www.st-margarets.warrington.sch.uk

INFORMATION MANAGEMENT POLICY (INCL. BUSINESS CONTINUITY)

CARE, CHALLENGE, CELEBRATE WITH CHRIST

St Margaret’s CE (VA) Primary School, School Road, Orford, Warrington WA2 9AD
Telephone: 01925 634207
Facsimile: 01925 243342
Email: [email protected]

POLICY

St Margaret’s Church of England Primary School

ST MARGARET’S CE PRIMARY SCHOOL – INFORMATION MANAGEMENT POLICY

CONTENTS

1.0 Purpose
2.0 Organisational security
3.0 Personnel security
4.0 Physical and environmental security
5.0 Communications and operations management
6.0 Access control
7.0 Systems development and maintenance
8.0 Business continuity management
Appendix 1


SMCE Information Management Policy


1.0 Purpose

1.1 This information access and security policy provides clear direction and support for information security that is applicable to all staff at all levels of the organisation. The policy describes the means by which the school aims to preserve confidentiality, integrity and availability of data.

Confidentiality: information is accessible only to those authorised to have access.
Integrity: safeguarding the accuracy and completeness of information.
Availability: ensuring that authorised users have access to information when required.

1.2 It is acknowledged that the school has legal, statutory and contractual requirements with which it must comply. The school complies with the rules of good information handling, known as the data protection principles, and the other requirements of the Data Protection Act.

1.3 The senior manager in the school allocated overall responsibility for information security is the Headteacher.

1.4 This policy will be reviewed and updated as necessary.

1.5 Specialist security advice will be sought where necessary. The LA & ICT Support Team will be consulted as a source of such advice, for example for data protection or network security issues.

2.0 Organisational security

2.1 This is the overall responsibility of the Headteacher.

2.2 An accurate inventory is maintained of all the assets associated with information systems. This is the responsibility of the Headteacher.

2.3 Each “information asset” (e.g. information system, database, etc) has an owner who is responsible for its day to day security. Information is classified according to its degree of sensitivity and confidentiality, indicating the need and priority for its protection, and is labelled appropriately (e.g. level 1 is all staff access, level 5 is Headteacher only). Each classification has defined procedures for copying, storage, transmission (e.g. post, fax, email, telephone) and destruction.

2.4

Information: Databases, documentation, manuals, plans, archived information
Software: Application and system software
Physical: Computer and communications equipment
Services: Power, air conditioning


2.5

Authorisation level | Names of Key Personnel | Authorised to:

Authorisation level: 1, 2
Names of Key Personnel: All teaching and support staff
Authorised to: Pupil files; Emergency contact file; SIMS Pupil Module – All access rights; SIMS Attendance Module – All access rights; School electronic calendar
Names of Key Personnel: Office staff: Support Services Manager, Admin Assistant, Learning Mentor

Authorisation level: 3
Names of Key Personnel: Office staff: Headteacher’s Secretary, Enquiries & Admissions Secretary
Authorised to: All SIMS Modules – All access rights; FMS SIMS Module – All access rights; School Outlook electronic calendar; DHT Incident Journal Entry
Names of Key Personnel: Senior management: Headteacher, Deputy Headteacher

2.6 Sensitivity Levels:

1 = Not deemed sensitive
2 = Some aspects deemed sensitive
3 = Most aspects deemed sensitive

INFORMATION ASSET | PURPOSE | SENSITIVITY LEVEL | KEEPER | AUTHORISATION LEVEL
SIMS Pupils | Pupil Details | 2 | Mrs A McGuiness | 2
SIMS Personnel | Staff Details | 3 | Mrs A McGuiness | 3
SIMS FMS | Financial Management | 3 | Mrs E Dean | 3
SIMS Assessment Manager | Pupil Performance Data | 2 | Mrs J Holmes | 2
School Outlook electronic calendar | School appointments, Parents Calendar | 2 | Mrs A McGuiness | 2

