GDPR


General Data Protection Regulation (GDPR)

Privacy Notices

Premier Learning Trust respects your and your child’s privacy when you use the Organisation’s services and is committed to complying with privacy legislation.

The information below is what is referred to as a ‘Privacy Notice’, which explains how the Organisation uses and protects your personal information.

Before we start, if you look to the bottom of this webpage you’ll see a list of services that the Organisation provides. Under each service is more detailed information about how we use and protect your personal information, simply click on the link to find out more.

Premier Learning Trust has a Data Protection Officer whose role it is to ensure that any personal information processed by the Organisation is processed fairly and lawfully (respecting your rights and ensuring we follow the law). If you have any concerns or questions regarding how we look after your personal information, please contact the Data Protection Officer, Lauri Almond, at DPO@essex.gov.uk or by calling 03330 130975.

Why we use your personal information

Why we use personal information

We may need to use some information about you to:

  • deliver services and support to you;
  • manage those services;
  • train and manage the employment of our workers who deliver those services;
  • help investigate any worries or complaints you have about your services;
  • keep track of spending on services;
  • check the quality of services; and
  • help with research and planning of new services.

What are our legal reasons for processing personal information?

There are a number of legal reasons why we need to collect and use personal data.  Each privacy notice from the menu on the left explains for each service which legal reason is being used.  Generally we collect and use personal information in the following circumstances:

  • Where you, or your legal representative, have given consent
  • Where you have entered into a contract with us
  • Where it is necessary to perform our statutory duties
  • Where it is necessary to protect someone in an emergency
  • Where it is required by law
  • Where it is necessary for employment purposes
  • Where you have made your data publicly available
  • Where it is necessary to establish, exercise or defend a legal claim
  • Where it is in the substantial public interest
  • Where it is necessary to protect public health
  • Where it is necessary for archiving public interest material, research, or statistical purposes

Where we are using your consent to process your personal data, you have the right to withdraw that consent at any time.  If you wish to withdraw your consent, please contact the Data Protection Officer, Lauri Almond at DPO@essex.gov.uk so that your request can be dealt with.

What is Personal Information?

Personal information is often records that can identify and relate to a living person. This can also include information that when put together with other information can then identify a person.

What are Special Categories of Information?

This is personal information that needs more protection due to its sensitivity.  This information is likely to include:

  • sexuality and sexual health
  • religious or philosophical beliefs
  • ethnicity
  • physical or mental health
  • trade union membership
  • political opinion
  • genetic/biometric data

How we limit the use of personal information

Where necessary Premier Learning Trust processes personal data to deliver our services effectively; but wherever possible, the data that we process will be anonymised, pseudonymised or de-personalised.  This means the information can no longer identify a person.

When using personal data for research purposes, the data will be anonymised/pseudonymised to avoid the identification of a person, unless you have agreed that your personal information can be used for the research project.


We do not sell personal data to any other organisation for the purposes of selling products.

Your privacy rights

The law provides you with a number of rights to control the processing of your personal information:

Accessing the information we hold about you

You have the right to ask for all the information we have about you. When we receive a request from you in writing, we must normally give you access to everything we have recorded about you. However, we will not let you see any parts of your record which contain:


  • Confidential information about other people; or
  • Data an information professional thinks will cause serious harm to your or someone else’s physical or mental wellbeing; or
  • Data whose disclosure we think may adversely affect the prevention or detection of crime.

This applies to paper and electronic records. If you ask us, we will also let others see your record (except if one of the points above applies).  If you cannot ask for your records in writing, we will make sure there are other ways you can apply.  If you have any queries regarding access to your information please contact the school directly via the contact details on their website.

Changing information you believe to be inaccurate

You should let us know if you disagree with something written on your file. We may not always be able to change or remove the information; however, we will correct factual inaccuracies and may include your comments in the records.  Please use the contact details above to report inaccurate information.


Asking for your information to be deleted (right to be forgotten)


In some circumstances you can request the erasure of the personal information used by the Organisation, for example:


  • Where the personal information is no longer needed for the purpose for which it was collected
  • Where you have withdrawn your consent to the use of your information (where there is no other legal basis for the processing)
  • Where there is no legal basis for the use of your information
  • Where erasure is a legal obligation


Where personal information has been shared with others, the Organisation shall make every reasonable effort to ensure those using your personal information comply with your request for erasure.


Please note that the right to erasure does not extend to using your personal information where:


  • It is required by law
  • It is used for exercising the right of freedom of expression
  • It is in the public interest in the area of public health
  • It is for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where it would seriously affect the achievement of the objectives of the processing
  • It is necessary for the establishment, defence or exercise of legal claims.


Restricting what your information is used for


You have the right to ask us to restrict what we use your personal data for where one of the following applies:


  • You have identified inaccurate information, and have notified us of this
  • Where using your information is unlawful, and you wish us to restrict rather than erase the information
  • Where you have objected to us using the information, and the legal reason for us using your information has not yet been provided to you


When information is restricted it cannot be used other than to securely store the data, and with your consent, to handle legal claims, protect others, or where it is for important public interests of the UK.


Where restriction of use has been granted, we will inform you before the use of your personal information is resumed.


You have the right to request that the Organisation stop using your personal information for some services. However, if this request is approved this may cause delays or prevent us delivering a service to you. Where possible we will seek to comply with your request, but we may need to hold or use information in connection with one or more of the Organisation’s legal functions.


Computer based decisions about you and if you are ‘profiled’


You have the right to object to decisions being made about you by automated means (by a computer and not a human being), unless it is required for any contract you have entered into, required by law, or you have consented to it. You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information. If and when the Organisation uses your personal information to profile you, you will be informed.


If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who will be able to advise you about how your information is being used.

Who will we share your personal information with?

We use a range of companies and partners to either store personal information or to manage it for us. Where we have these arrangements there is always a contract, memorandum of understanding or information sharing protocol in place to ensure that the organisation complies with data protection law. We complete privacy impact assessments before we share personal information to ensure their compliance with the law.

Sometimes we have a legal duty to provide information about people to other organisations, e.g. Child Protection concerns or Court Orders.


We may also share your personal information when we feel there is a good reason that is more important than protecting your confidentiality. This does not happen often, but we may share your information:


  • to find and stop crime or fraud; or
  • if there are serious risks to the public, our staff or to other professionals; or
  • to protect a child.

The law does not allow us to share your information without your permission, unless there is proof that someone is at risk or it is required by law.


This risk must be serious before we can go against your right to confidentiality.  When we are worried about physical safety or we feel that we need to take action to protect someone from being harmed in other ways, we will discuss this with you and, if possible, get your permission to tell others about your situation.


We may still share your information if we believe the risk to others is serious enough to do so.


There may also be rare occasions when the risk to others is so great that we need to share information straight away. If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why as soon as or if we think it is safe to do so.

How do we protect your information?

We will do what we can to make sure we hold personal records (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them.  Our security includes:


  • Encryption allows information to be hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or cipher. The hidden information is said to be encrypted.
  • Pseudonymisation allows us to hide parts of your personal information from view so only we can see it. This means that someone outside of ECC could work on your information for us without ever knowing it was yours.
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
  • Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong.
  • Ways for us to access your information should something go wrong and our systems not work, including how we manage your information in event of an emergency or disaster.
  • Regular testing of our technology and processes including keeping up to date on the latest security updates (commonly called patches).

View our policy on information security here.


If your information leaves the country


Sometimes, for example where we receive a request to transfer Organisation records to a new Organisation, it is necessary to send that information outside of the UK. In such circumstances additional protection will be applied to that data during its transfer, and where the receiving country does not have an adequacy decision from the European Commission, advice will be sought from the Information Commissioner’s Office prior to the data being sent.

How long do we keep your personal information?

For each reason why we use your personal information there is often a legal reason for why we need to keep it for a period of time. We try to capture all of these and detail them in what’s called a ‘retention schedule’. This schedule lists for each service how long your information may be kept for.


Where can I get advice?

You can contact our Data Protection Officer, Lauri Almond, at DPO@essex.gov.uk or by calling 03330 130975.


For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office (ICO) at:


Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF


Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number


Alternatively, visit ico.org.uk or email casework@ico.org.uk.


Cookies (not the edible ones) & how you use this website

To make this website easier to use, we sometimes place small text files on your device (for example your iPad or laptop). These are known as ‘cookies’. Most big websites do this too.

They improve things by:

  • remembering the things you’ve chosen, so you don’t have to keep re-entering them whenever you visit a new page
  • remembering data you’ve given (for example, your address) so you don’t need to keep entering it
  • measuring how you use the website so we can make sure it meets your needs.

By using our website, you agree that we can place these types of cookies on your device.


We do not use cookies on this website that collect information about what other websites you visit (often referred to as privacy intrusive cookies).


Our cookies aren’t used to identify you personally. They’re just here to make the site work better for you. Indeed, you can manage and/or delete these files as you wish.


To learn more about cookies and how to manage them, visit AboutCookies.org or watch a video about cookies.

How you use this website (something called ‘Google Analytics’)

We use Google Analytics to collect information about how people use this site. We do this to make sure it’s meeting people’s needs and to understand how we can make the website work better.


Google Analytics stores information about what pages on this site you visit, how long you are on the site, how you got here and what you click on while you are here. We do not collect or store any other personal information (e.g. your name or address) so this data cannot be used to identify who you are.


Name    | Typical content                                                                                                   | Expires
_utma   | randomly generated number                                                                                         | 2 years
_utmb   | randomly generated number                                                                                         | 30 minutes
_utmc   | randomly generated number                                                                                         | when you close your browser
_utmx   | randomly generated number                                                                                         | 2 years
_utmxx  | randomly generated number                                                                                         | 2 years
_utmz   | randomly generated number and data on how the site was reached (e.g. direct or via a link, organic search or paid search) |

We also collect data on the number of times a word is searched for on the site and the number of failed searches. We use this information to improve access to the site and to identify gaps in the content and see if it is something we should add to the site.

Unless the law allows us to, we do not:

  • share any of the data we collect about you with others, or
  • use this data to identify individuals.

Other people’s cookies

We use videos from YouTube and feeds from other websites such as Facebook and Twitter. These websites place cookies on your device when watching or viewing these pages.


Below are links to their cookie policies:

Turning off cookies

You can stop cookies being downloaded on to your computer or other device by selecting the appropriate settings on your browser. If you do this, however, you may not be able to use the full functionality of this website.

There is more information about how to delete or stop using cookies on AboutCookies.org. If you wish, you can also opt out of being tracked by Google Analytics.


Further guidance on the use of personal information can be found at ico.org.uk


List of Services this organisation provides

  • School Trips
  • Employment Records
  • Governor Services
  • Photo and Video Consent
  • Statutory Pupil Data
  • Use of CCTV Surveillance
  • Essex WEISF


Policies

Data Protection Policy

General rules in complying with Data Protection law

Policy points are numbered. The numbering corresponds to explanations of ‘why?’ and ‘how?’ for each point further down the page.

What must I do?

1. MUST: All employees must comply with the requirements of Data Protection Law and Article 8 of the Human Rights Act when processing the personal data of living individuals

2. MUST: Where personal data is used we must make sure that the data subjects have access to a complete and current Privacy Notice.

3. MUST: We must formally assess the risk to privacy rights introduced by any new (or change to an existing) system or process which processes personal data

4. MUST: We must process only the minimum amount of personal data necessary to deliver services.

5. MUST: All employees who record opinions or intentions about service users must do so carefully and professionally

6. MUST: We must take reasonable steps to ensure the personal data we hold is accurate, up to date and not misleading.

7. MUST: We must rely on consent as a condition for processing personal data only if there is no relevant legal power or other condition

8. MUST: Consent must be obtained if personal data is to be used for promoting or marketing goods and services.

9. MUST: We must ensure that the personal data we process is reviewed and destroyed when it is no longer necessary.

10. MUST: If we receive a request from a member of the public or colleagues asking to access their personal data, we must handle it as a Subject Access Request

11. MUST: If we receive a request from anyone asking to access the personal data of someone other than themselves, we must fully consider Data Protection law before disclosing it

12. MUST: When someone contacts us requesting we change the way we are processing their personal data, we must consider their rights under Data Protection law.

13. MUST NOT: You must not access personal data which you have no right to view

14. MUST: You must follow system user guidance or other formal processes which are in place to ensure that only those with a business need to access personal data are able to do so

15. MUST: You must share personal data with external bodies who request it only if there is a current agreement in place to do so or it is approved by the Data Protection Officer.

16. MUST: Where the content of telephone calls, emails, internet activity and video images of employees and the public is recorded, monitored and disclosed this must be done in compliance with the law and the regulator’s Code of Practice.

17. MUST: All employees must be trained to an appropriate level, based on their roles and responsibilities, to be able to handle personal data securely.

18. MUST: When using ‘data matching’ techniques, this must only be done for specific purposes in line with formal codes of practice, informing service users of the details, their legal rights and getting their consent where appropriate.

19. MUST: We must maintain an up to date entry in the Public Register of Data Controllers

20. MUST: Where personal data needs to be anonymised or pseudonymised, for example for research purposes, we must follow the relevant procedure

21. MUST NOT: You must not share any personal data held by us with an individual or organisation based in any country outside of the European Economic Area

Why must I do it?

1. To comply with legislation

2. To comply with Data Protection legislation which requires us to make the data subject aware of how we will handle their personal data

3. To ensure that the rights of the Data Subject are protected in any proposed new activity or change to an existing one

4. The law states that we must only process the minimum amount of information needed to carry out our business purpose. It is not acceptable to hold information on the basis that it might possibly be useful in the future without a view of how it will be used. Changes in circumstances or failure to keep the information up to date may mean that information that was originally adequate becomes inadequate.

5. To maintain professional standards and to assist in defending the validity of such comments if the data subject exercises their rights to ask us to amend or delete their personal data if they feel it to be inaccurate.

6. To comply with a principle of Data Protection law

7. To comply with Data Protection law where processing does not rely on a legal condition other than consent.

8. When using personal data for marketing and promoting services it is unlikely that any lawful condition other than consent would apply.

9. To comply with a principle of Data Protection law.

10. To comply with the right to access personal data

11. To comply with a principle of Data Protection law.

12. To comply with the rights of the Data Subject under Data Protection law

13. Personal data must be protected by effective security controls to ensure that only those with approved business need to access the data can do so

14. Personal data must be protected by effective security controls to ensure that only those with approved business need to access the data can do so

15. To comply with the legal requirements to keep personal data secure, but also to ensure that where there are legal grounds to share information in a managed way this is done correctly.

16. The law permits organisations to hold such data in order to measure the quality of services being provided, to record consent etc. In certain circumstances recordings may be accessed e.g. to investigate alleged criminal activity or breaches of Organisation policy etc.

17. To comply with a principle in Data Protection law.

18. To comply with the Data Subject’s rights

19. This is a regulatory requirement and allows the public to see what personal information we hold to support transparency

20. Where personal data is used for research purposes, the processing of the data can be legitimised by provisions within Data Protection law

21. To comply with the right of the Data Subject to have equivalent legal safeguards in place over their data in another country as they would here. The member states of the EEA share common legislation which provides assurance to us that personal data will be securely handled under the same provisions that exist under the Data Protection Act.

How must I do it?

1. By following the points in this policy

2. By approving and reviewing a compliant privacy notice in line with the Privacy Notice Procedure and making it available to the data subjects

3. By completing and approving a Privacy Impact Assessment, or Data Protection Impact Assessment where the processing is ‘high risk’ to the rights of the data subjects.

4. By ensuring that the means we use to gather personal data (such as forms etc) only ask for the information that is required in order to deliver the service.

5. By considering that anything committed to record about an individual may be accessible by that individual in the future or challenged over its accuracy.

6. For example, there should be at least an annual check of the currency of data held about service users and whenever contact is re-established with a service user, you should check that the information you hold about them is still correct.

7. By following the points in the Consent Procedure

8. By following the points in the Consent Procedure

9. By following the points in the Records Management Policy. We must review personal data regularly and delete information which is no longer required; although we must take account of statutory and recommended minimum retention periods. Subject to certain conditions, the law allows us to keep indefinitely personal data processed only for historical, statistical or research purposes. The Retention Schedule will give guidance in these areas.

10. By following the points in the Statutory Requests for Information Policy

11. By following the points in the Statutory Requests for Information Policy. Such requests would typically be managed under the Freedom of Information Act (if from a member of the public) or under Data Protection or Justice law if for a criminal investigation, however the decision whether or not to disclose someone’s personal data to a third party must satisfy the requirements of Data Protection law

12. By reviewing the impact of any requested change on any statutory duty being fulfilled by the Organisation.

13. By being aware through training and guidance from your manager on what information is appropriate for you to access to do your job. Systems and other data storage must be designed to protect access to personal data. You must inform your manager if you have access to data which you suspect you are not entitled to view.

14. By ensuring appropriate security controls are in place and rules to support those controls are followed. The following should be in place:

* technical methods, such as encryption, password protection of systems, restricting access to network folders;

* physical measures, such as locking cabinets, keeping equipment like laptops out of sight, ensuring buildings are physically secure; and

* organisational measures, such as:

o Providing appropriate induction and training so that staff know what is expected of them

o Taking reasonable steps to ensure the reliability of staff that access personal data, for example, by the use of Disclosure and Barring Service (DBS) checks.

o Making sure that passwords are kept secure, forced to be changed after an agreed period and are never shared

15. Consult your manager, any procedure guidance or any library of sharing agreements managed by the Organisation. Consult the Data Protection Officer in one-off cases of sharing.

16. By ensuring that employees and members of the public are fully aware of what personal data is being recorded about them and why, and in what circumstances that data may be used. Operation of overt surveillance equipment such as CCTV must always be done in line with relevant codes of practice captured in the Surveillance Management Procedure. Any covert surveillance must be done in line with the provisions in the Investigatory Powers Act (2016)

17. By completing compulsory training courses relevant to your role

18. By ensuring an Impact Assessment has been approved for the activity

19. The entry should be reviewed annually and an update is to be made when any change to the purposes of processing personal data occur

20. Follow the guidance in the Data Minimisation Procedure

21. Consult the Data Protection Officer over any proposed sharing outside of the EEA. If you are a manager who is proposing a change to or implementing a new system which may involve the hosting of personal data in a nation outside the EEA, this must be first approved by a Privacy Impact Assessment

What if I need to do something against the policy?

If you believe you have a valid business reason for an exception to these policy points, having read and understood the reasons why they are in place, please raise a formal request by contacting the Data Protection Officer, Lauri Almond, via IGS@essex.gov.uk.

Document Control

Version: 1

Date approved: 28th March 2018

Approved by: The Board of Trustees

Next review: March 2019 to review and then approve at the next meeting of the Finance, Audit and Premises committee.

References

* Data Protection Act 1998 (to May 25th 2018)

* General Data Protection Regulations 2016 (from 25th May 2018)

* Article 8, The Human Rights Act 1998

* Investigatory Powers Act 2016

Breach Statement

Breaches of Information Policies will be investigated and may result in disciplinary action. Serious breaches of Policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you.


Information Governance Policy


Information Governance Framework Policy


Supporting effective corporate management of Information Governance activities


Policy points are numbered. The numbering corresponds to explanations of ‘why?’ and ‘how?’ for each point further down the page.


What must I do?


  1. MUST: All employees must comply with all Information Policies
  2. MUST: All employees must successfully complete relevant training in Information Governance key messages annually
  3. MUST: All managers must ensure that employees under their management are complying with our policies and any agreed exceptions
  4. MUST: We must ensure that the roles of Data Protection Officer (DPO) and Senior Information Risk Owner (SIRO) are in place
  5. MUST: We must ensure that an Information Governance Strategy is in place
  6. MUST: We must undertake annual reviews of the IG Strategy, all Information Policies and Information Risks
  7. MUST: Any exceptions to Information Policies must be risk assessed and approved


Why must I do it?


  1. This is to ensure that the Organisation remains compliant with Information law and provides assurance to the public over secure practices.
  2. This is to ensure that ECC can be certain that staff have been told the correct messages about how to handle data securely, and that we can evidence this to our regulators, partners and the public to give them confidence that we are suitable custodians of their data
  3. Managers have a key role in ensuring any policy is being implemented appropriately.
  4. The DPO role is a statutory requirement and the SIRO is best practice.
  5. Strategies are only effective when they meet the demands of the law and enable employees to achieve compliance in a practical way. It is therefore vital that our strategy reflects the current legal requirements and helps guide employees in a clear way to meet those requirements. The Strategy must therefore be regularly reviewed to ensure it is fit for purpose.
  6. Policies are only effective when they meet the demands of the law and enable employees to achieve compliance in a practical way. It is therefore vital that our policies reflect the current legal requirements and help guide employees in a clear way to meet those requirements. Policy and Risk Management must therefore be regularly reviewed to ensure they are fit for purpose.
  7. We need to monitor and control the risks created by allowing exceptions to policy


How must I do it?


  1. By reading the Information Policies, by attending and completing relevant training, by seeking clarification of policy from managers when unsure.
  2. By attending face-to-face training or completing elearning that has been designated as mandatory for your role.
  3. Ensure employees are instructed appropriately (through both Induction and Refresher training) on how to securely manage the data they have access to in their roles. Ensure employees have completed relevant formal training (for systems they use, and compulsory E-Learning). Use team meetings to discuss information policy issues. Where there is uncertainty over correct procedure, seek advice for clarification.
  4. Appoint new employees or add responsibilities to existing roles. Ensure that the responsibilities of the roles are fully documented and that the role holders have sufficient resource and training to fulfil their roles.
  5. A Strategy should be approved by the Leadership Team and annual reviews should be made against its progress, reported to the Leadership Team and the Strategy should be amended if required.
  6. Policy and Risk reviews should be undertaken annually and approved by the Leadership Team.
  7. By recording approved exceptions in such a way as to be able to report on all current instances; showing who and what the exception is for, why it was granted, when the exception approval period comes to an end and who supported and approved the exception. Assessment of a request for an exception must be done by receiving an approval and acceptance of risk by the Senior Information Risk Owner (SIRO) or a delegated role.

 

What if I need to do something against the policy?

 

If you believe you have a valid business reason for an exception to these policy points, having read and understood the reasons why they are in place, please raise a formal request by contacting the Data Protection Officer, Lauri Almond, via IGS@essex.gov.uk.

 

Document Control

 

Version:                     1

Date approved:         28th March 2018

Approved by:             The Board of Trustees

 

Next review:              March 2019, for review and then approval at the next meeting of the Finance, Audit and Premises committee.

 

References

 

  • Data Protection Act 1998 (to May 25th 2018)
  • General Data Protection Regulation 2016 (from 25th May 2018)
  • Article 8, The Human Rights Act 1998
  • Freedom of Information Act 2000
  • Environmental Information Regulations 2004
Breach Statement

 

Breaches of Information Policies will be investigated and may result in disciplinary action. Serious breaches of Policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you.

Statutory Requests for Information

 

Requirements for managing requests for information to comply with the Freedom of Information Act 2000 (FOI), the Environmental Information Regulations 2004 (EIR), the Data Protection Act 1998 (DPA) and, from 25th May 2018, the General Data Protection Regulation 2016 (GDPR).

 

Policy points are numbered. The numbering corresponds to explanations of ‘why?’ and ‘how?’ for each point further down the page.

 

What must I do?

 

For all types of request for Information:

 

  1. MUST: We must correctly identify the law which applies to the information being requested and manage the request in compliance with that law
  2. MUST: Information should be released unless there is a strong legal justification for withholding it.
  3. MUST: Whenever we refuse to provide information, we must clearly and fully explain the reasons why
  4. MUST: We must provide advice and assistance to people making a request.
  5. MUST: We must always try to reply as quickly as possible, but always within the legal deadline.
  6. MUST: All employees must promptly provide all relevant information to a request co-ordinator if asked for it
  7. MUST: If we decide to charge for information, we must do so in accordance with a published policy.
  8. MUST: Where reasonable and practical, we must provide the information in the format requested by the applicant.
  9. MUST: When we respond to a request, we must tell the requestor about our internal review process.
  10. MUST: When responding to a complaint, we must advise the requestor that they may complain to the ICO if they remain unhappy with the outcome.

 

Why must I do it?

 

  1. The requestor does not have to specify under what legislation they are making a request. It is our responsibility to correctly identify which legislation applies.
  2. We serve the public. We should not hide information from them. The Acts are intended to make us more accountable to the public, to make our processes more transparent, and to encourage the public to trust us.  Information should be released unless we can strongly justify withholding it (embarrassment is not a sufficient reason to withhold information). In some cases, we may have to release non-personal information because it is in the public interest although it might otherwise have been considered exempt. Also, it is a legal offence to deliberately withhold or destroy requested information where there is no legal reason to do so.
  3. We will not be obliged to provide all or part of the information requested if a legal justification applies. If we believe a reason does apply then we must help the public to challenge our decisions effectively by giving our reasons and doing so clearly and fully in line with the requirements of the Acts. This is a legal requirement.
  4. The Acts require us to assist requestors, especially where we may be considering refusing a request, in guiding the public on how to clarify or re-scope their request to achieve the best outcome. This is a legal requirement.
  5. The laws provide statutory deadlines for responding to a request: FOI and EIR – 20 working days; DPA – 40 calendar days (one month under GDPR from 25th May 2018). There are limited reasons to extend the deadlines. The laws expect information to be well managed and accessible, so there is an assumption that requests should be routinely responded to well in advance of the deadline.
  6. In order to comply with regulator and corporate targets for fulfilling requests, all employees have a role to play in making information relevant to the request available promptly so that a response can be drafted within the timescale.
  7. The laws require us to make clear the basis for charging to ensure that charges are fair and un-obstructive. We must tell requestors whether a charge applies before we provide the information and we should tell them what that charge will be.
  8. The Acts place a duty on us to provide information in the format that the requestor would find most convenient to their needs. We may refuse unreasonable demands and charge in certain cases, but in principle the requestor should be able to receive the information in the way they specify.
  9. It is a requirement of the Act to have an internal review process. Where a requestor expresses dissatisfaction with a response, this must be treated as a complaint; the Act states that expressing dissatisfaction is enough to require us to treat it as such. The ICO requires us to complete the internal review process before it will accept an escalation of a complaint to their office.
  10. This is a statutory requirement.

 

 

How must I do it?

 

  1. Follow guidance and training to correctly identify whether the request should be handled under FOI, EIR or DPA/GDPR.
  2. By following the points of this policy and accompanying guidance and training
  3. Ensure the employee making decisions about what can be released and drafting the response has access to legal guidance in order to make the response full and compliant with the law.
  4. Discuss the likely response with the requestor if their request is likely to be refused and explain options that would help them receive as useful a response as possible within the limits of the law. Although we should not ask requestors what they intend to do with the information they have requested, we can explain what we do hold and what is likely to be disclosable to them.
  5. We must record performance against the statutory deadlines to ensure we are aware of how well we are complying with the law and to help make changes to processes if necessary.
  6. Make sure the information you manage is accessible and well structured so that you can retrieve it quickly when requested.
  7. It is not lawful to charge for information without a published policy explaining the basis for arriving at a fee. In the absence of a published policy, charges are not made.
  8. There must be strong prohibitive reasons not to provide information in a format that is within our ability to provide. Conversion to a new format is however different to having to significantly edit and rearrange information to make it legible in the format requested. Under the latter circumstances, a refusal may be valid but advice should be sought if unsure.
  9. We choose to manage complaints (known as Internal Reviews) within 20 working days. Where a simple error has been made in the response it may be that the issue can be resolved informally. If not, then a full review of how the request was handled is required. This must be undertaken by an employee who was not involved in drafting or approving the original response, although the employee drafting the review may discuss how the original request was handled with those involved.
  10. Ensure that the contact details for the ICO are provided to the requestor on any response documentation and explain when it is appropriate to escalate a complaint to the ICO, so that requestors are aware of their rights.
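Point 5 under "Why must I do it?" sets out the statutory deadlines and point 5 under "How must I do it?" requires performance against them to be recorded. The following is an added example, not part of the Trust's own policy or procedures, of a minimal request register that computes the due date under each regime and lists open requests that have passed it. It assumes that FOI and EIR deadlines are 20 working days counted from the day after receipt, excluding weekends and bank holidays (the bank-holiday set in the code is an illustrative list of 2018 England and Wales dates, not an authoritative calendar); that DPA 1998 deadlines are 40 calendar days; and that the GDPR "one month" runs to the corresponding date in the following month, or the last day of that month where no such date exists (check current ICO guidance before relying on this rule). The register entries are constructed sample data.

```python
from datetime import date, timedelta
import calendar

# Illustrative bank-holiday set (England and Wales, 2018). Constructed for this
# example; replace with an authoritative calendar in real use.
BANK_HOLIDAYS = {
    date(2018, 1, 1), date(2018, 3, 30), date(2018, 4, 2), date(2018, 5, 7),
    date(2018, 5, 28), date(2018, 8, 27), date(2018, 12, 25), date(2018, 12, 26),
}


def is_working_day(d):
    """Monday to Friday, excluding bank holidays."""
    return d.weekday() < 5 and d not in BANK_HOLIDAYS


def add_working_days(start, n):
    """The date n working days after `start`, counting from the day after receipt."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if is_working_day(d):
            remaining -= 1
    return d


def add_one_month(start):
    """Corresponding date in the next month, or its last day if no such date
    exists (e.g. 31 January -> 28 February in a non-leap year)."""
    year, month = (start.year + 1, 1) if start.month == 12 else (start.year, start.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def statutory_deadline(regime, received_iso):
    """Due date (ISO string) for a request under FOI, EIR, DPA (1998) or GDPR,
    given the ISO date on which it was received."""
    received = date.fromisoformat(received_iso)
    if regime in ("FOI", "EIR"):
        due = add_working_days(received, 20)
    elif regime == "DPA":
        due = received + timedelta(days=40)
    elif regime == "GDPR":
        due = add_one_month(received)
    else:
        raise ValueError("unknown regime: " + regime)
    return due.isoformat()


def overdue(register, today_iso):
    """References of open requests (no response date) whose deadline is before today.
    ISO date strings compare correctly as plain strings."""
    return [
        entry["ref"]
        for entry in register
        if entry["responded"] is None
        and statutory_deadline(entry["regime"], entry["received"]) < today_iso
    ]


# Constructed sample register: one open FOI request, one open GDPR request,
# one EIR request already answered.
SAMPLE_REGISTER = [
    {"ref": "R1", "regime": "FOI", "received": "2018-06-04", "responded": None},
    {"ref": "R2", "regime": "GDPR", "received": "2018-06-20", "responded": None},
    {"ref": "R3", "regime": "EIR", "received": "2018-05-25", "responded": "2018-06-15"},
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(entry["ref"], entry["regime"], "due",
              statutory_deadline(entry["regime"], entry["received"]))
    print("overdue on 2018-07-03:", overdue(SAMPLE_REGISTER, "2018-07-03"))
```

Run as a script it prints each request's due date and the overdue list for 3rd July 2018; in practice the register would be the request co-ordinator's log and the overdue report would be run daily so that the internal review and ICO escalation information can be issued on time.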

 

What if I need to do something against the policy?

 

If you believe you have a valid business reason for an exception to these policy points, having read and understood the reasons why they are in place, please raise a formal request by contacting the Data Protection Officer, Lauri Almond, via IGS@essex.gov.uk.

 

Document Control

 

Version:                     1

Date approved:         28th March 2018

Approved by:             The Board of Trustees

Next review:              March 2019, for review and then approval at the next meeting of the Finance, Audit and Premises committee.

 

References

 

  • Data Protection Act 1998 (to 25th May 2018)
  • General Data Protection Regulation 2016 (from 25th May 2018)

 

Breach Statement

 

Breaches of Information Policies will be investigated and may result in disciplinary action. Serious breaches of Policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you.

 

Acceptable Personal Use of Resources

 

Acceptable Personal Use of Resources and Assets Policy

 

Explaining what is acceptable use of resources and assets provided by us, including IT facilities and covering personal use

 

Policy points are numbered. The numbering corresponds to explanations of ‘why?’ and ‘how?’ for each point further down the page.

 

What must I do?

 

  1. MUST: You must use our facilities economically; your personal use must not create extra costs for us
  2. MUST NOT: You must not use our facilities to undertake any unlawful, libellous, immoral or offensive activities, including accessing, downloading, storing, creating, copying or disseminating offensive material. This includes, but is not limited to, pornographic, sexual, violent or criminal content and racist, sexist or otherwise discriminatory material
  3. MUST NOT: Personal use must not interfere with your productivity and how you carry out your duties
  4. MUST NOT: Personal use must not reflect adversely on our reputation
  5. MUST NOT: You must not leave personal-use websites open during your working time, even if they are minimised on your screen and you are not actively viewing/ using them
  6. MUST NOT: You must not use browsers or access/ attempt to access sites that are knowingly unacceptable, even if this is in your own time
  7. MUST NOT: You must not send or forward chain, joke or spam emails
  8. MUST NOT: You must not use the Organisation’s facilities for commercial purposes not approved by us or for personal financial gain
  9. MUST NOT: You must not use your access rights or identity as an employee to mislead another person, for personal gain or in any other way which is inconsistent with your role
  10. MUST NOT: You must not disclose (in writing, speech or electronically) information held by us unless you are authorised to do so, and the recipients are authorised to receive it
  11. MUST NOT: When you print, photocopy, scan or fax official-sensitive information, you must not leave the information unattended.
  12. MUST NOT: You must not connect any equipment to our IT network that has not been approved
  13. MUST NOT: You must not do anything that would compromise the security of the information held by us, such as downloading/ spreading any harmful virus/ program or disabling or changing standard security settings
  14. MUST NOT: You must not make personal use of the information available to you that is not available to the public

 

 

Why must I do it?

 

  1. ALL: To ensure we use our IT and other facilities resources effectively, making sure that our reputation is maintained and to ensure that staff working time is used efficiently on delivering our business outcomes

 

 

How must I do it?

 

  1. By checking with your manager where you have any uncertainty over what is appropriate
  2. By complying with the points of this policy
  3. You must only make personal use of our IT facilities outside of time you are recording or is designated as your ‘working hours’
  4. By complying with the points of this policy
  5. Closing websites when you are not actively using them
  6. By taking care over the sites you are about to open, including reading the description shown in search results before opening a link
  7. By deleting such items if you receive them.
  8. By checking with your manager where you have any uncertainty over what is appropriate
  9. By checking with your manager where you have any uncertainty over what is appropriate
  10. If you are not sure if you are authorised to disclose information, speak with your manager in the first instance
  11. If you are faxing information outside your immediate office, always make sure that there is someone waiting at the other end to receive it. For other devices, if there is no secure release facility which requires you to be present, you must ensure you wait for the process to complete and remove any originals and copies from the equipment.
  12. Check that equipment has been tagged or marked as an accepted and managed device before insertion/ connection.
  13. IT controls should prevent your ability to download anything harmful, but if in doubt, contact your manager in the first instance.
  14. If you wish to utilise Organisation data in a personal capacity, you must make a formal request for information to the Organisation.

 

 

What if I need to do something against the policy?

 

If you believe you have a valid business reason for an exception to these policy points, having read and understood the reasons why they are in place, please raise a formal request by contacting the Data Protection Officer, Lauri Almond, via IGS@essex.gov.uk.

 


 

Document Control

 

Version:                     1

Date approved:         28th March 2018

Approved by:             The Board of Trustees

Next review:              March 2019, for review and then approval at the next meeting of the Finance, Audit and Premises committee.

 

References

 

  • Data Protection Act 1998 (to May 25th 2018)
  • General Data Protection Regulation 2016 (from 25th May 2018)

 

Breach Statement

 

Breaches of Information Policies will be investigated and may result in disciplinary action. Serious breaches of Policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you.

 

Data Handling Security Policy

 

Responsibilities for managing IT equipment, removable storage devices and papers, in the office, in transit and at home or other work locations

 

Policy points are numbered. The numbering corresponds to explanations of ‘why?’ and ‘how?’ for each point further down the page.

 

What must I do?

 

  1. MUST: You must take responsibility for the security of the equipment allocated to you and that is in your custody.
  2. MUST: When you are physically transporting our data outside of our premises, on any medium, you must take steps to keep it secure
  3. MUST NOT: You must not leave Official-Sensitive data unattended in a vehicle for longer than 10 minutes, and must always keep it out of sight
  4. MUST: You must take appropriate steps to secure our data at home and other organisations’ premises
  5. MUST: If working with our data on approved unmanaged equipment, you must remove the data when finished
  6. MUST: If you are taking Official-Sensitive information out of the office, this must be recorded
  7. MUST: You must make sure that conversations discussing sensitive data are only audible by an appropriate audience
  8. MUST NOT: You must not allow anyone access to your IT equipment through your IT account
  9. MUST NOT: You must not use any equipment to store our business data that has not been approved
  10. MUST NOT: You must not allow unauthorised people to be able view information on your IT equipment display
  11. MUST NOT: If you use Outlook Web Access from an unmanaged device, you must not save your password in the browser
  12. MUST: You must always use an approved secure method of disposing of physical documents and data storage devices
  13. MUST: You must return all equipment which has been issued to you by us prior to leaving your employment.
  14. MUST: You must report as quickly as possible if your equipment is lost or stolen and assist with any investigation
  15. MUST: You must ensure that all security functions are enabled on your portable equipment, such as pin codes and password access
  16. MUST: You must keep your portable equipment clean and serviceable, including keeping it charged.
  17. MUST NOT: You must not take any of our equipment abroad unless you are travelling in a business capacity with approval.
  18. MUST NOT: You must not give your portable equipment to another person if you are not using it.

 

Why must I do it?

 

  1. You are the custodian of the equipment; it is your responsibility to keep it physically secure.
  2. To prevent any accidental loss (for example papers or removable media accidentally falling out of bags) or theft (by exposing papers or equipment by not securing them properly). Although laptops are encrypted, full-disk encryption only protects data while the device is switched off; a laptop that is left logged in or asleep, or that is protected by a weak password, can still be accessed by a motivated criminal with technical knowledge.
  3. Experience in investigation of thefts at employee homes has shown that if equipment is left in plain view it will be taken, whereas storing away out of sight when not in use results in fewer cases of theft.
  4. To prevent accidental loss, unauthorised use and theft in your home and whilst in other Organisations’ premises
  5. Data in the browser cache or temporary file storage may be useable by other subsequent users of the same device.
  6. To make sure that others know who has custody of important information at all times
  7. We have a duty even within our premises to make sure that personal data is only made available to those with the business need to access it. This applies verbally as well as in recorded form.
  8. All activity on your IT account is assumed to be yours. Logs of activity are maintained. You are accountable for any wrongdoing through your account.
  9. Equipment purchased through us will have appropriate technical security installed, or will have best practice guidance on how to use the equipment securely
  10. Unauthorised people may be able to see sensitive information on your screen.
  11. This introduces the risk of someone who can gain access to your device also getting easy access to the data on your work emails
  12. Secure destruction processes safeguard the information stored on IT devices and physical documents and prevent data being accessed by unauthorised persons
  13. Providing such items is costly and represents a data security risk. We reserve the right to treat instances of refusing to return such items as theft.
  14. This enables us to remotely remove data from devices promptly, reducing the risk. Such investigations may lead to disciplinary action, and in extreme circumstances could lead to the service area seeking financial recompense. Having all the information about a security incident helps us to resolve it quickly and take the appropriate action to manage any risk of information being lost.
  15. Such measures help keep the device, and the information available on it, secure.
  16. Correct use and basic maintenance help us gain best value from the investment we make in our equipment.
  17. We need to be aware of any risk of using our equipment abroad, especially in countries that do not share common legislation to safeguard personal data, and where internet services may expose our devices, and therefore our network, to malicious threats. There may also be costs involved in replacing equipment which is subject to precautionary measures on your return. The costs of reviewing requests and replacing equipment are not appropriate for instances of employees wanting to use equipment whilst on holiday. Business continuity cover arrangements and delegation should be able to manage instances of leave.
  18. Portable equipment is asset managed across our estate and assigned to an individual. Being able to accurately evidence who holds what equipment is an important assurance we give to the Information Commissioner's Office over our ability to manage our assets and the information available on them.

 

 

 

How must I do it?

 

  1. By following the points in this policy
  2. This relates to paper files, phones, laptops and other removable media such as USB memory sticks, discs and external hard drives. Use equipment which reduces physical effort in order to appropriately manage the risk of overloading or forcing a tenuous hold over physical documents which can result in accidental loss of control over the information. Items should not be visible to others; even partially. This means they should be secured within an appropriate bag or other robust container. Laptop bags are suitable, ensuring that zip compartments are closed concealing the contents. Employees frequently needing to transport quantities of information that are too bulky to carry under full control and/or transporting Official-Sensitive data must review with their manager the need for being supplied with wheeled suitcase-style equipment with code locks to further secure the information.
  3. Items such as paper files, phones, laptops and other removable media left in a vehicle should only be unattended for a short period of time (maximum of 10 minutes for Official-Sensitive information) and must be kept out of sight (not visible to anyone looking in through a vehicle window). Locked in a boot is considered secure for a limited time if it cannot be taken with you when leaving a car.
  4. Only authorised users (this means people with IT accounts provided by us) can use your IT equipment and only through using their own accounts. It is not acceptable to allow family members or friends to use IT facilities or have access to our information even if you are present. You must also make sure that when IT equipment and hard-copy information is not in use that it is stored securely out of sight. If you are located temporarily in the premises of another organisation or your work requires site visits or entering homes of service users, you must secure IT equipment and hard-copy information. Make sure you understand what information your role allows you to share with partners or service users and limit the information you make available accordingly. Your role may require you to allow someone to have access to your IT device, for example a service user in their home may need to read content on your screen and select options from menus. You must understand the limits of their access requirements and manage this access. If you are located in the premises of another Organisation as a semi-permanent base, it is reasonable to leave our data in your allocated office or team area provided that you have the same level of secure storage for equipment and hard-copy as you would in our buildings. You must get approval for storing our data in premises not managed by us from your manager if the location is anything other than your permanent office base.
  5. On most systems this can be done by selecting ‘public network’ when setting up the access. Otherwise it will need to be done manually in the web browser options: clear the browser's cache, history, downloads and any saved form data once you have finished, and do not leave the session signed in.
  6. You should have access to systems or a log which allow you to ‘sign-out’ or record what information you are taking custody of, when taken, when returned and (if appropriate) why and under whose authority. Where such facilities are available they must be used.
  7. Most employees who handle Official-Sensitive data will have been located with those of similar roles or be in self-contained spaces. However, there is always the possibility of unauthorised persons being in the vicinity when you may need to discuss sensitive personal data with colleagues near you or over the phone, or display on a screen. You must make sure as the person who is custodian of the information that it is appropriate to discuss or display the information in the circumstances. You must make sure that if you are overhearing or otherwise being exposed to data to which you should not have access, you alert the information custodian to the fact that they are not managing the information appropriately.
  8. Make sure that you lock your screen at all times if you leave your laptop/ desktop or phone unattended to avoid someone accessing your account without your knowledge. Always supervise and monitor anyone using your device in the strictly limited circumstances where allowing someone access is acceptable (for example a service user in their home may need to read content on your screen and select options from menus).
  9. This is including but not limited to computers, printers, phones, tablets and cameras. Order equipment through us and follow any conditions of use associated with an exception to policy, and follow any standard instructions that are supplied with the device. Where technically feasible, encryption will be applied to secure the contents of storage devices.
  10. Ensure that no-one in your vicinity can see and read the screen of your device. This applies to working in public places (such as cafes with Wi-Fi), in partner organisations’ offices, and even when hotdesking within our premises when viewing Official-Sensitive data unless you are certain that others around you are allowed to see similar data.
  11. Do not approve any offer from your device’s browser to save your password when logging in to OWA.
  12. Make use of the facilities for secure disposal of paper documents and IT storage devices.
  13. Follow a leavers checklist with your manager
  14. Raise a security incident and inform your manager. Provide any information requested of you by an investigating officer
  15. Follow the instructions provided to you with your equipment
  16. Follow the instructions provided to you with your equipment
  17. Raise an exception-to-policy request to have your case considered
  18. Ensure that any equipment given or received by you is through our processes

 

 

 

What if I need to do something against the policy?

 

If you believe you have a valid business reason for an exception to these policy points, having read and understood the reasons why they are in place, please raise a formal request by contacting the Data Protection Officer, Lauri Almond, via IGS@essex.gov.uk.

 

Document Control

 

Version:                     1

Date approved:         28th March 2018

Approved by:             The Board of Trustees

Next review:              March 2019, for review and then approval at the next meeting of the Finance, Audit and Premises committee.

 

References

 

  • Data Protection Act 1998 (to May 25th 2018)
  • General Data Protection Regulation 2016 (from 25th May 2018)
  • Article 8, The Human Rights Act 1998
Breach Statement

 

Breaches of Information Policies will be investigated and may result in disciplinary action. Serious breaches of Policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you.

 

Security Incidents Policy

A security incident is a confirmed breach, potential breach or ‘near-miss’ breach of one of ECC’s information policies

 

Policy points are numbered. The numbering corresponds to explanations of ‘why?’ and ‘how?’ for each point further down the page.

 

What must I do?

 

  1. MUST: If you discover a security incident, you must immediately report it
  2. MUST: When reporting the incident, you must provide as much information as possible
  3. MUST: The Investigating Officer/ Line Manager must complete investigations as directed by the Business Manager and complete an outcome report (see Procedures for Reporting or Handling a Security Incident)
  4. MUST: The Business Manager must support investigations as directed by the Deputy Headteacher and provide an outcome report
  5. MUST: The Business Manager must oversee and support each investigation, maintaining a full record from reporting to closure
  6. MUST: The Headteacher or Head of School must support the investigation of major and critical incidents
  7. MUST: Comply with the timescales and escalation process outlined in our Procedures for Reporting or Handling a Security Incident

 

 

Why must I do it?

 

  1. Capturing security incidents allows us to respond effectively when something has gone wrong. Capturing all types of security incidents allows us to understand where our weaknesses are, how well our policies are working and what we should change about our policies to make them more effective
  2. To help us quickly assess the severity of the incident and to speed up the investigation
  3. Carry out an effective process appropriate to the severity of the incident
  4. Carry out an effective process appropriate to the severity of the incident
  5. Ensure the process is followed to completion
  6. Ensure that there is appropriate resource, expertise and independent scrutiny of processes for higher impact incidents
  7. Ensure that all incidents are handled in a timely manner.

 

 

How must I do it?

 

  1. Inform the Business Manager at the earliest opportunity or if you would like to stay anonymous via email at businessmanager@hollandpark.essex.sch.uk or office@altonpark.essex.sch.uk. No action will be taken against any member of staff who reports a security incident about another member of staff in good faith. Identification of a reporting party who requests anonymity shall be protected as far as is feasible.
  2. Include full details of the incident such as dates, names and any remedial action that has been taken.
  3. Where appropriate, undertake the following:
    1. Identify expected outcomes, stakeholders and any policies breached.
    2. Speak to staff involved.
    3. Record evidence and keep an audit trail of events and evidence supporting decisions taken
    4. Get expert help
    5. Escalate
    6. Inform data subjects (service users, staff) where appropriate
    7. Identify and manage risks of the incident
    8. Commence disciplinary action, or record why not
    9. Develop and implement a communications plan where appropriate
    10. Put in place controls to prevent recurrence
    11. Complete the Incident Outcome Report
  4. Where appropriate, undertake the following:
    1. Raise incidents through the Business Manager if reported to them
    2. Work with the Headteacher or Head of School to investigate major security incidents.
    3. Decide whether to investigate personally, or allocate to the line manager/ investigating officer.
    4. Assess the outcome to ensure they are satisfied the appropriate action has been taken.
    5. Provide service area knowledge and advice, and to carry out any recommended actions within their function for major or critical incidents, where required.
  5. Undertake the following:
    1. Classify the Security Incident
    2. Verify the details and oversee the investigation
    3. Work with the Headteacher or Head of School to investigate major security incidents.
    4. Advise, support and intervene as appropriate
    5. Review Incident Outcome Reports and close
  6. For major and critical incidents:
    1. Undertake the investigation (critical only)
    2. Work with the Headteacher or Head of School (major only)
    3. Assess if it is necessary for the security incident to be reported to the ICO.
    4. Complete an outcome report and recommend remedial actions.
  7. Follow the process outlined in the ECC Procedures for Reporting or Handling a Security Incident

What if I need to do something against the policy?

If you believe you have a valid business reason for an exception to these policy points, having read and understood the reasons why they are in place, please raise a formal request by contacting the Data Protection Officer, Lauri Almond, via IGS@essex.gov.uk.

If you believe the policy does not meet your business needs, you may raise this with your Information Champion who, if they agree with your suggestion, may propose a policy change.

Document Control

Version: 1

Date approved: 28th March 2018

Approved by: Board of Trustees

Next review: March 2019 and next Finance, Audit and Premises committee meeting

References

  • Data Protection Act 1998 (to 25th May 2018)
  • General Data Protection Regulations 2016 (from 25th May 2018)

Breach Statement

Breaches of Information Policies will be investigated and may result in disciplinary action. Serious breaches of Policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you.

Records Management Policy

Responsibilities for management of information to support secure access and effective retention, destruction and preservation processes

Policy points are numbered. The numbering corresponds to explanations of ‘why?’ and ‘how?’ for each point further down the page.

What must I do?

  1. MUST: You must document your work activities in line with procedures
  2. MUST: You must store all work information in the format and medium best suited to its use in line with procedures
  3. MUST: You must ensure that the information you manage is only known to an appropriate audience
  4. MUST: All information in any format which we hold as a record of our activity must be retained after ‘closure’ in line with Retention Guidelines
  5. MUST: Owners must regularly review information in line with Retention Guidelines to make best use of the available storage space
  6. MUST: We must monitor the success of the review process to maintain compliance with the law
  7. MUST: You must manage Pupil records in line with best practice and specific system guidance
  8. MUST: You must follow Good Practice for Managing E-Mail when storing emails as records
  9. MUST: We must ensure that the facilities available for storing and managing information meet legal requirements and best practice
  10. MUST: We must maintain a selection procedure for identifying, reviewing and managing records with historical value
  11. MUST NOT: You must not store business information on a personal drive or on equipment not provided by the Organisation
  12. MUST: All Information Assets identified on the Register must be associated with a retention period from the Retention Guidelines.
  13. MUST: The Retention Guidelines must be reviewed for changes in legislation and the Organisation’s business needs.
  14. MUST: When archiving paper records, information on ownership, retention and indexing quality must be recorded.
  15. MUST NOT: You must not use the archive storage services of any other commercial company than the approved supplier

Why must I do it?

  • These measures ensure Organisation information, where appropriate to do so, is shared effectively to support efficient business processes and maintain effective service delivery to customers.
  • Managing records in line with the best practice guidance fulfils duties under the section 46 Code of Practice on Records Management under the Freedom of Information Act 2000. Retention Guidelines are published so there is clear communication to customers over what information should still be available to them if they wish to make a request. To retain information too long or to destroy it too soon leaves us open to criticism on openness and transparency, and in some cases, compliance with the law.
  • In order to comply with the Section 46 Code of Practice (see above) we must ensure that we are destroying all related information across all formats. For example, destroying a paper file on a project but keeping all the electronic documents about the project in a shared network folder can cause problems if a Freedom of Information request is received. The request co-ordinator assumes that as the paper file is destroyed then we do not hold any information and responds accordingly. We would then be in breach of the act.

How must I do it?

  1. Employees are aware of best practice requirements and any guidance on use of specific systems through training and communications
  2. Employees are aware of best practice requirements and any guidance on use of specific systems through training and communications
  3. You must ensure that paper files are accessible to authorised colleagues in your absence, by ensuring others know where to find keys to lockable storage areas. You must be aware of who information should be shared with, and ensure it is only shared with that audience. You must ensure that you save electronic information in a shared environment, but with appropriate access controls if the information has a restricted audience.
  4. Follow the best practice guidance and any superseding amendments made by the Organisation
  5. Follow the best practice guidance and any superseding amendments made by the Organisation
  6. Designated employees must gather performance data on activities within the scope of this policy for review by the Data Protection Officer and the Leadership Team
  7. Follow the best practice guidance and any superseding amendments made by the Organisation
  8. Follow the best practice guidance and any superseding amendments made by the Organisation
  9. The Organisation must approve and regularly review facilities such as systems and physical storage as appropriate against security requirements in Data Protection Law, and all employees must help maintain security standards by following procedure.
  10. Records can be identified for preservation at any point in the records lifecycle, but will not transfer until we have no ongoing administrative need (i.e. at the end of a retention period). When information is due to be destroyed, there should be a final review to select records for transfer to the Essex Record Office.
  11. By only storing all business information on the relevant systems designated by the Organisation and by using only equipment approved by the Organisation.
  12. The Information Asset Owner is responsible for ensuring that Information Asset Managers amend entries on the Information Asset Register to show the correct retention period from the schedule.
  13. A policy review (at least annually) must review the provisions of best practice retention guidance and make any necessary amendments, documenting the reasons for change and managing affected records accordingly.
  14. We must complete and retain archiving indexes providing the relevant information about paper records in storage, ensuring that the Organisation is aware of what information it holds at all times and when it can be reviewed.
  15. Any use of a commercial storage provider must be assessed and approved to ensure the right security and financial provisions are in place. Use of alternatives that have not been approved may not provide value for money and may not provide secure services.

What if I need to do something against the policy?

If you believe you have a valid business reason for an exception to these policy points, having read and understood the reasons why they are in place, please raise a formal request by contacting the Data Protection Officer, Lauri Almond, via IGS@essex.gov.uk.

Document Control

Version: 1

Date approved: 28th March 2018

Approved by: The Board of Trustees

Next review: March 2019 to review and then approve at the next meeting of the Finance, Audit and Premises committee.

References

  • Data Protection Act 1998 (to 25th May 2018)
  • General Data Protection Regulations 2016 (from 25th May 2018)
  • Article 8, The Human Rights Act 1998
  • Freedom of Information Act 2000
  • Code of Practice on Records Management (under Section 46 of the FoIA)

Breach Statement

Breaches of Information Policies will be investigated and may result in disciplinary action. Serious breaches of Policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against you.

Other Information

Information Governance Strategy