Information Management and Security Policy - UNCLASSIFIED

Document Control

School / Dobcroft Junior School
Title / Information Management and Security Policy
Status / Final
Owner / Senior Information Risk Owner
Protective Marking / Unclassified
Review date / January 2018

Revision History

Version / Revision Date / Reviser / Description of Revision
0.1 / 5/1/16 / JC / Personalised to school
0.2 / 5/1/16 / JC / Risk mitigations integrated into Manual.

Contents

1 Introduction and Purpose 3

2 Scope of this document 3

3 Policy Applicability 4

4 Decision Making Under this Policy 4

5 Information Handling Policy 5

6 Responsibility for the handling of Information 5

7 Identifying Information Assets 5

8 Information risk assessment 5

9 Responding to security incidents 6

10 Information Security Policy 6

11 Approach to Information Security 6

12 Management of Information Security 7

13 Information Sharing Policy 8

14 Purpose 8

15 Approach to data sharing 8

16 Disclosure of personal data 9

17 Information Management Policy 11

18 Approach to Information Management 11

19 Involvement in Information Management 11

20 Authority for this policy 12

21 Relevance 12

22 Definitions 12

23 Policy Governance 12

24 Policy Compliance 12

Page 2 of 12 © Sheffield City Council 2011

1  Introduction and Purpose

1.1  The information vision will be realised by the School through adherence to the policy points outlined in this document and by embedding Information Management best practice and procedures into the School's activities.

1.2  This is the Information Management and Security Policy for Dobcroft Junior School. It covers all information created by the School and all information entrusted to it, regardless of format and storage medium.

1.3  The Information Management and Security Policy outlines the School's high-level approach to the management and security of the information entrusted to it. The SIRO will create and approve the procedures and best practice required to enable the School to fulfil its policy obligations.

1.4  The School will detail all its approved procedures and best practice in a separate document (the Information Management and Security Manual).

2  Scope of this document

2.1  This policy sets out the approach of Dobcroft Junior School in the following areas of Information Management and Security:

·  Information Handling

·  Information Security

·  Information Sharing

·  Information Management

2.2  This policy will complement, but not replace or override, any existing School policies which relate to Information Management and Security.

2.3  As part of implementing this policy, the School will review the policies that are affected by it or that have an impact on it. These policies include:

·  FOI Policy

·  ICT Policy

·  Safeguarding Policy

·  SEN Policy

2.4  Where a change resulting from the implementation of this policy affects the way in which people work or conduct activities in the School this will be clearly documented and communicated to all those concerned.

3  Policy Applicability

3.1  This policy applies to everyone who is authorised by the School to use any paper based or electronic system containing information provided for, owned, controlled or administered by the School.

3.2  This policy applies to all information processed by and on behalf of the School regardless of format.

4  Decision Making Under this Policy

4.1  The Senior Information Risk Owner (SIRO) is responsible for developing and implementing the policy. Any individual identified by the SIRO as the Information Asset Owner for a specific asset group will be consulted on any aspect of this policy that may affect how they manage or secure those Information Assets.

4.2  The Senior Information Risk Owner may make or review any decision under this policy and, if appropriate, substitute their own decision for it. Once the policy has been approved by the School's governing body, any changes to it will need to be reassessed and go through the School's re-approval process.

5  Information Handling Policy

6  Responsibility for the handling of Information

6.1  The School accepts that everyone who has access to information is responsible for it. The School will make this clear to everyone this policy applies to and tell them of the consequences of mishandling information.

6.2  The School will appoint a Senior Information Risk Owner (SIRO) in the first instance. The role and responsibilities of the SIRO are defined in the School's Information Management Strategy document, and the appointed SIRO will be named in that document.

6.3  When the School has reached the appropriate level of Information Management and Security maturity, the SIRO will identify Information Asset Owners (IAOs) for each of the specified asset groups. These will be documented in the Information Management Strategy document.

7  Identifying Information Assets

7.1  The School will identify its information assets (an information asset is a collection of data or a discrete set of data, such as learner educational records or an attendance register) and put adequate arrangements in place to manage them.

7.2  Once the School has identified its Information Assets, it will group them logically so that an appropriate Information Asset Owner can be assigned to each group (see 6.3 above) and so that the assets can be managed more efficiently. Once the SIRO has identified and grouped the assets, these will be detailed in the Information Management and Security Manual.

8  Information risk assessment

8.1  Given the importance of understanding the risks the School runs in handling its information, the School will carry out and act on Information Risk Assessments. The School will protect information in proportion to the risks to that information that have been identified in Risk Assessments.

8.2  The School will establish criteria for assessing risks, which will include identifying: information assets; relevant legal requirements; School operational requirements; and the reputational impact of incidents (such as the unauthorised disclosure of information).

8.3  The School will apply the criteria it establishes in priority order. That priority order determines the order in which risks are assessed and appropriate mitigations deployed. The highest priority will be given to Information Assets containing personal data, and the next highest priority to information which is critical to the School's work.

8.4  The School will identify the threats to its information assets; the existing security controls that apply to them; the vulnerabilities to which they are subject; the consequences of a risk arising; and other relevant issues.

8.5  When threats and the associated mitigations have been identified, the School will implement those mitigations and document them as procedure and best practice in its Information Management and Security Manual.

9  Responding to security incidents

9.1  The School will put in place a process for responding to security incidents. This process will be supported by: appropriate management commitment; a resolution team; an individual in charge of each incident; a communications plan, if appropriate; resolution action plans; knowledge of previous incidents; and appropriate awareness-raising routes.

