Information can take many forms. It includes but is not limited to:
- Handwritten documentation
- Information exchanged verbally through speech
- Video or audio footage
- Documents stored electronically
- Letters or other communication sent by post
Information is a major asset for the Trust and as such we all have a personal responsibility to protect and secure it.
Information security breaches carry varying degrees of risk to the Trust and to the individual academies within it. Risks include reputational damage, financial loss, business disruption and personal distress.
Very serious breaches can be catastrophic. Some real-life examples of information security breaches, and the consequences that followed, are given below.
Example 1 – School Data Breach
The ICO (Information Commissioner’s Office) is investigating a school in Hampstead following the discovery of a data breach affecting 400 students. A spreadsheet containing student names, their parents’ names, home addresses, phone numbers and email addresses had been publicly available for 18 months. The data had been compiled for a mail shot and had accidentally been placed in a shared area, leaving students and their parents exposed to unwanted contact and worse, since information of this kind can readily be used for fraud. The ICO is currently deciding what action to take, which could include a penalty of up to £500,000. In addition to a fine from the ICO, failing to comply with the Data Protection Act could result in the school having to pay compensation to the individuals affected, a reduction in its Ofsted rating and damaging media attention.
Example 2 – Misplaced Memory Stick
The Press (a York-based newspaper) exclusively reported in October 2015 that a memory stick, which was not password-protected and contained a number of documents “relating to the governance of a York school”, had been lost. The Press became aware of the incident after being contacted by a source, who claimed the memory stick contained highly sensitive information about pupils and former pupils.
Example 3 – Stolen Laptop
A school and a union in Barnet were subject to significant negative media attention and a hefty fine from the ICO in May 2011 after a laptop was stolen from an employee’s home. Enquiries found that, while the laptop had encryption software installed, the decision on whether or not to encrypt individual documents was left to the employee. At the time of the theft the laptop contained unencrypted personal information relating to approximately 100 individuals, including details of their union membership and, in some cases, details of their physical and mental health. Encryption that depends on each user choosing to apply it to individual files is not an effective control; it has to be applied to the whole device by default.
Example 4 – Leaked Email Addresses
On 1 September 2015, a staff member at the 56 Dean Street (Soho) clinic sent a newsletter to 781 subscribers of “Option E”, a service which allows patients with HIV to receive test results, schedule appointments and receive newsletters by email. Instead of entering the addresses in the “BCC” field, the individual entered them in the “To” field, so every recipient could see every other subscriber’s email address. The email addresses of 730 of the 781 subscribers also contained their full names, so recipients could identify the clinic’s patients. In response to the breach, the Information Commissioner’s Office fined the Chelsea and Westminster Hospital NHS Foundation Trust, which operates the clinic, £180,000.
The Trust holds and exchanges a vast amount of information, so the risk of a data breach is correspondingly high.
As an employee of the MAT you have a personal responsibility to ensure you do your bit to keep the information we hold safe and secure.
The following rules will help you to reduce the risk of security breaches:
- Lock offices when leaving them unattended for any length of time to prevent unauthorised access to personal information.
- Ensure manual records containing personal information are locked away in a cabinet or drawer when not in use.
- Dispose of documentation in the appropriate way when it has reached the end of its life.
- Keep your password and user ID to yourself and never share them with ANYONE. Change your password every 30 days and choose one that cannot easily be guessed.
- Make sure you save all documentation to the academy server / shared drive. Personal information should never be stored on an unencrypted mobile storage device (e.g. unencrypted laptops, memory sticks, iPads, portable hard drives and CDs).
- Ensure that your computer screen cannot be seen by anyone not authorised to view its content, and lock the screen whenever you leave the computer unattended.
- Never send personal information by fax unless the information has been de-personalised.
- Never send personal information by email, as its security cannot be guaranteed. If it is necessary to send information in this way, make sure the personal information has been either password protected or de-personalised. Send the data as an attachment to the email and flag the email as confidential. Always send the password needed to open the document separately, never in the same email as the attachment; a phone call or text message is stronger than a second email, because anyone who can read the first email can usually read the second.
- Never include personal information (such as a pupil’s name) in the subject line of an email.
- If sending an email to multiple recipients outside the school, use the blind copy (BCC) facility so that recipients cannot see each other’s email addresses (which, depending on the subject of the email, could themselves constitute personal information).
- If you are required within the course of your duties to take personal data home (including laptops, videos, etc), do not leave the information unattended for any length of time, especially in a vehicle overnight. Take great care when working on public transport to ensure your laptop screen cannot be seen by others.
- Never give out personal information over the telephone; instead, invite the caller to put the request in writing. If the request is urgent, take the caller’s name and switchboard telephone number and verify their details before responding.
- Do not discuss other people’s personal business in public areas where conversations can be overheard by people with no right to know the details of the information.
- Ensure scanned personal information is immediately saved to a restricted folder and deleted from the ‘scans’ folder which is accessible by all academy staff.
- Ensure confidential printing is collected immediately and not left on printers for others to see.
Of course, information security is also about protecting our assets from damage, loss and cyber-attacks. FRMAT works closely with its IT contractors to ensure that the Trust’s information is protected from malware and attackers.
You can help us to stay protected by:
- Checking that an email is genuine (sender, context and content) before opening attachments or clicking links, to avoid the risk of malware
- Storing paper records on shelves within a cabinet, avoiding the bottom shelf (because of the risk of flood damage)
- Not taking confidential information home, as the risk of loss, theft and damage is greatly increased during transportation (if this is absolutely necessary, seek permission from the Principal / Head of School, who will log it on the Information Asset Register and advise on the steps to be taken to keep the information secure)