Staff AUP
SIR GRAHAM BALFOUR MULTI-ACADEMY TRUST
ACCEPTABLE USE POLICY
1. Introduction
1.1 The Acceptable Use Policy is part of the SGBMAT’s suite of Information Security Policies. The Acceptable Use Policy must be read in conjunction with the Information Security Policy and its constituent Policies listed below:
- Data Protection Policy
- Freedom of Information Policy
- Records Management Policy
- Staff Code of Conduct
- Safeguarding Policy
- Student Code of Conduct
- Complaints Policy
- E-safety Policy
1.2 SGBMAT has a duty to ensure that information is correctly and professionally managed in the interests of:
- Confidentiality
- Integrity
- Availability
1.3
2. Aim
2.1 SGBMAT is responsible for all the data and information collected, analysed, stored, communicated and reported. However, there is a risk that data and information may be subject to theft, misuse, loss and corruption.
2.2 The SGBMAT Acceptable Use Policy is intended to create an environment in which data and information is secure and Users are appropriately trained and educated.
3. Key Elements
Scope
3.1 Information takes many forms and includes:
- hard copy data printed or written on paper;
- data stored electronically;
- communications sent by post/courier or using electronic means;
- stored tape, microfiche or video;
- speech.
This policy applies to information used in all ICT systems used by the MAT Academies.
3.2 This policy applies to:
- all employees working at all locations, including those working from home
- other workers (e.g. casual and agency workers, secondees and contractors) who have access to information systems or information used for SGBMAT purposes
- Governors of the LGB
- Trustees and Members of the SGBMAT Board.
(together the “Users”).
Policy Statement
3.3 SGBMAT recognises that information technology and communication systems play an essential role in enabling greater efficiency for staff and can significantly improve outcomes for students. To operate effectively within the MAT Academies these technologies and systems rely on staff and other ICT users observing relevant policies, procedures and best practice guidelines.
3.4 All Users must accept that SGBMAT’s ICT equipment (including mobile devices), email, network, and internet services may only be used in accordance with the Sir Graham Balfour MAT’s Information Security Policy and the other policies it encompasses including the Acceptable Use Policy and the Data Protection Policy all of which are available on Office 365. It is your responsibility to read and understand the contents of these policies and accept the terms and conditions contained within them. If you do not abide by these terms and conditions, your access to the system(s) may be restricted or removed and you may be subject to disciplinary action. Internet, network and email use is logged for audit monitoring purposes including inappropriate use and you are responsible for all activity logged against your network account. All passwords should remain confidential and should not be shared with others, whether verbally or otherwise.
3.5 This policy should be read in conjunction with the Policies listed in 1.1 above and the E Safety Policy. It is the responsibility of all SGBMAT staff to comply with these policies and be familiar with their content. Furthermore, Leadership Group, staff and contractors/guest users have specific responsibilities.
Responsibilities
3.6 SGBMAT is responsible for all the data and information collected, analysed, stored, communicated and reported.
3.7 The Headteacher of each Academy is responsible for implementing the SGBMAT Acceptable Use Policy in their School and ensuring compliance by all Academy staff.
3.8 The Leadership Group has been assigned the role of managing the handling of and access to specific information and information systems. Leadership Group is responsible for ensuring that staff and other users of the School’s ICT facilities within their own services are informed of and work in a manner that is consistent with the principles outlined in this policy.
3.9 It is the responsibility of all staff to ensure that they have read, understood and observe this policy and other policies as outlined above. Staff must fully understand that all systems and services are provided as business tools and that there is no guaranteed individual right to privacy.
3.10 Contractors/External Partners must be made aware of this policy and any relevant codes of practice and guidance. Appropriate ICT access will be provided where necessary to allow work to be carried out as set down by the School but only once the Third Party Access Agreement has been signed and returned prior to work starting.
Reporting Information Security Incidents
3.11 It is extremely important that in circumstances where there has been an information security breach, the Headteacher and the Network Manager are made aware immediately so that the impact of the breach can be minimised. It is a disciplinary offence to not report or withhold information regarding a breach or a suspected breach.
Password Protection.
3.12 All staff are directly accountable for all ICT activity associated with their user account. It is the responsibility of the user to protect their password.
- You must not tell anyone your password.
- Passwords should be ‘strong’, ideally including upper and lower case and numbers, being a minimum of 12 characters long and ideally a passphrase (eg RedAppleBasket19).
- You should not write down your password but if this is necessary every attempt should be made to keep this secure and locked away.
- You must not ask anyone for their password.
- You must not log onto the network as another user.
- You must not allow another user, including students, to use any device whilst you are logged on to it.
Authorised Information Access.
3.13 The ability to access information (Hardcopy or Softcopy) or systems containing information is not the same as having the authorisation to do so.