PHYSICAL ASSETS ARE RECORDED WITHIN THE INVENTORY BOOK/DATABASE


3.0 Personnel security

3.1 This is the overall responsibility of the Headteacher.

3.2 Security in job responsibilities

Security responsibilities are clearly documented and, where appropriate, addressed at the recruitment phase and included in contracts of employment. Personnel screening processes for permanent and temporary staff include appropriate controls (e.g. availability of satisfactory references, confirmation of claimed academic and professional qualifications, independent identity checks). There is a formal disciplinary process for employees who violate security policies and procedures, and employees are made aware of the action to be taken if they disregard security requirements.

3.3 Information security education and training

All staff receive appropriate training and regular updates in security policies and procedures before access to systems is granted. This includes training in security requirements, controls and legal requirements, as well as in the correct use of information systems (e.g. log-on procedures).

3.4 Responding to security incidents and malfunctions

A formal procedure exists for reporting and responding to security incidents, malfunctions and weaknesses. All staff are aware of their responsibilities to note and report such incidents through the proper management channels as quickly as possible. Recovery is carried out only by appropriately trained and experienced staff. Users are made aware that they should not, under any circumstances, attempt to prove a suspected security weakness as this could be interpreted as potential misuse of the system.

4.0 Physical and environmental security

4.1 This is the overall responsibility of the Headteacher.

4.2 Secure areas

Areas in which critical or sensitive information is processed are physically secured to prevent unauthorised access, damage or interference. Control is achieved by conventional security procedures (e.g. doors and windows locked when unattended, intruder detection systems). Access to secure areas is controlled and restricted to authorised personnel only, with the use of keys.

4.3 Equipment security

Equipment is sited or protected to minimise the risk of theft (including security marking) and damage (e.g. fire, water, impact, power surge). Cabling is protected from interception or damage (e.g. use of conduit, fibre, avoidance of public areas). Equipment is correctly maintained and serviced by authorised personnel.

4.4 Off-site security

Equipment is not taken off-site without authorisation. Where necessary and appropriate, equipment is logged out and back by the Administrative Staff. Equipment and media taken off the premises are not left unattended in public places. Portable computers are carried as hand luggage and disguised where possible when travelling. Home working is subject to suitable controls.


4.5 Secure disposal or re-use of equipment

Appropriate arrangements are made for the secure disposal of media containing sensitive information. Confidential paper documents are securely disposed of by shredding. Storage devices containing sensitive information are destroyed or securely overwritten (rather than using the standard delete function) prior to disposal. Equipment containing storage media (e.g. hard disks) is checked to ensure that sensitive data and licensed software have been removed or overwritten prior to disposal or re-use.

4.6 Clear desk and screen policy

Paper and computer media are stored in suitable locked cabinets where appropriate. Sensitive printed material is cleared from printers immediately and filed or shredded. PCs and printers are not left logged on when unattended and are protected as appropriate by key locks and passwords when not in use. Users terminate active sessions and log off when finished. Where appropriate, PCs shut down or time-out after a period of inactivity, with a limited time-out facility afforded by password protected screen savers.

5.0 Communications and operations management

5.1 This is the overall responsibility of the Headteacher.

5.2 Operating procedures are documented and maintained. Changes to systems are controlled with significant changes identified and recorded, following assessment of the potential impact of the change, and the change details communicated to the relevant persons. Incident management procedures are in place to ensure a quick, orderly and effective response to security incidents.

5.3 Protection against malicious software (viruses, etc.)

Software licensing requirements are complied with and the use of unauthorised software is prohibited. Anti-virus detection and repair software is installed and regularly updated. Electronic mail attachments and downloads and any files of uncertain origin on electronic media or downloaded are checked for malicious software before use. Appropriate business continuity plans for recovery from attack are in place (e.g. data and software back-up and recovery arrangements). The school has contracts for recovery with LA ICT Support Team.

