Valentines High School

Security Measures

  1. Organisational

  1.1 Policies & Documented Procedures

Policies relating to information governance issues are drafted by employees with detailed knowledge of legal requirements and the Organisation’s processes. All policies have documented review dates and assigned ownership. Reviews are held ahead of the expiry date, or sooner where an issue has been identified. All policies follow a governance route for approval. Key policies are published on the organisation’s website for transparency.

  1.2 Roles

The organisation has a named Data Protection Officer, who is Lauri Almond. This Officer executes the role by reporting the outcome of statutory processes to Richard Laws, who acts as the organisation’s Senior Information Risk Owner.

  1.3 Training

The organisation regularly reviews employee roles to ensure that training and awareness messages are appropriate to the nature and sensitivity of the data processing undertaken. Induction processes ensure that new employees receive appropriate training before accessing personal data, and all other employees receive refresher training annually. All training received is documented for evidence purposes.

  1.4 Risk Management & Privacy by Design

The organisation records information compliance risks on its risk register. Risks are assigned clear ownership and rated against a consistent scheme; appropriate mitigations are identified and reviewed annually.

  1.5 Contractual Controls

All Data Processors handling personal data on behalf of the organisation have given assurances about the compliance of their processes, whether through procurement assurances or evidence, contractual controls, risk assessments or supplementary statements.

  1.6 Physical Security

All employees and contractors who have access to premises where personal data is processed are provided with Identity Cards which validate their entitlement to access. The organisation operates processes which ensure that only individuals with an entitlement to access the premises are able to do so. Access to physical storage holding sensitive personal data is further restricted, either through lockable equipment with key or code control procedures or through auditable access to specific rooms or areas of buildings.

  1.7 Security Incident Management

The organisation maintains a security incident process which, with the support of appropriate training, defines what constitutes a breach of these security measures in order to facilitate the reporting of incidents. The process covers investigation of incidents, risk rating, and decisions over whether to notify an incident to the Information Commissioner’s Office (ICO) within the statutory timescale. Incidents are reported to senior leaders, actions are consistently taken, and lessons learned are implemented.

  2. Technical

  2.1 Data at Rest

  2.1.1 Use of Hosting Services

Some personal data is processed outside the organisation’s managed environment by third parties in data centres, under agreed terms and conditions which evidence appropriate security measures.

  2.1.2 Firewalls

Access to the Organisation’s managed environment is protected by maintained firewalls. Business requests for access through the firewall go through a strictly documented change control process which includes risk assessment and approval.

  2.1.3 Administrator Rights

Enhanced privileges associated with administrator accounts are strictly managed. Administrator activities are logged and auditable so that activity can be effectively monitored.

  2.1.4 Access Controls

Access permissions to personal data held on IT systems are managed through role-based permissions. Managers of appropriate seniority inform IT professionals of additions, amendments and discontinuation of individual accounts within permission groups. Managers are periodically required to confirm that the current permissions for which they are the authoriser, and the employees associated with those permissions, are accurate.

  2.1.5 Password Management

The organisation requires passwords to meet a mandatory complexity standard, combining a minimum length with a required mix of characters, and to be changed after 90 days.

  2.1.6 Anti-Malware & Patching

The organisation has a documented change control process which facilitates the prompt implementation of any security updates provided by the suppliers of active software products.

  2.1.7 Disaster Recovery & Business Continuity

As part of the organisation’s business continuity plan, there is provision to ensure that effective processes are in place both to safeguard personal data during a service outage and to re-establish secure access to the data, so that data subject rights can be supported in ongoing service provision.

  2.2 Data in Transit

  2.2.1 Secure Email

The organisation has access to secure email software for communicating with some third parties where licensing agreements permit this. Sensitive data will be sent using such tools where available. Where the software is not available, a system of password-protecting sensitive data in email attachments is employed.

  2.2.2 Secure Websites

The organisation has access to third-party websites which allow the secure upload of personal data. The organisation uses these facilities to fulfil statutory obligations to report personal data to other public authorities.

  2.2.3 Encrypted Hardware

Devices which store or provide access to personal data are secured by password access. Removable media such as memory sticks are encrypted.

  2.3 Hard-Copy Data

The removal of personal data in hard-copy form is controlled by organisational policy, which requires employees to take steps to conceal the data and to secure it appropriately during transport.

These security measures are reviewed annually and approved as accurate and appropriate through the organisation’s governance process.