Data Protection self-assessment in schools - Somerset



Schools should audit their procedures and processes for Data Protection and Information Security. The ICO offers some self-assessment tools that can help schools evaluate and improve their compliance with the Data Protection Act. There are 5 checklists, with the first, 'Data Protection Assurance', giving an oversight of all the others.

Once you have worked your way through a checklist, a report can be generated which lists actions, responsibilities and deadline dates. The report can be printed out and shared.

The first checklist, Data Protection Assurance, is the general list and is supported by four others.

The checklists can be quite frightening, and the following points should be considered:

- An audit is a powerful tool, and the support given in these checklists is not to embarrass schools but to enable them to improve.
- The checklists are general to all organisations; to help schools interpret what they should do, guidance is given in the tables below.
- The checklists need to be completed by the SLT lead with oversight of Data Protection and Information Security, supported by others.
- Further support can be obtained from eLIM: contact@

Data protection assurance checklist

Data Protection policy, responsibility and training
  Policy: eLIM Model Policy available here.
  Management Responsibility: Should be a member of the SLT, supported by the Office Manager and IT support.
  Education and Awareness: On induction, with regular updates for all staff and training for those with specific responsibilities.

Registration, fair processing and subject access
  Registration: Annual renewal. Check here to see your school entry.
  Privacy Notice: For learners and workforce. See information here.
  Responding to subject access: Do you have a process? It does not necessarily have to be a specific policy, but it should be mentioned in your Data Protection Policy.

Data quality, accuracy and retention
  Data quality & accuracy: Yearly data collection forms for learners and staff, plus a process for updates during the year.
  Retention and disposal: Do you know what data you hold? Identify and delete old records. Use the eLIM Record Audit Spreadsheet here to identify records, and the links to the IRMS toolkit to check retention periods. Do not store excessive records.

Security
  Security Policy: This includes not only technical measures but also physical security. It refers to personal or confidential data and the areas where records are kept.
  Outsourcing: You are still responsible for any data given to someone else. Do you know they have the correct level of protection (see the contract)? There is also a problem with data held outside the EU and 'Safe Harbor'.

Privacy Impact assessments
  Privacy Impact assessments: Do you know what data you store and what the implications would be if you lost it? Use the eLIM Record Audit Spreadsheet here.

Records Management checklist

Management & organisational records management measures
  Records management organisation: Should be the same person who has responsibility for Data Protection, but it could be delegated to the Office Manager.
  Records management policy: Although a policy is not statutory (the IRMS toolkit pp. 8-12 outlines one), passages should be placed in the Data Protection Policy that refer to practice in relation to records.
  Records management risk: Although you will not be able to see all the risks in storing data, you should try to anticipate issues. The eLIM Record Audit Spreadsheet here helps you do this.
  Records management training: Training should be offered to all staff, especially those with responsibility for records management.
  Outsourcing: You are still responsible for any data given to someone else. Do you know they have a good level of protection (see the contract)? There is also a problem with data held outside the EU and 'Safe Harbor'.
  Monitoring and reporting: The Office Manager and IT support should monitor and report issues to the Data Protection lead.

Records creation & maintenance
  Record creation: If there is a new use for data, or the collection of new data, the Data Protection lead should be informed. Does the school have a process for this?
  Records inventory: Use the eLIM Record Audit Spreadsheet here to help you identify data.
  Information standards: Do you have a process to amend incorrect data? What is your process for getting rid of excessive data?

Tracking & off-site storage
  Tracking and off-site storage of paper records: Are paper records removed from the secure area? If so, what procedures do you have for tracking where the data is?
  Off-site transfer of electronic records: Personal data must only be transferred off site on encrypted media. Are ALL laptops/memory sticks that could hold personal data encrypted?

Security, access and disposal
  Secure storage of records: Are all personal records locked away? Do you have a clean desk policy? Are screens locked if left for an extended period?
  Access to paper records: Who has access to paper records?
  Access to electronic records: Are users restricted to the absolute minimum of access to personal data through log-on restrictions?
  Business continuity: Can you function if the hard drive on the server breaks? What contingency do you have? Have you practised a file restore?
  Disposal of data: How do you dispose of paper/computers? Is this secure, and do you get certificates?

Information Security checklist

Management & organisational security measures
  Risk Management: Do you have an audit of the data you hold? Use the eLIM Record Audit Spreadsheet here. You could consider all the processes involved. Also consider how sensitive or confidential the data is and what damage or distress could be caused to individuals, as well as the reputational damage to your school, if there was a security breach.
  Information Security Policy: Having looked at the risks, do you have a policy about data security?
  Information Security responsibility: There should be a member of the SMT with responsibility for Information Security. It can be the Data Protection lead. Although responsibilities can be delegated to 'owners' (e.g. Office Manager, IT Support), the responsibility for checking their work belongs to the SLT.
  Outsourcing: You are still responsible for any data given to someone else. Do you know they have a good level of protection (see the contract)? There is also a problem with data held outside the EU and 'Safe Harbor'.
  Incident management: How would a data protection breach be reported and dealt with?

Your staff and information security awareness
  Education and awareness: Have you trained your staff about their responsibilities and how to report a breach?

Physical Security
  Secure areas: Are there locks on secure areas?
  Secure storage: Is there lockable storage for all people who deal with personal data? This includes a lockable cupboard/filing cabinet in every classroom.
  Secure disposal: Do you cross-shred records, or get a company to dispose of them for you? In each case you should make a note of the records you dispose of.

Computer and network security
  Home and mobile working: Do you allow your staff to work at home? Do you have rules on how and what they can do?
  Secure configuration: Do you protect the hardware with passwords and controls to protect the machines?
  Removable media: Is removable media encrypted?
  User access controls: Does each user have a unique name and password to get into areas where there is personal data?
  Password security: Are the passwords used to get to personal data complex? Is there a process to stop access when someone leaves?
  Malware protection: Are all machines that access the school's personal data protected from malware?
  Backup and restoration: Do you back up ALL areas that hold personal information, including C: drives on laptops? Are the major backups secured in different locations?
  Monitoring: Do you monitor the network? In some cases this can include the monitoring of network traffic.
  Patch management: Is the software on your systems kept up to date with upgrades?
  Boundary firewalls: Does your system have a firewall? What rules are in place on this firewall?

Data Sharing & Subject Access checklist

Management & organisational data sharing measures
  Data sharing policy: Is there reference to data sharing in the Data Protection policy?
  Accountability: Is there a member of the SLT with responsibility for Data Protection?
  Staff training: Are the people who will make decisions about data sharing aware of their duties, especially when adopting a new service?

Data sharing records
  Decision log: Do you have a log of those organisations that you share data with? Use the eLIM Record Audit Spreadsheet here to keep track.
  Information sharing agreements: Do you have agreements or contracts in place with those organisations that you share data with?

Registration
  Fair processing: Do you have fair processing notices for both pupils and workforce?
  ICO Registration: Are you registered with the ICO? Check here to see your school entry.

Security
  Security measures: What security measures do you have in place to protect personal data?

Subject access
  Subject access process: Do you have a process for dealing with Subject Access Requests?
  Accountability and training: Do staff know the process for dealing with Subject Access Requests?
  Compliance monitoring: Do you log all Subject Access Requests? Has the process for dealing with Subject Access Requests always worked?

Direct Marketing checklist

Direct Marketing
  Consent: Do your parents opt in to receive newsletters and other 'marketing' opportunities?
  Bought-in lists: Does not apply to many schools.
  Telephone marketing: Does not apply to many schools.
  Electronic marketing: Does not apply to many schools.
  Postal marketing: Do your parents opt in to receive newsletters and other 'marketing' opportunities?
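The retention and records-inventory items above ask the school to know what records it holds, who owns them, and which are past their retention period. As an added example (not the page's own material and not the eLIM Record Audit Spreadsheet), the following Python script runs that check over a constructed inventory: the record names, owners and retention periods are placeholder values, not figures from the IRMS toolkit, which the school would look up and enter itself.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Record:
    """One row of a record inventory (hypothetical layout, not the eLIM spreadsheet)."""
    name: str                        # what the record is
    owner: str                       # who is responsible for it (blank if nobody assigned)
    created: date                    # when the record, or its last entry, was created
    retention_years: Optional[int]   # agreed retention period; None if not yet looked up
    personal_data: bool              # does it contain personal data?


# Constructed sample rows. Retention periods are placeholders for illustration only.
SAMPLE_INVENTORY = [
    Record("Pupil admission forms 2008/09", "Office Manager", date(2009, 7, 31), 7, True),
    Record("Staff sickness records 2019/20", "Office Manager", date(2020, 8, 31), 3, True),
    Record("Governing body minutes", "Clerk", date(2015, 3, 1), None, False),
    Record("Old laptop with pupil lists", "", date(2014, 1, 10), 1, True),
    Record("Current class lists", "Class teacher", date(2023, 9, 1), 1, True),
    Record("Pupil admission forms 2022/23", "Office Manager", date(2023, 7, 31), 7, True),
]


def add_years(d: date, years: int) -> date:
    """Add whole years, moving 29 February to 28 February when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def audit_inventory(records, today: date, warn_days: int = 90) -> dict:
    """Sort records into what to dispose of, what to review and what to keep.

    Returns a dict of lists of record names:
      dispose : retention period has expired
      review  : no retention period recorded, or it expires within warn_days
      unowned : personal data with nobody responsible for it
      keep    : everything else
    A record can appear in 'unowned' as well as in one of the other lists.
    """
    result = {"dispose": [], "review": [], "unowned": [], "keep": []}
    for r in records:
        if r.personal_data and not r.owner.strip():
            result["unowned"].append(r.name)
        if r.retention_years is None:
            # Retention period still needs checking against the retention schedule
            result["review"].append(r.name)
            continue
        due = add_years(r.created, r.retention_years)
        if due <= today:
            result["dispose"].append(r.name)
        elif due - today <= timedelta(days=warn_days):
            result["review"].append(r.name)
        else:
            result["keep"].append(r.name)
    return result


def run_sample_audit(today: date = date(2024, 7, 1)) -> dict:
    """Run the audit over the constructed inventory as at a fixed date."""
    return audit_inventory(SAMPLE_INVENTORY, today)


if __name__ == "__main__":
    for status, names in run_sample_audit().items():
        print(f"{status:8s}: {names}")
```

The audit deliberately keeps "unowned" separate from the date-based lists: a record with personal data and no named owner is a records-management problem whatever its age, and it still needs someone to carry out the disposal or review.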