Ashton, Manchester

E-Safety Policy

Policy Created: January 2020
Reviewed by: Grace Speakman
Review Date: January 2021

Contents

  • Introduction
  • School e-Safety Template Policy
  • Development, monitoring and review of the Policy
  • Schedule for development, monitoring and review
  • Roles and Responsibilities
  • Policy Statements
  • Appendices

Roles and Responsibilities

The following section outlines the e-Safety roles and responsibilities of individuals and groups within the school :

Headteacher
The Headteacher is responsible for the approval of the e-Safety Policy and for reviewing the effectiveness of the policy.

This will be carried out by the Curriculum, Personnel and Behaviour members of staff by receiving regular information about e-Safety incidents and monitoring reports to include:

  • regular meetings with the e-Safety Co-ordinator
  • regular monitoring of e-Safety incident logs
  • The Headteacher has a duty of care for ensuring the safety (including e-Safety) of members
    of the school community, though the day to day responsibility for e-Safety may be delegated to
    the e-Safety Co-ordinator.
  • The Headteacher and the Deputy Headteacher are aware of the procedures to be followed in the event of a serious e-Safety allegation being made against a member of staff.
  • The Headteacher is responsible for ensuring that the e-Safety Coordinator and other relevant staff receive suitable training to enable them to carry out their e-Safety roles and to train other colleagues, as relevant.
  • The Headteacher will ensure that there is a system in place to allow for monitoring and support of
    those in school who carry out the internal e-Safety monitoring role. This is to provide a safety net
    and also support to those colleagues who take on important monitoring roles.
  • The Senior Leadership Team / Senior Management Team will receive regular monitoring reports from the e-Safety Co-ordinator / Officer.

e-Safety Coordinator / Officer:

The e-Safety Coordinator

  • takes day to day responsibility for e-Safety issues and has a leading role in establishing and
    reviewing the school e-Safety policies / documents
  • ensures that all staff are aware of the procedures that need to be followed in the event of an e-
    Safety incident taking place.
  • provides (or identifies sources of) training and advice for staff
  • liaises with (school) technical staff
  • receives reports of e-Safety incidents 3 and creates a log of incidents to inform future e-Safety developments.
  • meets regularly with e-Safety coordinator to discuss current issues, review incident logs and if
    possible, filtering / change control logs
  •  attends relevant meeting
  • reports regularly to Senior Leadership Team
    Network Manager /

Technical staff:

The school has a managed ICT service provided by an outside contractor. It is the responsibility of the school to ensure that the managed service provider carries out all the e-Safety measures that would otherwise be the
responsibility of the school technical staff, as suggested below.

It is also important that the managed service provider is fully aware of the school e-Safety policy and procedures.

Teaching and Support Staff

Are responsible for ensuring that:

  • they have an up to date awareness of e-Safety matters and of the current school e-Safety
    policy and practices
  • they have read, understood and signed the Staff Acceptable Use Policy / Agreement (AUP /
    AUA)
  • they report any suspected misuse or problem to the Headteacher /e-Safety Coordinator /
    for investigation / action
  • all digital communications with students / pupils / parents / carers should be on a professional level and only carried out using official school systems
  • e-Safety issues are embedded in all aspects of the curriculum and other activities
  • students / pupils understand and follow the e-Safety and acceptable use agreements / policies
  • they monitor the use of digital technologies, mobile devices, cameras etc in lessons and other
    school activities (where allowed) and implement current policies with regard to these devices
  • in lessons where internet use is pre-planned students / pupils should be guided to sites checked
    as suitable for their use and that processes are in place for dealing with any unsuitable material
    that is found in internet searches

Safeguarding Designated Person

The Safeguarding Designated Person should be trained in e-Safety issues and be aware of the potential for serious safeguarding issues to arise from:

  • sharing of personal data
  • access to illegal / inappropriate materials
  • inappropriate on-line contact with adults / strangers
  • potential or actual incidents of grooming
  • cyber-bullying

e-Safety Group
The e-Safety Group provides a consultative group that has wide representation from the school community, with responsibility for issues regarding e-Safety and monitoring the e-Safety policy including the impact of initiatives.

Members of the e-Safety Group will assist the e-Safety Coordinator with:

  • the production / review / monitoring of the school e-Safety policy / documents.
  • mapping and reviewing the e-Safety curricular provision – ensuring relevance, breadth and
    progression
  • monitoring network / internet / incident logs where possible
  • consulting stakeholders – including parents / carers and the students / pupils about the e-Safety
    provision
    • monitoring improvement actions identified through use of the 360 degree a self-review tool

An e-Safety Group Terms of Reference Template can be found in the appendices (B4)
Students / pupils:

  • are responsible for using the school digital technology systems in accordance with the
    Student / Pupil Acceptable Use Agreement
  • have a good understanding of research skills and the need to avoid plagiarism and uphold
    copyright regulations
  • need to understand the importance of reporting abuse, misuse or access to inappropriate
    materials and know how to do so
  • will be expected to know and understand policies on the use of mobile devices and digital
    cameras. They should also know and understand policies on the taking / use of images and on
    cyber-bullying.
  • should understand the importance of adopting good e-Safety practice when using digital
    technologies out of school and realise that the school’s e-Safety Policy covers their actions out of
    school, if related to their membership of the school

Parents / Carers

Parents / Carers play a crucial role in ensuring that their children understand the need to use the internet / mobile devices in an appropriate way. The school will take every opportunity to help parents understand these issues through parents’ evenings, newsletters, letters, website / VLE and information about national / local e-Safety campaigns / literature.

Parents and carers will be encouraged to support the school in promoting good e-Safety practice and to follow guidelines on the appropriate use of:

  • digital and video images taken at school events
  • access to parents’ sections of the website / VLE and on-line student / pupil records
  • their children’s personal devices in the school (where this is allowed)
    Community Users
    Community Users who access school systems / website / VLE as part of the wider school provision will be expected to sign a Community User AUA before being provided with access to school systems.


Policy Statements
Education – young people

Whilst regulation and technical solutions are very important, their use must be balanced by educating students / pupils to take a responsible approach.

The education of students / pupils in e-Safety is therefore an essential part of the school’s e-Safety provision.

Children and young people need the help and support of the school to recognise and avoid e-Safety risks and build their resilience.

e-Safety should be a focus in all areas of the curriculum and staff should reinforce e-Safety messages across the curriculum.

The e-Safety curriculum should be broad, relevant and provide progression, with opportunities for creative activities and will be provided in the following ways:

  • A planned e-Safety curriculum should be provided as part of ICT / Computing / PSE /
    Digital Literacy lessons or other lessons and should be regularly revisited
  • Key e-Safety messages should be reinforced as part of a planned programme of
    assemblies and tutorial / pastoral activities
  • Students / pupils should be taught in all lessons to be critically aware of the materials / content they access on-line and be guided to validate the accuracy of information.
  • Students / pupils should be taught to acknowledge the source of information used and to respect copyright when using material accessed on the internet
  • Students / pupils should be helped to understand the need for the student / pupil Acceptable Use
    Agreement and encouraged to adopt safe and responsible use both within and outside school
  • Staff should act as good role models in their use of digital technologies the internet and mobile
    devices
  • In lessons where internet use is pre-planned, it is best practice that pupils should be guided to sites
    checked as suitable for their use and that processes are in place for dealing with any unsuitable
    material that is found in internet searches.
  • Where students / pupils are allowed to freely search the internet, staff should be vigilant in
    monitoring the content of the websites the young people visit.
  • It is accepted that from time to time, for good educational reasons, students may need to research topics (e.g. racism, drugs, discrimination) that would normally result in internet searches being blocked. In such a situation, staff can request that the Technical Staff (or other relevant designated person) can temporarily remove those sites from the filtered list for the period of study. Any request to do so, should be auditable, with clear reasons for the need.

Education – parents / carers

Many parents and carers have only a limited understanding of e-Safety risks and issues, yet they play an essential role in the education of their children and in the monitoring / regulation of the children’s on-line behaviours. Parents may underestimate how often children and young people come across potentially harmful
and inappropriate material on the internet and may be unsure about how to respond.
The school will therefore seek to provide information and awareness to parents and carers through:

Education – The Wider Community

The school will provide opportunities for local community groups / members of the community to gain from the
school’s e-Safety knowledge and experience. This may be offered through the following:

  • Providing family learning courses in use of new digital technologies, digital literacy and e-Safety
  • e-Safety messages targeted towards grandparents and other relatives as well as parents.
  • The school website/Facebook page will provide e-Safety information for the wider community
  • Supporting community groups e.g. Early Years Settings, Childminders, youth / sports / voluntary
    groups to enhance their e-Safety provision – www.onlinecompass.org.uk)

Education & Training – Staff / Volunteers

It is essential that all staff receive e-Safety training and understand their responsibilities, as outlined in this policy.

Training will be offered as follows:

  • A programme of formal e-Safety training will be made available to staff. This will be regularly updated and reinforced. An audit of the e-Safety training needs of all staff will be carried out regularly. It is expected that some staff will identify e-Safety as a training need within the performance management process.
  • All new staff will receive e-Safety training as part of their induction programme, ensuring
    that they fully understand the school e-Safety policy and Acceptable Use Agreements.
  • The e-Safety Coordinator will receive regular updates through attendance at external training events and by reviewing guidance documents released by relevant organisations.
  • This e-Safety policy and its updates will be presented to and discussed by staff in staff / team meetings / INSET days.
  • The e-Safety Coordinator will provide advice / guidance / training to individuals as required.

Technical – infrastructure / equipment, filtering and monitoring

The School infrastructure/equipment, filtering and monitoring is undertaken by an external, third party provider.

This includes

  • There will be regular reviews and audits of the safety and security of school technical
    systems
  • Servers, wireless systems and cabling must be securely located and physical access
    restricted
  • All users will have clearly defined access rights to school technical systems and devices.
  • Where appropriate users will be provided with a username and secure password
  • Users are responsible for the security of their username and password
  • The Headteacher is responsible for ensuring that software licence logs are accurate and up to date and that regular checks are made to reconcile the number of licences purchased
    against the number of software installations (Inadequate licencing could cause the school to
    breach the Copyright Act which could result in fines or unexpected licensing costs)
  • Internet access is filtered for all users.
  • Appropriate security measures are in place to protect the servers, firewalls, routers, wireless
    systems, work stations, mobile devices etc from accidental or malicious attempts which might
    threaten the security of the school systems and data. These are tested regularly. The school infrastructure and individual workstations are protected by up to date virus software.
  • The provision of temporary access of “guests” (e.g. trainee teachers, supply teachers, visitors) onto the school systems is allowed but is monitored by the Headteacher and the e-Safety coordinator.
  • An agreed policy is in place regarding the extent of personal use that users (staff / students /
    pupils / community users) and their family members are allowed on school devices that may be
    used out of school.
  • An agreed policy is in place that allows staff to / forbids staff from downloading executable files and installing programmes on school devices.
  • An agreed policy is in place regarding the use of removable media (e.g. memory sticks / CDs /
    DVDs) by users on school devices. Personal data cannot be sent over the internet or taken off
    the school site unless safely encrypted or otherwise secured.

