Data Protection Act 1998
Staff Guidelines

Version 2.0 January 2011

Security guidelines

We make a commitment to our pupils and their parents that we keep their information confidential. If we are going to deliver this commitment then we must all follow a few simple security steps at all times:

✓ Choose a password that is hard to guess and change it regularly
✓ Lock your PC whenever it is unattended
✓ Lock away any confidential papers when you leave the office at the end of the day
✓ Ensure confidential papers are shredded or put in the secure disposal bins when no longer required
✗ Do not share your password or divulge it
✗ Do not gossip about pupils in public places.

Social engineering

This is the art of getting hold of confidential information by asking for it!

The social engineer may engage in conversation in a way that makes people think that he is part of the organisation. Alternatively he may pretend to be a parent or from an authority such as the Police.

The main aim of social engineers is to get you to tell them something that they should not know. It could be your system password or information about a pupil or their parents.

Make sure that you know the identity of people you are talking to, particularly on the telephone. If in doubt, take their number, get advice from your manager or the Data Protection Officer and then call them back.

Whatever you may think… be careful what you write!

There are many opportunities for you to make subjective comments in files or on the systems about people.

Within this leaflet there is a section on ‘Subject Access Requests’. Under a ‘Subject Access Request’ an individual has the right to see EVERYTHING that is in their file(s) or held on systems – including the contents of free text boxes, post-it notes, handwritten remarks and potentially emails.

To avoid the risk of needless complaints, you should not under any circumstances make any derogatory, unsubstantiated or subjective remarks about pupils, their parents or any member of staff anywhere in the Harpur Trust’s/School’s systems or manual files.

Further help and advice

The guidance in this document is designed for easy reference. The full supporting policies and procedures can be found on the Modern School Intranet.

The School’s Data Protection Officer is the Bursar, Bedford Modern School, Manton Lane, Bedford, MK41 7NT
[email protected]

What is the Data Protection Act?

The Data Protection Act 1998 (DPA) is UK legislation to ensure that people’s personal information is not misused.

The DPA does not stop us from using personal information to deliver our services; but it does provide a set of rules and guidelines which we must follow. These rules and guidelines are referred to by the DPA as Data Protection Principles.

It should be noted that the age of a person is not taken into account by the DPA.

This leaflet aims to provide you with some essential guidance on complying with these Principles. Detailed policies have been published on the HTO library.

What is personal data?

Personal data is information that relates to a living individual who can be identified from the information. It includes information in structured manual files as well as in computer systems.

Some personal data is defined by the DPA as “sensitive” and there are special rules relating to it. Sensitive personal data is information about an individual’s:

• Racial or ethnic origin
• Political opinions
• Religious beliefs
• Trade Union membership
• Physical or mental health condition
• Sexual life
• Committed or alleged offences
• Records of criminal proceedings

Unless part of an established process, before using sensitive data you should check the relevant policies on the HTO library and/or ask for advice.

What the has to do

We have to tell pupils and their parents what we are using their personal information for. In most cases we do this on the application form and in a guidance leaflet we issue.

We have to make sure that we, and any 3rd parties we share information with, do not use it for anything else.

We have to ensure the information is accurate, up to date and we dispose of it securely when we no longer need it.

It is vital that we keep information securely, so security guidelines are provided separately in this leaflet.

You can play your part by following our policies, procedures and the security guidelines. If you are in any doubt, ask the Data Protection Officer.

Pupils’ and parents’ access to their own information (subject access requests)

Anyone whose personal data we hold has a legal right to ask to see that information. As such, they can request to see any of their information held in our computer systems and manual files and this is known as a ‘Subject Access Request’. There are rules about how we must respond to these requests which, in general, should be made in writing.

If you receive a request from a pupil or parent to see their information you should pass it to the Data Protection Officer.

Dealing with requests from 3rd parties asking for information about pupils and parents is dealt with separately in this leaflet.

Sharing information with 3rd parties

Occasionally we need to provide information about pupils and/or their parents to other organisations.

We have an information sharing agreement in place with associated organisations, i.e.

• Foundation
• Old Bedfordians Club
• Bedford School Trust
• Bedford Girls’ School Alumnae Association
• The Bedford High School Guild
• Old Bedford Modernians
• Dame Alice Harpur School Association

The sharing agreement covers basic contact details for pupils and ex-pupils. Any request by these organisations for other information must be formally approved by the Bursar at .

We may contact 3rd parties with information about pupils. The most likely reason for this type of disclosure is information to enable pupils to take part in travel and activities that are organised by external organisations. Any provision of information for this purpose must include a statement advising the organisation that the information must not be used for anything else.

Where 3rd parties contact us for information about pupils we need to be very careful. In general, we will only respond to written requests.

If you receive a request for information by phone or in person, ask the requestor to write in with the individual’s name, what information they need and their reason for asking for it. Do not suggest or promise that this will result in us giving them the information.