3.14 If you are unsure that you are authorised to access particular information or systems you must check with the Leadership Group.
- You must not access or attempt to access information or systems containing information that you do not need in order to carry out your role.
- You must not facilitate or attempt to facilitate access for anyone else who is not authorised to access specific information or information systems.
Responsible Internet and Email Use.
3.15 All access to our internet and email systems is monitored. There can be no expectation of privacy. You must only use our internet and email systems in accordance with this policy.
3.16 All terms entered into internet search engines are recorded. For investigation purposes content resulting from a search term will be treated as having been accessed irrespective of whether it was blocked by the School internet filter. Similarly email will be treated as having been delivered to the intended recipient irrespective of whether it was blocked by the School email filter.
- You must not email personal data to your own internet based email accounts without permission.
- You must not access or attempt to access illegal or offensive content on the internet.
- You must not attempt to download or distribute illegal or offensive content using our ICT systems.
- You must not use school credentials (username, password or email address) for personal use of external services (e.g. Amazon, eBay, Facebook).
- If, for curriculum reasons, it is necessary to access information which could be deemed offensive, you must first seek permission from a member of LG and then liaise with the Network Manager.
Copyright Documents
3.17 You must know that copyright applies to most documents automatically and that if you break the copyright rules you may be committing a criminal offence. However, a large amount of copyright material is put onto the internet with the expectation that it will be copied and distributed. The only sensible approach is to consider whether the author or owner of what is being transmitted is likely to object. For example, you can normally pass on an e-mail that contains government advice but you must get permission before you pass on an e-mail containing some technical advice from a commercial consultant.
- Copyright Emails: Copyright protection also applies to e-mails. For example, unlawfully scanning a chapter from a textbook and distributing the resulting file by e-mail breaks the author’s copyright just as much as photocopying the chapter and sending the copies by post.
- Copyright Software: Computer software has copyright protection in the same way as written documents. You must not transmit copyrighted software from your computer to the internet, or allow any other person to access it on their computer through the internet.
ICT System Protection
3.18 SGBMAT has in place a number of ICT security systems to protect the SGBMAT network from malicious software. Malicious software, if it infected our network, could result in loss of service and/or unauthorised external access to, or disclosure of, SGBMAT information.
- You must not, nor attempt to, disable the Anti-Virus protection and e-safety software on your device(s).
- You must not, nor attempt to, access or transmit information about software designed for breaking through security controls on any system.
- You must not, nor attempt to, intentionally access or transmit information about computer viruses or other malicious software.
- You must not, nor attempt to, access or transmit information about software designed for creating malicious software.
- You must not connect personal devices to the network without explicit permission from Leadership Group and the Network Manager. If permission is received then you must ensure your device is virus-free and has up to date anti-virus software.
- You must not, nor attempt to, bypass or deceive any ICT security systems that are in place including internet and email systems.
- You must not, nor attempt to, download or install software from the Internet including shareware, music, games, wallpapers etc.
- You must not store data on external storage devices.
ICT Equipment Protection
3.19 All SGBMAT ICT equipment must only be used for work purposes. Once a user takes possession of the equipment they are directly responsible for the security of the equipment. Should the equipment be damaged, lost or stolen the user will have to account for their actions.
- If you have a mobile device you must ensure that the Operating System and Antivirus software are regularly kept up to date.
- SGBMAT ICT equipment must only be used by SGBMAT staff. You must not allow unauthorised users including family and friends to use your SGBMAT ICT equipment.
Security of Records
3.20 You are directly responsible for the security of SGBMAT data and are accountable for your actions if:
- You access it remotely at home via LogMeIn.
- You access school systems via the Gateway or Office 365 (e.g. Email, SharePoint, OneDrive).
- You take it off site in any form.
- You transfer it to any external agency. You remain responsible for the security of the data during transit and once it is with the third party.
Therefore:
- You must never leave paper records containing personal data unattended at any time even when working at home.
- You must never take paper records containing personal data into public buildings if not directly for work purposes.
- You must store the paper records in a secure lockable storage cupboard or cabinet when not in use.
- You must not store SGBMAT data on personal devices including home PCs, laptops or smartphones.
3.21 If you are unsure about the storage or transfer of data you are advised to contact the SGBMAT Network Manager.
IT hardware, software & network access
3.22 Supply and Use of ICT Hardware
- Hardware is the physical equipment used in a computer system. The School will issue ICT users with equipment to enable access to the ICT network and services. This will include, as appropriate, a desktop/laptop PC together with associated keyboard, mouse, screen, docking station, disk drives, memory and mobile devices.
- With the exception of portable devices, such as laptops, equipment should not be disconnected, moved or modified in any way without prior discussion with the Network Manager.