Bring Your Own Device (BYOD)

At the current time School does not allow pupils to use their own technologies. This will be reviewed annually

Use of digital and video images
The development of digital imaging technologies has created significant benefits to learning, allowing staff and students / pupils instant use of images that they have recorded themselves or downloaded from the internet.

However, staff, parents / carers and students / pupils need to be aware of the risks associated with publishing digital images on the internet. Such images may provide avenues for cyberbullying to take place.

Digital images may remain available on the internet forever and may cause harm or embarrassment to individuals in the short or longer term. It is common for employers to carry out internet searches for information about potential and
existing employees.

The school will inform and educate users about these risks and will implement policies to
reduce the likelihood of the potential for harm:

  • When using digital images, staff should inform and educate students / pupils about the
    risks associated with the taking, use, sharing, publication and distribution of images. In
    particular they should recognise the risks attached to publishing their own images on the
    internet e.g. on social networking sites.
  • In accordance with guidance from the Information Commissioner’s Office, parents / carers are
    welcome to take videos and digital images of their children at school events for their own personal
    use (as such use in not covered by the Data Protection Act). To respect everyone’s privacy and in
    some cases protection, these images should not be published / made publicly available on social
    networking sites, nor should parents / carers comment on any activities involving other students /
    pupils in the digital / video images.
  • Staff and volunteers are allowed to take digital / video images to support educational aims, but
    must follow school policies concerning the sharing, distribution and publication of those images.
    Those images should only be taken on school equipment, the personal equipment of staff should
    not be used for such purposes.
  • Care should be taken when taking digital / video images that students / pupils are appropriately
    dressed and are not participating in activities that might bring the individuals or the school into disrepute.
  • Students / pupils must not take, use, share, publish or distribute images of others without their permission
  • Photographs published on the website, or elsewhere that include students / pupils will be selected
    carefully and will comply with good practice guidance on the use of such images.
  • Students’ / Pupils’ full names will not be used anywhere on a website or blog, particularly in
    association with photographs.
  • Written permission from parents or carers will be obtained before photographs of students / pupils are published on the school website
  • Student’s / Pupil’s work can only be published with the permission of the student / pupil and
    parents or carers.


Data Protection

Personal data will be recorded, processed, transferred and made available according to the Data Protection Act 1998 which states that personal data must be:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Kept no longer than is necessary
  • Processed in accordance with the data subject’s rights
  • Secure
  • Only transferred to others with adequate protection.

The school must ensure that:

  • It will hold the minimum personal data necessary to enable it to perform its function and it
    will not hold it for longer than necessary for the purposes it was collected for.
  • Every effort will be made to ensure that data held is accurate, up to date and that inaccuracies are corrected without unnecessary delay.
  • All personal data will be fairly obtained in accordance with the “Privacy Notice” and
    lawfully processed in accordance with the “Conditions for Processing”. (see Privacy Notice section in the appendix)
  • It has a Data Protection Policy
  • It is registered as a Data Controller for the purposes of the Data Protection Act (DPA)
  • The Headteacher is the responsible person as identified in the Data Protection Policy
  • Risk assessments are carried out
  • It has clear and understood arrangements for the security, storage and transfer of personal data
  • Data subjects have rights of access and there are clear procedures for this to be obtained
  • There are clear and understood policies and routines for the deletion and disposal of data
  • There is a policy for reporting, logging, managing and recovering from information risk incidents
  • There are clear Data Protection clauses in all contracts where personal data may be passed to
    third parties
  • There are clear policies about the use of cloud storage / cloud computing which ensure that such
    data storage meets the requirements laid down by the Information Commissioner’s Office.

Staff must ensure that they:

  • At all times take care to ensure the safe keeping of personal data, minimising the risk of its loss or misuse.
  • Use personal data only on secure password protected computers and other devices, ensuring that they are properly “logged-off” at the end of any session in which they are using personal data.
  • Transfer data using encryption and secure password protected devices.


When personal data is stored on any portable computer system, memory stick or any other removable media:

  • the data must be encrypted and password protected
  • the device must be password protected or stored at all times in the school safe.
  • the device must offer approved virus and malware checking software
  • the data must be securely deleted from the device, in line with school policy (below) once it has
    been transferred or its use is complete

Communications

This is an area of rapidly developing technologies and uses. Schools will need to discuss and agree how they intend to implement and use these technologies e.g. few schools allow students / pupils to use mobile phones in lessons, while others identify educational potential and allow their use.

This section may also be influenced by the age of the students / pupils. The table has been left blank for school to choose its own responses.

A wide range of rapidly developing communications technologies has the potential to enhance learning. The following table shows how the school currently considers the benefit of using these technologies for education outweighs their risks / disadvantages:

Staff & other adults

Students / Pupils

Communication Technologies

  • Mobile phones may be brought to school
  • Use of mobile phones in lesson
  • Use of mobile phones in social time
  • Taking photos on mobile phones / cameras
  • Use of other mobile devices e.g. tablets.
  • Use of personal email addresses in school, or on school network
  • Use of school email for personal emails
  • Use of messaging apps
  • Use of social media
  • Use of blogs

The school may also wish to add some of the following policy statements about the use of communications technologies, in place of, or in addition to the above table:


When using communication technologies the school considers the following as good practice:

  • The official school email service may be regarded as safe and secure and is monitored.
    Users should be aware that email communications are monitored. Staff and students / pupils
    should therefore use only the school email service to communicate with others when in school,
    or on school systems (e.g. by remote access).
  • Users must immediately report to the nominated person – in accordance with the school
    policy – the receipt of any communication that makes them feel uncomfortable, is
    offensive, discriminatory, threatening or bullying in nature and must not respond to any
    such communication.
  • Any digital communication between staff and students / pupils or parents / carers (email,
    chat, VLE etc) must be professional in tone and content. These communications may only
    take place on official (monitored) school systems. Personal email addresses, text messaging or social media must not be used for these communications.
  • Whole class / group email addresses may be used in the FP, while pupils at KS2 will be provided with individual school email addresses for educational use.
  • Pupils should be taught about e-Safety issues, such as the risks attached to the sharing of personal details. They should also be taught strategies to deal with inappropriate communications and be reminded of the need to communicate appropriately when using digital technologies.
  • Personal information should not be posted on the school website and only official email
    addresses should be used to identify members of staff.


Social Media – Protecting Professional Identity

With an increase in use of all types of social media for professional and personal purposes a policy that sets out clear guidance for staff to manage risk and behaviour online is essential.

Core messages should include the protection of pupils, the school and the individual when publishing any material online.

All adults working with children and young people must understand that the nature and responsibilities of their work place them in a position of trust and that their conduct should reflect this.

All schools and LEAs have a duty of care to provide a safe learning environment for pupils and staff. Schools and LEAs could be held responsible, indirectly for acts of their employees in the course of their employment.

Staff members who harass, cyberbully, discriminate on the grounds of sex, race or disability or who defame a third party may render the school liable to the injured party. Reasonable steps to prevent predictable harm must be in place.

All staff working at any educational establishment are expected to demonstrate a professional approach and respect for pupils and their families and for colleagues and the learning setting.

The school provides the following measures to ensure reasonable steps are in place to minimise risk of harm to
pupils, staff and the school through limiting access to personal information:

  • Training to include: acceptable use; social media risks; checking of settings; data protection;
    reporting issues.
  • Clear reporting guidance, including responsibilities, procedures and sanctions
  • Risk assessment, including legal risk


School staff should ensure that:

  • No reference should be made in social media to students / pupils, parents / carers or school staff
  • They do not engage in online discussion on personal matters relating to members of the school
    community
  • Personal opinions should not be attributed to the school
  • Security settings on personal social media profiles are regularly checked to minimise risk of loss of personal information.

The school’s use of social media for professional purposes will be checked regularly by Senior Staff and e-Safety committee to ensure compliance with the Social Media, Data Protection, Communications, Digital Image and Video Policies.

Unsuitable / inappropriate activities

Some internet activity e.g. accessing child abuse images or distributing racist material is illegal and would obviously be banned from school and all other technical systems. Other activities e.g. cyber-bullying would be banned and could lead to criminal prosecution.

There are however a range of activities which may, generally, be legal but would be inappropriate in a school context, either because of the age of the users or the nature of those activities.

The school believes that the activities referred to in the following section would be inappropriate in a school context and that users, as defined below, should not engage in these activities in school or outside school when using school equipment or systems.

The school policy restricts usage as follows:


User Actions

Users shall not visit Internet sites, make, post, download, upload, data transfer, communicate or pass on, material, remarks, proposals or
comments that contain or relate to:

  • Child sexual abuse images The making, production or distribution of
    indecent images of children. Contrary to The Protection of Children Act
    1978
  • Grooming, incitement, arrangement or facilitation of sexual acts against children Contrary to the Sexual Offences Act 2003.
  • Possession of an extreme pornographic image (grossly offensive, disgusting or otherwise of an obscene character) Contrary to the Criminal Justice and Immigration Act 2008
  • criminally racist material in UK – to stir up religious hatred (or hatred on the grounds of sexual orientation) – contrary to the Public Order Act 1986
  • pornography
  • promotion of any kind of discrimination
  • threatening behaviour, including promotion of physical violence or mental harm
  • any other information which may be offensive to colleagues or breaches the integrity of the ethos of the school or brings the school into disrepute
  • Using school systems to run a private business
  • Using systems, applications, websites or other mechanisms that bypass the filtering or other safeguards employed by the school
  • Infringing copyright
  • Revealing or publicising confidential or proprietary information (e.g. financial / personal information, databases, computer / network access codes and passwords)
  • Creating or propagating computer viruses or other harmful files
  • Unfair usage (downloading / uploading large files that hinders others in their use of the internet)
  • On-line gaming (educational)
  • On-line gaming (non educational)
  • On-line gambling
  • On-line shopping / commerce
  • File sharing
  • Use of social media
  • Use of messaging apps
  • Use of video broadcasting e.g. YouTube

Responding to incidents of misuse

This guidance is intended for use when staff need to manage incidents that involve the use of online services. It encourages a safe and secure approach to the management of the incident. Incidents might involve illegal or inappropriate activities (see “User Actions” above).

Illegal Incidents

If there is any suspicion that the web site(s) concerned may contain child abuse images, or if there is
any other suspected illegal activity, refer to the right hand side of the Flowchart (below and appendix)
for responding to online safety incidents and report immediately to the police.

Other Incidents

It is hoped that all members of the school community will be responsible users of digital technologies, who understand and follow school policy.

However, there may be times when infringements of the policy could take place, through careless or irresponsible or, very rarely, through deliberate misuse.