5.4 Housekeeping and network management

Back-up copies of essential information and software are taken regularly according to an appropriate schedule. At least three generations of back-up information are retained for important applications and are stored with an appropriate level of physical protection at a sufficient distance to escape a disaster at the main site. Back-up media and restoration processes are regularly checked to ensure that they are effective. Controls are in place to ensure the security of data in networks and the protection of connected services from unauthorised access.

Backup procedure - data: Remote data storage
Routine: Remotely taken every night.
Responsibility: Mrs E Dean / LA

5.5 Electronic mail

Guidelines exist on when to use and not to use email. Staff understand the potential difficulties of the difference between electronic and traditional forms of communication (e.g. speed, message structure, degree of informality and vulnerability to unauthorised actions and attack, interception and viruses). Staff understand their responsibility not to use email in such a way as to compromise the good name of the school (e.g. defamatory email, harassment, unauthorised purchasing).


6.0 Access control

6.1 This is the responsibility of the Headteacher.

6.2 User registration

Formal procedures are in place to control the allocation of access rights to information systems and services. Users have authorisation from the system owner and the level of access is appropriate for the purpose. User access rights are regularly reviewed; access rights of leavers are removed immediately and redundant user IDs removed. Privileges associated with each system and user are identified, allocated on a need-to-use basis and kept to a minimum.

6.3 User password management

Users understand the need to keep passwords confidential and to avoid sharing them, keeping a paper record or recording them in a way that makes them accessible to unauthorised persons. Passwords are changed if there is a possibility that security has been compromised, according to a system that ensures use of quality passwords.

7.0 Systems development and maintenance

7.1 This is the responsibility of the Headteacher.

7.2 Security issues are identified and considered at an early stage when procuring or developing new information systems. Input data is validated to ensure that it is correct and appropriate. Outputs and downloaded or uploaded data are checked for validity and integrity.

8.0 Business continuity management

8.1 This is the responsibility of the Headteacher.

8.2 Business continuity management aims to reduce disruption to the running of the school that would otherwise be caused by, for example, natural disasters, accidents, equipment failures and deliberate actions. It should be read in conjunction with the Critical Incident Policy. It applies to all business processes, not just those related to information management. Continuity plans, each with an identified owner, are in place within a business continuity planning framework that ensures that all the plans are consistent and a priority order exists.

The purpose of the business continuity phase of your response is to ensure that critical activities are resumed as quickly as possible and/or continue to be delivered during the disruption. This may involve activation of one or more of your business continuity strategies to enable alternative ways of working. During an incident it is unlikely that you will have all of your resources available to you; it is therefore likely that some ‘non critical’ activities may need to be suspended at this time.


Business Continuity Actions

Each numbered ACTION is followed by its FURTHER INFO/DETAILS.

1. ACTION: Identify any other stakeholders required to be involved in the Business Continuity response
FURTHER INFO/DETAILS: Depending on the incident, you may need additional/specific input in order to drive the recovery of critical activities, this may require the involvement of external partners

2. ACTION: Evaluate the impact of the incident
FURTHER INFO/DETAILS: Take time to understand the impact of the incident on ‘business as usual’ School activities by communicating with key stakeholders to gather information. Consider the following questions:
• Which School activities are disrupted?
• What is the impact over time if these activities do not continue?
• What are current staffing levels?
• Are there any key milestones or critical activity deadlines approaching?
• What are your recovery time objectives?
• What resources are required to recover critical activities?

3. ACTION: Plan how critical activities will be maintained, utilising pre-identified or new business continuity strategies
FURTHER INFO/DETAILS: Consider:
• Immediate priorities
• Communication strategies
• Deployment of resources
• Finance
• Monitoring the situation
• Reporting
• Stakeholder engagement
Produce an action plan for this phase of response.

