This policy was last reviewed by the Information Security Working Group in August 2022.
This policy was last approved by the Information Security Working Group in September 2022.
Purpose and scope
The Information Security and Data policies provide everyone (e.g. students, staff, third parties) with clear and consistent instructions on how to protect themselves, others and College IT assets (e.g. data and services). The policies, associated processes and procedures are designed to reduce information-related risk to tolerable levels. All staff, students and third-party users must adhere to these policies to keep the College and its people secure from Information Security risks, such as ever-evolving cyber-threats or non-compliance with the Data Protection Act 2018.
This document overarches all Information Security policies. It sets out the high-level expectations for anyone processing information (digital or physical) on behalf of the College, concerning learning, teaching and administration.
Non-compliance with policies puts people and the College at risk. A breach of information security may result in damage to you, our students, or your colleagues through the loss of control over personal data or confidential data, identity theft, fraud or financial loss. Breaches of this policy also put the College at risk of cyber-threats, legal action and regulatory penalties. Additionally, sometimes damages are irreparable and have serious reputational consequences.
Therefore, non-compliance may lead to the removal of IT equipment, services and account privileges. In some cases, disciplinary measures might be pursued, which may also lead to legal action.
Information security fundamentals
Information and systems must remain secure and private. Everyone must agree to and uphold the following information security fundamentals:
- Consider and process information (e.g. confidential student record or restricted commercial document) according to the Information Handling Policy
- Safeguard information (according to its classification) with appropriate security measures (e.g. encryption) to protect against unauthorised access
- Make information available only to those who have a legitimate right to access it
- Report breaches of the information security policies to IT Services
- Take personal responsibility for IT resources (e.g. computers, accounts, storage) and use them in line with the policies.
Anyone using College services has a responsibility to protect data and systems in their control. Those responsibilities are defined in the Information and Data policies. The full set of policies is listed below.
Managers must ensure staff are aware of and comply with information security policies, complete mandatory training (including any additional training required for certain roles e.g. Finance), report non-compliance and maintain the confidentiality, integrity and availability of College information assets.
Information Security Manager
The Information Security Manager is responsible for the delivery of a suitable and robust information security programme that identifies and addresses security and privacy risks.
IT Services does not routinely monitor internet usage, electronic communication (e.g. email), documents (e.g. on Google Drive) or other digital information. Such information may be viewed where necessary to protect the rights, property or personal safety of the College, students and staff, and to preserve the integrity of systems (e.g. investigations as a result of a security breach), or to comply with legal obligations, such as responding to requests from enforcement agencies, requests for personal data from individuals, court orders, or other legal processes.
Most College systems maintain transactions and events; this is required for operational management. They may include:
- The geographic area where a device is using College websites, applications or services;
- Device data such as type of software and hardware used, IP address, browser type and settings, date and times (e.g. creation, modification and erasure), language preferences, and cookie information.
The College and each student and member of staff have an obligation to abide by all relevant legislation, particularly:
- Computer Misuse Act 1990
- Copyright, Designs and Patents Act 1988
- Data Protection Act 2018
- UK General Data Protection Regulation (GDPR) 2018
- Human Rights Act 1998
- Regulation of Investigatory Powers Act 2000
- Terrorism Act 2006
- Privacy and Electronic Communication Regulations 2003
- Counter-Terrorism and Security Act 2015.
Data security breaches
The College must inform relevant legal and regulatory entities when certain data security incidents occur. For example, where there is a reportable personal data breach, the College must inform the Information Commissioner's Office within 72 hours. It is, therefore, essential you report data security breaches to the IT Services Desk (firstname.lastname@example.org) immediately to limit the impact on the College and individuals.
Some examples of data security incidents are:
- Loss or theft of confidential information (e.g. documents taken from a car or left in a cafe)
- Loss or theft of equipment used to store confidential information (e.g. laptop, smartphone, USB stick)
- Accidental or unauthorised disclosure of ‘confidential’ or ‘strictly confidential’ information (e.g. documents sent to an incorrect recipient or incorrect permissions to files)
- Unauthorised access to, removal/copying or modification of records or data
- A computer system or equipment compromise (e.g. malware, denial of service attack)
- A compromised account (e.g. spoofing, hacking, shared password)
- A compromised location holding confidential information or critical equipment such as servers.
Individuals must only use systems provided by IT Services for carrying out College business. In some circumstances, existing solutions may not meet requirements and therefore using third-party services may be possible, but only with express permission from IT Services.
The College uses Google services for email and for storing and sharing files in the cloud. Information uploaded to, read, modified and shared using these apps (e.g. Google Mail and Google Docs) is automatically encrypted to ensure the data is secure. Google undergoes regular independent audits on their data centres (e.g. cloud services), network, and operations (e.g. internal processes). Compliance is certified through industry standards such as ISO 27001 and 27017.
Google processes RCA data in a way that is compliant with both the GDPR and the DPA (2018).
Personal information collected in the Core Services (e.g. Google Mail and Google Docs) is used only to provide the Core Services. Google does not serve ads in the Core Services or use personal information collected in the Core Services for advertising purposes.
For more information, please read Google’s ‘Google Workspace for Education Privacy Notice’: https://workspace.google.com/terms/education_privacy.html
Training and awareness
The College will provide the necessary resources to help everyone meet their information security and privacy obligations. All staff must complete mandatory training; others may need to complete additional modules depending on their department or school and the confidentiality of the data they manage.
Information security training and guidance
This policy will be reviewed as it is deemed appropriate, but no less frequently than every three years.