In the event of suspicion, all steps in this procedure should be followed:

  • Have more than one senior member of staff / volunteer involved in this process. This is vital to
    protect individuals if accusations are subsequently reported.
  • Conduct the procedure using a designated computer that will not be used by young people and if
    necessary, can be taken off site by the police should the need arise. Use the same computer for
    the duration of the procedure.
  • It is important to ensure that the relevant staff should have appropriate internet access to conduct
    the procedure, but also that the sites and content visited are closely monitored and recorded (to
    provide further protection)
  • Record the URL of any site containing the alleged misuse and describe the nature of the content
    causing concern. It may also be necessary to record and store screenshots of the content on the
    machine being used for investigation. These may be printed, signed and attached to the form
    (except in the case of images of child sexual abuse – see below)
  • Once this has been completed and fully investigated the group will need to judge whether this
    concern has substance or not. If it does then appropriate action will be required and could include
    the following:
    • Internal response or discipline procedures
    • Involvement by LEA or national / local organisation (as relevant).
    • Police involvement and/or action
    • If content being reviewed includes images of Child abuse then the monitoring should be
    halted and referred to the Police immediately.

Other instances to report to the police would
include:

  • incidents of ‘grooming’ behaviour
  • the sending of obscene materials to a child
  • adult material which potentially breaches the Obscene Publications Act
  • criminally racist material
  • other criminal conduct, activity or materials
  • Isolate the computer in question as best you can. Any change to its state may hinder a later police investigation.

It is important that all of the above steps are taken as they will provide an evidence trail for the school and possibly the police and demonstrate that visits to these sites were carried out for safeguarding purposes.

The completed form should be retained by the group for evidence and reference purposes.

School Actions

It is more likely that the school will need to deal with incidents that involve inappropriate rather than illegal misuse. It is important that any incidents are dealt with as soon as possible in a proportionate manner, and that members of the school community are aware that incidents have been dealt with. It is intended that incidents of
misuse will be dealt with through normal behaviour / disciplinary procedures as follows:

Students / Pupils Actions Incidents:

  • Deliberately accessing or trying to access material that could be considered illegal (see list in earlier section on unsuitable / inappropriate activities).
  • Unauthorised use of non-educational sites during lessons
  • Unauthorised use of mobile phone / digital camera / other mobile device
  • Unauthorised use of social media / messaging apps / personal email
  • Unauthorised downloading or uploading of files
  • Allowing others to access school network by sharing username and passwords
  • Attempting to access or accessing the school network, using another student’s / pupil’s account
  • Attempting to access or accessing the school network, using the account of a member of staff
  • Corrupting or destroying the data of other users
  • Sending an email, text or message that is regarded as offensive, harassment or of a bullying nature
  • Continued infringements of the above, following previous warnings or sanctions
  • Actions which could bring the school into disrepute or breach the integrity of the ethos of the school
  • Using proxy sites or other means to subvert the school’s filtering system
  • Accidentally accessing offensive or pornographic material and failing to report the incident
  • Deliberately accessing or trying to access offensive or pornographic material
  • Receipt or transmission of material that infringes the copyright of another person or infringes the Data Protection Act

Staff Actions

Incidents:

  • Deliberately accessing or trying to access material that could be considered illegal (see list in earlier section on unsuitable / inappropriate activities).
  • Inappropriate personal use of the internet / social media / personal email
  • Unauthorised downloading or uploading of files
  • Allowing others to access school network by sharing username and passwords or attempting to access or accessing the school network, using another person’s account
  • Careless use of personal data e.g. holding or transferring data in an insecure manner
  • Deliberate actions to breach data protection or network security rules
  • Corrupting or destroying the data of other users or causing deliberate damage to hardware or software
  • Sending an email, text or message that is regarded as offensive, harassment or of a bullying nature
  • Using personal email / social networking / instant messaging / text messaging to carrying out digital communications with students / pupils
  • Actions which could compromise the staff member’s professional standing
  • Actions which could bring the school into disrepute or breach the integrity of the ethos of the school
  • Using proxy sites or other means to subvert the school’s ’s filtering system
  • Accidentally accessing offensive or pornographic material and failing to report the incident
  • Deliberately accessing or trying to access offensive or pornographic material in school or using school hardware
  • Breaching copyright or licensing regulations
  • Continued infringements of the above, following previous warnings or sanctions

Appendices – Section A – Acceptable Use Agreement

  • Student / Pupil Acceptable Use Agreement template (younger children)
  • Student / Pupil Acceptable Use Agreement template (older children)
  • Staff and Volunteers Acceptable Use Agreement template
  • Parents / Carers Acceptable Use Agreement template
  • Community Users Acceptable Use Agreement template


Appendices – Section B – Specific Policies

  • School Technical Security Policy template
  • School Personal Data Policy template
  • School Bring Your Own Devices (BYOD) Template Policy
  • School e-Safety Committee Terms of Reference 


Appendices – Section C – Support documents and links

  • Responding to incidents of misuse – flowchart
  • Record of reviewing sites (for internet misuse)
  • School Reporting Log template
  • School Training Needs Audit template
  • Summary of Legislation
  • Office 365

 

Student / Pupil Acceptable Use Policy Agreement Template – for
younger pupils (Foundation / KS1)

This is how we stay safe when we use computers:

  • I will ask a teacher or another adult from the school if I want to use the
    computers
  • I will only use activities that a teacher or another adult from the school
    has told or allowed me to use.
  • I will take care of the computer and other equipment
  • I will ask for help from a teacher or another adult from the school if I
    am not sure what to do or if I think I have done something wrong.
  • I will tell a teacher or another adult from the school if I see something
    that upsets me on the screen.
  • I know that if I break the rules, I might not be allowed to use a
    computer.


Signed (child Yr 2 and above):……………………………………………

Signed (parent): …………………………………………..

Staff (and Volunteer) Acceptable Use Policy Agreement Template


School Policy


New technologies have become integral to the lives of children and young people in today’s society, both within
schools and in their lives outside school. The internet and other digital information and communications
technologies are powerful tools, which open up new opportunities for everyone.

These technologies can
stimulate discussion, promote creativity and stimulate awareness of context to promote effective learning.

They also bring opportunities for staff to be more creative and productive in their work. All users should have an
entitlement to safe internet access at all times.

This Acceptable Use Policy is intended to ensure:

  • that staff and volunteers will be responsible users and stay safe while using the internet and other
    communications technologies for educational, personal and recreational use.
  • that school ICT systems and users are protected from accidental or deliberate misuse that could put the security of the systems and users at risk.
  • that staff are protected from potential risk in their use of ICT in their everyday work.
    The school will try to ensure that staff and volunteers will have good access to ICT to enhance their work, to enhance learning opportunities for students / pupils learning and will, in return, expect staff and volunteers to
    agree to be responsible users.


Acceptable Use Policy Agreement

I understand that I must use school ICT systems in a responsible way, to ensure that there is no risk to my safety
or to the safety and security of the ICT systems and other users. I recognise the value of the use of ICT for enhancing learning and will ensure that students / pupils receive opportunities to gain from the use of ICT. I will,
where possible, educate the young people in my care in the safe use of ICT and embed e-Safety in my work with young people.

For my professional and personal safety:

  • I understand that the school will monitor my use of the ICT systems, email and other digital
    communications.
  • I understand that the rules set out in this agreement also apply to use of school ICT systems (eg laptops, email, etc) out of school, and to the transfer of personal data (digital or paper based) out of school
  • I understand that the school ICT systems are primarily intended for educational use and that I will only use the systems for personal or recreational use within the policies and rules set down by the school. (schools should amend this section in the light of their policies which relate to the personal use, by staff and volunteers, of school systems)
  • I will not disclose my username or password to anyone else, nor will I try to use any other person’s
    username and password. I understand that I should not write down or store a password where it is
    possible that someone may steal it.
  • I will immediately report any illegal, inappropriate or harmful material or incident, I become aware
    of, to the appropriate person.

I will be professional in my communications and actions when using school ICT
systems:

  • I will not access, copy, remove or otherwise alter any other user’s files, without their express
    permission.
  • I will communicate with others in a professional manner, I will not use aggressive or inappropriate language and I appreciate that others may have different opinions.
  • I will ensure that when I take and / or publish images of others I will do so with their permission and in accordance with the school’s policy on the use of digital / video images. I will not use my personal equipment to record these images, unless I have permission to do so. Where these images are published (e.g. on the school website it will not be possible to identify by name, or other personal information, those who are featured.
  • I will only use chat and social networking sites in school in accordance with the school’s policies.
  • I will only communicate with students / pupils and parents / carers using official school systems.
    Any such communication will be professional in tone and manner. I will not engage in any on-line
    activity that may compromise my professional responsibilities.

The school has a responsibility to provide safe and secure access to technologies and
ensure the smooth running of the school :

  • When I use my mobile devices (PDAs / laptops / mobile phones / etc) in school, I will follow the
    rules set out in this agreement, in the same way as if I was using school equipment.
  • I will also follow any additional rules set by the school about such use. I will ensure that any such devices are protected by up to date anti-virus software and are free from viruses.
  • I will not use personal email addresses on the school ICT systems.
  • I will not open any hyperlinks in emails or any attachments to emails, unless the source is known
    and trusted , or if I have any concerns about the validity of the email (due to the risk of the
    attachment containing viruses or other harmful programmes)
  • I will ensure that my data is regularly backed up, in accordance with relevant school policies.
  • I will not try to upload, download or access any materials which are illegal (child sexual abuse
    images, criminally racist material, adult pornography covered by the Obscene Publications Act) or inappropriate or may cause harm or distress to others.
  • I will not try to use any programmes or software that might allow me to bypass the filtering / security systems in place to prevent access to such materials.
  • I will not try (unless I have permission) to make large downloads or uploads that might take up internet capacity and prevent other users from being able to carry out their work.
  • I will not install or attempt to install programmes of any type on a machine, or store programmes on a computer, nor will I try to alter computer settings, unless this is allowed in school policies. (schools / academies should amend this section in the light of their policies on installing
    programmes / altering settings)
  • I will not disable or cause any damage to school equipment, or the equipment belonging to
    others.
  • I will only transport, hold, disclose or share personal information about myself or others, as outlined in the School Data Policy (or other relevant policy).
  • Where digital personal data is transferred outside the secure local network, it must be encrypted. Paper based Protected and
    Restricted data must be held in lockable storage.
  • I understand that data protection policy requires that any staff or student / pupil data to which I
    have access, will be kept private and confidential, except when it is deemed necessary that I am
    required by law or by school policy to disclose such information to an appropriate authority.
  • I will immediately report any damage or faults involving equipment or software, however this may have happened.

When using the internet in my professional capacity or for school sanctioned personal
use:

  • I will ensure that I have permission to use the original work of others in my own work
  • Where work is protected by copyright, I will not download or distribute copies (including music and videos).