4. ACTION: Log all decisions and actions, including what you decide not to do and include your decision making rationale
FURTHER INFO/DETAILS: Complete Yellow Incident Form

5. ACTION: Log all financial expenditure incurred
FURTHER INFO/DETAILS: Keep any receipts.

6. ACTION: Allocate specific roles as necessary
FURTHER INFO/DETAILS: Roles allocated will depend on the nature of the incident and availability of staff

7. ACTION: Secure resources to enable critical activities to continue/be recovered
FURTHER INFO/DETAILS: Consider requirements such as staffing, premises, equipment, ICT, welfare issues etc

8. ACTION: Deliver appropriate communication actions as required
FURTHER INFO/DETAILS: Ensure methods of communication and key messages are developed as appropriate to the needs of your key stakeholders e.g. Staff, Parents/Carers, Governors, Suppliers, Local Authority, Central Government Agencies etc.


Business Continuity Strategies

Arrangements to manage a loss or shortage of Staff or skills

1. Use of temporary staff e.g. Supply Teachers, Office Staff etc
2. Multi-skilling and cross-training to ensure staff are capable of undertaking different roles and responsibilities, this may involve identifying deputies, job shadowing, succession planning and handover periods for planned (already known) staff absence e.g. maternity leave
3. Using different ways of working to allow for reduced workforce, this may include:
• Larger class sizes (subject to adult and child ratios)
• Use of Teaching Assistants, Student Teachers, Learning Mentors etc
• Virtual Learning Environment opportunities
• Pre-prepared educational materials that allow for independent learning
• Team activities and sports to accommodate larger numbers of pupils at once
4. Suspending ‘non critical’ activities and focusing on your priorities
5. Using mutual support agreements with other Schools
6. Ensuring Staff management issues are considered i.e. managing attendance policies, job description flexibility and contractual requirements etc

Arrangements to manage denial of access to your premises or loss of utilities

1. Using mutual support agreements with other Schools
2. Pre-agreed arrangements with other premises in the community i.e. Libraries, Leisure Centres, Colleges, University premises
3. Virtual Learning Environment opportunities
4. Localising the incident e.g. isolating the problem and utilising different sites or areas within the School premises portfolio
5. Off-site activities e.g. swimming, physical activities, school trips

Arrangements to manage loss of technology / telephony / data / power

1. Back-ups of key school data e.g. CD or Memory Stick back-ups, photocopies stored on and off site, mirrored servers etc
2. Reverting to paper-based systems e.g. whiteboards, paper registers
3. Flexible lesson plans
4. Emergency generator e.g. Uninterruptible Power Supply (UPS)
5. Emergency lighting e.g. torches, candles

Arrangements to mitigate the loss of key suppliers, third parties or partners

1. Pre-identified alternative suppliers
2. Ensuring all external providers have business continuity plans in place
3. Insurance cover
4. Using mutual support agreements with other Schools
5. Using alternative ways of working to mitigate the loss e.g. suspending activities, adapting to the situation and working around it

8.3 Compliance

Intellectual Property Rights (IPR)

Appropriate procedures are in place to ensure compliance with legal restrictions in the use of material in respect of which there may be IPR, such as copyright, design rights or trademarks. Software is usually supplied under a licence agreement that limits the number of copies that can be made of the software. Controls are in place including: maintaining an appropriate inventory or asset register of software, maintaining proof of licence ownership (e.g. licences, master disks, manuals, etc), controlling the number of users, carrying out checks that only authorised software is in use and applying sanctions against unauthorised copying of software.


9.0 Pupil use of systems

9.1 This is the responsibility of the Headteacher/ICT Co-ordinator.

9.2 The school subscribes to an Acceptable Internet Use Policy based on the ACCITT model. Parental consent is outlined in the prospectus and parents not wishing to comply with this must put their request in writing to the Headteacher. Pupils are made aware of the acceptable use policy.

