Information security is the process by which you ensure that you keep all of the data that you hold safe and secure, minimising the risk of loss, theft, damage or destruction.
While there is no legislation that specifically defines what form your information security policies or processes should take, Data Protection legislation has security enshrined within it. Article 32 of the General Data Protection Regulation states that:
"the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk...in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."
This means that schools are responsible for ensuring that appropriate measures are in place to adequately safeguard and protect the data that they hold.
Schools should ensure that they have robust policies in place to uphold information security. As a minimum we would recommend that the following should be in place:
- Information Security Policy
- Acceptable Use Policies for Staff, Students and Third Parties
- Internet, Email and E-Safety Policies
- Social Networking Policy
Schools that hold a service level agreement with the Information Governance Unit can contact us for guidance if required.