I understand that I am responsible for my actions in and out of the school:

  • I understand that this Acceptable Use Agreement applies not only to my work and use of school
    ICT equipment in school, but also applies to my use of school ICT systems and equipment off the premises and my use of personal equipment on the premises or in situations related to my
    employment by the school.
  • I understand that if I fail to comply with this Acceptable Use Policy Agreement, I could be subject to disciplinary action. This could include (schools should amend this section to provide relevant sanctions as per their behaviour policies) a warning, a suspension, referral to the LEA and in the event of illegal activities the involvement of the police.

I have read and understand the above and agree to use the school ICT systems (both in and out of school) and my own devices (in school and when carrying out communications related to the school)
within these guidelines.


Staff / Volunteer Name

Signed

Date

 

Parent / Carer Acceptable Use Agreement Template

Digital technologies have become integral to the lives of children and young people, both within schools and outside school.

These technologies provide powerful tools, which open up new opportunities for everyone. They can stimulate discussion, promote creativity and stimulate awareness of context to promote effective learning.

Young people should have an entitlement to safe internet access at all times.


This Acceptable Use Policy is intended to ensure:

  • that young people will be responsible users and stay safe while using the internet and other
    communications technologies for educational, personal and recreational use.
  • that school systems and users are protected from accidental or deliberate misuse that could put
    the security of the systems and users at risk.
  • that parents and carers are aware of the importance of e-Safety and are involved in the education
    and guidance of young people with regard to their on-line behaviour.

The school will try to ensure that pupils will have good access to digital technologies to enhance their learning and will, in return, expect the students / pupils to agree to be responsible users.

A copy of the Student / Pupil Acceptable Use Agreement is attached to this permission form, so that parents / carers will be aware of the school expectations of the young people in their care.

Parents are requested to sign the permission form below to show their support of the school in this important aspect of the school’s work.

Permission Form

Parent / Carers Name

Student / Pupil Name


As the parent / carer of the above students / pupils, I give permission for my son / daughter to have access to the internet and to ICT systems at school.
Either: (KS2 and above)

I know that my son / daughter has signed an Acceptable Use Agreement and has received, or will receive, e-Safety education to help them understand the importance of safe use of technology and the internet – both in and out of school.
Or: (Foundation Phase)

I understand that the school has discussed the Acceptable Use Agreement with my son / daughter and that they have received, or will receive, e-Safety education to help them understand the importance of safe use of technology and the
internet – both in and out of school.

I understand that the school will take every reasonable precaution, including applying monitoring and filtering systems,
to ensure that young people will be safe when they use the internet and ICT systems.

I also understand that the school
cannot ultimately be held responsible for the nature and content of materials accessed on the internet and using mobile
technologies.

I understand that my son’s / daughter’s activity on the ICT systems will be monitored and that the school will contact me if they have concerns about any possible breaches of the Acceptable Use Agreement.

I will encourage my child to adopt safe use of the internet and digital technologies at home and will inform the school if I have concerns over my child’s e-Safety.


Signed

Date

 

Use of Digital / Video Images

The use of digital / video images plays an important part in learning activities.

Students / Pupils and members of staff may use digital cameras to record evidence of activities in lessons and out of school.

These images may then be used in presentations in subsequent lessons.

Images may also be used to celebrate success through their publication in newsletters, on the school website and occasionally in the public media.

The school will comply with the Data Protection Act and request parents / carers permission before taking images of members of the school.

We will also ensure that when images are published that the young people cannot be identified by the use of their names.

In accordance with guidance from the Information Commissioner’s Office, parents / carers are welcome to take videos and digital images of their children at school events for their own personal use (as such use in not covered by the Data Protection Act).

To respect everyone’s privacy and in some cases protection, these images should not be published / made publicly available on social networking sites, nor should parents / carers
comment on any activities involving other students / pupils in the digital / video images.

Parents / carers are requested to sign the permission form below to allow the school to take and use images of their children and for the parents / carers to agree.

Digital / Video Images Permission Form


Parent / Carers Name


Student / Pupil Name


As the parent / carer of the above student / pupil, I agree to the school taking and using digital / video images of my child / children.

I understand that the images will
only be used to support learning activities or in publicity that reasonably celebrates success and promotes the work of the school.

I agree that if I take digital or video images at, or of, – school events which include images of children, other than my own, I will abide by these guidelines in my use of these images.

Signed

Date

Yes / No

Yes / No

 

Acceptable Use Agreement for Community Users Template


This Acceptable Use Agreement is intended to ensure:

  • that community users of school digital technologies will be responsible users and stay safe while using these systems and devices
  • that school systems, devices and users are protected from accidental or deliberate misuse that
    could put the security of the systems and users at risk.
  • that users are protected from potential risk in their use of these systems and devices.


Acceptable Use Agreement

I understand that I must use school systems and devices in a responsible way, to ensure that there is no risk to my safety or to the safety and security of the systems, devices and other users.

This agreement will also apply to
any personal devices that I bring into the school 

  • I understand that my use of school systems and devices and digital communications will be
    monitored
  • I will not use a personal device that I have brought into school for any activity that would be inappropriate in a school setting
  • I will not try to upload, download or access any materials which are illegal (child sexual abuse
    images, criminally racist material, adult pornography covered by the Obscene Publications Act) or inappropriate or may cause harm or distress to others.
  • I will not try to use any programmes or software that might allow me to bypass the filtering / security systems in place to prevent access to such materials.
  • I will immediately report any illegal, inappropriate or harmful material or incident, I become aware
    of, to the appropriate person.
  • I will not access, copy, remove or otherwise alter any other user’s files, without permission.
  • I will ensure that if I take and / or publish images of others I will only do so with their permission. I
    will not use my personal equipment to record these images, without permission. If images are
    published it will not be possible to identify by name, or other personal information, those who are
    featured.
  • I will not publish or share any information I have obtained whilst in the school on any personal
    website, social networking site or through any other means, unless I have permission from the
    school.
  • I will not, without permission, make large downloads or uploads that might take up internet
    capacity and prevent other users from being able to carry out their work.
  • I will not install or attempt to install programmes of any type on a school device, nor will I try to
    alter computer settings, unless I have permission to do so.
  • I will not disable or cause any damage to school equipment, or the equipment belonging to
    others.
  • I will immediately report any damage or faults involving equipment or software, however this may have happened.
  • I will ensure that I have permission to use the original work of others in my own work
  • Where work is protected by copyright, I will not download or distribute copies (including music and videos).
  • I understand that if I fail to comply with this Acceptable Use Agreement, the school has the right to remove my access to school systems / devices

I have read and understand the above and agree to use the school ICT systems (both in and out of school) and my own devices (in school and when carrying out communications related to the school) within these guidelines.


Name

Signed Date

 

School Technical Security Policy Template (including filtering and
passwords)

Introduction
Effective technical security depends not only on technical measures, but also on appropriate policies and procedures and on good user education and training.

The LEA will be responsible for ensuring that the school infrastructure / network is as safe and secure as is reasonably possible and that:

  • users can only access data to which they have right of access
  • no user should be able to access another’s files (other than that allowed for monitoring purposes
    within the school’s policies)
  • access to personal data is securely controlled in line with the school’s personal data policy
  • logs are maintained of access by users and of their actions while users of the system
  • there is effective guidance and training for users
  • there are regular reviews and audits of the safety and security of school computer systems
  • there is oversight from senior leaders and these have impact on policy and practice.


Responsibilities

The management of technical security will be the responsibility of Headteacher.

Technical Security Policy statements

The school will be responsible for ensuring that the school infrastructure / network is as safe and secure as is reasonably possible and that policies and procedures approved within this policy are implemented.

It will also need to ensure that the relevant people will receive guidance and training and will be effective in carrying out
their responsibilities:

  • School technical systems will be managed by an external agency in ways that ensure that the school meets recommended technical requirements
  • There will be regular reviews and audits of the safety and security of school technical systems
  • Servers, wireless systems and cabling must be securely located and physical access restricted
  • Appropriate security measures are in place to protect the servers, firewalls, switches, routers, wireless systems, work stations, mobile devices etc from accidental or malicious attempts which might threaten the security of the school systems and data.
  • All users will have clearly defined access rights to school technical systems. Details of the access rights available to groups of users will be recorded by the Network Manager / Technical Staff / Other person and will be reviewed, at least annually, by the e-Safety Committee (or other group).
  • Users will be made responsible for the security of their username and password, must not allow other users to access the systems using their log on details and must immediately report any
    suspicion or evidence that there has been a breach of security.
  • The ICT coordinator is responsible for ensuring that software licence logs are accurate and up to date and that regular checks are made to reconcile the number of licences purchased against the number of software installations.)
  • Mobile device security and management procedures are in place (School / Managed Service Provider technical staff regularly monitor and record the activity of users on the school technical systems and users are made aware of this in the Acceptable Use Agreement.
  • Remote management tools are used by staff to control workstations and view users activity
  • An appropriate system is in place ) for users to report any actual / potential technical incident to
    the e-Safety Coordinator
  • An agreed policy is in place for the provision of temporary access of “guests” (e.g. trainee
    teachers, supply teachers, visitors) onto the school system.
  • • An agreed policy is in place regarding the downloading of executable files and the installation of programmes on school devices by users
  • An agreed policy is in place regarding the extent of personal use that users (staff / students /
    pupils / community users) and their family members are allowed on school devices that may be
    used out of school.
  • An agreed policy is in place regarding the use of removable media (e.g. memory sticks / CDs /
    DVDs) by users on school devices.
  • The school infrastructure and individual workstations are protected by up to date software to
    protect against malicious threats from viruses, worms, trojans etc.
  • Personal data cannot be sent over the internet or taken off the school site unless safely encrypted
    or otherwise secured.
  • Password Security
    A safe and secure username / password system is essential if the above is to be established and will apply to all school technical systems, including networks, devices, email and Virtual Learning Environment (VLE).


Policy Statements:

  • All users will have clearly defined access rights to school technical systems and devices. Details
    of the access rights available to groups of users will be recorded by the Network Manager (or
    other person) and will be reviewed, at least annually, by the e-Safety Committee (or other group)
  • All school networks and systems will be protected by secure passwords that are regularly changed
  • The “master / administrator” passwords for the school systems, used by the technical
    staff must also be available to the Headteacher or other nominated senior leader and kept in a secure place e.g. school safe. Consideration should also be given to using two factor authentication for such accounts.
  • Passwords for new users, and replacement passwords for existing users will be allocated. Any
    changes carried out must be notified to the manager of the password security policy (above).
  • All users (adults and young people) will have responsibility for the security of their username and password, must not allow other users to access the systems using their log on details and must immediately report any suspicion or evidence that there has been a breach of security.
  • Users will change their passwords at regular intervals – as described in the staff and student /
    pupil sections below.
  •  requests for password changes should be authenticated by (the responsible person) to ensure that the new password can only be passed to the genuine user (the school will need to decide how this can be managed – possibly by requests being authorised by a line manager for a request by a member of staff or by a member of staff for a request by a pupil / student)

Staff passwords:

  • All staff users will be provided with a username and password.
  • for best practice, the password should be a minimum of 8 characters long and must include three of – uppercase character, lowercase character, number, special characters
  • must not include proper names or any other personal information about the user that might be known by others
  • temporary passwords e.g. used with new user accounts or when users have forgotten their
    passwords, shall be enforced to change immediately upon the next account log-on
  • passwords shall not be displayed on screen, and shall be securely hashed (use of one-way encryption)
  • passwords should be different for different accounts, to ensure that other systems are not put at risk if one is compromised and should be different for systems used inside and outside of school
  • for best practice, should be changed at least every 60 to 90 days
  • should not re-used for 6 months and be significantly different from previous passwords created by the same user – the last four passwords cannot be re-used
  • should be different for different accounts, to ensure that other systems are not put at risk if one is
    compromised
  • should be different for systems used inside and outside of school
  • Student / pupil passwords:
    • All users will be provided with a username and password
  • Users will be required to change their password when requested by the class teacher which should be annually
  • Students / pupils will be taught the importance of password security
  • The complexity (ie minimum standards) will be set with regards to the cognitive ability of the
    children.


