INFORMATION SECURITY POLICY
March 2024
INFORMATION AND SECURITY POLICY
The UK General Data Protection Regulation (UK GDPR) aims to protect the rights of individuals about whom data is obtained, stored, processed or supplied and requires that organisations take appropriate security measures against unauthorised access, alteration, disclosure or destruction of personal data.
K1 International Class Association (K1ICA) is dedicated to ensuring the security of all information that it holds and implements the highest standards of information security in order to achieve this. This document sets out the measures taken by the K1ICA to achieve this, including to:
• Protect against potential breaches of confidentiality;
• Ensure that all information assets and IT facilities are protected against damage, loss or misuse;
• Support our Data Protection Policy in ensuring all Volunteers are aware of and comply with UK law and our own procedures applying to the processing of data; and
• Increase awareness and understanding at the K1ICA of the requirements of information security and the responsibility of Volunteers to protect the confidentiality and integrity of the information that they handle.
INTRODUCTION
Information Security can be defined as the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification or destruction.
Volunteers working on behalf of the K1ICA (Volunteers) are referred to the K1ICA’s Data Protection Policy, Data Breach Policy and Electronic Information and Communication Systems Policy for further information. These policies are also designed to protect personal data.
For the avoidance of doubt, the term ‘mobile devices’ used in this policy refers to any removable media or mobile device that can store data. This includes, but is not limited to, laptops, tablets, digital cameras, memory sticks and smartphones.
SCOPE
The information covered by this policy includes all written, spoken and electronic information held, used or transmitted by or on behalf of the K1ICA, in whatever media. This includes information held on computer systems, paper records, hand-held devices, and information transmitted orally.
This policy applies to all Volunteers, including temporary workers, other contractors, interns, directors and any and all third parties authorised to use the IT systems. All Volunteers are required to familiarise themselves with its content and comply with the provisions contained in it.
This policy does not form part of any individual’s terms and conditions of employment with the K1ICA and is not intended to have contractual effect. Changes to data protection legislation will be monitored and further amendments may be required to this policy in order to remain compliant with legal obligations.
GENERAL PRINCIPLES
All data stored on our IT Systems is to be classified appropriately (including, but not limited to, as personal data, sensitive personal data or confidential information; further details on the categories of data can be found in the K1ICA’s Data Protection Policy and Record of Processing Activities). All data so classified must be handled appropriately in accordance with its classification.
Volunteers should discuss with the Class Chair the appropriate security arrangements for the type of information they access in the course of their work.
All data stored on our IT Systems and our paper records shall be available only to Volunteers with legitimate need for access and shall be protected against unauthorised access and/or processing and against loss and/or corruption.
All IT Systems are to be installed, maintained, serviced, repaired, and upgraded by the Class Chair or by such third party/parties as the Class Chair may authorise. The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity, and confidentiality of that data) lies with the Class Chair unless expressly stated otherwise.
All Volunteers have an obligation to report actual and potential data protection compliance failures to the Class Chair, who shall investigate the breach. Any breach which is either known or suspected to involve personal data or sensitive personal data shall be reported to the Class Chair.
PHYSICAL SECURITY AND PROCEDURES
Paper records and documents containing personal information, sensitive personal information, and confidential information shall, as far as possible, be positioned so that they cannot be viewed by people passing by, e.g., through windows. At the end of the working day, or when you leave your desk unoccupied, all paper documents shall be securely locked away to avoid unauthorised access.
Available storage rooms, locked cabinets, and other storage systems with locks shall be used to store paper records when not in use. If you do not feel you have the appropriate and/or sufficient storage available to you, you must inform the K1ICA Class Chair as soon as possible.
Paper documents containing confidential personal information should not be left on office and classroom desks, on Volunteers’ tables, or pinned to noticeboards where there is general access unless there is a legal reason to do so and/or relevant consents have been obtained. You should take particular care if documents have to be taken out of the K1ICA.