10.0 Use by the wider community

10.1 This is the responsibility of the Headteacher.

10.2 All users of ICT systems are required to sign up to the school’s acceptable use policy and agree to abide by the protocols laid down for staff/pupils as outlined above.

11.0 Sanctions

11.1 This is the responsibility of the Headteacher.

11.2 All users (staff, pupils, other members of the wider school community) are subject to sanctions as deemed appropriate.


Appendix 1

(Insert name of school)

Procedures for responding to subject access requests made under the Data Protection Act 1998

Rights of access to information

There are two distinct rights of access to information held by schools about pupils.

1. Under the Data Protection Act 1998 any individual has the right to make a request to access the personal information held about them.
2. The right of those entitled to have access to curricular and educational records as defined within the Education Pupil Information (Wales) Regulations 2004.

These procedures relate to subject access requests made under the Data Protection Act 1998.

Actioning a subject access request

1. Requests for information must be made in writing, which includes email, and be addressed to (insert name of Headteacher). If the initial request does not clearly identify the information required, then further enquiries will be made.

2. The identity of the requestor must be established before the disclosure of any information, and checks should also be carried out regarding proof of relationship to the child. Evidence of identity can be established by requesting production of:
• passport
• driving licence
• utility bills with the current address
• Birth / Marriage certificate
• P45/P60
• Credit Card or Mortgage statement
This list is not exhaustive.

3. Any individual has the right of access to information held about them. However, with children, this is dependent upon their capacity to understand (normally age 12 or above) and the nature of the request. The Headteacher should discuss the request with the child and take their views into account when making a decision. A child with competency to understand can refuse to consent to the request for their records. Where the child is not deemed to be competent, an individual with parental responsibility or guardian shall make the decision on behalf of the child.

4. The school may make a charge for the provision of information, dependent upon the following:
• Should the information requested contain the educational record then the amount charged will be dependent upon the number of pages provided.
• Should the information requested be personal information that does not include any information contained within educational records, schools can charge up to £10 to provide it.
• If the information requested is only the educational record, viewing will be free, but a charge not exceeding the cost of copying the information can be made by the Headteacher.

5. The response time for subject access requests, once officially received, is 40 days (not working or school days but calendar days, irrespective of school holiday periods). However, the 40 days will not commence until after receipt of fees or clarification of information sought.

6. The Data Protection Act 1998 allows exemptions as to the provision of some information; therefore all information will be reviewed prior to disclosure.

7. Third party information is that which has been provided by another, such as the Police, Local Authority, Health Care professional or another school. Before disclosing third party information consent should normally be obtained. There is still a need to adhere to the 40 day statutory timescale.


8. Any information which may cause serious harm to the physical or mental health or emotional condition of the pupil or another should not be disclosed, nor should information that would reveal that the child is at risk of abuse, or information relating to court proceedings.

9. If there are concerns over the disclosure of information then additional advice should be sought.

10. Where redaction (information blacked out/removed) has taken place then a full copy of the information provided should be retained in order to establish, if a complaint is made, what was redacted and why.

11. Information disclosed should be clear, thus any codes or technical terms will need to be clarified and explained. If information contained within the disclosure is difficult to read or illegible, then it should be retyped.

12. Information can be provided at the school with a member of staff on hand to help and explain matters if requested, or provided at face to face handover. The views of the applicant should be taken into account when considering the method of delivery. If postal systems have to be used then registered/recorded mail must be used.

Complaints

Complaints about the above procedures should be made to the Chairperson of the Governing Body who will decide whether it is appropriate for the complaint to be dealt with in accordance with the school’s complaint procedure. Complaints which are not appropriate to be dealt with through the school’s complaint procedure can be dealt with by the Information Commissioner. Contact details of both will be provided with the disclosure information.

Contacts

If you have any queries or concerns regarding these policies / procedures then please contact (Insert name of headteacher), Headteacher. Further advice and information can be obtained from the Information Commissioner’s Office, www.ico.gov.uk