Training / Awareness:
Members of staff will be made aware of the school’s password policy:

  • at induction
  • through the school’s e-Safety policy and password security policy
  • through the Acceptable Use Agreement Pupils / students will be made aware of the school’s password policy:
    • in lessons
    • through the Acceptable Use Agreement


Audit / Monitoring / Reporting / Review:

The responsible person will ensure that full records are kept of:

  • User Ids and requests for password changes
  • User log-ons
  • Security incidents related to this policy


Filtering
Introduction

The filtering of internet content provides an important means of preventing users from accessing material that is illegal or is inappropriate in an educational context.

The filtering system cannot, however, provide a 100% guarantee that it will do so, because the content on the web changes dynamically and new technologies are constantly being developed.

It is important, therefore, to understand that filtering is only one element in a larger strategy for e-Safety and acceptable use.

It is important that the school has a filtering policy to manage the associated risks and to provide preventative measures which are relevant to the situation in this school.

Responsibilities:

The responsibility for the management of the school’s filtering will be undertaken by the external agency. They will manage the school filtering, in line with this policy and will keep records / logs of changes and of breaches of the filtering systems.

To ensure that there is a system of checks and balances and to protect those responsible, changes to the school filtering service must (schools should choose their relevant responses):

  • be reported to the ICT coordinator at the school
  • All users have a responsibility to report immediately to the ICT Coordinator any infringements of the school’s filtering policy of which they become aware or any sites that are accessed, which they believe should have been
    filtered.
  • Users must not attempt to use any programmes or software that might allow them to bypass the filtering / security systems in place to prevent access to such materials.

Policy Statements:
Internet access is filtered for all users. Differentiated internet access is available for staff and customised filtering changes are managed by the school. Illegal content is filtered by broadband or filtering provider by actively employing the Internet Watch Foundation CAIC list and other illegal content lists .

Filter content lists are regularly
updated and internet use is logged and frequently monitored. Ideally, the monitoring process alerts the school to breaches of the filtering policy, which are then acted upon.

There is a clear route for reporting and managing changes to the filtering system.

Where personal mobile devices are allowed internet access through the school network, filtering will be applied that is consistent with school practice.

  • The school maintains and supports the managed filtering service provided by the Internet Service Provider
  • In the event of the technical staff needing to switch off the filtering for any reason, or for any user,
    this must be logged and carried out by a process that is agreed by the Headteacher
  • Mobile devices that access the school internet connection (whether school or personal devices) will be subject to the same filtering standards as other devices on the school systems
  • Any filtering issues should be reported immediately to the filtering provider.
  • Requests from staff for sites to be removed from the filtered list will be considered by the technical staff or Service Provider. If the request is agreed, this action will be recorded and logs of such
    actions shall be reviewed regularly by the e-Safety Group.

Education / Training / Awareness:

Pupils / students will be made aware of the importance of filtering systems through the e-Safety education
programme.

They will also be warned of the consequences of attempting to subvert the filtering system.

Staff users will be made aware of the filtering systems through:

  • the Acceptable Use Agreement
  • induction training
  • staff meetings, briefings, Inset.
  • Parents will be informed of the school’s filtering policy through the Acceptable Use Agreement and through e-Safety awareness sessions / newsletter etc.


Changes to the Filtering System:

Users who gain access to, or have knowledge of others being able to access, sites which they feel should be filtered (or unfiltered) should report this in the first instance to the ICT coordinator who will decide whether to make school level changes (as above).

Monitoring:

No filtering system can guarantee 100% protection against access to unsuitable sites.

The school will therefore monitor the activities of users on the school network and on school equipment as indicated in the School e-Safety Policy and the Acceptable Use Agreement.

Audit / Reporting:

Logs of filtering change controls and of filtering incidents will be made available to:

  • the second responsible person
  • e-Safety Group
  • External Filtering provider / LEA / Police on request
    The filtering policy will be reviewed in the response to the evidence provided by the audit logs of the suitability of
    the current provision.

Further Guidance:

Schools may wish to seek further guidance. The following is recommended:

 

Introduction

Schools and their employees should do everything within their power to ensure the safety and security of any material of a personal or sensitive nature.

It is the responsibility of all members of the school community to take care when handling, using or transferring
personal data that it cannot be accessed by anyone who does not:

  • have permission to access that data, and/or
  • need to have access to that data.


Data breaches can have serious effects on individuals and / or institutions concerned, can bring the school into disrepute and may well result in disciplinary action, criminal prosecution and fines imposed by the Information
Commissioners Office . for the school and the individuals involved.

Particularly, all transfer of data is subject to risk of loss or contamination.

Anyone who has access to personal data must know, understand and adhere to this policy, which brings together the legal requirements contained in relevant data protection legislation and relevant regulations and guidance.

Policy Statements

The school will hold the minimum personal data necessary to enable it to perform its function and it will not hold
it for longer than necessary for the purposes it was collected for.

Every effort will be made to ensure that data held is accurate, up to date and that inaccuracies are corrected without unnecessary delay.

All personal data will be fairly obtained in accordance with the “Privacy Notice” and lawfully processed in accordance with the “Conditions for Processing”.

Personal Data

The school and individuals will have access to a wide range of personal information and data.

The data may be held in a digital format or on paper records.

Personal data is defined as any combination of data items that
identifies an individual and provides specific information about them, their families or circumstances.

This will include:

  • Personal information about members of the school community – including pupils / students,
    members of staff and parents / carers eg names, addresses, contact details, legal guardianship
    contact details, health records, disciplinary records
  • Curricular / academic data eg class lists, pupil / student progress records, reports, references
  • Professional records eg employment history, taxation and national insurance records, appraisal records and references
  • Any other information that might be disclosed by parents / carers or by other agencies working
    with families or staff members.

Responsibilities

The school’s Senior Information Risk Officer (SIRO) is the Head Teacher. This person will keep up to date with current legislation and guidance and will:

  • determine and take responsibility for the school’s information risk policy and risk assessment
  • appoint the Information Asset Owners (IAOs)
  • The school will identify Information Asset Owners (IAOs) for the various types of data being held (eg pupil / student information / staff information / assessment data etc).
  • The IAOs will manage and address risks to the information and will understand:
    • what information is held, for how long and for what purpose,
    • how information as been amended or added to over time, and
    • who has access to protected data and why

Everyone in the school has the responsibility of handling protected or sensitive data in a safe and secure manner.

Registration

The school is registered as a Data Controller on the Data Protection Register held by the Information
Commissioner.

http://www.ico.gov.uk/what_we_cover/register_of_data_controllers.aspx

Information to Parents / Carers – the “Privacy Notice”

In order to comply with the fair processing requirements of the DPA, the school will inform parents / carers of all pupils / students of the data they collect, process and hold on the pupils / students, the purposes for which the data is held and the third parties (eg LA, DfE, etc) to whom it may be passed. This privacy notice will be passed to parents / carers through the website.

Parents / carers of young people who are new to the school will be provided with the privacy notice through the website.

Training & awareness

All staff will receive data handling awareness / data protection training and will be made aware of their responsibilities, as described in this policy through: (schools should amend or add to as necessary)
• Induction training for new staff
• Staff meetings / briefings / Inset
• Day to day support and guidance from Information Asset Owners (or insert titles of relevant persons)

Risk Assessments

Information risk assessments will be carried out by Information Asset Owners to establish the security measures
already in place and whether they are the most appropriate and cost effective. The risk assessment will involve:

  • Recognising the risks that are present;
  • Judging the level of the risks (both the likelihood and consequences); and
  • Prioritising the risks.


Risk assessments are an ongoing process and should result in the completion of an Information Risk Actions Form (example below):


Risk ID Information Asset affected

Information
Asset Owner

Protective Marking (Impact
Level)

Likelihood Overall risk level (low,
medium, high)

Action(s) to minimise risk

Impact Levels and protective marking


Following incidents involving loss of data, the Government recommends that the Protective Marking Scheme should be used to indicate the sensitivity of data.

The Protective Marking Scheme is mapped to Impact Levels as
follows:
Government Protective Marking Scheme
label

Impact Level (IL) Applies to schools?

NOT PROTECTIVELY MARKED 0

Will apply in schools PROTECT 1 or 2
RESTRICTED 3
CONFIDENTIAL 4
Will not apply in schools HIGHLY CONFIDENTIAL 5
TOP SECRET 6

Most student / pupil or staff personal data that is used within educational institutions will come under the
PROTECT classification. However some, eg the home address of a child (or vulnerable adult) at risk will be
marked as RESTRICT.
The school will ensure that all school staff, independent contractors working for it, and delivery partners, comply
with restrictions applying to the access to, handling and storage of data classified as Protect, Restricted or
higher. Unmarked material is considered ‘unclassified’. The term ‘UNCLASSIFIED’ or ‘NON‘ or ‘NOT
PROTECTIVELY MARKED’ may be used to indicate positively that a protective marking is not needed.
All documents (manual or digital) that contain protected or restricted data will be labelled clearly with the Impact
Level shown in the header and the Release and Destruction classification in the footer.
Users must be aware that when data is aggregated the subsequent impact level may be higher than the
individual impact levels of the original data. Combining more and more individual data elements together in a
report or data view increases the impact of a breach. A breach that puts students / pupils at serious risk of harm
will have a higher impact than a risk that puts them at low risk of harm. Long-term significant damage to
anyone’s reputation has a higher impact than damage that might cause short-term embarrassment.
Release and destruction markings should be shown in the footer eg. “Securely delete or shred this information
when you have finished using it”.
Schools will need to review the above section with regard to LA policies (where relevant), which may be more
specific, particularly in the case of HR records.
Secure Storage of and access to data
The school will ensure that ICT systems are set up so that the existence of protected files is hidden from
unauthorised users and that users will be assigned a clearance that will determine which files are accessible to
them. Access to protected data will be controlled according to the role of the user. Members of staff will not, as a
matter of course, be granted access to the whole management information system.
All users will use strong passwords which must be changed regularly (insert relevant school details as per the
school’s password security policy). User passwords must never be shared.
Personal data may only be accessed on machines that are securely password protected. Any device that can
be used to access data must be locked if left (even for very short periods) and set to auto lock if not used for five
minutes.
All storage media must be stored in an appropriately secure and safe environment that avoids physical risk, loss
or electronic degradation.
Personal data can only be stored on school equipment (this includes computers and portable storage media
(where allowed). Private equipment (ie owned by the users) must not be used for the storage of personal data.
When personal data is stored on any portable computer system, USB stick or any other removable media:
• the data must be encrypted and password protected,
• the device must be password protected (many memory sticks / cards and other mobile devices
cannot be password protected),
• the device must offer approved virus and malware checking software (memory sticks will not
provide this facility, most mobile devices will not offer malware protection), and

40

• the data must be securely deleted from the device, in line with school policy (below) once it has
been transferred or its use is complete.

