
E-SAFETY POLICY 2014/15

Including:

• Staff ICT policy (Corporation approved)
• Data protection policy (Corporation approved)
• Staff guidelines for Data protection
• Data Security, awareness raising
• Acceptable use declaration


DATA SECURITY PRACTICALITIES - AWARENESS RAISING

For any information that may harm or distress staff or students:

• Don’t keep records if you don’t have to; keep it secure
• Give access on a reasonable need to know basis with explicit confidentiality requirements

For paper based information:

1. Keep it locked and transport it responsibly.

2. SHRED – see The Executive Office Manager for secure shredding or shred it yourself – especially with the end of term throw out.

NB we do not keep much highly sensitive data that would really cause issues with our students or staff. However, anything found outside College with names etc could be reported in the press in a way that could damage our reputation.

For electronic based information:

1. Password protect Word, Excel and Access files as appropriate; see any IT staff if you cannot do this.

2. Don’t leave data on computer hard drives (the C drive on the computer you are working on) unless you have to – use College servers which are secure and backed up (R/G drive which can also be accessed from home). Less preferably use your own removable media (eg pen drives).

3. If you find yourself disposing of old computers be careful to ensure any sensitive information is deleted from the hard drive.

4. Please don’t pin your password/s to the wall of your office or give it to students for convenience.

5. Change your passwords and make them harder to crack (longer, alphanumeric, different cases and non-alphanumeric characters eg # ).

6. Be very careful with loaned College laptops (what you put on the hard drive and what would happen if it was lost); see 7 below for your responsibilities.

7. Pen drives: we are currently looking at supplying encryption and password protection of pen drives but it is expensive or surprisingly difficult. For the foreseeable future, pen drive data and its backup is the responsibility of individual staff. It needs to be the case that if you lose your pen drive on a Huddersfield station platform, we would not be compromised by a stranger finding it who had malicious intentions.

8. Sending emails with personal or sensitive information: zip the information as an attachment with encryption and password protection before adding it to an email; phone the password for unlocking to the recipient. If you do not know how to do this or do not understand the last statement, network support will do this for you. Under such circumstances, be sure you are sending a file to the right email address and that you have a confidentiality/data protection statement as a signature on your email.

9. PLEASE read the College’s data protection policy available on the Staff intranet and the College web site.


DATA PROTECTION POLICY

Data Controller (1): Mr Peter Gordziejko

Data Controller (2): Mr Phil Rumsey

Introduction

Greenhead College (the college) needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements and health & safety, for example. It is also necessary to process information so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government complied with. To comply with law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the college must comply with the Data Protection Principles which are set out in the Data Protection Act 1998.

In summary these state that personal data shall:

• Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
• Be adequate, relevant and not excessive for those purposes
• Be accurate and kept up to date
• Not be kept for longer than is necessary for that purpose
• Be processed in accordance with the data subject’s rights
• Be kept safe from unauthorised access, accidental loss or destruction
• Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

The college and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the college has developed the Data Protection Policy.

Status of the Policy

The policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the college from time to time. Any failures to follow the policy can therefore result in disciplinary proceedings. Any member of staff who considers that the policy has not been followed in respect of personal data about themselves should raise the matter with the designated data controller initially. If the matter is not resolved it should be raised as a formal grievance.

Responsibilities of Staff

All staff are responsible for

• Checking that any information that they provide to the college in connection with their employment is accurate and up to date.
• Informing the college of any changes to this information, e.g. change of address.

Data Security

All staff are responsible for ensuring that:

• Any personal data which they hold is kept securely.
• Personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party.

Personal information should be

• kept in a locked filing cabinet; or
• in a locked drawer; or
• if it is computerised, be password protected; or
• kept only on a disk which is itself kept securely.

Student Obligations

Students must ensure that all personal data provided to the college is accurate and up to date. They must ensure that changes of address, etc are notified to their tutor.

If they are using college computer facilities to process their personal data, they are responsible for its security.

Rights to Access Information

Staff, students and other users of the college have the right to access personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should complete the college ‘Access to Information’ form, which is available on the college intranet, and give it to their line manager / personal tutor.

The college will make a charge of £10 on each occasion that access is requested, although the college has the discretion to waive this.

The college aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 21 days unless there is a good reason for delay. In such cases, the reason for delay will be explained in writing to the person making the request.

Publication of College Information

Information that is already in the public domain is exempt from the 1998 Act. It is the college’s policy to make as much information public as possible, and in particular the following information will be available to the public.

• Names of college governors
• List of all staff
• Photographs of staff
• Student examination results
• Student destinations

It is the college’s policy to make as much information public as possible. Access to public information is to be available under the Freedom of Information Act 2000.