- Equipment which is not owned and supplied by the School should not be attached to the School network. Devices which are not owned and supplied by the School should not be attached to School ICT equipment. However, if there is a business need to use privately owned devices, authorisation and justification must be sent by an appropriate manager to the SGBMAT Network Manager for consideration and approval.
- Computer equipment should be disposed of safely and appropriately and should not be disposed of by an employee/user themselves. The Network Manager oversees disposal of old equipment.
3.23 Supply and Use of ICT Software
- Only approved software required to support School functions and applications will be installed on School hardware. All such software will be approved by the Network Manager. Staff or any other users of the School’s ICT equipment must not install, move or copy software, change any system files or duplicate copyright document images, without consultation with the Network Manager.
- No School owned software may be installed on personally owned equipment unless the licence agreement specifically permits this.
- If a specific application is needed it must be approved by the appropriate Line Manager in conjunction with the Network Manager, who will ensure that all technical considerations relating to your requirements and underlying School systems are addressed. Orders will be authorised by the Budget Holder and countersigned by the Network Manager. The software will be delivered direct to the Network Manager to ensure it is installed on the network/devices and copies are made as required.
- All software used on School ICT equipment must be authorised and acquired legally. This is an individual and School responsibility. ICT will hold and maintain licences for standard desktop system and application software.
- School print/scan/copy/secure file transfer facilities must not be used for personal purposes without permission from a line manager/Leadership Group.
- The School will not be responsible for any damage, distress or loss a user may suffer, including the loss of personal data or losses sustained in any on-line financial transaction whilst using the School facilities for personal reasons. The SGBMAT email addresses must not be used for on-line shopping and banking transactions.
3.24 Wireless Access
School Wireless Access will be configured as standard by the Network Manager for use within School buildings. Requests should be made with the appropriate authorisation if any member of staff or visitor requires access to the guest wireless network.
3.25 Email
User accounts on Exchange Online (Office 365) are automatically archived online every 12 months.
3.26 Health & Safety
All ICT facilities and telephone devices must be used in accordance with instructions. For further guidance speak to the SGBMAT Network Manager.
Responsibilities and Expectations of Staff under the Data Protection Act
3.27 SGBMAT is registered under the Data Protection Act 1998 and has Data Protection and Freedom of Information Policies which all staff must read. Staff should be aware of their responsibilities when processing personal data of any living individual (including name, addresses, telephone numbers and all sensitive information). How this relates to ICT and Acceptable Use is set out below.
- Personal Use/Right to Privacy
Staff must be aware that when using the School’s ICT systems for personal use, there is no automatic right to privacy. The ICT systems are monitored and misuse will be identified and acted upon.
- Correspondence
Under the Freedom of Information Act 2000, email communications fall within the definition of ‘recorded information’ and the School may be obliged to provide these if requested. All staff must ensure that the content of their emails is business related and the language used is in no way discriminatory or defamatory.
Expected Behaviour
3.28 It is important to understand that the School owns and is liable not only for the equipment, hardware and software but also for any information, including emails sent and received and all internet/intranet pages generated or stored on the School’s ICT equipment.
3.29 There are three key points to remember when upholding the privacy of data
- Responsibility
It is necessary for SGBMAT and its Academies to process personal data of its students and staff in order to provide successful services. We are trusted to look after this information and it is everybody’s responsibility to ensure that we are compliant with appropriate Data Privacy laws and GDPR.
- Reputation
Protecting the SGBMAT and its Academies’ reputation is of significant importance and one way in which we can ensure that we do so is by processing personal data carefully and securely. We rely on the actions of our staff in order to maintain this standard.
- Respect
Give appropriate consideration to what you say and to whom. Students, parents and staff provide information to us for particular purposes and we must respect that in order to maintain their trust.
3.30 Precautions should be taken to avoid revealing confidential information to those within the immediate vicinity. This is especially important in open plan offices and public areas. Staff are encouraged to use smaller offices, if available, for making/taking calls of a confidential nature.
3.31 Confidential information must never be left as a message on an answer phone. Before discussing confidential information with another person their identity and location must be confirmed.
3.32 Do not access or attempt to access any data on School systems unless it is directly related to your role. Having the ability to access information is not the same thing as being authorised to access it.
3.33 It is important that all staff remember to check the contents of all correspondence before sending by email, post or any other means to ensure addresses are accurate and enclosures are relevant.
3.34 You are responsible for any data that you send to print. Ensure all data is removed from the printer and any originals removed after photocopying or scanning. You must also check that you have not collected any data that has been copied, printed or scanned by another member of staff.
Personal Use of ICT
3.35 Staff studying for a work-related qualification with the School’s support may use School facilities to prepare study material. No SGBMAT personal or sensitive data may be used to prepare, research, or produce material in connection with qualifications without the explicit consent of a member of Leadership Group.