The school will need to set its own policy as to whether data storage on removal media is allowed, even if
encrypted – some organisations do not allow storage of personal data on removable devices.
The school has clear policy and procedures for the automatic backing up, accessing and restoring all data held
on school systems, including off-site backups. (the school will need to set its own policy, relevant to its physical
layout, type of ICT systems etc).
The school has clear policy and procedures for the use of “Cloud Based Storage Systems” (for example
Office365) and is aware that data held in remote and cloud storage is still required to be protected in line with the
Data Protection Act. The school will ensure that it is satisfied with controls put in place by remote / cloud based
data services providers to protect the data. (see appendix for further information and the ICO Guidance:
http://www.ico.org.uk/for_organisations/guidance_index/~/media/documents/library/Data_Protection/Practical_ap
plication/cloud_computing_guidance_for_organisations.ashx)
As a Data Controller, the school is responsible for the security of any data passed to a “third party”. Data
Protection clauses will be included in all contracts where data is likely to be passed to a third party.
All paper based Protected and Restricted (or higher) material must be held in lockable storage, whether on or off
site.
The school recognises that under Section 7 of the DPA, http://www.legislation.gov.uk/ukpga/1998/29/section/7
data subjects have a number of rights in connection with their personal data, the main one being the right of
access. Procedures are in place (insert details here) to deal with Subject Access Requests i.e. a written request to
see all or a part of the personal data held by the data controller in connection with the data subject. Data subjects
have the right to know: if the data controller holds personal data about them; a description of that data; the
purpose for which the data is processed; the sources of that data; to whom the data may be disclosed; and a copy
of all the personal data that is held about them. Under certain circumstances the data subject can also exercise
rights in connection with the rectification; blocking; erasure and destruction of data.
Secure transfer of data and access out of school
The school recognises that personal data may be accessed by users out of school, or transferred to the LA or
other agencies. In these circumstances:
• Users may not remove or copy sensitive or restricted or protected personal data from the school
or authorised premises without permission and unless the media is encrypted and password
protected and is transported securely for storage in a secure location
• Users must take particular care that computers or removable devices which contain personal data
must not be accessed by other users (eg family members) when out of school
• When restricted or protected personal data is required by an authorised user from outside the
organisation’s premises (for example, by a member of staff to work from their home), they should
preferably have secure remote access to the management information system or learning
platform;
• If secure remote access is not possible, users must only remove or copy personal or sensitive
data from the organisation or authorised premises if the storage media, portable or mobile device
is encrypted and is transported securely for storage in a secure location;
• Users must protect all portable and mobile devices, including media, used to store and transmit
personal information using approved encryption software; and
• Particular care should be taken if data is taken or transferred to another country, particularly
outside Europe, and advice should be taken from the LEA in this event.

Disposal of data
The school will comply with the requirements for the safe destruction of personal data when it is no longer
required.
The disposal of personal data, in either paper or electronic form, must be conducted in a way that makes
reconstruction highly unlikely. Electronic files must be securely overwritten, in accordance with government
guidance (see earlier section for reference to the Cabinet Office guidance), and other media must be shredded,
incinerated or otherwise disintegrated for data.

A Destruction Log should be kept of all data that is disposed of. The log should include the document ID,
classification, date of destruction, method and authorisation.
Audit Logging / Reporting / Incident Handling
It is good practice, as recommended in the “Data Handling Procedures in Government” document that the
activities of data users, in respect of electronically held personal data, will be logged and these logs will be
monitored by responsible individuals. The audit logs will be kept to provide evidence of accidental or deliberate
data security breaches – including loss of protected data or breaches of an acceptable use policy, for example.
The school has a policy for reporting, managing and recovering from information risk incidents, which
establishes:
• a “responsible person” for each incident;
• a communications plan, including escalation procedures;
• and results in a plan of action for rapid resolution; and
• a plan of action of non-recurrence and further awareness raising.
All significant data protection incidents must be reported through the SIRO to the Information Commissioner’s
Office based upon the local incident handling policy and communication plan.
Use of technologies and Protective Marking
The following provides a useful guide:

The information The technology Notes on Protect Markings

(Impact Level)

School life
and events

School terms, holidays, training
days, the curriculum, extra-
curricular activities, events,
displays of pupils work,
lunchtime menus, extended
services, parent consultation
events

Common practice is to use
publically accessible
technology such as school
websites or portal, emailed
newsletters, subscription
text services

Most of this information will
fall into the NOT
PROTECTIVELY MARKED
(Impact Level 0) category.

Learning and
achievement

Individual pupil / student
academic, social and
behavioural achievements,
progress with learning, learning
behaviour, how parents can
support their child’s learning,
assessments, attainment,
attendance, individual and
personalised curriculum and
educational needs.

Typically schools will make
information available by
parents logging on to a
system that provides them
with appropriately secure
access, such as a Learning
Platform or portal, or by
communication to a
personal device or email
account belonging to the
parent.

Most of this information will
fall into the PROTECT
(Impact Level 2) category.
There may be students/
pupils whose personal data
requires a RESTRICTED
marking (Impact Level 3) or
higher. For example, the
home address of a child at
risk. In this case, the school
may decide not to make this
pupil / student record
available in this way.

Messages
and alerts

Attendance, behavioural,
achievement, sickness, school
closure, transport arrangements,
and other information that it may
be important to inform or contact
a parent about as soon as
possible. This may be
particularly important when it is
necessary to contact a parent
concerning information that may
be considered too sensitive to

Email and text messaging
are commonly used by
schools to contact and
keep parents informed.
Where parents are
frequently accessing
information online then
systems e.g. Learning
Platforms or portals, might
be used to alert parents to
issues via “dashboards” of

Most of this information will
fall into the PROTECT
(Impact Level 1) category.
However, since it is not
practical to encrypt email or
text messages to parents,
schools should not send
detailed personally
identifiable information.
General, anonymous alerts
about schools closures or

43

make available using other
online means.

information, or be used to
provide further detail and
context.

transport arrangements
would fall into the NOT
PROTECTIVELY MARKED
(Impact Level 0) category.
Appendices: Additional issues / documents related to Personal Data
Handling in Schools:
Use of Biometric Information
The Protection of Freedoms Act 2012, includes measures that will affect schools and colleges that use biometric
recognition systems, such as fingerprint identification and facial scanning:
• For all pupils in schools and colleges under 18, they must obtain the written consent of a parent
before they take and process their child’s biometric data.
• They must treat the data with appropriate care and must comply with data protection principles as
set out in the Data Protection Act 1998.
• They must provide alternative means for accessing services where a parent or pupil has refused
consent.

Schools are no longer be able to use pupils’ biometric data without parental consent. The advice came into effect
in September 2013. Schools may wish to consider these changes when reviewing their Personal Data Handling
Template. Schools may wish to incorporate the parental permission procedures into existing parental forms (eg
AUP / Digital & Video Images permission form).
Use of Cloud Services
The movement towards tablet and other mobile technologies in schools presents both opportunities as well as
challenges. Ultimately, the opportunities are around teaching and learning; the challenges are around
successfully managing this pedagogical shift and taking staff, parents and pupils through this technological
change. At the heart of the change is a move away from devices or systems where information is stored locally,
to devices which can access data stored ‘in the cloud’. Just as a PC needs to be connected to a network to get
to the stored data, so must these mobile and tablet devices be connected to the cloud. Wireless access provides
this connection.
Software too can sit in the cloud removing the need for locally installed suites of software. Apps offer an
opportunity to create low cost, flexible learning opportunities which are device agnostic and which can create
personalised learning on a new level.
Schools using the Hwb+ learning platform will have been provisioned with Office 365 which offers cloud based
email, calendar and storage facilities as well as MS Office. By it’s nature, Office 365 is available on any device
which is connected to the internet meaning that these cloud based services can be accessed in school or at
home on smartphones, tablets, laptops, notebooks and PCs. Schools may wish to encourage a Bring Your Own
Device (BYOD) approach which will require as a minimum a strengthening of the existing Acceptable Use
Policy/Agreement.
Just as a school has obligations around data on its physical network, the same obligations are required when
dealing with data in the cloud i.e. it is still required to be protected in line with the Data Protection Act (DPA) and
may be subject to Freedom of Information (FOI) requests.
Freedom of Information
FOI may require anything you write in an official capacity to be potentially made public. This might mean you
need to consider how long content is stored for and the ease of which it can be recovered from a cloud archive.
Cloud services very often are not designed for the long term storage of content, particularly transient
communications with high volume like email. Schools should consider how to secure and back-up to a local
system what could be sensitive or important data.

Data Protection Act

Schools, like any other organisation, are subject to the Data Protection Act (DPA) and its eight basic principles.
The DPA refers to ‘personal data’ – this can be described generally as information which identifies an individual
and is personal to an individual.
The DPA contains eight ‘Data Protection Principles’ which specify that personal data must be:
• Processed fairly and lawfully
• Obtained for specified and lawful purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept any longer than necessary
• Processed in accordance with the ‘data subject’s’ (the individual’s) rights
• Securely kept
• Not transferred to any other country without adequate protection
It’s also worth considering that whilst not all data is ‘personal’, the information that is, has varying levels of
sensitivity based on the impact were it to be compromised.