The physical security of buildings and storage systems shall be reviewed on a regular basis. If you find the security to be insufficient, you must inform the Class Chair as soon as possible. Increased risks of vandalism and/or burglary shall be considered when assessing the level of security required.
The following measures are taken by the K1ICA to ensure the physical security of the building(s) and storage systems:
• The K1ICA carries out regular checks of the buildings and storage systems to ensure they are maintained to a high standard.
• The K1ICA has an electronic lock system to minimise the risk of unauthorised people entering the K1ICA premises.
• Visitors should be recorded and accompanied at all times by a Volunteer and never be left alone in areas where they could have access to confidential information.
COMPUTERS AND I.T.
Responsibilities of the Class Chair.
The Class Chair shall be responsible for the following:
a) ensuring that all IT Systems are assessed and deemed suitable for compliance with the K1ICA’s security requirements;
b) ensuring that IT Security standards within the K1ICA are effectively implemented and regularly reviewed, working in consultation with the K1ICA’s management, and reporting the outcome of such reviews to the K1ICA’s management;
c) ensuring that all Volunteers are kept aware of this policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force, including, but not limited to, the UK GDPR and the Computer Misuse Act 1990.
Furthermore, the Class Chair shall be responsible for the following:
a) assisting all Volunteers in understanding and complying with this policy;
b) providing all Volunteers with appropriate support and training in IT Security matters and use of IT Systems;
c) ensuring that all Volunteers are granted levels of access to IT Systems that are appropriate for each member, taking into account their job role, responsibilities, and any special security requirements;
d) receiving and handling all reports relating to IT Security matters and taking appropriate action in response, including, in the event that any reports relate to personal data, informing the Data Protection Officer;
e) taking proactive action, where possible, to establish and implement IT security procedures and raise awareness among Volunteers;
f) monitoring all IT security within the K1ICA and taking all necessary action to implement this policy and any changes made to this policy in the future; and
g) ensuring that backups of all data stored within the IT Systems are taken at regular intervals and that such backups are stored at a suitable location offsite.
RESPONSIBILITIES – Volunteers
All Volunteers must comply with all relevant parts of this policy at all times when using the IT Systems.
Computers and other electronic devices should be locked when not in use to minimise accidental loss or disclosure of data.
You must immediately inform the Class Chair of any and all security concerns relating to the IT Systems which could lead or have led to a data breach as set out in the Data Breach Policy.
Any other technical problems (including, but not limited to, hardware failures and software errors) which may occur on the IT Systems shall be reported to the Class Chair immediately.
You are not permitted to install any software of your own without the approval of the Head of Operations. Any software belonging to you must be approved by the Class Chair and may only be installed where that installation poses no security risk to the IT Systems and where the installation would not breach any licence agreements to which that software may be subject.
Prior to installation of any software onto the IT Systems, you must obtain written permission by the Class Chair. This permission must clearly state which software you may install, and onto which computer(s) or device(s) it may be installed.
Prior to any use of physical media (e.g., USB memory sticks or disks of any kind) for transferring files, you must make sure that the physical media has been virus-scanned. Approval from the Head of Operations must be obtained prior to transferring files using cloud storage systems.
If you detect any virus this must be reported immediately to the Class Chair (this rule shall apply even where the anti-virus software automatically fixes the problem).
ACCESS SECURITY
All Volunteers are responsible for the security of the equipment allocated to or used by them and must not allow it to be used by anyone other than in accordance with this policy. The K1ICA has a secure firewall and anti-virus software in place. These prevent unauthorised access and protect the K1ICA’s network. The K1ICA also teaches individuals about e-safety to ensure everyone is aware of how to protect the K1ICA’s network and themselves.
All IT Systems (in particular mobile devices) shall be protected with a secure password or passcode, or such other form of secure log-in system as approved by the Class Chair. All passwords must, where the software, computer, or device allows:
a) be at least 6 characters long including both numbers and letters;
All mobile devices provided by the K1ICA shall be set to lock, sleep, or similar, after a period of inactivity, requiring a password, passcode, or other form of log-in to unlock, wake or similar. You may not alter this time period.