9.2  The first steps in responding to the loss of information are to: retrieve the information where possible; report the loss to the School (the process will set out timeframes and key contacts); and assess the potential damage (what information was involved? Did it contain personal data? Does the loss pose any immediate threat? Was an attempt made to retrieve the information?). The loss will need to be assessed and, if it is found to be in breach of the Data Protection Act, the Information Commissioner's Office (ICO) will need to be informed.

10  Information Security Policy

11  Approach to Information Security

11.1  The School will construct and maintain a sound approach to Information Security based on robust policies and procedures which are formally adopted by the School.

11.2  Policies and procedures will assign responsibilities to designated individuals (or other legal persons as appropriate) who will be required to discharge those responsibilities in a manner consistent with their legal relationship with the School.

11.3  Policies and procedures will reflect best practice as far as possible and will be regularly reviewed for correctness, consistency and compliance with relevant standards. In the case of Information Security, the ISO/IEC 27000 series standards are relevant.

11.4  The School will monitor its own compliance with its policies and procedures. The School will formally record the results of compliance checks and will act to deal with any reported non-compliance.

12  Management of Information Security

12.1  The School will use a combination of policy, procedure, guidance and where applicable, formal legal controls (such as those contained in contracts) to manage the security of its information.

12.2  The School will ensure adequate security training amongst those to whom this policy applies; it will deploy adequate guidance for them and encourage them to become more security aware. Clear and simple routes will be established to enable people to raise security concerns and to encourage good security practice. Formal security incident reporting will be implemented.

12.3  The School will make it clear to persons subject to this policy what information needs protecting and to what extent, through use of the Government Protective Marking Scheme.

12.4  The School will provide guidance to its staff about working online, email and other electronic communications, password security, the secure use of portable devices such as laptop computers and secure working both on and off site.

12.5  Detailed policy and procedures will apply to the disclosure of School information which is not public. Appropriate guidance will be given to people handling that information to ensure that they can comply with disclosure rules. There will also be clear rules establishing minimum security standards to be used in the transmission of information, especially over public networks.

12.6  A clear desk policy should be adopted at all times in areas accessible to the public, to ensure that School information is not left on unattended desks or in shared areas. Confidential or personal information should always be shredded or disposed of in a confidential waste bin.

13  Information Sharing Policy

14  Purpose

14.1  The School is committed to making sure that its information is properly used to support the delivery of the services it provides. This includes the disclosure of information (including personal information) to others. The School recognises the negative impacts of failing to disclose information when it is necessary to do so and will guard against them. The School will make sure that the rights of individuals are recognised and that the School's responsibilities to individuals are properly discharged.

15  Approach to data sharing

15.1  The School will only disclose the minimum information necessary for the lawful purpose(s) for which that information is intended to be used. Where the School can control the information it receives it will only require the minimum it needs for its purposes and ensure that the information is of appropriate quality. The School will always act in a proportionate way consistent with its responsibilities under Human Rights law.

15.2  Where the School agrees with another body or person that there is a legal requirement for information to pass between them, the School will comply with that requirement. Where the School agrees with another body or person that there is a legal route giving them an option to pass information between them, the School will decide whether or not to exercise that option bearing in mind the law and the interests of all involved.

15.3  The School will make all its decisions about the receipt and disclosure of information at an appropriate level within the School. The Senior Information Risk Owner is accountable for receipt and disclosure decisions and associated processes. The relevant Information Asset Owner will be responsible for the same decisions and processes. Those responsible for making decisions on receipt and disclosure of information must have appropriate training and guidance available to ensure that they are able to act appropriately at all times.

15.4  The School will always work with others, such as the third sector, the Police, Central Government and the Health community, with the aim of improving services. Where the receipt or disclosure of information is required to support this joint working, the School will make sure that it enables this where it can.

15.5  Where the School considers that research and/or statistical analysis is appropriate, it will use its information for those purposes where lawful. If it is essential to use personal data for research purposes, that use will comply with Section 33 of the Data Protection Act 1998 where applicable. Where possible and appropriate, research will be carried out by School staff. Written agreements will cover research work carried out for the School by third parties. Those agreements will include terms controlling the receipt, disclosure and use of information; security controls; the School’s rights in the products of the research; and the retention and destruction of School data.

15.6  Where the law requires the School to make a charge for disclosing information, that charge will be made. Where the School has a choice about charging, that choice will be made in a fair and equitable way, bearing in mind the law, School policy, customer and School interests. The School will generally not make charges for disclosing public information.

15.7  The School will comply with relevant Statutory Codes of Practice (such as the Information Commissioner’s Privacy Notices Code of Practice) where they apply.

16  Disclosure of personal data

16.1  The School will comply with Statutory Codes of Practice which affect the disclosure of personal data covered by the Data Protection Act 1998.

16.2  Where the School systematically and routinely discloses personal data to, or receives personal data from, other organisations for established purposes, it will apply the following standards. The School will also apply them, where appropriate, where it discloses or is asked to disclose personal data in cases which are not routine.

The School will:

·  Determine whether the objectives of disclosure could be met without using personal data

·  Consider all the legal implications of doing so, including those involving Human Rights

·  Identify the objectives of the proposed disclosure

·  Consider the potential risks and benefits of the disclosure, including the impact of not disclosing the data

·  Define exactly what personal data is the minimum that needs to be disclosed