of the disclosure arrangements

·  Who will receive the personal data disclosed

·  The circumstances in which those recipients may have access to the data

·  The personal data to be disclosed

·  The quality of the personal data

·  The arrangements for the security of that data

·  The retention periods applying to that data

·  Procedures for handling data subjects' rights in relation to that data (where necessary)

·  How and when the disclosure arrangements can or will be terminated

·  Regular reviews of the continued need for disclosure of personal data

·  An indication of the organisational and individual consequences of failure to comply with security controls applying to the disclosed personal data

·  The arrangements that we and the recipient organisations will make to ensure that the terms of the arrangement continue to be met.

9  Authority for this policy

9.1  This policy is made by the Senior Information Risk Owner under the authority formally given to them by the School Governors.

10  Relevance

10.1  This policy is relevant to everyone who is authorised by the School to process any paper-based or electronic system containing information provided for, owned, controlled or administered by the School.

11  Definitions

11.1  Definitions of terms used in this policy are contained in the “definitions of terms used” document.

12  Policy Governance

12.1  The Senior Information Risk Owner is responsible for developing and implementing the policy. Everyone who is authorised by the School to process any paper-based or electronic system containing information provided for, owned, controlled or administered by the School should be consulted about it and informed of it.

13  Policy Compliance

13.1  Failure to comply with this policy is a serious matter. Those it applies to (paragraph 26.1 above) may be subject to criminal, civil or employment-related sanctions (for example, the misconduct process) if they do not observe the policy.

13.2  All School staff and the person who has approved this policy should be able to provide guidance on it; specific training and written guidance may also be available.