DATA SECURITY POLICY

(This Policy should be read in conjunction with the School’s Social Media Policy & Staff Acceptable Use Policy)

Introduction

Staff and Governors at Mayfield School may process personal data or hold documentation about students or the School on a regular basis, including the marking of registers or assessments, as part of pastoral or academic supervision, student administration or writing reports or references. Furthermore, some staff may frequently process information about other staff, especially in the context of disciplinary matters, appeals and recruitment procedures, both internal and external.

This policy does not form part of any employee's contract of employment and is not intended to have contractual effect. The School reserves the right to amend this policy at any time.

Failure to comply with this policy may expose the School, its staff and/or students to risks including identity theft, fraud or damage to the School’s reputation. Breach of the provisions of this policy will be treated as a disciplinary offence which may result in disciplinary action up to and including summary dismissal in accordance with the School’s Disciplinary Policy and Procedure.
Disclosure of Personal Data

All staff, including non-contracted staff and Governors, have a duty to ensure they do not disclose personal data which the School holds to any third parties. Furthermore, all staff will be responsible for ensuring that data is kept securely. If personal information is disclosed either orally or in writing, or in any other way, intentionally or otherwise, to any unauthorised third party, this may be dealt with under the School’s disciplinary procedure, and could be considered as gross misconduct in certain cases.

If circumstances do arise whereby the disclosure of data or documentation is urgent and necessary, such as where disclosure is requested by the police to comply with the law, the matter should be referred immediately to the Headteacher to obtain consent to disclose such information. Staff will only be permitted to disclose personal data without consent to third parties in very limited circumstances, such as if personal data is required urgently where a member of staff or student is injured and/or unconscious, but in need of medical attention.
Data Security Policy Approved May 2017
Securing Personal Data

All staff must make reasonable efforts to ensure that all personal information is kept securely and is only accessed by those who are authorised by Mayfield School to do so. Staff should put extra measures in place to ensure that sensitive data is:
protected by password, if held on a computer;
kept in a lockable room with controlled access;
kept in a locked filing cabinet or drawer.
Under no circumstances should personal data be copied and taken offsite for processing. Personal data that requires electronic processing must be accessed and processed on site or remotely via the School’s servers. Personal data must never be copied to USB devices, emailed to personal email accounts or uploaded to online storage facilities such as Google Drive or Dropbox.
Transmission of Personal Data

Under no circumstances are staff to transmit student data such as names, UPN, DOB in unsecured emails in plain text to outside organisations. This information is highly sensitive and should either be sent through encrypted email or be password encrypted, with the password being transmitted in a separate email or over the phone verbally to the recipient.
Off-site Use of Personal Data

Off-site use of personal data poses a potentially greater risk of loss, theft and/or damage to personal data and documentation. Furthermore, the institutional and personal liability that may accrue from the off-site use of personal data is similarly increased. All staff should therefore ensure that:
personal data and documentation is only to be accessed remotely when absolutely necessary, and for the shortest time possible, particularly where sensitive data can be processed;
particular care is taken when laptops or other technological devices are used to process personal data at home or in any location other than Mayfield School premises; and
this code of practice is adhered to at all times when data or documentation is viewed or processed remotely.
Acceptable Use of SIMS and SIMS Related Third Party Software

Mayfield School uses a Management Information System called SIMS.net. Information accessed through the SIMS system is confidential and protected by law under the Data Protection Act 1998. The School may use other software packages that use personal data stored in the SIMS system for processing. Staff must therefore:
Not distribute or disclose any information obtained from the SIMS system to any person(s) with the exception of the student to whom the information relates or to other adult(s) with parental responsibility; and
Not attempt to access the SIMS system or related software in any environment where the security of the information may be placed at risk e.g. on shared internet PCs or in other public places.