Checklist and audit trail for compliance with Data Protection Act ...

Checklist & Audit Trail for Compliance with Data Protection Act Iss. 3.1 By K Bailey, 25-Nov-09
Brent Schools’ Data Security Strategy Feb 2009 laid out the Authority’s requirements for schools to discharge their responsibilities under the 1998
Data Protection Act. This checklist is a simple means for schools to demonstrate that they meet the requirements.
Item/Activity
1 Is the school registered with the Information Commissioner’s Office (ICO) & is the ICO registration up to date?
Brent Schools’ Data Security Strategy Section 1.1
2 Does the school have a data security policy that is reviewed at least annually?
3 Does the school’s data security policy require that both the ICO & the Brent Director of Children & Families
be formally notified immediately of any loss of personal data? Brent Schools’ Data Security Strategy Section 1.2
4 Is the school’s electronic personal data backed up? Brent Schools’ Data Security Strategy Section 1.12
Yes
Yes
Yes
Yes
No
No
No
No
5 How often is the personal data backed up? Brent Schools’ Data Security Strategy Section 1.12 Daily
Weekly
Monthly
6 Is a copy of the data stored off-site? Brent Schools’ Data Security Strategy Section 1.12
Yes
No
7 What is the maximum age of the off-site copy? Brent Schools’ Data Security Strategy Section 1.12 1 Day
1 Week
1 Month
Other
8 Are servers containing personal data in a normally locked room or equipment cabinet?
Brent Schools’ Data Security Strategy Section 1.11
9 Are users who access personal data required to have a unique user name together with a strong
password? Brent Schools’ Data Security Strategy Section 1.5
10 Are password changes for users who access personal data enforced at least once per term?
Brent Schools’ Data Security Strategy Section 1.5
11Aretheusers &thenetworkaccounts which haveaccess topersonaldatareviewedatleast annually&keptcurrent?
Brent Schools’ Data Security Strategy Section 1.5
12 Is the access to personal data restricted only to the subset a user requires to do their job?
Brent Schools’ Data Security Strategy Section 1.5
13 Are the PCs used by users who routinely access personal data provided with a password protected
inactivity activated screensaver or an account lockout? Brent Schools’ Data Security Strategy Section 1.10
14 Is remote access from outside the school to personal data controlled, limited, password protected and
conducted over an encrypted channel? Brent Schools’ Data Security Strategy Section 1.6
15 Are documents, (spreadsheets etc.) which contain personal data that are posted on externally accessible
web sites encrypted? Brent Schools’ Data Security Strategy Section 1.2
16 Are pupil photographs published on externally accessible web sites checked to ensure that the file name or any
metadata contained within the file does not identify the pupil? Brent Schools’ Data Security Strategy Section 1.8
17 Is personal data taken off-site on memory sticks, hard disks or other removable media which is not in encrypted form?
Brent Schools’ Data Security Strategy Section 1.2
18 Is personal data taken out of school on laptop PCs or Personal Digital Assistants (PDAs) which is not in
encrypted form? Brent Schools’ Data Security Strategy Section 1.2
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Yes
No
No
No
No
No
No
No
No
No
No
No

Data Protection Act (DPA) 1998 Key Principles
Data may only be used for the specific purposes for which it was collected.
Data must not be disclosed to other parties without the consent of the individual whom it is
about, unless there is legislation or other overriding legitimate reason to share the
information (for example, the prevention or detection of crime). It is an offence for Other
Parties to obtain this personal data without authorisation.
Individuals have a right of access to the information held about them, subject to certain
exceptions (for example, information held for the prevention or detection of crime).
Personal information may be kept for no longer than is necessary.(Kept up to date)
Personal information may not be transmitted outside the European Economic Area unless the
individual whom it is about has consented or adequate protection is in place, for example by
the use of a prescribed form of contract to govern the transmission of the data.
Subject to some exceptions for organisations that only do very simple processing, and for
domestic use, all entities that process personal information must register with the
Information Commissioner's Office.
Entities holding personal information are required to have adequate security measures in
place. Those include technical measures (such as firewalls) and organisational measures (such
as staff training).
Subjects have the right to have factually incorrect information corrected (note: this does not
extend to matters of opinion).
Definitions
Personal Data - Any data which can be used to identify a living person. This includes names,
birthday and anniversary dates, addresses, telephone numbers, fax numbers, email addresses and
so on. It applies only to that data which is held, or intended to be held, on computers ('equipment
operating automatically in response to instructions given for that purpose'), or held in a 'relevant
filing system'. This includes paper filing systems.
Strong Password – Password which is 8 characters minimum length, contains upper and lower
case alphabetical characters and numbers or punctuation characters. It should not contain
dictionary words, the owner’s date of birth or car registration number.
Encryption – Process of transforming information (referred to as plaintext) using an algorithm
(called a cipher) to make it unreadable to anyone except those possessing special knowledge,
usually referred to as a key.
What Constitutes a Successful DPA Audit?
Schools should have a data security policy that is relevant to the school and it should be
reviewed regularly. If schools do not answer “yes” to all the questions posed in this
checklist they are not fully compliant with Brent Schools’ Data Security Strategy.
Issue 3.1 By K Bailey, 25-Nov-09