The college internal phone list will not be a public document.

Any individual who has good reason for wishing details in these lists or categories to remain confidential should contact the designated data controller.

Subject Consent

In many cases the college can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express written consent must be obtained. Agreement to the college processing some specified classes of personal data is a condition of acceptance of a student onto any course, and a condition of employment for staff. This includes information about previous criminal convictions.

College staff will be in contact with young people between the ages of 16-19. The college has a duty under the Children Act and other enactments to ensure that staff are suitable for the job, and students for the course offered. The college has a duty of care to all staff and students and must therefore make sure that employees and those who use the college facilities do not pose a threat or danger to other users.

The college will also ask for information about particular health needs, such as allergies, or conditions such as asthma or diabetes. The college will only use the information in the protection of the health and safety of the individual, but will need consent to process in the event of a medical emergency, for example.

Therefore, all prospective staff will be asked to sign a consent to process form and students will be asked to sign a declaration on their learning agreement.

Processing Sensitive Information

Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details. This may be to ensure the college is a safe place for everyone, or to operate other college policies, such as the sick pay policy or equal opportunities policy. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, staff and students will be asked to give express consent for the college to do this. Offers of employment or course places may be withdrawn if an individual refuses to consent to this without good reason.

The Data Controller

The college as a corporate body is the data controller under the Act, and the board is therefore ultimately responsible for implementation. However, the designated data controllers will deal with day-to-day matters.

The college has two designated data controllers. They are named on the top of this document.


Retention of Data

The college will keep some forms of information for longer than others. Because of storage problems, information about students cannot be kept indefinitely, unless there are specific requests to do so. In general, information about students will be kept for a maximum of 10 years after they leave college. This will include

• name and address
• academic achievements
• copies of any reference written
• copies of job/course application forms
• progress reports.

All other information, including any information about health, race or disciplinary matters will be destroyed within 6 months of the course ending, except in instances where this data is retained by the Equal Opportunities Co-ordinator for statistical purposes.

The college will also need to keep information about staff for longer periods of time. In general, all information will be kept for 10 years after a member of staff leaves the college. Some information will be kept for much longer. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, and information required for job references. A full list is available from the data controller.

Conclusion

Compliance with the 1998 Act is the responsibility of all members of the college. Any deliberate breach of the data protection policy may lead to disciplinary action being taken, or access to college facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy would be taken up with the designated data controller.


Staff ICT Policy

The ability of employees to use external e-mail and to access the Internet provides new opportunities for the College as it facilitates the gathering of information and communication with fellow employees, customers and other contacts. However, Internet and e-mail access opens up the College to new risks and liabilities. It is therefore essential that employees read these guidelines and make themselves aware of the potential liabilities involved in using e-mail and the Internet.

1. General Points

1.1 Use of e-mail and the Internet is primarily for work-related purposes.

1.2 The College has the right to monitor any and all aspects of its telephone and computer system that are made available to you and to monitor, intercept and/or record any communications made by employees, including telephones, e-mail or Internet communications.

In addition, the College wishes to make you aware that Closed Circuit Television (CCTV) is in operation for the protection of employees and students.

1.3 Computers and e-mail accounts are the property of the College and are designed to assist in the performance of your work. You should, therefore, have no expectation of privacy in any e-mail sent or received, whether it is of a business or personal nature.

1.4 It is inappropriate use of e-mail and the Internet for employees to access, download or transmit any material which might reasonably be considered to be obscene, abusive, sexist, racist or defamatory. You should be aware that such material may also be contained in jokes sent by e-mail. Such misuse of electronic systems will be misconduct and will, in certain circumstances, be treated by the College as gross misconduct. The College reserves the right to use the content of any employee e-mail in any disciplinary process.

2. Use of e-mail

2.1 E-mails should be drafted with care. Due to the informal nature of e-mail, it is easy to forget that it is a permanent form of written communication and that material can be recovered even when it is deleted from your computer.

2.2 Employees should not make derogatory remarks in e-mails about employees, students, competitors or any other person. Any written derogatory remark may constitute libel.

2.3 Try not to create e-mail congestion by sending trivial messages or unnecessarily copying e-mails. Employees should regularly delete unnecessary e-mails to prevent over-burdening the system.

2.4 Make hard copies of e-mails which you need to retain for record keeping purposes.

2.5 You may want to obtain e-mail confirmation of receipt of important messages. You

system receiving your message. If in doubt, telephone to confirm receipt of important messages.