Volunteers should be aware that if they fail to log off and leave their terminals unattended, they may be held responsible for another user’s activities on their terminal in breach of this policy, the K1ICA’s Data Protection Policy and/or the requirement for confidentiality in respect of certain information.
DATA SECURITY
Personal data sent over the K1ICA network will be encrypted or otherwise secured.
All Volunteers are prohibited from downloading, installing, or running software from external sources without obtaining prior authorisation from the Class Chair who will consider bona fide requests for work purposes. Please note that this includes instant messaging programs, screen savers, photos, video clips, games, music files and opening any documents or communications from unknown origins. Where consent is given, all files and data should always be virus checked before they are downloaded onto the K1ICA’s systems.
You may connect your own devices (including, but not limited to, laptops, tablets, and smartphones) to the K1ICA’s Wi-Fi provided that you follow the Class Chair’s requirements and instructions governing this use. All usage of your own device(s) whilst connected to the K1ICA’s network or any other part of the IT Systems is subject to all relevant K1ICA Policies (including, but not limited to, this policy). The Class Chair may at any time request the immediate disconnection of any such devices without notice.
ELECTRONIC STORAGE OF DATA
All portable data, and in particular personal data, should be stored on encrypted drives using methods recommended by the Class Chair.
All data stored electronically on physical media, and in particular personal data, should be stored securely in a locked box, drawer, cabinet, or similar.
You should not store any personal data on any mobile device, whether such device belongs to the K1ICA or otherwise without prior written approval of the Class Chair. You should delete data copied onto any of these devices as soon as possible and make sure it is stored on the K1ICA’s computer network in order for it to be backed up.
All electronic data must be securely backed up by the end of each working day.
HOME WORKING
You should not take confidential or other information home without the prior permission of the Class Chair, who must be satisfied that appropriate technical and practical measures are in place within your home to maintain the continued security and confidentiality of that information.
When you have been given permission to take confidential or other information home, you must ensure that:
a) the information is kept in a secure and locked environment where it cannot be accessed by family or visitors; and
b) all confidential material that requires disposal is shredded or, in the case of electronic material, securely destroyed as soon as any need for its retention has passed.
COMMUNICATIONS, TRANSFER, INTERNET, AND EMAIL USE
The K1ICA works to ensure that its systems protect pupils and Volunteers and that they are reviewed and improved regularly.
If Volunteers or pupils discover unsuitable sites or any material which would be unsuitable, this should be reported to the Class Chair.
Regular checks are made to ensure that filtering methods are appropriate, effective, and reasonable and that users access only appropriate material as far as possible. This cannot always be guaranteed, and the K1ICA cannot accept liability for the material accessed or its consequences.
All personal information, and in particular sensitive personal information and confidential information, should be encrypted before being sent by email, or sent by tracked DX (document exchange) or recorded delivery. You may not send such information by fax unless you can be sure that it will not be inappropriately intercepted at the recipient’s fax machine.
Postal, DX, fax and email addresses and numbers should be checked and verified before you send information to them. In particular you should take extra care with email addresses where auto-complete features may have inserted incorrect addresses.
You should be careful about maintaining confidentiality when speaking in public places. You should make sure to mark confidential information ‘confidential’ and circulate this information only to those who need to know the information in the course of their work for the K1ICA.
Personal or confidential information should not be removed from the K1ICA without prior permission from the Class Chair except where the removal is temporary and necessary. When such permission is given, you must take all reasonable steps to ensure that the integrity of the information and the confidentiality are maintained. You must ensure that the information is:
a) not transported in see-through or other unsecured bags or cases;
b) not read in public places (e.g., waiting rooms, cafes, trains, etc.); and
c) not left unattended or in any place where it is at risk (e.g., in car boots, cafes, etc.).
Version | Author | Date written / approved | Approved by |
1.0 | IRD | 14/3/2024 | Class Chair |