Safeguarding
There are also safeguarding obligations for the use of technology in schools that include (possibly in partnership
with your service provider):
• Effectively monitoring the use of systems to detect potential and actual safeguarding issues
• Monitoring, alerting and responding to illegal activity
• Providing consistent safeguarding provision both within and beyond school if devices/services
leave the site
Criminal Activity
Schools have an immediate obligation to report illegal or criminal activity to the Police. A detailed summary of
legislation that pertains to safeguarding and schools which can be found elsewhere in this documentation.
Other services e.g. Facebook, Twitter, etc are useful cloud tools in and beyond the classroom but it is important
to be aware of age restrictions here too. US Law requires any company operating within the US to comply with
the Children’s Online Privacy Protection Act (COPPA) which legislates against companies who store, process
and manage information on children aged 13 and under and the active or targeted marketing to that age group.
Where is the cloud?
Most education systems have to make use of personal information to function. The DPA (Principle 8) states that
personal data must not be transferred to any other country without adequate protection in situ. Data protection
requirements vary widely across the globe. Countries in the EU approach privacy protection differently to those
outside and are more stringent in the detail and responsibilities of data users than perhaps the US. Microsoft
Office 365 is held in data centres in Amsterdam and Dublin.
Security concerns
Can anyone access data in the cloud centre where it sits? Data centres are required to have stringent physical
interventions in place against data being compromised from internal or external access. There are sophisticated
security mechanisms in place to prevent external hacking of data. Whilst this cannot always be guaranteed to be
100% safe, this sophistication is often beyond the local capability of a single school and so can be regarded as
reasonable duty of care.
Access to data through devices is much more likely given that devices are going to and from school in bags, on
buses, or left lying around at home or school so security now becomes much more of an issue at a user level
than it ever has before. If a device goes missing or breaks, the big advantage of cloud systems is that, apart
from simple local settings, content is in the cloud so data is not ‘lost’ in the same way as if your laptop was stolen
or suffers a hard drive failure. Cloud services can offer device management systems that can lock or locate a
device if missing.

Passwords and authentication are critical at any point in securing access to data but are especially so with data
in the cloud. Some points to consider are:
• Are passwords strong?
• Do users know what a strong password looks like?
• Do you insist on rolling user passwords regularly? Every 60 days? Many businesses do as good
practice.
• Are users educated in good password practice? Is this backed up with a clear and reliable
password policy?

If you need a template then one can be found as part of this policy suite.
It’s also important to ensure there is a clear and reliable culture around reporting issues such as compromise,
loss or unethical practice. This doesn’t happen on its own and needs to be taught. Again, the common sense,
everyday good practice around logging out of systems when finished, having a management plan in place if
something goes wrong, and having reporting mechanisms in place also applies to using cloud technologies.
For example, South West Grid for Learning have produced a free Digital Literacy and Citizenship Curriculum for
Foundation Stage to Year 10+ which has a variety of strands one of which focuses on Privacy and Security.
Pupils and students learn strategies for managing their online information and keeping it secure from online risks
such as identity thieves and phishing. They learn how to create strong passwords, how to avoid scams and
schemes, and how to analyse privacy policies. The version of this resource for Wales is available via Hwb
(November 2014).
Monitoring users
Local networks based on site have the advantage of being relatively easy to filter and monitor for inappropriate
or illegal use and many schools will already have these systems in place. Filtering can be provided as part of a
school’s internet provision, particularly if they have that service delivered through the local/unitary authority. A
school may choose to provide its own through a variety of commercial solutions.
However, when services move into a wider cloud-based environment hosted by an external partner it becomes
more difficult to know what users are storing or accessing, particularly if their connectivity away from the school
is a domestic one.
With all of those separate user folders and portfolios with their separate passwords and widely varying content,
how can you be sure they are not being used to store inappropriate materials? Illegal materials? The school
provides the tools e.g. Office 365 and there is therefore an expectation that the school should ensure that users
are operating in a space that is safe as can be created.
Microsoft state in their user agreements that they reserve the right to actively search stored files.
This means that the school also needs to be clear about what the expectations are around illegal and
inappropriate content and how it intends to ensure those expectations are met. These might include:
• Clear and effective agreement through an Acceptable Use Policy or computer splash screen with
“agree” button
• Positive statements around the use of technology dotted around areas where that technology
might be used (particularly effective are student-designed posters)
• Active education in raising awareness of what illegal or inappropriate both mean
• Staff development in recognising and escalating reports of illegal content
• Reminders that Cloud Service Providers can and do scan content stored on their servers and that
an archive exists
• Establish regular spot checks on mobile devices and advertise the fact that these will be carried
out on school devices and removable media
• Establish and communicate that One Drives provided as part of a school cloud solution will be
subject to random spot checks by resetting passwords back to default to allow auditing or set the
expectation that users should share their online folders with their teacher. The system has been
provided for educational use so there should not be anything in there that isn’t related to learning.

Managing accounts and users
Dealing with one tablet or smartphone on your own account is empowering; you can make choices about how
you set it up, the apps you want; the subscriptions you choose and how many photos or documents to store on
it. Setting up tens of devices with potentially hundreds of users has a whole different set of considerations:

• The distribution and timetabling of school owned devices (particularly those that go home?)
• Can users store content locally on the tablet e.g. photos?
• Can school network and connectivity sustain the use of many devices?
• Is there one standard profile for everyone or can each user customise?
• How are those profiles managed or swapped?
• Are personal devices allowed to be commissioned to the school system (BYOD)?
A Mobile Device Management layer can be critical in establishing access rights to these technologies. You may
need to consult with your service provider to investigate what options are available to you.
If things go wrong
Like any other safeguarding issue there must be clear and rigorous incident management practice that is
consistent with other safeguarding policy.
• Clear and well communicated policy
• Effective routines for securing and recording evidence
• Established reporting routes that are well-communicated, respected and agreed by all
• Clearly communicated sanctions that have been agreed and shared with all users
• Audit trails that are used to shape interventions and inform future practice
What policies and procedures should be put in place for individual users of cloud-
based services?
The school is ultimately responsible for the contract with the provider of the system.
Appendix C6 provides a useful summary of issues around Office 365 written with the support of Microsoft:
The document focusses on Office 365, but poses important considerations if a school is considering services
from another provider.
Privacy and Electronic Communications
Schools should be aware that the Privacy and Electronic Communications Regulations have changed and that
they are subject to these changes in the operation of their websites.
Freedom of Information Act
All schools must have a Freedom of Information Policy which sets out how it will deal with FOI requests. In this
policy the school should:
• Delegate to the Headteacher / Principal day-to-day responsibility for FOIA policy and the provision
of advice, guidance, publicity and interpretation of the school’s policy.
• Consider designating an individual with responsibility for FOIA, to provide a single point of
reference, coordinate FOIA and related policies and procedures, take a view on possibly sensitive
areas and consider what information and training staff may need.
• Proactively publish information with details of how it can be accessed through a Publication
Scheme (see Model Publication Scheme below) and review this annually.
• Ensure that a well-managed records management and information system exists in order to
comply with requests.
• Ensure a record of refusals and reasons for refusals is kept, allowing the Academy Trust to review
its access policy on an annual basis.

Model Publication Scheme
The Information Commissioners Office provides schools with a model publication scheme which they should
complete. This was revised in 2009, so any school with a scheme published prior to then should review this as a
matter of urgency. The school’s publication scheme should be reviewed annually.
Guidance on the model publication scheme can be found at:
http://www.ico.gov.uk/for_organisations/freedom_of_information/guide/publication_scheme.aspx

The Schools Model Publication Scheme Template is available from:
http://www.ico.gov.uk/upload/documents/library/freedom_of_information/detailed_specialist_guides/school
s_england_mps_final.pdf
Further Guidance
ICO guidance can be found at the following link – including a pdf version – updated in September 2012:
http://www.ico.gov.uk/for_organisations/freedom_of_information/guide.aspx

B3 School Bring Your Own Devices (BYOD) Template Policy
Devices are brought into the school entirely at the risk of the owner and the decision to bring the device
in to the school lies with the user and their parents/carers as does the liability for any loss or damage
resulting from the use of the device in school.
The school accepts no responsibility or liability in respect of lost, stolen or damaged devices while at
school or on activities organised or undertaken by the school.
The school accepts no responsibility for any malfunction of a device due to changes made to the device
while on the school network.
The school recommends that the devices are made easily identifiable and have a protective case to help secure
them as the devices are moved around the school. Pass-codes or PINs should be set on personal devices to aid
security.
The school is not responsible for the day to day maintenance or upkeep of the user’s personal device such as
the charging of any device, the installation of software updates or the resolution of hardware issues.

BYOD access will not be permitted without authorisation through the return of the Acceptable Use
Agreement permission slip which has been countersigned b the parents/carers of the student.
Users are expected to act responsibly, safely and respectfully in line with current Acceptable Use Agreements
Users are responsible for keeping their device up to date through software, security and app updates
Users are responsible for charging their own devices and for protecting and looking after their devices while in
school

B4 School Policy Template – e-Safety Group Terms of Reference
1. PURPOSE
To provide a consultative group that has wide representation from the community, with responsibility for issues
regarding e-Safety and the monitoring the e-Safety policy including the impact of initiatives.
2. MEMBERSHIP
2.1 The e-Safety committee will seek to include representation from all stakeholders.
The composition of the group should include

• SLT member/s
• Safeguarding officer
• Teaching staff member
• Support staff member
• e-Safety coordinator (not ICT coordinator by default)
• Parent / Carer
• ICT Technical Support staff (where possible)
• Community users (where appropriate)
• Student / pupil representation – for advice and feedback. Student / pupil voice is essential in the
make up of the e-Safety committee, but students / pupils would only be expected to take part in
committee meetings where deemed relevant.

2.2 Other people may be invited to attend the meetings at the request of the Chairperson on behalf of the
committee to provide advice and assistance where necessary.
2.3 Committee members must declare a conflict of interest if any incidents being discussed directly involve
themselves or members of their families.
2.4 Committee members must be aware that many issues discussed by this group could be of a sensitive or
confidential nature
2.5 When individual members feel uncomfortable about what is being discussed they should be allowed to leave
the meeting with steps being made by the other members to allow for these sensitivities

3. CHAIRPERSON
The Committee should select a suitable Chairperson from within the group. Their responsibilities include:

• Scheduling meetings and notifying committee members;
• Inviting other people to attend meetings when required by the committee;
• Guiding the meeting according to the agenda and time available;
• Ensuring all discussion items end with a decision, action or definite outcome;
• Making sure that notes are taken at the meetings and that these with any action points are
distributed as necessary
4. DURATION OF MEETINGS
Meetings shall be held termly for a period of 2 hour(s). A special or extraordinary meeting may be called when
and if deemed necessary.