2.6 Reasonable private use of e-mail is permitted but should not interfere with your work. The contents of personal e-mails must comply with the restrictions set out in these guidelines. Excessive private use of the e-mail system during working hours may lead to disciplinary action and may in certain circumstances be treated by the College as gross misconduct.

2.7 By sending e-mails on the College’s system, you are consenting to the processing of any personal data contained in that e-mail and are explicitly consenting to the processing of any sensitive personal data contained in that e-mail. If you do not wish the College to process such data you should communicate it by other means.

The Principal and other Senior Post holders have the authority to authorise access to personal email correspondence and internet sites following a grievance, complaint or in the event of any potential disciplinary action. In the case of Senior Post holders, the Chair of Governors would authorise.

3. Use of the Internet

3.1 Reasonable private use of the Internet is permitted but should be kept to a minimum and should not interfere with your work. Excessive private access to the Internet during working hours may lead to disciplinary action and may in certain circumstances be treated by the College as gross misconduct.

3.2 The sites accessed by you must comply with the restrictions set out in these guidelines. Accessing inappropriate sites may lead to disciplinary action and may in certain circumstances be treated by the College as gross misconduct.

4. Copyright and downloading

4.1 Copyright applies to all text, pictures, video and sound, including those sent by e-mail or on the Internet. Files containing such copyright protected material may be downloaded, but not forwarded or transmitted to third parties without the permission of the author of the material or an acknowledgement of the original source of the material, as appropriate.

4.2 Copyrighted software must never be downloaded. Such copyrighted software will include screen-savers.

4.3 The downloading of bit-mapped images and multimedia files is limited to the disk space limitation above.

4.4 College employees should show reasonable vigilance concerning viral threats when importing any files by any means into College systems and should seek help from IT support if in doubt.

4.6 College employees must not use computer systems to purport to speak on behalf of the College unless authorised to do so by the Principal or Governors.


5. General computer usage

5.1 You are responsible for safeguarding your password for the system. For reasons of security, your individual password should not be printed, stored on-line or given to others. User password rights given to employees should not give rise to an expectation of absolute privacy.

5.2 Your ability to connect to other computer systems through the network does not imply a right to connect to those systems or to make use of those systems unless authorised to do so. You should not alter or copy a file belonging to another user without first obtaining permission from the creator of the file.

The Principal and other Senior Post Holders have the authority to authorise access to personal email correspondence and internet sites following a grievance, complaint or in the event of any potential disciplinary action. In the case of Senior Post Holders, the Chair of Governors would authorise.

6. Network Management Department

The Network Management Department is there to assist you. If you require any information or help about the use or set up of your computer you should contact any of the Department’s members of staff.

7. Equal Opportunities

This policy has been framed in compliance with the college’s Equality and Diversity Policy. More detailed information can be found in the College’s Disability Statement and the Equal Opportunities Policy, which can be viewed on the College website (www.greenhead.ac.uk). Copies are also available from the College on request.


STAFF GUIDELINES FOR DATA PROTECTION

1. All staff process data about students on a regular basis, when marking college work, writing reports or references, or as part of a pastoral or academic role. The college will ensure through enrolment procedures that all students give their consent to this sort of processing. The information that staff deal with on a day-to-day basis will be ‘standard’ and cover categories such as:

• General personal details such as name and address.
• Details about class attendance, course work marks, grades and comments.
• Notes of behaviour and discipline.
• Ethnic information.
• References and examination results from former schools.

2. Information about a student’s physical or mental health, sexual life, political or religious views is sensitive and can only be collected and processed with the student’s consent.

e.g. recording information about dietary needs, for religious or health reasons prior to taking students on a field trip; recording information that a student is pregnant, as part of pastoral duties.

3. There may be occasions when it is impossible to obtain the consent of the student to pass on certain sensitive information:

E.g. a student is injured and unconscious, but in need of medical attention, a staff member may have to pass on relevant medical information.


DATA PROTECTION ACT 1998

Guidelines for Retention of Personal Data

HR files and data: 6 years from end of employment
Application forms: 6 months from the date of interview
Redundancies: 3 years from date of redundancy
Income tax / NI returns: minimum 3 years
Statutory Maternity Pay: minimum 3 years
Statutory Sick Pay: minimum 3 years
Salary Records: 6 years
Accident Book: 3 years after last entry
Health Records: 3 years
Medical records (COSH): 40 years
Student Records: 10 years


TO RETURN TO HUMAN RESOURCES FOR STAFF RECORDS

I agree to adhere to the guidelines stated in the E-safety framework and the safe use of ICT policy.

Signed:……… NAME:……… Date:………

Author: P Gordziejko – D Todd
Date drafted: May 2010
Date reviewed: November 2014
Date of next review: Spring 2016