3.36 The School’s ICT equipment and facilities, including the internet, may not be used to prepare, research or produce material in connection with a private business or any area which may be deemed as a conflict of interest as detailed in the Third Party Transactions Policy. If in doubt, further clarification must be sought from a member of Leadership Group.
3.37 Personal use of the School ICT facilities is a privilege and not a right. Limited use of the internet for personal purposes is permitted for staff. However, this must not take place during staff’s recorded working hours. You must not use the School’s network storage for personal use.
Governance Standards
3.38 Extreme care should be taken when sending out confidential data to either staff or members of the public.
3.39 If an employee needs to work on data away from the School, advice on the best solution should be sought from the SGBMAT Network Manager.
Protective Marking Scheme
3.40 Sir Graham Balfour has implemented this scheme to help protect against data loss. If SGBMAT were to suffer a serious breach then it would damage its reputation with parents and community.
3.41 A protective marking scheme is a way of assigning information to a security level which, in turn, relates to a range of pre-defined controls designed to ensure the information is handled properly.
3.42 On 6 April 2010 the Information Commissioner gained new powers to fine organisations up to a maximum of £500,000 for data security breaches.
3.43 Restricted and confidential documents should be securely marked with the same security levels. It is assumed that all emails sent within School are for SGBMAT use only. None are assumed to be public. The security levels are:
- SGBMAT USE: No need to mark document
- RESTRICTED: Not for release to all staff
- CONFIDENTIAL: Would cause serious damage if released
- As long as the mark is clearly visible, it can appear anywhere. Marking on emails should appear in the subject field; for other documents in the header or footer.
- It is important to note that just marking documents with an appropriate level is not sufficient to protect against data loss.
- It is important to ensure that all information is handled correctly and great care must be taken when sending or transmitting data externally.
Confidentiality
3.44 Staff must follow their professional codes of conduct and any relevant legislation when handling confidential information.
3.45 Individual staff members are accountable for their own actions; however, teams should work together to ensure that high standards of confidentiality are maintained – please refer to the Safeguarding Policy.
3.46 Information obtained through the course of employment should remain confidential to that environment and should not be discussed in a non-work environment. This extends to when your employment or placement has ceased.
3.47 Any breach, or suspected breach, of confidentiality should be reported to a member of Leadership Group immediately.
Privacy
3.48 Mishandled data can have serious repercussions for the School, the staff and their students, including financial penalties, negative press, damage to reputation, loss of trust and, for staff, the possibility of disciplinary action.
3.49 This policy, in conjunction with the other SGBMAT policies detailed in Section 1.1, outlines what steps to take in order to process personal data in a secure manner and in line with the requirements of the Data Protection Act 1998 and GDPR (May 2018).
3.50 Staff should be aware that personal data can be visible to other members of staff and visitors when working in open plan offices, therefore staff must take precautions to keep this to a minimum where possible.
3.51 There may be staff that unintentionally access or hear about sensitive personal data that they would not normally have access to as part of their daily job. Any member of staff found in this situation must not disclose this information to anybody else.
Sharing
3.52 There may be circumstances where the School will need to share personal data. This may be as part of an on-going sharing agreement with another organisation or as a one off disclosure, for example information may be shared with the Police to assist them in the prevention and detection of crime.
Social Networking Sites
3.53 SGBMAT may in future communicate with members of the public through social networking sites such as Twitter and Facebook. The aim of this is to support SGBMAT in communicating with a variety of groups of people who use this medium as their main source of information and are not reachable through other, more traditional channels. You should ensure you have read the SGBMAT Code of Conduct.
Personal Email Accounts
3.54 Staff are not permitted to send/forward SGBMAT information to any personal email accounts such as Hotmail, Gmail, Tiscali and Yahoo.
Personal Network Storage
3.55 Staff should use school-provided cloud-based storage (OneDrive) for any school-based data and not use any other third-party storage system, unless prior authorisation, on an exceptional basis, is obtained from the Headteacher.
4. Monitoring and Evaluation
4.1 The SGBMAT Board will formally review this policy biennially or more frequently if circumstances or legislation suggest it is appropriate.
Declaration
Declaration for Users of SGBMAT Systems including Staff, Governors and Guest Users.
This declaration expands on the terms and conditions you accept whenever you connect to the School network and use the e-mail and internet services.
Declaration
I confirm that, as an authorised user of the Sir Graham Balfour MAT’s systems, I have read, understood and accepted all of the conditions in the Acceptable Use Policy.
I also fully accept that if I deliberately break any conditions in the policy, SGBMAT may:
- withdraw my access to the e-mail, internet facilities or any other systems temporarily or permanently;
- take disciplinary action against me (if I am staff);
- refer the matter to the Trust Board (if I am a Governor, Trustee or Member);
- begin criminal proceedings against me, if the matter is also a criminal offence; or
- undertake a combination of these things.