5. FUNCTIONS
These are to assist the e-Safety Co-ordinator (or other relevant person) with the following:
• To keep up to date with new developments in the area of e-Safety
• To (at least) annually review and develop the e-Safety policy in line with new technologies and
incidents
• To monitor the delivery and impact of the e-Safety policy
• To monitor the log of reported e-Safety incidents (anonymous) to inform future areas of
teaching / learning / training.
• To co-ordinate consultation with the whole school community to ensure stakeholders are up to
date with information, training and/or developments in the area of e-Safety. This could be
carried out through:
 Staff meetings
 Student / pupil forums (for advice and feedback)
 Surveys/questionnaires for students / pupils, parents / carers and staff
 Parents evenings
 Website/VLE/Newsletters
 e-Safety events
 Internet Safety Day
 Other methods
• To ensure that monitoring is carried out of Internet sites used across the school (if possible)
• To monitor filtering / change control logs (e.g. requests for blocking / unblocking sites).
• To monitor the safe use of data across the [school]
• To monitor incidents involving cyberbullying for staff and pupils

C1 Responding to incidents of misuse – flow chart

C2 Record of reviewing devices / internet sites (responding to incidents of
misuse)
Group
Date
Reason for investigation

Details of first reviewing person
Name
Position
Signature

Details of second reviewing person
Name
Position
Signature

Name and location of computer used for review (for web sites)

Web site(s) address / device Reason for concern

Conclusion and Action proposed or taken

C3 Template Reporting Log

C4 Training Needs Audit

C5 Summary of Legislation
Schools should be aware of the legislative framework under which this e-Safety Policy template and guidance
has been produced. It is important to note that in general terms an action that is illegal if committed offline is also
illegal if committed online.
It is recommended that legal advice is sought in the advent of an e safety issue or situation.
Computer Misuse Act 1990
This Act makes it an offence to:

• Erase or amend data or programs without authority;
• Obtain unauthorised access to a computer;
• “Eavesdrop” on a computer;
• Make unauthorised use of computer time or facilities;
• Maliciously corrupt or erase data or programs;
• Deny access to authorised users.

Data Protection Act 1998
This protects the rights and privacy of individual’s data. To comply with the law, information about individuals
must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully. The
Act states that person data must be:
• Fairly and lawfully processed.
• Processed for limited purposes.
• Adequate, relevant and not excessive.
• Accurate.
• Not kept longer than necessary.
• Processed in accordance with the data subject’s rights.
• Secure.
• Not transferred to other countries without adequate protection.

Freedom of Information Act 2000
The Freedom of Information Act gives individuals the right to request information held by public authorities. All
public authorities and companies wholly owned by public authorities have obligations under the Freedom of
Information Act. When responding to requests, they have to follow a number of set procedures.
Communications Act 2003
Sending by means of the Internet a message or other matter that is grossly offensive or of an indecent, obscene
or menacing character; or sending a false message by means of or persistently making use of the Internet for
the purpose of causing annoyance, inconvenience or needless anxiety is guilty of an offence liable, on
conviction, to imprisonment. This wording is important because an offence is complete as soon as the message
has been sent: there is no need to prove any intent or purpose.
Malicious Communications Act 1988
It is an offence to send an indecent, grossly offensive, or threatening letter, electronic communication or other
article to another person. It is also an offence to send information which is false and known or believed to be
false by the sender.
Regulation of Investigatory Powers Act 2000
It is an offence for any person to intentionally and without lawful authority intercept any communication. Where
the system controller has given express consent monitoring or keeping a record of any form of electronic
communications is permitted, in order to:
• Establish the facts;
• Ascertain compliance with regulatory or self-regulatory practices or procedures;
• Demonstrate standards, which are or ought to be achieved by persons using the system;

• Investigate or detect unauthorised use of the communications system;
• Prevent or detect crime or in the interests of national security;
• Ensure the effective operation of the system.
• Monitoring but not recording is also permissible in order to:
• Ascertain whether the communication is business or personal;
• Protect or support help line staff.

Trade Marks Act 1994
This provides protection for Registered Trade Marks, which can be any symbol (words, shapes or images) that
are associated with a particular set of goods or services. Registered Trade Marks must not be used without
permission. This can also arise from using a Mark that is confusingly similar to an existing Mark.
Copyright, Designs and Patents Act 1988
It is an offence to copy all, or a substantial part of a copyright work. There are, however, certain limited user
permissions, such as fair dealing, which means under certain circumstances permission is not needed to copy
small amounts for non-commercial research or private study. The Act also provides for Moral Rights, whereby
authors can sue if their name is not included in a work they wrote, or if the work has been amended in such a
way as to impugn their reputation. Copyright covers materials in print and electronic form, and includes words,
images, and sounds, moving images, TV broadcasts and other media (e.g. YouTube).
Criminal Justice & Public Order Act 1994 / Public Order Act 1986
This defines a criminal offence of intentional harassment, which covers all forms of harassment, including
sexual. A person is guilty of an offence if, with intent to cause a person harassment, alarm or distress, they:
• Use threatening, abusive or insulting words or behaviour, or disorderly behaviour; or
• Display any writing, sign or other visible representation, which is threatening, abusive or
insulting, thereby causing that or another person harassment, alarm or distress.

Racial and Religious Hatred Act 2006 / Public Order Act 1986
This Act makes it a criminal offence to threaten people because of their faith, or to stir up religious hatred by
displaying, publishing or distributing written material which is threatening. Other laws already protect people from
threats based on their race, nationality or ethnic background.
Protection from Harassment Act 1997
A person must not pursue a course of conduct, which amounts to harassment of another, and which he knows or
ought to know amounts to harassment of the other. A person whose course of conduct causes another to fear,
on at least two occasions, that violence will be used against him is guilty of an offence if he knows or ought to
know that his course of conduct will cause the other so to fear on each of those occasions.
Protection of Children Act 1978
It is an offence to take, permit to be taken, make, possess, show, distribute or advertise indecent images of children
in the United Kingdom. A child for these purposes is a anyone under the age of 18.. An image of a child also covers
pseudo-photographs (digitally collated or otherwise). A person convicted of such an offence is liable to
imprisonment for a term of not more than 10 years, or to a fine or to both.
Sexual Offences Act 2003
The new grooming offence is committed if you are over 18 and have communicated with a child under 16 at least twice
(including by phone or using the Internet) it is an offence to meet them or travel to meet them anywhere in the world with
the intention of committing a sexual offence. Causing a child under 16 to watch a sexual act is illegal, including looking at
images such as videos, photos or webcams, for your own gratification. It is also an offence for a person in a position of
trust to engage in sexual activity with any person under 18, with whom they are in a position of trust. (Typically, teachers,
social workers, health professionals, connexions staff fall in this category of trust). Any sexual intercourse with a child
under the age of 13 commits the offence of rape.
Public Order Act 1986

This Act makes it a criminal offence to stir up racial hatred by displaying, publishing or distributing written
material which is threatening. Like the Racial and Religious Hatred Act 2006 it also makes the possession of
inflammatory material with a view of releasing it a criminal offence.
Obscene Publications Act 1959 and 1964
Publishing an “obscene” article is a criminal offence. Publishing includes electronic transmission.
Human Rights Act 1998
This does not deal with any particular issue specifically or any discrete subject area within the law. It is a type of
“higher law”, affecting all other laws. In the school context, human rights to be aware of include:

• The right to a fair trial
• The right to respect for private and family life, home and correspondence
• Freedom of thought, conscience and religion
• Freedom of expression
• Freedom of assembly
• Prohibition of discrimination
• The right to education
• The right not to be subjected to inhuman or degrading treatment or punishment

The school is obliged to respect these rights and freedoms, but should balance them against those rights, duties
and obligations, which arise from other relevant legislation.
The Education and Inspections Act 2006
Empowers Headteachers, to such extent as is reasonable, to regulate the behaviour of students / pupils when
they are off the school site and empowers members of staff to impose disciplinary penalties for inappropriate
behaviour.
The Protection of Freedoms Act 2012
Requires schools to seek permission from a parent / carer to use Biometric systems

51

C6 Office 365 – further information
Where is the data stored?
Data for UK Schools is all hosted within the EU. The primary Microsoft data centre we host the service in is
located in Dublin and the fail-over is to Amsterdam.
How often is the data backed up?
The idea of “back up” is very different with Office365 than with traditional locally hosted services. We use a
network of globally redundant data centres and replicate data on multiple servers across the two data centres.
Does the email service provider have a clear process for recovering data?
Yes. Users themselves can recover data for 30 days after deleting an item. Administrators then have a further 30
days once the item is deleted from the deleted-items folder. There are also additional paid-for archiving services
available with Office365, but with a 25GB inbox per person the pressure on users to archive email is not as great
compared to existing email systems.
How does the email provider protect your privacy?
3 key things: No advertising, no “mingling” of Office 365 data with our consumer services (such as Hotmail) and
full data-portability, in case you ever want to leave the service.
Who owns the data that you store on the email platform?
Schools own the data. Microsoft does not. You own your data, and retain all rights, title and interest in the data
you store with Office 365. You can download a copy of all of your data at any time and for any reason, without
any assistance from Microsoft.
Who has access to the data?
By default no one has access to customer data within the Office 365 service. Microsoft employees who have
completed appropriate background checks and have justified need can raise an escalation for time-limited
access to Customer data. Access is regularly audited, logged and verified through the ISO 27001 Certification.
As detailed in a recent accreditation submission to the UK Government, any organisation that specify “UK” as
their country during tenant creation will be provisioned and data stored within the EU datacentres (Dublin and
Amsterdam).
Microsoft has been granted accreditation up to and including the UK government’s “Impact Level 2” (IL2)
assurance for Office 365. As of February 2013 Microsoft, are the only major international public cloud service
provider to have achieved this level of accreditation and, indeed, it is the highest level of accreditation possible
with services hosted outside of the UK (but inside of the EEA).
Schools may wish to consider the extent to which applicable laws in the US – which apply to services operated
by companies registered in the US, e.g. Microsoft and Google – affect the suitability of these services. For
example the US Patriot Act provides a legal means through which law enforcement agencies can access data
held within these services without necessarily needing the consent or even the knowledge of the customer.
Whilst Safe Start doesn’t intend to put anyone off getting value from these beneficial services, we feel it’s only
right to share what we know about them.
Is personal information shared with anyone else?
No personal information is shared.
Does the email provider share email addresses with third party advertisers? Or serve
users with ads?
No. There is no advertising in Office365.
What steps does the email provider take to ensure that your information is secure?

Microsoft uses 5 layers of security – data, application, host, network and physical. You can read about this in a
lot more detail here.
Office365 is certified for ISO 27001, one of the best security benchmarks available across the world. Office 365
was the first major business productivity public cloud service to have implemented the rigorous set of physical,
logical, process and management controls defined by ISO 27001.
EU Model Clauses. In addition to EU Safe Harbor, Office 365 is the first major business productivity public cloud
service provider to sign the standard contractual clauses created by the European Union (“EU Model Clauses”)
with all customers. EU Model Clauses address international transfer of data.
Data Processing Agreement. Microsoft offers a comprehensive standard Data Processing Agreement (DPA) to
all customers. DPA addresses privacy, security and handling of customer data. Our standard Data Processing
Agreement enables customers to comply with their local regulations. Visit here to get a signed copy of the DPA.
How reliable is the email service?
There is a 99.9% uptime commitment with financially-backed SLA for any paid-for services in Office365 (though
most schools will be using ‘free’ services and therefore will not receive the financially backed SLA).
What level of support is offered as part of the service?
Microsoft offer schools direct telephone support 24/7 for IT administrators and there is also a large range of
online help services, which you can read about here. Our recommendation is that schools use a Microsoft
partner or support organisation with industry specific expertise in cloud services for schools.