Online-safety-policy

Online Safety Policy Co-op Academy Grange

Approved by governors 29 March 2022 To be reviewed by March 2023

Scope of the Policy

This policy applies to all members of the academy community (including staff, students/pupils, volunteers, parents/carers, visitors, community users) who have access to and are users of school/academy digital technology systems, both in and out of the academy.

The Education and Inspections Act 2006 empowers Headteachers, to such extent as is reasonable, to regulate the behaviour of students/pupils when they are off the academy site and empowers members of staff to impose disciplinary penalties for inappropriate behaviour. This is pertinent to incidents of online-bullying or other online safety incidents covered by this policy, which may take place outside of the academy, but are linked to membership of the school/academy. The 2011 Education Act increased these powers with regard to the searching for and of electronic devices and the deletion of data (see appendix for template policy). In the case of both acts, action can only be taken over issues covered by the published Behaviour Policy.

The academy will deal with such incidents within this policy and associated behaviour and anti-bullying policies and will, where known, inform parents/carers of incidents of inappropriate online safety behaviour that take place out of school.

Roles and Responsibilities

The following section outlines the online safety roles and responsibilities of individuals and groups within the academy:

Governors

Governors are responsible for the approval of the online safety policy and for reviewing the effectiveness of the policy. This will be carried out by the Governors receiving regular information about online safety incidents and monitoring reports. A member of the Governing Body has taken on the role of Online Safety Governor/Director. The role of the Online Safety Governor/Director will include:

regular meetings with the Online Safety Co-ordinator/officer

attendance at Online Safety Group meetings

regular monitoring of online safety incident logs

regular monitoring of filtering/change control logs

reporting to relevant Governors/Board/Committee/meeting

Headteacher/Principal and Senior Leaders

The Headteacher has a duty of care for ensuring the safety (including online safety) of members of the school community, though the day to day responsibility for online safety will be delegated to the Online Safety Lead.

The Headteacher and (at least) another member of the Senior Leadership Team should be aware of the procedures to be followed in the event of a serious online safety allegation being made against a member of staff. (see flow chart on dealing with online safety incidents – included in a later section – “Responding to incidents of misuse” and relevant Local Authority/MAT/other relevant body disciplinary procedures).

The Headteacher/Principal and Senior Leaders are responsible for ensuring that the Online Safety Lead and other relevant staff receive suitable training to enable them to carry out their online safety roles and to train other colleagues, as relevant.

The Headteacher/Principal and Senior Leaders will ensure that there is a system in place to allow for monitoring and support of those in school who carry out the internal online safety monitoring role. This is to provide a safety net and also support to those colleagues who take on important monitoring roles. (The school/academy will need to describe this and may wish to involve the Local Authority/MAT/other responsible body in this process)

The Senior Leadership Team will receive regular monitoring reports from the Online Safety Lead.

Online Safety Lead

(It is strongly recommended that each school should have a named member of staff with a day to day responsibility for online safety; some schools may choose to combine this with the Designated Safeguarding Lead role. Schools may choose to appoint a person with a child welfare background, preferably with good knowledge and understanding of the new technologies, rather than a technical member of staff – but this will be the choice of the school)

leads the Online Safety Group

takes day to day responsibility for online safety issues and has a leading role in establishing and reviewing the school online safety policies/documents

ensures that all staff are aware of the procedures that need to be followed in the event of an online safety incident taking place.

provides training and advice for staff

liaises with the Local Authority/MAT/relevant body

liaises with school technical staff

receives reports of online safety incidents and uses CPOMs to log online safety incidents, auditing the record to look for patterns and inform future developments

meets regularly with safeguarding /Director to discuss current issues, review incident logs and filtering/change control logs

attends relevant meetings of Governors/Directors

reports regularly to Senior Leadership Team

(The school will need to decide how these incidents will be dealt with and whether the investigation/action/sanctions will be the responsibility of the Online Safety Lead or another member of staff e.g. Headteacher/Principal/Senior Leader/Designated Safeguarding Lead/Class teacher/Head of Year etc.)

Network Manager/Technical staff

Those with technical responsibilities are responsible for ensuring:

that the academy’s technical infrastructure is secure and is not open to misuse or malicious attack

that the academy meets required online safety technical requirements and any trust guidance that may apply

that users may only access the networks and devices through a properly enforced password protection policy

the filtering policy is applied and updated on a regular basis and that its implementation is not the sole responsibility of any single person (see appendix “Technical Security Policy Template” for good practice)

that they keep up to date with online safety technical information in order to effectively carry out their online safety role and to inform and update others as relevant

that the use of the networks/internet/digital technologies is regularly monitored in order that any misuse/attempted misuse can be reported to the Headteacher and Senior Leaders; Online Safety Lead for investigation/action/sanction

that monitoring software/systems are implemented and updated as agreed in school/academy policies

Teaching and Support Staff

Are responsible for ensuring that:

they have an up to date awareness of online safety matters and of the current academy online safety policy and practices

they have read, understood and signed the staff acceptable use policy/agreement (AUP/AUA)

they report any suspected misuse or problem to the deputy Headteacher or use CPOMs to record the concern where this is appropriate for investigation/action/sanction

all digital communications with students/pupils/parents/carers should be on a professional level and only carried out using official school systems

online safety issues are embedded in all aspects of the curriculum and other activities

students/pupils understand and follow the Online Safety Policy and acceptable use policies

students/pupils have a good understanding of research skills and the need to avoid plagiarism and uphold copyright regulations

they monitor the use of digital technologies, mobile devices, cameras, etc. in lessons and other school activities (where allowed) and implement current policies with regard to these devices

in lessons where internet use is pre-planned students/pupils should be guided to sites checked as suitable for their use and that processes are in place for dealing with any unsuitable material that is found in internet searches

Designated Safeguarding Lead/Designated Person/Officer

Should be trained in online safety issues and be aware of the potential for serious child protection/safeguarding issues to arise from:

sharing of personal data

access to illegal/inappropriate materials

inappropriate on-line contact with adults/strangers

potential or actual incidents of grooming

online-bullying

(N.B. it is important to emphasise that these are safeguarding issues, not technical issues, simply that the technology provides additional means for safeguarding issues to develop. Some schools may choose to combine the roles of Designated Safeguarding Lead and Online Safety Lead).

Online Safety Group

The Online Safety Group provides a consultative group that has wide representation from the school/academy community, with responsibility for issues regarding online safety and the monitoring of the Online Safety Policy, including the impact of initiatives. Depending on the size or structure of the school/academy this group may be part of the safeguarding group. The group will also be responsible for regular reporting to the Governing Body/Directors.

Members of the Online Safety Group (or other relevant group) will assist the Online Safety Lead (or other relevant person, as above) with:

the production/review/monitoring of the school online safety policy/documents.

the production/review/monitoring of the school filtering policy (if the school chooses to have one) and requests for filtering changes.

mapping and reviewing the online safety/digital literacy curricular provision – ensuring relevance, breadth and progression

monitoring network/internet/filtering/incident logs

consulting stakeholders – including parents/carers and the students/pupils about the online safety provision

monitoring improvement actions identified through use of the 360 degree safe self-review tool

(Schools/academies will need to decide the membership of the Online Safety Group. It is recommended that the group should include representation from students/pupils and parents/carers). An Online Safety Group Terms of Reference Template can be found in the appendices.

Students/Pupils:

are responsible for using the school/academy digital technology systems in accordance with the student/pupil acceptable use agreement

have a good understanding of research skills and the need to avoid plagiarism and uphold copyright regulations

need to understand the importance of reporting abuse, misuse or access to inappropriate materials and know how to do so

will be expected to know and understand policies on the use of mobile devices and digital cameras. They should also know and understand policies on the taking/use of images and on online-bullying.

should understand the importance of adopting good online safety practice when using digital technologies out of school and realise that the school’s/academy’s online safety policy covers their actions out of school, if related to their membership of the school

Parents/carers

Parents/carers play a crucial role in ensuring that their children understand the need to use the internet/mobile devices in an appropriate way. The school/academy will take every opportunity to help parents understand these issues through parents’ evenings, newsletters, letters, website, social media and information about national/local online safety campaigns/literature. Parents and carers will be encouraged to support the school/academy in promoting good online safety practice and to follow guidelines on the appropriate use of:

digital and video images taken at school events

access to parents’ sections of the website/Learning Platform and on-line student/pupil records

their children’s personal devices in the school/academy (where this is allowed)

Community Users

Community Users who access school/academy systems or programmes as part of the wider school/academy provision will be expected to sign a Community User AUA before being provided with access to school/academy systems. (A community users acceptable use agreement template can be found in the appendices.)

Policy Statements

Education – Students/Pupils

Whilst regulation and technical solutions are very important, their use must be balanced by educating students/pupils to take a responsible approach. The education of students/pupils in online safety/digital literacy is therefore an essential part of the school’s/academy’s online safety provision. Children and young people need the help and support of the school to recognise and avoid online safety risks and build their resilience.

In planning their online safety curriculum schools/academies may wish to refer to:

DfE Teaching Online Safety in Schools

Education for a Connected World Framework

SWGfL Project Evolve – online safety curriculum programme and resources

Online safety should be a focus in all areas of the curriculum and staff should reinforce online safety messages across the curriculum. The online safety curriculum should be broad, relevant and provide progression, with opportunities for creative activities and will be provided in the following ways: (statements will need to be adapted, depending on school/academy structure and the age of the students/pupils)

A planned online safety curriculum should be provided as part of Computing/PHSE/other lessons and should be regularly revisited

Key online safety messages should be reinforced as part of a planned programme of assemblies and tutorial/pastoral activities

Students/pupils should be taught in all lessons to be critically aware of the materials/content they access on-line and be guided to validate the accuracy of information.

Students/pupils should be taught to acknowledge the source of information used and to respect copyright when using material accessed on the internet

Students/pupils should be supported in building resilience to radicalisation by providing a safe environment for debating controversial issues and helping them to understand how they can influence and participate in decision-making. N.B. additional duties for schools/academies under the Counter-Terrorism and Security Act 2015, which requires schools to ensure that children are safe from terrorist and extremist material on the internet.

Students/pupils should be helped to understand the need for the student/pupil acceptable use agreement and encouraged to adopt safe and responsible use both within and outside school/academy.

Staff should act as good role models in their use of digital technologies, the internet and mobile devices.

In lessons where internet use is pre-planned, it is best practice that students/pupils should be guided to sites checked as suitable for their use and that processes are in place for dealing with any unsuitable material that is found in internet searches.

Where students/pupils are allowed to freely search the internet, staff should be vigilant in monitoring the content of the websites the young people visit.

It is accepted that from time to time, for good educational reasons, students may need to research topics (e.g. racism, drugs, discrimination) that would normally result in internet searches being blocked. In such a situation, staff can request that the Technical Staff (or other relevant designated person) temporarily remove those sites from the filtered list for the period of study. Any request to do so should be auditable, with clear reasons for the need.

Education – Parents/carers

Many parents and carers have only a limited understanding of online safety risks and issues, yet they play an essential role in the education of their children and in the monitoring/regulation of the children’s online behaviours. Parents may underestimate how often children and young people come across potentially harmful and inappropriate material on the internet and may be unsure about how to respond.

The school/academy will therefore seek to provide information and awareness to parents and carers through: (select/delete as appropriate)

Curriculum activities

Letters, newsletters, web site, Learning Platform

Parents/carers evenings/sessions

High profile events/campaigns e.g. Safer Internet Day

Reference to the relevant web sites/publications e.g. swgfl.org.uk, www.saferinternet.org.uk/, http://www.childnet.com/parents-and-carers (see appendix for further links/resources)

Education – The Wider Community

The school/academy will provide opportunities for local community groups/members of the community to gain from the school’s/academy’s online safety knowledge and experience. This may be offered through the following:

Providing family learning courses in use of new digital technologies, digital literacy and online safety

Online safety messages targeted towards grandparents and other relatives as well as parents.

The school/academy website will provide online safety information for the wider community

Sharing their online safety expertise/good practice with other local schools

Supporting community groups e.g. Early Years Settings, Childminders, youth/sports/voluntary groups to enhance their online safety provision (possibly supporting the group in the use of Online Compass, an online safety self-review tool for groups such as these - www.onlinecompass.org.uk)

Education & Training – Staff/Volunteers

It is essential that all staff receive online safety training and understand their responsibilities, as outlined in this policy. Training will be offered as follows: (select/delete as appropriate)

A planned programme of formal online safety training will be made available to staff. This will be regularly updated and reinforced. An audit of the online safety training needs of all staff will be carried out regularly. Online Safety BOOST includes unlimited online webinar training for all, or nominated, staff (https://boost.swgfl.org.uk/)

All new staff should receive online safety training as part of their induction programme, ensuring that they fully understand the school/academy online safety policy and acceptable use agreements. Online Safety BOOST includes an array of presentations and resources that can be presented to new staff (https://boost.swgfl.org.uk/)

It is expected that some staff will identify online safety as a training need within the performance management process.

The Online Safety Lead (or other nominated person) will receive regular updates through attendance at external training events (e.g. from SWGfL/LA/other relevant organisations) and by reviewing guidance documents released by relevant organisations.

This online safety policy and its updates will be presented to and discussed by staff in staff/team meetings/training sessions.

The Online Safety Lead (or other nominated person) will provide advice/guidance/training to individuals as required. Online Safety BOOST includes an array of presentation resources that the Online Safety coordinator can access to deliver to staff (https://boost.swgfl.org.uk/). It includes presenter notes to make it easy to confidently cascade to all staff.

Training – Governors/Directors

Governors/Directors should take part in online safety training/awareness sessions, with particular importance for those who are members of any group involved in technology/online safety/health and safety /safeguarding. This may be offered in a number of ways:

Attendance at training provided by the Local Authority/MAT/National Governors Association/or other relevant organisation (e.g. SWGfL).

Participation in school/academy training/information sessions for staff or parents (this may include attendance at assemblies/lessons).

Technical – infrastructure/equipment, filtering and monitoring

If the school/academy has a managed ICT service provided by an outside contractor, it is the responsibility of the school/academy to ensure that the managed service provider carries out all the online safety measures that would otherwise be the responsibility of the school/academy, as suggested below. It is also important that the managed service provider is fully aware of the school/academy online safety policy/acceptable use agreements. The school/academy should also check their Local Authority/MAT/other relevant body policies on these technical issues.

The school/academy will be responsible for ensuring that the school/academy infrastructure/network is as safe and secure as is reasonably possible and that policies and procedures approved within this policy are implemented. It will also need to ensure that the relevant people named in the above sections will be effective in carrying out their online safety responsibilities: (schools/academies will have very different technical infrastructures and differing views as to how these technical issues will be handled – it is therefore essential that this section is fully discussed by a wide range of staff – technical, educational and administrative staff before these statements are agreed and added to the policy:)

A more detailed Technical Security Template Policy can be found in the appendix.

School/academy technical systems will be managed in ways that ensure that the school/academy meets recommended technical requirements (these may be outlined in Local Authority/MAT/other relevant body policy and guidance)

• There will be regular reviews and audits of the safety and security of school/academy technical systems

• Servers, wireless systems and cabling must be securely located and physical access restricted

All users will have clearly defined access rights to school/academy technical systems and devices.

All users (at KS2 and above) will be provided with a username and secure password by (insert name or title) who will keep an up to date record of users and their usernames. Users are responsible for the security of their username and password. (Schools/academies may choose to use group or class logons and passwords for KS1 and below, but should consider whether this models good password practice and need to be aware of the associated risks – see appendix)

The “master/administrator” passwords for the school/academy systems, used by the Network Manager (or other person) must also be available to the Headteacher/Principal or other nominated senior leader and kept in a secure place (e.g. school/academy safe)

• (Insert name or role) is responsible for ensuring that software licence logs are accurate and up to date and that regular checks are made to reconcile the number of licences purchased against the number of software installations (Inadequate licensing could cause the school to breach the Copyright Act which could result in fines or unexpected licensing costs)

Internet access is filtered for all users. Illegal content (child sexual abuse images) is filtered by the broadband or filtering provider by actively employing the Internet Watch Foundation CAIC list. Content lists are regularly updated and internet use is logged and regularly monitored. (the school/academy will need to decide on the merits of external/internal provision of the filtering service – see appendix). There is a clear process in place to deal with requests for filtering changes (see appendix for more details)

Internet filtering/monitoring should ensure that children are safe from terrorist and extremist material when accessing the internet. N.B. additional duties for schools/academies under the Counter-Terrorism and Security Act 2015, which requires schools/academies to ensure that children are safe from terrorist and extremist material on the internet. (see appendix for information on “appropriate filtering”).

The school/academy has provided enhanced/differentiated user-level filtering (allowing different filtering levels for different ages/stages and different groups of users – staff/pupils/students etc)

• School/academy technical staff regularly monitor and record the activity of users on the school technical systems and users are made aware of this in the acceptable use agreement. (schools may wish to add details of the monitoring programmes that are used).

An appropriate system is in place (to be described) for users to report any actual/potential technical incident/security breach to the relevant person, as agreed.

Appropriate security measures are in place (schools/academies may wish to provide more detail) to protect the servers, firewalls, routers, wireless systems, work stations, mobile devices, etc. from accidental or malicious attempts which might threaten the security of the school systems and data. These are tested regularly. The school infrastructure and individual devices are protected by up to date virus software.

An agreed policy is in place (to be described) for the provision of temporary access of “guests” (e.g. trainee teachers, supply teachers, visitors) onto the school systems.

An agreed policy is in place (to be described) regarding the extent of personal use that users (staff/students/pupils/community users) and their family members are allowed on school devices that may be used out of school.

An agreed policy is in place (to be described) that allows staff to/forbids staff from downloading executable files and installing programmes on school devices.

An agreed policy is in place (to be described) regarding the use of removable media (e.g. memory sticks/CDs/DVDs) by users on school devices.

Personal data cannot be sent over the internet or taken off the school site unless safely encrypted or otherwise secured. (see School Personal Data Policy Template in the appendix for further detail)

Mobile Technologies (including BYOD/BYOT)

Mobile technology devices may be school owned/provided or personally owned and might include: smartphone, tablet, notebook/laptop or other technology that usually has the capability of utilising the school’s wireless network. The device then has access to the wider internet which may include the school’s learning platform and other cloud based services such as email and data storage.

All users should understand that the primary purpose of the use of mobile/personal devices in a school context is educational. The mobile technologies policy should be consistent with and inter-related to other relevant school policies including but not limited to the safeguarding policy, behaviour policy, bullying policy, acceptable use policy, and policies around theft or malicious damage. Teaching about the safe and appropriate use of mobile technologies should be an integral part of the school’s online safety education programme.

In preparing a mobile technologies policy the school should consider possible issues and risks. These may include: security risks in allowing connections to your school network, filtering of personal devices, breakages and insurance, access to devices for all students, avoiding potential classroom distraction, network connection speeds, types of devices, charging facilities, total cost of ownership. A range of mobile technology implementations is possible.

For further reading, please refer to “NEN Technical Strategy Guidance Note 5 – Bring your own device”

A more detailed Mobile Technologies Template Policy can be found in the appendix. The school may however choose to include these aspects of their policy in a comprehensive acceptable use agreement, rather than in a separate Mobile Technologies Policy. It is suggested that the school should in this overall policy document outline the main points from their agreed policy. A checklist of points to be considered is included below.

The school acceptable use agreements for staff, pupils/students and parents/carers will give consideration to the use of mobile technologies

The school allows: (the school should complete the table below to indicate which devices are allowed and define their access to school systems)

| | School devices: school owned for single user | School devices: school owned for multiple users | School devices: authorised device [1] | Personal devices: student owned | Personal devices: staff owned | Personal devices: visitor owned |
|---|---|---|---|---|---|---|
| Allowed in school | Yes | Yes | Yes | Yes/No [2] | Yes/No [2] | Yes/No [2] |
| Full network access | Yes | Yes | Yes | | | |
| Internet only | | | | | | |
| No network access | | | | | | |

[1] Authorised device – purchased by the pupil/family through a school-organised scheme. This device may be given full access to the network as if it were owned by the school.

[2] The school should add below any specific requirements about the use of mobile/personal devices in school

Aspects that the school may wish to consider and be included in their online safety policy, mobile technologies policy or acceptable use agreements:

School owned/provided devices:

Who they will be allocated to

Where, when and how their use is allowed – times/places/in school/out of school

If personal use is allowed

Levels of access to networks/internet (as above)

Management of devices/installation of apps/changing of settings/monitoring

Network/broadband capacity

Technical support

Filtering of devices

Access to cloud services

Data Protection

Taking/storage/use of images

Exit processes – what happens to devices/software/apps/stored data if user leaves the school

Liability for damage

Staff training

Personal devices:

Which users are allowed to use personal mobile devices in school (staff/pupils/students/visitors)

Restrictions on where, when and how they may be used in school

Storage

Whether staff will be allowed to use personal devices for school business

Levels of access to networks/internet (as above)

Network/broadband capacity

Technical support (this may be a clear statement that no technical support is available)

Filtering of the internet connection to these devices

Data Protection

The right to take, examine and search users’ devices in the case of misuse (England only) – N.B. this must also be included in the Behaviour Policy.

Taking/storage/use of images

Liability for loss/damage or malfunction following access to the network (likely to be a disclaimer about school responsibility).

Identification/labelling of personal devices

How visitors will be informed about school requirements

How education about the safe and responsible use of mobile devices is included in the school online safety education programmes.

Use of digital and video images

The development of digital imaging technologies has created significant benefits to learning, allowing staff and students/pupils instant use of images that they have recorded themselves or downloaded from the internet. However, staff, parents/carers and students/pupils need to be aware of the risks associated with publishing digital images on the internet. Such images may provide avenues for online-bullying to take place. Digital images may remain available on the internet forever and may cause harm or embarrassment to individuals in the short or longer term. It is common for employers to carry out internet searches for information about potential and existing employees. The school will inform and educate users about these risks and will implement policies to reduce the likelihood of the potential for harm: (select/delete as appropriate)

When using digital images, staff should inform and educate students/pupils about the risks associated with the taking, use, sharing, publication and distribution of images. In particular they should recognise the risks attached to publishing their own images on the internet e.g. on social networking sites.

Written permission from parents or carers will be obtained before photographs of students/pupils are published on the school website/social media/local press (may be covered as part of the AUA signed by parents or carers at the start of the year - see parents/carers acceptable use agreement in the appendix)

In accordance with guidance from the Information Commissioner’s Office, parents/carers are welcome to take videos and digital images of their children at school/academy events for their own personal use (as such use is not covered by the Data Protection Act). To respect everyone’s privacy and in some cases protection, these images should not be published/made publicly available on social networking sites, nor should parents/carers comment on any activities involving other students/pupils in the digital/video images.

Staff and volunteers are allowed to take digital/video images to support educational aims, but must follow school/academy policies concerning the sharing, distribution and publication of those images. Those images should only be taken on school/academy equipment; the personal equipment of staff should not be used for such purposes.

Care should be taken when taking digital/video images that students/pupils are appropriately dressed and are not participating in activities that might bring the individuals or the school/academy into disrepute. Students/pupils must not take, use, share, publish or distribute images of others without their permission. Photographs published on the website, or elsewhere, that include students/pupils will be selected carefully and will comply with good practice guidance on the use of such images.

Students’/Pupils’ full names will not be used anywhere on a website or blog, particularly in association with photographs.

Student’s/Pupil’s work can only be published with the permission of the student/pupil and parents or carers.

Data Protection

With effect from 25th May 2018, the data protection arrangements for the UK changed following the European Union General Data Protection Regulation (GDPR). As a result, schools are likely to be subject to greater scrutiny in their care and use of personal data. More detailed guidance is available in the appendices to this document. Schools/academies should ensure that they take account of policies and guidance provided by local authorities/MAT/or other relevant bodies. For schools/academies that wish to carry out a more detailed review of their data protection policies and procedures SWGfL provides a self-review tool – 360data.org.uk

Personal data will be recorded, processed, transferred and made available according to the current data protection legislation.

The school/academy must ensure that:

it has a Data Protection Policy. (see appendix for template policy)

it implements the data protection principles and is able to demonstrate that it does so through use of policies, notices and records.

it has paid the appropriate fee to the Information Commissioner’s Office (ICO) and included details of the Data Protection Officer (DPO).

it has appointed an appropriate Data Protection Officer (DPO) who has a high level of understanding of data protection law and is free from any conflict of interest. The school/academy may also wish to appoint a Data Manager and Systems Controllers to support the DPO

it has an ‘information asset register’ in place and knows exactly what personal data it holds, where this data is held, why and which member of staff has responsibility for managing it

the information asset register records the lawful basis for processing personal data (including, where relevant, how consent was obtained and refreshed). Where special category data is processed, an additional lawful basis will have also been recorded

it will hold only the minimum personal data necessary to enable it to perform its function and it will not hold it for longer than necessary for the purposes it was collected for. The school should develop and implement a ‘retention policy’ to ensure there are clear and understood policies and routines for the deletion and disposal of data to support this.

personal data held must be accurate and up to date where this is necessary for the purpose it is processed for. Have systems in place to identify inaccuracies, such as asking parents to check emergency contact details at suitable intervals

it provides staff, parents, volunteers, teenagers and older children with information about how the school/academy looks after their data and what their rights are in a clear Privacy Notice (see Privacy Notice section in the appendix)

procedures must be in place to deal with the individual rights of the data subject, e.g. one of the 8 data subject rights applicable is that of Subject Access, which enables an individual to see or have a copy of the personal data held about them (subject to certain exceptions which may apply).

Data Protection Impact Assessments (DPIA) are carried out where necessary. For example, to ensure protection of personal data when accessed using any remote access solutions, or entering into a relationship with a new supplier (this may also require ensuring that data processing clauses are included in the supply contract or as an addendum)

IT system security is ensured and regularly checked. Patches and other security essential updates are applied promptly to protect the personal data on the systems. Administrative systems are securely ring fenced from systems accessible in the classroom/to learners

it has undertaken appropriate due diligence and has required data processing clauses in contracts in place with any data processors where personal data is processed.

it understands how to share data lawfully and safely with other relevant data controllers.

it reports any relevant breaches to the Information Commissioner within 72hrs of becoming aware of the breach in accordance with UK data protection law. It also reports relevant breaches to the individuals affected as required by law. In order to do this, it has a policy for reporting, logging, managing, investigating and learning from information risk incidents.

If a maintained school/academy, it must have a Freedom of Information Policy which sets out how it will deal with FOI requests.

all staff receive data protection training at induction and appropriate refresher training thereafter. Staff undertaking particular data protection functions, such as handling requests under the individual’s rights, will receive training appropriate for their function as well as the core training provided to all staff.

When personal data is stored on any mobile device or removable media the:

data must be encrypted and password protected.

device must be password protected. (be sure to select devices that can be protected in this way)

device must be protected by up to date virus and malware checking software

data must be securely deleted from the device, in line with school/academy policy (below) once it has been transferred or its use is complete.

Staff must ensure that they: (schools/academies may wish to include more detail about their own data/password/encryption/secure transfer processes)

at all times take care to ensure the safe keeping of personal data, minimising the risk of its loss or misuse

can recognise a possible breach, understand the need for urgency and know who to report it to within the school

can help data subjects understand their rights and know how to handle a request, whether verbal or written, and know who to pass it to in the school

where personal data is stored or transferred on mobile or other devices (including USBs) these must be encrypted and password protected.

will not transfer any school/academy personal data to personal devices except as in line with school policy

access personal data sources and records only on secure password protected computers and other devices, ensuring that they are properly “logged-off” at the end of any session in which they are using personal data

(The school/academy will need to set its own policy as to whether data storage on removable media is allowed, even if encrypted – some organisations do not allow storage of personal data on removable devices.)

The Personal Data Advice and Guidance in the appendix provides more detailed information on the school’s/academy’s responsibilities and on good practice.

Communications

This is an area of rapidly developing technologies and uses. Schools/academies will need to discuss and agree how they intend to implement and use these technologies e.g. some schools do not allow students/pupils to use mobile phones in lessons, while others recognise their educational potential and allow their use. This section may also be influenced by the age of the students/pupils. The table has been left blank for school/academy to choose its own responses.

A wide range of rapidly developing communications technologies has the potential to enhance learning. The following table shows how the school currently considers the benefit of using these technologies for education outweighs their risks/disadvantages:

Communication Technologies (table columns grouped under Staff & other adults and Students/Pupils)

Mobile phones may be brought to the school/academy

Use of mobile phones in lessons

Use of mobile phones in social time

Taking photos on mobile phones/cameras

Use of other mobile devices e.g. tablets, gaming devices

Use of personal email addresses in school/academy, or on school/academy network

Use of school/academy email for personal emails

Use of messaging apps

Use of social media

Use of blogs

The school/academy may also wish to add some of the following policy statements about the use of communications technologies, in place of, or in addition to the above table:

When using communication technologies, the school/academy considers the following as good practice:

The official school/academy email service may be regarded as safe and secure and is monitored. Users should be aware that email communications are monitored. Staff and students/pupils should therefore use only the school/academy email service to communicate with others when in school, or on school/academy systems (e.g. by remote access).

Users must immediately report, to the nominated person – in accordance with the school/academy policy, the receipt of any communication that makes them feel uncomfortable, is offensive, discriminatory, threatening or bullying in nature and must not respond to any such communication. (Online Safety BOOST includes an anonymous reporting app Whisper – https://boost.swgfl.org.uk/)

Any digital communication between staff and students/pupils or parents/carers (email, social media, chat, blogs, VLE etc) must be professional in tone and content. These communications may only take place on official (monitored) school/academy systems. Personal email addresses, text messaging or social media must not be used for these communications.

Whole class/group email addresses may be used at KS1, while students/pupils at KS2 and above will be provided with individual school/academy email addresses for educational use. (Schools/academies may choose to use group or class email addresses for younger age groups e.g. at KS1)

Students/pupils should be taught about online safety issues, such as the risks attached to the sharing of personal details. They should also be taught strategies to deal with inappropriate communications and be reminded of the need to communicate appropriately when using digital technologies.

Personal information should not be posted on the school/academy website and only official email addresses should be used to identify members of staff.

Social Media - Protecting Professional Identity

With an increase in use of all types of social media for professional and personal purposes a policy that sets out clear guidance for staff to manage risk and behaviour online is essential. Core messages should include the protection of pupils, the school/academy and the individual when publishing any material online. Expectations for teachers’ professional conduct are set out in ‘Teachers Standards 2012’. Ofsted’s online safety inspection framework reviews how a school/academy protects and educates staff and pupils in their use of technology, including the measures that would be expected to be in place to intervene and support should a particular issue arise. Schools/academies are increasingly using social media as a powerful learning tool and means of communication. It is important that this is carried out in a safe and responsible way.

A more detailed Social Media Template Policy can be found in the appendix. The school/academy may however choose to include these aspects of their policy in a comprehensive acceptable use agreement, rather than in a separate Social Media Policy. It is suggested that the school/academy should, in this overall policy document, outline the main points from their agreed policy. A checklist of points to be considered is included below.

All schools, academies, MATs and local authorities have a duty of care to provide a safe learning environment for pupils and staff. Schools/academies, MATs and local authorities could be held responsible, indirectly, for acts of their employees in the course of their employment. Staff members who harass, engage in online bullying, discriminate on the grounds of sex, race or disability or who defame a third party may render the school/academy or local authority/MAT liable to the injured party. Reasonable steps to prevent predictable harm must be in place.

The school/academy provides the following measures to ensure reasonable steps are in place to minimise risk of harm to pupils, staff and the school through:

Ensuring that personal information is not published

Training is provided including: acceptable use; social media risks; checking of settings; data protection; reporting issues. Online Safety BOOST includes unlimited webinar training on this subject: https://boost.swgfl.org.uk/

Clear reporting guidance, including responsibilities, procedures and sanctions

Risk assessment, including legal risk

School/academy staff should ensure that:

No reference should be made in social media to students/pupils, parents/carers or school/academy staff

They do not engage in online discussion on personal matters relating to members of the school community

Personal opinions should not be attributed to the school/academy or local authority/MAT

Security settings on personal social media profiles are regularly checked to minimise risk of loss of personal information

When official school/academy social media accounts are established there should be:

A process for approval by senior leaders

Clear processes for the administration and monitoring of these accounts – involving at least two members of staff

A code of behaviour for users of the accounts, including:

Systems for reporting and dealing with abuse and misuse

Understanding of how incidents may be dealt with under school/academy disciplinary procedures

Personal Use:

Personal communications are those made via personal social media accounts. In all cases, where a personal account is used which associates itself with the school/academy or impacts on the school/academy, it must be made clear, with an appropriate disclaimer, that the member of staff is not communicating on behalf of the school/academy. Such personal communications are within the scope of this policy

Personal communications which do not refer to or impact upon the school are outside the scope of this policy

Where excessive personal use of social media in school is suspected, and considered to be interfering with relevant duties, disciplinary action may be taken

The school/academy permits reasonable and appropriate access to private social media sites

Monitoring of Public Social Media:

As part of active social media engagement, it is considered good practice to pro-actively monitor the Internet for public postings about the school

The school should effectively respond to social media comments made by others according to a defined policy or process

The school’s/academy’s use of social media for professional purposes will be checked regularly by the senior risk officer and Online Safety Group to ensure compliance with the school policies. Online Safety BOOST includes Reputation Alerts that highlight any reference to the school/academy in online media (newspaper or social media for example): https://boost.swgfl.org.uk/

Dealing with unsuitable/inappropriate activities

Some internet activity e.g. accessing child abuse images or distributing racist material is illegal and would obviously be banned from school/academy and all other technical systems. Other activities e.g. cyber-bullying would be banned and could lead to criminal prosecution. There are however a range of activities which may, generally, be legal but would be inappropriate in a school/academy context, either because of the age of the users or the nature of those activities.

The school/academy believes that the activities referred to in the following section would be inappropriate in a school/academy context and that users, as defined below, should not engage in these activities in/or outside the school/academy when using school/academy equipment or systems. The school/academy policy restricts usage as follows:

User Actions (table columns: Acceptable; Acceptable at certain times; Acceptable for nominated users; Unacceptable; Unacceptable and illegal)

Users shall not visit Internet sites, make, post, download, upload, data transfer, communicate or pass on, material, remarks, proposals or comments that contain or relate to:

Child sexual abuse images – The making, production or distribution of indecent images of children. Contrary to The Protection of Children Act 1978

N.B. Schools/academies should refer to guidance about dealing with self-generated images/sexting – UKSIC Responding to and managing sexting incidents and UKCIS – Sexting in schools and colleges

Grooming, incitement, arrangement or facilitation of sexual acts against children Contrary to the Sexual Offences Act 2003.

Possession of an extreme pornographic image (grossly offensive, disgusting or otherwise of an obscene character) Contrary to the Criminal Justice and Immigration Act 2008

Criminally racist material in UK – to stir up religious hatred (or hatred on the grounds of sexual orientation) - contrary to the Public Order Act 1986

Pornography

X

Promotion of any kind of discrimination

X

Threatening behaviour, including promotion of physical violence or mental harm

X

Promotion of extremism or terrorism

Any other information which may be offensive to colleagues or breaches the integrity of the ethos of the school or brings the school into disrepute

X

X

Activities that might be classed as cyber-crime under the Computer Misuse Act: Gaining unauthorised access to school networks, data and files, through the use of computers/devices

Creating or propagating computer viruses or other harmful files

Revealing or publicising confidential or proprietary information (e.g. financial / personal information, databases, computer / network access codes and passwords)

Disable/Impair/Disrupt network functionality through the use of computers/devices

Using penetration testing equipment (without relevant permission)

N.B. Schools/academies will need to decide whether these should be dealt with internally or by the police. Serious or repeat offences should be reported to the police. Under the Cyber-Prevent agenda the National Crime Agency has a remit to prevent young people becoming involved in cyber-crime and harness their activity in positive ways – further information here

Using systems, applications, websites or other mechanisms that bypass the filtering or other safeguards employed by the school/academy

X

Revealing or publicising confidential or proprietary information (e.g. financial/personal information, databases, computer/network access codes and passwords)

X

Unfair usage (downloading/uploading large files that hinders others in their use of the internet)

X

Using school systems to run a private business

X

X

X

X

X

X

X

Infringing copyright

On-line gaming (educational)

On-line gaming (non-educational)

On-line gambling

On-line shopping/commerce

File sharing

Use of social media

Use of messaging apps

Use of video broadcasting e.g. YouTube

(The school/academy should agree its own responses and place the ticks in the relevant columns, in the table above. They may also wish to add additional text to the column(s) on the left to clarify issues. The last section of the table has been left blank for schools/academies to decide their own responses)

Responding to incidents of misuse

This guidance is intended for use when staff need to manage incidents that involve the use of online services. It encourages a safe and secure approach to the management of the incident. Incidents might involve illegal or inappropriate activities (see “User Actions” above). Online Safety BOOST includes a comprehensive and interactive ‘Incident Management Tool’ that steps staff through how to respond, forms to complete and action to take when managing reported incidents (https://boost.swgfl.org.uk/)

Illegal Incidents

If there is any suspicion that the web site(s) concerned may contain child abuse images, or if there is any other suspected illegal activity, refer to the right hand side of the Flowchart (below and appendix) for responding to online safety incidents and report immediately to the police.

Other Incidents

It is hoped that all members of the school/academy community will be responsible users of digital technologies, who understand and follow school/academy policy. However, there may be times when infringements of the policy could take place, through careless or irresponsible or, very rarely, through deliberate misuse.

In the event of suspicion, all steps in this procedure should be followed:

Have more than one senior member of staff involved in this process. This is vital to protect individuals if accusations are subsequently reported.

Conduct the procedure using a designated computer that will not be used by young people and if necessary can be taken off site by the police should the need arise. Use the same computer for the duration of the procedure.

It is important to ensure that the relevant staff should have appropriate internet access to conduct the procedure, but also that the sites and content visited are closely monitored and recorded (to provide further protection).

Record the URL of any site containing the alleged misuse and describe the nature of the content causing concern. It may also be necessary to record and store screenshots of the content on the machine being used for investigation. These may be printed, signed and attached to the form (except in the case of images of child sexual abuse – see below)

Once this has been completed and fully investigated the group will need to judge whether this concern has substance or not. If it does, then appropriate action will be required and could include the following:

o Internal response or discipline procedures

o Involvement by Local Authority/Academy Group or national/local organisation (as relevant).

o Police involvement and/or action

If content being reviewed includes images of child abuse, then the monitoring should be halted and referred to the Police immediately. Other instances to report to the police would include:

o incidents of ‘grooming’ behaviour

o the sending of obscene materials to a child

o adult material which potentially breaches the Obscene Publications Act

o criminally racist material

o promotion of terrorism or extremism

o offences under the Computer Misuse Act (see User Actions chart above)

o other criminal conduct, activity or materials

Isolate the computer in question as best you can. Any change to its state may hinder a later police investigation.

It is important that all of the above steps are taken as they will provide an evidence trail for the school/academy and possibly the police and demonstrate that visits to these sites were carried out for safeguarding purposes. The completed form should be retained by the group for evidence and reference purposes.

School/academy actions & sanctions

It is more likely that the school/academy will need to deal with incidents that involve inappropriate rather than illegal misuse. It is important that any incidents are dealt with as soon as possible in a proportionate manner, and that members of the school community are aware that incidents have been dealt with. It is intended that incidents of misuse will be dealt with through normal behaviour/disciplinary procedures as follows: (the school/academy will need to agree upon its own responses and place the ticks in the relevant columns. They may also wish to add additional text to the column(s) on the left to clarify issues. Schools/academies have found it useful to use the charts below at staff meetings/training sessions).

Actions/Sanctions

Students/Pupils Incidents (table columns: Refer to class teacher/tutor; Refer to Head of Department/Year/other; Refer to Headteacher/Principal; Refer to Police; Refer to technical support staff for action re filtering/security etc.; Inform parents/carers; Removal of network/internet access rights; Warning; Further sanction e.g. detention/exclusion)

Deliberately accessing or trying to access material that could be considered illegal (see list in earlier section on unsuitable/inappropriate activities).

Unauthorised use of non-educational sites during lessons

Unauthorised/inappropriate use of mobile phone/digital camera/other mobile device

Unauthorised/inappropriate use of social media/ messaging apps/personal email

Unauthorised downloading or uploading of files

Allowing others to access school/academy network by sharing username and passwords

Attempting to access or accessing the school/academy network, using another student’s/pupil’s account

Attempting to access or accessing the school/academy network, using the account of a member of staff

Corrupting or destroying the data of other users

Sending an email, text or message that is regarded as offensive, harassment or of a bullying nature

Continued infringements of the above, following previous warnings or sanctions

Actions which could bring the school/academy into disrepute or breach the integrity of the ethos of the school

Using proxy sites or other means to subvert the school’s/academy’s filtering system

Accidentally accessing offensive or pornographic material and failing to report the incident

X

X

X

Deliberately accessing or trying to access offensive or pornographic material

Receipt or transmission of material that infringes the copyright of another person or infringes the Data Protection Act

Actions/Sanctions

Staff Incidents (table columns: Refer to line manager; Refer to Headteacher/Principal; Refer to Local Authority/HR; Refer to Police; Refer to Technical Support Staff for action re filtering etc.; Warning; Suspension; Disciplinary action)

Deliberately accessing or trying to access material that could be considered illegal (see list in earlier section on unsuitable/inappropriate activities).

Inappropriate personal use of the internet/social media/personal email

Unauthorised downloading or uploading of files

Allowing others to access school network by sharing username and passwords or attempting to access or accessing the school network, using another person’s account

Careless use of personal data e.g. holding or transferring data in an insecure manner

Deliberate actions to breach data protection or network security rules

Corrupting or destroying the data of other users or causing deliberate damage to hardware or software

Sending an email, text or message that is regarded as offensive, harassment or of a bullying nature

X X X

Using personal email/social networking/instant messaging/text messaging to carry out digital communications with students/pupils

Actions which could compromise the staff member’s professional standing

Actions which could bring the school/academy into disrepute or breach the integrity of the ethos of the school/academy

Using proxy sites or other means to subvert the school’s/academy’s filtering system

Accidentally accessing offensive or pornographic material and failing to report the incident

Deliberately accessing or trying to access offensive or pornographic material

Breaching copyright or licensing regulations

Continued infringements of the above, following previous warnings or sanctions

Appendix

Copies of the more detailed template policies and agreements, contained in the appendix, can be downloaded from:

SWGfL Online Safety Policy Templates

Acknowledgements

SWGfL would like to acknowledge the contribution of a wide range of individuals and organisations whose policies, documents, advice and guidance have contributed to the development of the online safety policy templates and of the 360 degree safe online safety self-review tool.

Copyright of these template policies is held by SWGfL. Schools/academies and other educational institutions are permitted free use of the Template Policies for the purposes of policy writing, review and development. Any person or organisation wishing to use the document for other purposes should seek consent from SWGfL (onlinesafety@swgfl.org.uk) and acknowledge its use.

Every effort has been made to ensure that the information included in this document is accurate, as at the date of publication in January 2020. However, SWGfL cannot guarantee its accuracy, nor can it accept liability in respect of the use of the material.

© South West Grid for Learning Trust Ltd 2020

Appendices

Student/Pupil Acceptable Use Agreement Template – for older students/pupils

Student/Pupil Acceptable Use Policy Agreement Template – for younger pupils (Foundation/KS1)

Parent/Carer Acceptable Use Agreement Template

Staff (and Volunteer) Acceptable Use Policy Agreement Template

Acceptable Use Agreement for Community Users Template

Responding to incidents of misuse – flow chart

Record of reviewing devices/internet sites (responding to incidents of misuse)

Reporting Log

Training Needs Audit Log

School Technical Security Policy Template (including filtering and passwords)

School/academy Personal Data Advice and Guidance

School/academy policy template: Electronic Devices - Searching & Deletion

Mobile Technologies Policy Template (inc. BYOD/BYOT)

Social Media Policy Template

School Policy Template – Online Safety Group Terms of Reference

Legislation

Glossary of Terms

Student/Pupil Acceptable Use Agreement Template – for older students/pupils

Sections that include advice or guidance are written in BLUE. It is anticipated that schools will remove these sections from their final acceptable use document. Schools should review and amend the contents of this agreement to ensure that it is consistent with their online safety policy and other relevant school policies. Due to the number of optional statements and the advice/guidance sections included in this template, it is anticipated that the final document will be more concise. Schools/academies will need to decide on the suitability of the statements/language used and may wish to amend these in light of the age/abilities of the students/pupils.

School/academy policy

Digital technologies have become integral to the lives of children and young people, both within schools and outside school. These technologies are powerful tools, which open up new opportunities for everyone. These technologies can stimulate discussion, promote creativity and stimulate awareness of context to promote effective learning. Young people should have an entitlement to safe access to these digital technologies.

This acceptable use agreement is intended to ensure:

that young people will be responsible users and stay safe while using the internet and other digital technologies for educational, personal and recreational use.

that school systems and users are protected from accidental or deliberate misuse that could put the security of the systems and will have good access to digital technologies to enhance their learning and will, in return, expect the students/pupils to agree to be responsible users.

Acceptable Use Agreement

I understand that I must use school systems in a responsible way, to ensure that there is no risk to my safety or to the safety and security of the systems and other users.

For my own personal safety:

I understand that the school/academy will monitor my use of the systems, devices and digital communications.

I will keep my username and password safe and secure – I will not share it, nor will I try to use any other person’s username and password. I understand that I should not write down or store a password where it is possible that someone may steal it. 

I will be aware of “stranger danger”, when I am communicating on-line.

I will not disclose or share personal information about myself or others when on-line (this could include names, addresses, email addresses, telephone numbers, age, gender, educational details, financial details etc.)

If I arrange to meet people off-line that I have communicated with on-line, I will do so in a public place and take an adult with me.

I will immediately report any unpleasant or inappropriate material or messages or anything that makes me feel uncomfortable when I see it on-line.

I understand that everyone has equal rights to use technology as a resource and:

I understand that the school/academy systems and devices are primarily intended for educational use and that I will not use them for personal or recreational use unless I have permission.

I will not try (unless I have permission) to make large downloads or uploads that might take up internet capacity and prevent other users from being able to carry out their work.

I will not use the school/academy systems or devices for on-line gaming, on-line gambling, internet shopping, file sharing, or video broadcasting (e.g. YouTube), unless I have permission of a member of staff to do so. (schools/academies should amend this section to take account of their policy on each of these issues)

I will act as I expect others to act toward me:

I will respect others’ work and property and will not access, copy, remove or otherwise alter any other user’s files, without the owner’s knowledge and permission.

I will be polite and responsible when I communicate with others. I will not use strong, aggressive or inappropriate language and I appreciate that others may have different opinions.

I will not take or distribute images of anyone without their permission.

I recognise that the school has a responsibility to maintain the security and integrity of the technology it offers me and to ensure the smooth running of the school/academy:

I will only use my own personal devices (mobile phones/USB devices etc.) in school if I have permission (schools/academies should amend this section in the light of their mobile devices policies). I understand that, if I do use my own devices in the school/academy, I will follow the rules set out in this agreement, in the same way as if I was using school equipment.

I understand the risks and will not try to upload, download or access any materials which are illegal or inappropriate or may cause harm or distress to others, nor will I try to use any programmes or software that might allow me to bypass the filtering/security systems in place to prevent access to such materials.

I will immediately report any damage or faults involving equipment or software, however this may have happened.

I will not open any hyperlinks in emails or any attachments to emails unless I know and trust the person/organisation who sent the email, and I will not open them if I have any concerns about the validity of the email (due to the risk of the attachment containing viruses or other harmful programmes).

I will not install or attempt to install or store programmes of any type on any school device, nor will I try to alter computer settings.

I will only use social media sites with permission and at the times that are allowed (schools/academies should amend this section to take account of their policy on access to social media).

When using the internet for research or recreation, I recognise that:

I should ensure that I have permission to use the original work of others in my own work.

Where work is protected by copyright, I will not try to download copies (including music and videos).

When I am using the internet to find information, I should take care to check that the information that I access is accurate, as I understand that the work of others may not be truthful and may be a deliberate attempt to mislead me.

I understand that I am responsible for my actions, both in and out of school:

I understand that the school/academy also has the right to take action against me if I am involved in incidents of inappropriate behaviour, that are covered in this agreement, when I am out of school and where they involve my membership of the school community (examples would be online-bullying, use of images or personal information).

I understand that if I fail to comply with this acceptable use agreement, I may be subject to disciplinary action. This could include (schools/academies should amend this section to provide relevant sanctions as per their behaviour policies) loss of access to the school network/internet, detentions, suspensions, contact with parents and in the event of illegal activities involvement of the police.

Please complete the sections on the next page to show that you have read, understood and agree to the rules included in the acceptable use agreement. If you do not sign and return this agreement, access will not be granted to school systems and devices.

Student/Pupil Acceptable Use Agreement Form

This form relates to the student/pupil acceptable use agreement; to which it is attached.

Please complete the sections below to show that you have read, understood and agree to the rules included in the acceptable use agreement. If you do not sign and return this agreement, access will not be granted to school systems. (Schools/academies will need to decide if they require students/pupils to sign, or whether they wish to simply make them aware through education programmes/awareness raising).

I have read and understand the above and agree to follow these guidelines when:

I use the school/academy systems and devices (both in and out of school)

I use my own devices in the school/academy (when allowed) e.g. mobile phones, gaming devices, USB devices, cameras etc.

I use my own equipment out of the school/academy in a way that is related to me being a member of this school/academy e.g. communicating with other members of the school, accessing school email, VLE, website etc.

Name of Student/Pupil:

Group/Class:

Signed:

Date:

Parent/Carer Countersignature (optional)

It is for schools/academies to decide whether or not they require parents/carers to sign the parent/carer acceptable use agreement (see template later in this document). This includes a number of other permission forms (including digital and video images/biometric permission/cloud computing permission).

Some schools/academies may, instead, wish to add a countersignature box for parents/carers to this student/pupil acceptable use agreement.

Student/Pupil Acceptable Use Policy Agreement Template – for younger pupils (Foundation/KS1)

This is how we stay safe when we use computers:

I will ask a teacher or suitable adult if I want to use the computers/tablets

I will only use activities that a teacher or suitable adult has told or allowed me to use

I will take care of computers/tablets and other equipment

I will ask for help from a teacher or suitable adult if I am not sure what to do or if I think I have done something wrong

I will tell a teacher or suitable adult if I see something that upsets me on the screen

I know that if I break the rules I might not be allowed to use a computer/tablet

Signed (child):

(The school will need to decide whether or not they wish the children to sign the agreement – and at which age - for younger children the signature of a parent/carer should be sufficient)

Signed (parent):

Primary schools using this acceptable use agreement for younger children may also wish to use (or adapt for use) the parent/carer acceptable use agreement (the template can be found later in these templates) as this provides additional permission forms (including the digital and video images permission form).

Parent/Carer Acceptable Use Agreement Template

Digital technologies have become integral to the lives of children and young people, both within schools and outside school. These technologies provide powerful tools, which open up new opportunities for everyone. They can stimulate discussion, promote creativity and stimulate awareness of context to promote effective learning. Young people should have an entitlement to safe internet access at all times.

This acceptable use policy is intended to ensure:

that young people will be responsible users and stay safe while using the internet and other communications technologies for educational, personal and recreational use.

that school/academy systems and users are protected from accidental or deliberate misuse that could put the security of the systems and users at risk.

that parents and carers are aware of the importance of online safety and are involved in the education and guidance of young people with regard to their on-line behaviour.

The school will try to ensure that students/pupils will have good access to digital technologies to enhance their learning and will, in return, expect the students/pupils to agree to be responsible users. A copy of the student/pupil acceptable use agreement is attached to this permission form, so that parents/carers will be aware of the school expectations of the young people in their care.

Parents are requested to sign the permission form below to show their support of the school in this important aspect of the school’s work. (Schools/academies will need to decide whether or not they wish parents to sign the acceptable use agreement on behalf of their child)

Permission Form

Parent/Carers Name:

Student/Pupil Name:

As the parent/carer of the above students/pupils, I give permission for my son/daughter to have access to the internet and to ICT systems at school.

Either: (KS2 and above)

I know that my son/daughter has signed an acceptable use agreement and has received, or will receive, online safety education to help them understand the importance of safe use of technology and the internet – both in and out of school.

Or: (KS1)

I understand that the school has discussed the acceptable use agreement with my son/daughter and that they have received, or will receive, online safety education to help them understand the importance of safe use of technology and the internet – both in and out of school.

I understand that the school will take every reasonable precaution, including monitoring and filtering systems, to ensure that young people will be safe when they use the internet and systems. I also understand that the school cannot ultimately be held responsible for the nature and content of materials accessed on the internet and using mobile technologies.

I understand that my son’s/daughter’s activity on the systems will be monitored and that the school will contact me if they have concerns about any possible breaches of the acceptable use agreement.

I will encourage my child to adopt safe use of the internet and digital technologies at home and will inform the school if I have concerns over my child’s online safety.

As the school/academy is collecting personal data by issuing this form, it should inform parents/carers as to:

This form (electronic or printed)

Who will have access to this form.

Where this form will be stored.

How long this form will be stored for.

How this form will be destroyed.

Signed:

Date:

Use of Digital/Video Images

The use of digital/video images plays an important part in learning activities. Students/Pupils and members of staff may use digital cameras to record evidence of activities in lessons and out of school. These images may then be used in presentations in subsequent lessons.

Images may also be used to celebrate success through their publication in newsletters, on the school website and occasionally in the public media. Where an image is publicly shared by any means, only your child’s *delete as relevant* first name/initials will be used.

The school will comply with the Data Protection Act and request parents’/carers’ permission before taking images of members of the school. We will also ensure that when images are published the young people cannot be identified by the use of their names.

In accordance with guidance from the Information Commissioner’s Office, parents/carers are welcome to take videos and digital images of their children at school events for their own personal use (as such use is not covered by the Data Protection Act). To respect everyone’s privacy and in some cases protection, these images should not be published/made publicly available on social networking sites, nor should parents/carers comment on any activities involving other students/pupils in the digital/video images.

Parents/carers are requested to sign the permission form below to allow the school to take and use images of their children and for the parents/carers to agree.

As the school/academy is collecting personal data by issuing this form, it should inform parents/carers as to:

This form (electronic or printed):

Who will have access to this form.

Where this form will be stored.

How long this form will be stored for.

How this form will be destroyed.

The images:

Where the images may be published, such as Twitter, Facebook, the school/academy website, local press, etc. (see relevant section of form below)

Who will have access to the images.

Where the images will be stored.

How long the images will be stored for.

How the images will be destroyed.

How a request for deletion of the images can be made.

Digital/Video Images Permission Form

Parent/Carers Name: Student/Pupil Name:

As the parent/carer of the above student/pupil, I agree to the school taking digital/video images of my child/children.

Yes/No

I agree to these images being used:

to support learning activities.

Yes/No

in publicity that reasonably celebrates success and promotes the work of the school.

Yes/No

Insert statements here that explicitly detail where images are published by the school/academy

Yes/No

I agree that if I take digital or video images at, or of school events which include images of children, other than my own, I will abide by these guidelines in my use of these images.

Yes/No

Signed:

Date:

Use of Cloud Systems Permission Form

Schools that use cloud hosting services may be required to seek parental permission to set up an account for pupils/students.

Schools will need to review and amend the section below, depending on which cloud hosted services are used.

The school uses *insert cloud service provider name* for pupils/students and staff. This permission form describes the tools and pupil/student responsibilities for using these services.

The following services are available to each pupil/student as part of the school’s online presence in *insert cloud service provider name*

Using *insert cloud service provider name* will enable your child to collaboratively create, edit and share files and websites for school related projects and communicate via email with other pupils and members of staff. These services are entirely online and available 24/7 from any internet-connected computer.

The school believes that use of the tools significantly adds to your child’s educational experience.

As the school/academy is collecting personal data and sharing this with a third party, it should inform parents/carers about:

This form (electronic or printed):

Who will have access to this form.

Where this form will be stored.

How long this form will be stored for.

How this form will be destroyed.

The data shared with the service provider:

What data will be shared.

Who the data will be shared with.

Who will have access to the data.

Where the data will be stored.

How long the data will be stored for.

How the data will be destroyed.

How a request for deletion of the data can be made.

Do you consent to your child having access to this service? Yes/No

Student/Pupil Name: Parent/Carers Name:

Signed: Date:

Use of Biometric Systems in England and Wales

If the school uses biometric systems (e.g. fingerprint/palm recognition technologies) to identify children for access, attendance recording, charging, library lending etc it must (under the “Protection of Freedoms” and Data Protection legislation) seek permission from a parent or carer.

The school uses biometric systems for the recognition of individual children in the following ways (the school should describe here how it uses the biometric system).

Biometric technologies have certain advantages over other automatic identification systems as pupils do not need to remember to bring anything with them (to the canteen or school library) so nothing can be lost, such as a swipe card. 

The school has carried out a data privacy impact assessment and is confident that the use of such technologies is effective and justified in a school context.

No complete images of fingerprints/palms are stored and the original image cannot be reconstructed from the data. This means that it is not possible, for example, to recreate a pupil's fingerprint or even the image of a fingerprint from what is in effect a string of numbers.

As the school/academy is collecting special category personal data and *delete as appropriate* sharing this with a third party, it should inform parents/carers about:

This form (electronic or printed):

Who will have access to this form.

Where this form will be stored.

How long this form will be stored for.

How this form will be destroyed.

The data shared with the service provider:

What data will be shared.

Who the data will be shared with.

Who will have access to the data.

Where the data will be stored.

How long the data will be stored for.

How the data will be destroyed.

How consent to process the biometric data can be withdrawn.

Parent/Carers Name:

Student/Pupil Name:

As the parent/carer of the above student/pupil, I agree to the school using biometric recognition systems, as described above. Yes/No

I understand that the images cannot be used to create a whole fingerprint/palm print of my child and that these images will not be shared with anyone outside the school. Yes/No

Signed:

Further guidance

Each parent of the child should be notified by the school/academy that they are planning to process their child's biometrics and notified that they are able to object.

In order for a school/academy to process children's biometrics, at least one parent must consent and no parent may have withdrawn consent. This needs to be in writing.

The child can object or refuse to participate in the processing of their biometric data regardless of parents’ consent.

Schools and colleges must provide reasonable alternative means of accessing services for those pupils who will not be using an automated biometric recognition system.

Permission only needs to be collected once during the period that the student/pupil attends the school, but new permission is required if there are changes to the biometric systems in use.

Student/Pupil Acceptable Use Agreement

On the following pages we have copied, for the information of parents and carers, the student/pupil acceptable use agreement.

It is suggested that when the student/pupil AUA is written, a copy should be attached to the parents/carers acceptable use agreement to provide information for parents and carers about the rules and behaviours that students/pupils have committed to by signing the form.

Staff (and Volunteer) Acceptable Use Policy Agreement Template

Sections that include advice or guidance are written in BLUE. It is anticipated that schools/academies will remove these sections from their final document. Schools should review and amend the contents of this agreement to ensure that it is consistent with their online safety policy and other relevant school policies. Due to the number of optional statements and the advice/guidance sections included in this template, it is anticipated that the final AUP will be more concise.

School Policy

New technologies have become integral to the lives of children and young people in today’s society, both within schools/academies and in their lives outside school. The internet and other digital information and communications technologies are powerful tools, which open up new opportunities for everyone. These technologies can stimulate discussion, promote creativity and stimulate awareness of context to promote effective learning. They also bring opportunities for staff to be more creative and productive in their work. All users should have an entitlement to safe access to the internet and digital technologies at all times.

This acceptable use policy is intended to ensure:

that staff and volunteers will be responsible users and stay safe while using the internet and other communications technologies for educational, personal and recreational use.

that school/academy systems and users are protected from accidental or deliberate misuse that could put the security of the systems and users at risk.

that staff are protected from potential risk in their use of technology in their everyday work.

The school will try to ensure that staff and volunteers will have good access to digital technology to enhance their work and to enhance learning opportunities for students/pupils, and will, in return, expect staff and volunteers to agree to be responsible users.

Acceptable Use Policy Agreement

I understand that I must use school systems in a responsible way, to ensure that there is no risk to my safety or to the safety and security of the systems and other users. I recognise the value of the use of digital technology for enhancing learning and will ensure that students/pupils receive opportunities to gain from the use of digital technology. I will, where possible, educate the young people in my care in the safe use of digital technology and embed online safety in my work with young people.

For my professional and personal safety:

I understand that the school/academy will monitor my use of the school digital technology and communications systems.

I understand that the rules set out in this agreement also apply to use of these technologies (e.g. laptops, email, VLE etc.) out of school, and to the transfer of personal data (digital or paper based) out of school (schools/academies should amend this section in the light of their policies which relate to the use of school systems and equipment out of school)

I understand that the school digital technology systems are primarily intended for educational use and that I will only use the systems for personal or recreational use within the policies and rules set down by the school. (schools should amend this section in the light of their policies which relate to the personal use, by staff and volunteers, of school systems)

I will not disclose my username or password to anyone else, nor will I try to use any other person’s username and password. I understand that I should not write down or store a password where it is possible that someone may steal it.

I will immediately report any illegal, inappropriate or harmful material or incident that I become aware of to the appropriate person.

I will be professional in my communications and actions when using school/academy systems:

I will not access, copy, remove or otherwise alter any other user’s files, without their express permission.

I will communicate with others in a professional manner. I will not use aggressive or inappropriate language and I appreciate that others may have different opinions.

I will ensure that when I take and/or publish images of others I will do so with their permission and in accordance with the school’s policy on the use of digital/video images. I will not use my personal equipment to record these images, unless I have permission to do so. Where these images are published (e.g. on the school website/VLE) it will not be possible to identify by name, or other personal information, those who are featured.

I will only use social networking sites in school in accordance with the school’s policies. (schools/academies should amend this section to take account of their policy on access to social networking and similar sites)

I will only communicate with students/pupils and parents/carers using official school systems. Any such communication will be professional in tone and manner. (schools should amend this section to take account of their policy on communications with students/pupils and parents/carers. Staff should be made aware of the risks attached to using their personal email addresses/mobile phones/social networking sites for such communications)

I will not engage in any on-line activity that may compromise my professional responsibilities.

The school and the local authority have the responsibility to provide safe and secure access to technologies and ensure the smooth running of the school/academy:

When I use my mobile devices in school, I will follow the rules set out in this agreement, in the same way as if I was using school/academy equipment. I will also follow any additional rules set by the school/academy about such use. I will ensure that any such devices are protected by up to date anti-virus software and are free from viruses. (schools/academies should amend this section in the light of their policies which relate to the use of staff devices)

I will not use personal email addresses on the school/academy ICT systems. (schools/academies should amend this section in the light of their email policy – some schools/academies will choose to allow the use of staff personal email addresses on the premises).

I will not open any hyperlinks in emails or any attachments to emails unless the source is known and trusted, and I will not open them if I have any concerns about the validity of the email (due to the risk of the attachment containing viruses or other harmful programmes).

I will ensure that my data is regularly backed up, in accordance with relevant school/academy policies.

I will not try to upload, download or access any materials which are illegal (child sexual abuse images, criminally racist material, terrorist or extremist material, adult pornography covered by the Obscene Publications Act) or inappropriate or may cause harm or distress to others. I will not try to use any programmes or software that might allow me to bypass the filtering/security systems in place to prevent access to such materials.

I will not try (unless I have permission) to make large downloads or uploads that might take up internet capacity and prevent other users from being able to carry out their work.

I will not install or attempt to install programmes of any type on a machine, or store programmes on a computer, nor will I try to alter computer settings, unless this is allowed in school/academy policies. (schools/academies should amend this section in the light of their policies on installing programmes/altering settings)

I will not disable or cause any damage to school/academy equipment, or the equipment belonging to others.

I will only transport, hold, disclose or share personal information about myself or others, as outlined in the School/Academy/LA Personal Data Policy (or other relevant policy). Where digital personal data is transferred outside the secure local network, it must be encrypted. Paper based documents containing personal data must be held in lockable storage.

I understand that data protection policy requires that any staff or student/pupil data to which I have access, will be kept private and confidential, except when it is deemed necessary that I am required by law or by school/academy policy to disclose such information to an appropriate authority.

I will immediately report any damage or faults involving equipment or software, however this may have happened.

When using the internet in my professional capacity or for school sanctioned personal use:

I will ensure that I have permission to use the original work of others in my own work.

Where work is protected by copyright, I will not download or distribute copies (including music and videos).

I understand that I am responsible for my actions in and out of the school/academy:

I understand that this acceptable use policy applies not only to my work and use of school/academy digital technology equipment in school, but also to my use of school/academy systems and equipment off the premises and my use of personal equipment on the premises or in situations related to my employment by the school/academy.

I understand that if I fail to comply with this acceptable use agreement, I could be subject to disciplinary action. This could include (schools/academies should amend this section to provide relevant sanctions as per their behaviour policies) a warning, a suspension, referral to Governors/directors and/or the Local Authority and in the event of illegal activities the involvement of the police.

I have read and understand the above and agree to use the school digital technology systems (both in and out of school) and my own devices (in school and when carrying out communications related to the school) within these guidelines.

Staff/Volunteer Name:

Signed:

Date:

Acceptable Use Agreement for Community Users Template

This acceptable use agreement is intended to ensure:

that community users of school/academy digital technologies will be responsible users and stay safe while using these systems and devices

that school/academy systems, devices and users are protected from accidental or deliberate misuse that could put the security of the systems and users at risk.

that users are protected from potential harm in their use of these systems and devices

Acceptable Use Agreement

I understand that I must use school systems and devices in a responsible way, to ensure that there is no risk to my safety or to the safety and security of the systems, devices and other users. This agreement will also apply to any personal devices that I bring into the school/academy:

I understand that my use of school/academy systems and devices will be monitored.

I will not use a personal device that I have brought into school for any activity that would be inappropriate in a school setting.

I will not try to upload, download or access any materials which are illegal (child sexual abuse images, criminally racist material, terrorist and extremist material, adult pornography covered by the Obscene Publications Act) or inappropriate or may cause harm or distress to others. I will not try to use any programmes or software that might allow me to bypass the filtering/security systems in place to prevent access to such materials.

I will immediately report any illegal, inappropriate or harmful material or incident that I become aware of to the appropriate person.

I will not access, copy, remove or otherwise alter any other user’s files, without permission. I will ensure that if I take and/or publish images of others I will only do so with their permission. I will not use my personal equipment to record these images, without permission. If images are published it will not be possible to identify by name, or other personal information, those who are featured.

I will not publish or share any information I have obtained whilst in the school on any personal website, social networking site or through any other means, unless I have permission from the school. I will not, without permission, make large downloads or uploads that might take up internet capacity and prevent other users from being able to carry out their work.

I will not install or attempt to install programmes of any type on a school device, nor will I try to alter computer settings, unless I have permission to do so.

I will not disable or cause any damage to school/academy equipment, or the equipment belonging to others.

I will immediately report any damage or faults involving equipment or software, however this may have happened.

I will ensure that I have permission to use the original work of others in my own work Where work is protected by copyright, I will not download or distribute copies (including music and videos).

I understand that if I fail to comply with this acceptable use agreement, the school/academy has the right to remove my access to school systems/devices.

I have read and understand the above and agree to use the school digital technology systems (both in and out of school) and my own devices (in school and when carrying out communications related to the school) within these guidelines.

As the school/academy is collecting personal data by issuing this form, it should inform community users about:

Who will have access to this form.

How this form will be destroyed.

Where this form will be stored.

How long this form will be stored for.

Name: Signed: Date:

Responding to incidents of misuse – flow chart

Record of reviewing devices/internet sites (responding to incidents of misuse)

Group:

Date:

Reason for investigation:

Details of first reviewing person

Name:

Position:

Signature:

Details of second reviewing person

Name:

Position:

Signature:

Name and location of computer used for review (for web sites)

Web site(s) address/device | Reason for concern

Conclusion and Action proposed or taken

Reporting Log

Group:

Date | Time | Incident | Action Taken (What? / By Whom?) | Incident Reported By | Signature

Training Needs Audit Log

Group:

Relevant training the last 12 months | Identified Training Need | To be met by | Cost | Review Date

School Technical Security Policy Template (including filtering and passwords)

Suggestions for use

Within this template sections which include information or guidance are shown in BLUE. It is anticipated that schools would remove these sections from their completed policy document, though this will be a decision for the group that produces the policy.

Where sections in the template are written in italics it is anticipated that schools would wish to consider whether or not to include that section or statement in their completed policy.

Where sections are highlighted in BOLD text, it is the view of the SWGfL Online Safety Group that these would be an essential part of a school online safety policy.

The template uses various terms such as school/academy; students/pupils. Users will need to choose which term to use for their circumstances and delete the other accordingly.

Introduction

Effective technical security depends not only on technical measures, but also on appropriate policies and procedures and on good user education and training. The school will be responsible for ensuring that the school infrastructure/network is as safe and secure as is reasonably possible and that:

users can only access data to which they have right of access

no user should be able to access another’s files (other than that allowed for monitoring purposes within the school’s policies).

access to personal data is securely controlled in line with the school’s personal data policy

logs are maintained of access by users and of their actions while users of the system

there is effective guidance and training for users

there are regular reviews and audits of the safety and security of school computer systems

there is oversight from senior leaders and these have impact on policy and practice.

If the school/academy has a managed ICT service provided by an outside contractor, it is the responsibility of the school to ensure that the managed service provider carries out all the online safety measures that might otherwise be carried out by the school/academy itself (as suggested below). It is also important that the managed service provider is fully aware of the school/academy online safety policy/acceptable use agreements. The school/academy should also check their Local Authority/Academy Group/other relevant body policies/guidance on these technical issues.

Responsibilities

The management of technical security will be the responsibility of (insert title) (schools/academies will probably choose the Network Manager/Technical Staff/Head of Computing or other relevant responsible person)

Technical Security

Policy statements

The school/academy will be responsible for ensuring that their infrastructure/network is as safe and secure as is reasonably possible and that policies and procedures approved within this policy are implemented. It will also need to ensure that the relevant people receive guidance and training and will be effective in carrying out their responsibilities:

school/academy technical systems will be managed in ways that ensure that the school/academy meets recommended technical requirements (if not managed by the Local Authority, these may be outlined in Local Authority/other relevant body technical/online safety policy and guidance)

there will be regular reviews and audits of the safety and security of school/academy technical systems

servers, wireless systems and cabling must be securely located and physical access restricted

appropriate security measures are in place to protect the servers, firewalls, switches, routers, wireless systems, work stations, mobile devices etc from accidental or malicious attempts which might threaten the security of the school/academy systems and data

responsibilities for the management of technical security are clearly assigned to appropriate and well trained staff (this may be at school/academy, local authority or managed provider level)

all users will have clearly defined access rights to school/academy technical systems. Details of the access rights available to groups of users will be recorded by the network manager/technical staff/other person and will be reviewed, at least annually, by the online safety group.

users will be made responsible for the security of their username and password, must not allow other users to access the systems using their log on details and must immediately report any suspicion or evidence that there has been a breach of security (see password section below)

(insert name or role) is responsible for ensuring that software licence logs are accurate and up to date and that regular checks are made to reconcile the number of licences purchased against the number of software installations (inadequate licensing could cause the school/academy to breach the Copyright Act, which could result in fines or unexpected licensing costs)

mobile device security and management procedures are in place (where mobile devices are allowed access to school/academy systems). (schools/colleges may wish to add details of the mobile device security procedures that are in use).

school/academy/local authority/managed service provider/technical staff regularly monitor and record the activity of users on the school/academy technical systems and users are made aware of this in the acceptable use agreement. (schools/colleges may wish to add details of the monitoring programmes that are used)

remote management tools are used by staff to control workstations and view users’ activity

an appropriate system is in place (to be described) for users to report any actual/potential technical incident to the online safety co-ordinator/network manager/technician (or other relevant person, as agreed)

an agreed policy is in place (to be described) for the provision of temporary access of “guests” (e.g. trainee teachers, supply teachers, visitors) onto the school/academy system

an agreed policy is in place (to be described) regarding the downloading of executable files and the installation of programmes on school/academy devices by users

an agreed policy is in place (to be described) regarding the extent of personal use that users (staff/learners/community users) and their family members are allowed on school/academy devices that may be used out of school/academy

an agreed policy is in place (to be described) regarding the use of removable media (e.g. memory sticks/CDs/DVDs) by users on school/academy devices (see school/academy personal data policy template in the appendix for further detail)

the school/academy infrastructure and individual workstations are protected by up to date software to protect against malicious threats from viruses, worms, trojans etc.

personal data cannot be sent over the internet or taken off the school/academy site unless safely encrypted or otherwise secured. (see school/academy personal data policy template in the appendix for further detail)

Password Security

A safe and secure username/password system is essential if the above is to be established and will apply to all school/academy technical systems (including networks, devices, email and learning platform). You can find out more about passwords, why they are important and how to manage them in our blog article. You may wish to share this with staff members to help explain the significance of passwords as this is helpful in explaining why they are necessary and important. Where sensitive data is in use – particularly when accessed on mobile devices – schools/academies may wish to use more secure forms of authentication e.g. two factor authentication.

Further guidance can be found from the National Cyber Security Centre and SWGfL “Why password security is important”.

Policy Statements:

These statements apply to all users.

All school/academy networks and systems will be protected by secure passwords. All users have clearly defined access rights to school/academy technical systems and devices. Details of the access rights available to groups of users will be recorded by the Network Manager (or other person) and will be reviewed, at least annually, by the online safety group (or other group).

All users (adults and students/pupils) have responsibility for the security of their username and password, must not allow other users to access the systems using their log on details and must immediately report any suspicion or evidence that there has been a breach of security. Passwords must not be shared with anyone.

All users will be provided with a username and password by xxxxx (insert name or title) (see section on password generation in technical notes) who will keep an up to date record of users and their usernames.

Password requirements:

Passwords should be long. Good practice highlights that passwords over 12 characters in length are considerably more difficult to compromise than shorter passwords. Passwords generated by using a combination of unconnected words that are over 16 characters long are extremely difficult to crack. Password length trumps any other special requirements such as uppercase/lowercase letters, numbers and special characters. Passwords should be easy to remember, but difficult to guess or crack.

Passwords should be different for different accounts, to ensure that other systems are not put at risk if one is compromised, and should be different for systems used inside and outside of school/academy

Passwords must not include names or any other personal information about the user that might be known by others

Passwords must be changed on first login to the system

The school/academy may wish to recommend to staff and students/pupils (depending on age) that they make use of a ‘password vault’; these can store passwords in an encrypted manner and can generate very difficult to crack passwords. There may be a charge for these services.

Passwords should not be set to expire as long as they comply with the above, but should be unique to each service the user logs into.

Learner passwords:

Primary schools will need to decide at which point they will allocate individual usernames and passwords to pupils. They may choose to use class logons for Foundation Phase (though increasingly children are using their own passwords to access programmes). Schools/colleges need to be aware of the risks associated with not being able to identify any individual who may have infringed the rules set out in the policy and the acceptable use agreement (AUA). Use by students/pupils in this way should always be supervised and members of staff should never use a class log on for their own network/internet access. Schools/colleges should also consider the implications of using whole class logons when providing access to learning environments and applications, which may be used outside school/academy.

Records of learner usernames and passwords for foundation phase students/pupils can be kept in an electronic or paper-based form, but they must be securely kept when not required by the user. Password complexity in foundation phase should be reduced (for example 6-character maximum) and should not include special characters. Where external systems have different password requirements the use of random words or sentences should be encouraged.

Password requirements for students/pupils at Key Stage 2 and above should increase as students/pupils progress through school/academy.

Users will be required to change their password if it is compromised. Some schools/colleges may choose to reset passwords at the start of each academic year to avoid large numbers of forgotten password reset requests where there is no user-controlled reset process. (Note: passwords should not be regularly changed but should be secure and unique to each account.)

Students/pupils will be taught the importance of password security; this should include how passwords are compromised, and why these password rules are important.

Schools/colleges may wish to add to this list for all or some students/pupils any of the relevant policy statements from the staff section above.

Notes for technical staff/teams

Each administrator should have an individual administrator account, as well as their own user account with access levels set at an appropriate level. Consideration should also be given to using two factor authentication for such accounts.

An administrator account password for the school/academy systems should also be kept in a secure place e.g. school/academy safe. This account and password should only be used to recover or revoke access. Other administrator accounts should not have the ability to delete this account. (A school/academy should never allow one user to have sole administrator access)

Any digitally stored administrator passwords should be hashed using a suitable algorithm for storing passwords (e.g. Bcrypt or Scrypt). Message Digest algorithms such as MD5, SHA1, SHA256 etc. should not be used.

It is good practice that where passwords are used there is a user-controlled password reset process to enable independent, but secure re-entry to the system. This ensures that only the owner has knowledge of the password.

Where user-controlled reset is not possible, passwords for new users, and replacement passwords for existing users will be allocated by xxxxx (insert title) (schools/colleges may wish to have someone other than the school’s/college’s technical staff carrying out this role e.g. an administrator who is easily accessible to users). Good practice is that the password generated by this change process should be system generated and only known to the user. This password should be temporary and the user should be forced to change their password on first login. The generated passwords should also be long and random.

Where automatically generated passwords are not possible, then a good password generator should be used by xxxxx (insert title) to provide the user with their initial password. There should be a process for the secure transmission of this password to limit knowledge to the password creator and the user. The password should be temporary and the user should be forced to change their password on the first login.

Requests for password changes should be authenticated by (the responsible person) to ensure that the new password can only be passed to the genuine user (the school/academy will need to decide how this can be managed – possibly by requests being authorised by a line manager for a request by a member of staff or by a member of staff for a request by a learner)

Suitable arrangements should be in place to provide visitors with appropriate access to systems which expires after use. (For example, your technical team may provide pre-created user/password combinations that can be allocated to visitors, recorded in a log, and deleted from the system after use.)

In good practice, the account is “locked out” following six successive incorrect log-on attempts. Passwords shall not be displayed on screen, and shall be securely hashed when stored (use of one-way encryption).
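The technical notes above (salted scrypt hashing instead of a message digest, a system-generated temporary password that must be changed at first login, and lockout after six successive failures) are shown together in the following added example. It is not part of the template or of any school's system; the class and function names, the scrypt cost settings and the 12-character minimum for a chosen password are assumptions made for the illustration.

```python
"""Added example: password storage, temporary passwords and lockout."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed values for this example (not from the policy): scrypt cost settings,
# salt size, temporary password size and minimum length for a chosen password.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_BYTES = 16
TEMP_PASSWORD_BYTES = 18      # 18 random bytes -> 24 URL-safe characters
MIN_CHOSEN_LENGTH = 12
# From the policy notes: lock out after six successive incorrect attempts.
MAX_FAILED_ATTEMPTS = 6


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted scrypt hash; never a bare MD5/SHA digest."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        maxmem=SCRYPT_MAXMEM, dklen=32,
    )


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    must_change: bool = False
    failed_attempts: int = 0
    locked: bool = False


class AccountStore:
    """In-memory stand-in for a user database (hypothetical, for illustration)."""

    def __init__(self) -> None:
        self._accounts = {}

    def issue_temporary_password(self, username: str) -> str:
        """Create or reset an account with a system-generated password.

        The plaintext is returned once for secure hand-over and never stored.
        Reissuing also clears any lockout, as a reset process would.
        """
        temp = secrets.token_urlsafe(TEMP_PASSWORD_BYTES)
        salt = secrets.token_bytes(SALT_BYTES)
        self._accounts[username] = Account(
            salt, hash_password(temp, salt), must_change=True
        )
        return temp

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'must_change', 'denied' or 'locked'."""
        account = self._accounts.get(username)
        if account is None:
            # Do the same hashing work so unknown users are not faster to reject.
            hash_password(password, b"\x00" * SALT_BYTES)
            return "denied"
        if account.locked:
            return "locked"
        candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.password_hash):
            account.failed_attempts = 0
            return "must_change" if account.must_change else "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return "locked"
        return "denied"

    def change_password(self, username: str, current: str, new: str) -> bool:
        """Replace the password after re-authenticating with the current one."""
        if self.login(username, current) not in ("ok", "must_change"):
            return False
        if len(new) < MIN_CHOSEN_LENGTH or new == current:
            return False
        account = self._accounts[username]
        account.salt = secrets.token_bytes(SALT_BYTES)
        account.password_hash = hash_password(new, account.salt)
        account.must_change = False
        return True


if __name__ == "__main__":
    store = AccountStore()
    temp = store.issue_temporary_password("staff01")  # constructed username
    print("first login:", store.login("staff01", temp))
    store.change_password("staff01", temp, "purple kettle orbit lantern")
    for _ in range(MAX_FAILED_ATTEMPTS):
        result = store.login("staff01", "wrong guess")
    print("after six wrong attempts:", result)
```

Only the salt and the scrypt output are stored, so a copy of the account table does not reveal passwords directly, and a successful login resets the failure counter so that only successive failures count towards the lockout.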

Training/Awareness:

It is essential that users should be made aware of the need for keeping passwords secure, and the risks attached to unauthorised access/data loss. This should apply to even the youngest of users. It is also essential that users be taught how passwords are compromised, so they understand why things should be done a certain way. Please see our blog for more details on this.

Members of staff will be made aware of the school/academy’s password policy:

at induction

through the school/academy’s online safety policy and password security policy

through the acceptable use agreement

Students/pupils will be made aware of the school’s/college’s password policy:

in lessons (the school/academy should describe how this will take place)

through the acceptable use agreement

Audit/Monitoring/Reporting/Review:

The responsible person (insert title) will ensure that full records are kept of:

User Ids and requests for password changes

User logons

Security incidents related to this policy

Filtering

Introduction

The filtering of internet content provides an important means of preventing users from accessing material that is illegal or is inappropriate in an educational context. The filtering system cannot, however, provide a 100% guarantee that it will do so, because the content on the web changes dynamically and new technologies are constantly being developed. It is important, therefore, to understand that filtering is only one element in a larger strategy for online safety and acceptable use. It is important that the school has a filtering policy to manage the associated risks and to provide preventative measures which are relevant to the situation in this school.

Many users are not aware of the flexibility provided by many filtering services at a local level for schools/academies. Where available, schools/academies should use this flexibility to meet their learning needs and reduce some of the frustrations occasionally felt by users who wish to maximise the use of the new technologies.

Schools/academies need to consider carefully the issues raised and decide:

Whether they will use the provided filtering service without change or to allow flexibility for sites to be added or removed from the filtering list for their organisation

Whether to introduce differentiated filtering for different groups/ages of users

Whether to remove filtering controls for some internet use (e.g. social networking sites) at certain times of the day or for certain users

Who has responsibility for such decisions and the checks and balances put in place

What other system and user monitoring systems will be used to supplement the filtering system and how these will be used

DfE Keeping Learners Safe in Education requires schools to have “appropriate filtering”. Guidance can be found on the UK Safer Internet Centre site.

Schools may wish to test their filtering for protection against illegal materials at: SWGfL Test Filtering

Responsibilities

The responsibility for the management of the school’s filtering policy will be held by (insert title). They will manage the school filtering, in line with this policy and will keep records/logs of changes and of breaches of the filtering systems.

To ensure that there is a system of checks and balances and to protect those responsible, changes to the school filtering service must (schools should choose their relevant responses):

be logged in change control logs

be reported to a second responsible person (insert title):

either... be reported to and authorised by a second responsible person prior to changes being made (recommended)

or... be reported to a second responsible person (insert title) every X weeks/months in the form of an audit of the change control logs

be reported to the Online Safety Group every X weeks/months in the form of an audit of the change control logs

All users have a responsibility to report immediately to (insert title) any infringements of the school’s filtering policy of which they become aware or any sites that are accessed, which they believe should have been filtered.

Users must not attempt to use any programmes or software that might allow them to bypass the filtering/security systems in place to prevent access to such materials.

Policy Statements

Internet access is filtered for all users. Differentiated internet access is available for staff and customised filtering changes are managed by the school. Illegal content is filtered by the broadband or filtering provider by actively employing the Internet Watch Foundation CAIC list and other illegal content lists. Filter content lists are regularly updated and internet use is logged and frequently monitored. The monitoring process alerts the school to breaches of the filtering policy, which are then acted upon. There is a clear route for reporting and managing changes to the filtering system. Where personal mobile devices are allowed internet access through the school network, filtering will be applied that is consistent with school practice.

Either - The school/academy maintains and supports the managed filtering service provided by the Internet Service Provider (or other filtering service provider)

Or – The school/academy manages its own filtering service (N.B. If a school/academy decides to remove the external filtering and replace it with another internal filtering system, this should be clearly explained in the policy and evidence provided that the Headteacher/Principal would be able to show, in the event of any legal issue that the school was able to meet its statutory requirements to ensure the safety of staff/students/pupils)

The school has provided enhanced/differentiated user-level filtering through the use of the (insert name) filtering programme. (allowing different filtering levels for different ages/stages and different groups of users – staff/pupils/students etc.)

In the event of the technical staff needing to switch off the filtering for any reason, or for any user, this must be logged and carried out by a process that is agreed by the Headteacher/Principal (or other nominated senior leader).

Mobile devices that access the school/academy internet connection (whether school/academy or personal devices) will be subject to the same filtering standards as other devices on the school systems.

Any filtering issues should be reported immediately to the filtering provider.

Requests from staff for sites to be removed from the filtered list will be considered by the technical staff (insert name or title) (N.B. an additional person should be nominated – to ensure protection for the Network Manager or any other member of staff, should any issues arise re unfiltered access). If the request is agreed, this action will be recorded and logs of such actions shall be reviewed regularly by the Online Safety Group.

Education/Training/Awareness

Pupils/students will be made aware of the importance of filtering systems through the online safety education programme (schools may wish to add details). They will also be warned of the consequences of attempting to subvert the filtering system.

Staff users will be made aware of the filtering systems through: (amend as relevant)

the acceptable use agreement

induction training

staff meetings, briefings, Inset.

Parents will be informed of the school’s filtering policy through the acceptable use agreement and through online safety awareness sessions/newsletter etc. (amend as relevant)

Changes to the Filtering System

In this section the school should provide a detailed explanation of:

how, and to whom, users may request changes to the filtering (whether this is carried out in school or by an external filtering provider)

the grounds on which they may be allowed or denied (schools may choose to allow access to some sites e.g. social networking sites for some users, at some times, or for a limited period of time. There should be strong educational reasons for changes that are agreed).

how a second responsible person will be involved to provide checks and balances (preferably this will be at the time of request, but could be retrospectively through inspection of records/audit of logs)

any audit/reporting system

Users who gain access to, or have knowledge of others being able to access, sites which they feel should be filtered (or unfiltered) should report this in the first instance to (insert title) who will decide whether to make school level changes (as above).

Monitoring

Some schools/academies supplement their filtering systems with additional monitoring systems. If this is the case, schools/academies should include information in this section, including – if they wish – details of internal or commercial systems that are in use. They should also ensure that users are informed that monitoring systems are in place.

No filtering system can guarantee 100% protection against access to unsuitable sites. The school will therefore monitor the activities of users on the school network and on school equipment as indicated in the school online safety policy and the acceptable use agreement. Monitoring will take place as follows: (details should be inserted if the school/academy so wishes).

Audit/Reporting

Logs of filtering change controls and of filtering incidents will be made available to: (schools should amend as relevant)

the second responsible person (insert title)

Online Safety Group

Online Safety Governor/Governors committee

External Filtering provider/Local Authority/Police on request

The filtering policy will be reviewed in response to the evidence provided by the audit logs of the suitability of the current provision. (The evidence might show a large number of requests to remove the filtering from sites – in which case schools might question whether their current level of filtering is too restrictive for educational purposes. Alternatively, a large number of incidents where users try to subvert the filtering system might suggest that improved monitoring/disciplinary action might be necessary).

Further Guidance

Schools/academies may wish to seek further guidance. The following is recommended:

Schools in England (and Wales) are required “to ensure children are safe from terrorist and extremist material when accessing the internet in school, including by establishing appropriate levels of filtering" (Revised Prevent Duty Guidance: for England and Wales, 2015).

The Department for Education ‘Keeping Children Safe in Education’ requires schools to: “ensure appropriate filters and appropriate monitoring systems are in place. Children should not be able to access harmful or inappropriate material from the school or colleges IT system” however, schools will need to “be careful that “over blocking” does not lead to unreasonable restrictions as to what children can be taught with regards to online teaching and safeguarding.”

In response UKSIC produced guidance – information on “Appropriate Filtering”

Somerset Guidance for schools – questions for technical support – this checklist is particularly useful where a school/academy uses external providers for its technical support/security.

SWGfL provides a site for schools to test their filtering to ensure that illegal materials cannot be accessed: SWGfL Test Filtering

School/academy Personal Data Advice and Guidance

Suggestions for use

This document is for advice and guidance purposes only. It is anticipated that schools/academies will use this advice alongside their own data protection policy. This document is not intended to provide legal advice and the school/college is encouraged to seek their own legal counsel when considering their management of personal data.

The template uses the terms students/pupils to refer to the children or young people at the institution.

Data Protection Law – A Legislative Context

With effect from 25th May 2018, the data protection arrangements for the UK changed following the implementation of the European Union General Data Protection Regulation (GDPR). This represented a significant shift in legislation and in conjunction with the Data Protection Act 2018 replaced the Data Protection Act 1998.

GDPR - As a European Regulation, the GDPR has direct effect in UK law and automatically applies in the UK until we leave the EU (or until the end of any agreed transition period, if we leave with a deal). After this date, it will form part of UK law under the European Union (Withdrawal) Act 2018, with some technical changes to make it work effectively in a UK context.

Data Protection Act 2018 – this Act sits alongside the GDPR, and tailors how the GDPR applies in the UK and provides the UK-specific details such as how to handle education and safeguarding information.

No Deal Brexit – The Information Commissioner advises that in the event of a no-deal Brexit it is anticipated that the Government of the day will pass legislation to incorporate GDPR into UK law alongside the DPA 2018. Unless your school/academy receives personal data from contacts in the EU there will be little change save to update references to the effective legislation in privacy notices etc.

In this document the term “Data Protection Law” refers to the legislation applicable to data protection and privacy as applicable in the UK from time to time.

Does the Data Protection Law apply to schools?

In short, yes. Any natural or legal person, public authority, agency or other body which processes personal data is considered a ‘data controller’.

A school/academy is, for the purposes of the Data Protection Law, a “public body” and further processes the personal data of numerous data subjects on a daily basis.

Personal data is information that relates to an identified or identifiable living individual (a data subject). Guidance for schools/academies is available on the Information Commissioner’s Office (ICO) website including information about the Data Protection Law.

The ICO’s powers are wide ranging in the event of non-compliance and schools/academies must be aware of the huge impact that a fine or investigation will have on finances and also in the wider community for example in terms of trust.

The Data Protection Law sets out that a data controller must ensure that personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to data subjects;

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Data Protection Law in order to safeguard the rights and freedoms of data subjects; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

These principles of the Data Protection Law drive the need for the school/academy to put in place appropriate privacy notices (to give a data subject information about the personal data processing activities, legal basis of processing and data subject rights) and policies (such as for reporting a breach, managing a data subject access request, training, retention etc.) to demonstrate compliance.

Data Mapping to identify personal data, data subjects and processing activities

The school/academy and its employees will collect and/or process a wide range of information concerning numerous data subjects and some of this information will include personal data. Further, the school/academy may need to share some personal data with third parties. To be able to demonstrate and plan compliance, it is important that the school/academy has a data map of these activities; it can then make sure that the correct privacy notices are provided, put in place security measures to keep the personal data secure, take other steps to avoid a breach, and put in place data processing agreements with the third parties.

The data map should identify what personal data is held in digital format or on paper records in a school/academy, where it is stored, why it is processed and how long it is retained.

In a typical data map for a school/academy the data subjects and personal data will include, but are not limited to:

Parents, legal guardians, governors – and personal data of names, addresses, contact details

Learners - curricular / academic data e.g. class lists, learner progress records, reports, references, contact details, health and SEN reports

Staff and contractors - professional records e.g. employment history, taxation and national insurance records, appraisal records and references, health records

Some types of personal data are designated as ‘special category’, being personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

This should be identified separately. To lawfully process special category data, you must identify both a lawful basis and a separate condition for processing special category data. You should decide and document this before you start processing the data.

The school/academy will need to identify appropriate lawful process criteria for each type of personal data and if this is not possible such activities should be discontinued. The lawful processing criteria can be summarised as:

(a) Consent: the data subject has given clear consent for you to process their personal data for a specific purpose (see below for further guidance)

(b) Contract: the processing is necessary for a contract you have with the data subject

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) Please also be aware that these criteria must be supported by a written legitimate interest assessment.

No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the data subject.

Several of the lawful purpose criteria may relate to a particular specified purpose – a legal obligation, a contract with the individual, protecting someone’s vital interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first. 

As a public authority, if you can demonstrate that the processing is to perform your tasks as set down in UK law, you are able to use the public task basis. If not, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the data subject. There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, but the Data Protection Law does restrict public authorities’ use of these two criteria.

The majority of processing of personal data conducted by public authorities will fall within Article 6(1)(e) GDPR, that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; however, careful consideration must be given to any processing, especially in more novel areas. As you can see, consent is just one of several possible lawful processing criteria.

Consent has changed as a result of the GDPR and is now defined as: “in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data”

This means that where a school/academy is relying on consent as the basis for processing personal data that consent has to be clear, meaning that pre-ticked boxes, opt-out or implied consent are no longer suitable. The GDPR does not specify an age of consent for general processing but schools/academies should consider the capacity of pupils to freely give their informed consent.

The Information Commissioner’s Office (ICO) gives clear advice on when it’s appropriate to use consent as a lawful base. It states:

“Consent is appropriate if you can offer people real choice and control over how you use their data and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.”

You should only use consent if none of the other lawful bases is appropriate. If you do so, you must be able to cope with people saying no (and/or changing their minds), so it’s important that you only use consent for optional extras, rather than for core information the school requires in order to function. Examples:

consent would be appropriate for considering whether a child's photo could be published in any way.

if your school or academy requires learner details to be stored in an MIS, it would not be appropriate to rely on consent if the learner cannot opt out of this. In this case, you could apply the public task lawful base.

Content of Privacy Notices

Privacy Notices are a key compliance requirement as they ensure that each data subject is aware of the following points when data is collected/processed by a data controller:

Who the controller of the personal data is

What personal data is being processed and the lawful purpose of this processing

where and how the personal data was sourced

to whom the personal data may be disclosed

how long the personal data may be retained

data subject’s rights and how to exercise them or make a complaint

In order to comply with the fair processing requirements in data protection law, the school/academy will inform parents/carers of all learners of the data they collect, process and hold on the learners, the purposes for which the data is held and the third parties (e.g. LA etc.) to whom it may be passed. This privacy notice will be passed to parents/carers, for example in the prospectus, newsletters, reports or a specific letter / communication, or you could publish it on your website and keep it updated there. Parents/carers of young people who are new to the school/academy will be provided with the privacy notice through an appropriate mechanism.

In some circumstances you may also require privacy notices for children / learners as data subjects as children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. The policies that explain this should be clear and age appropriate.

Data subject’s right of access

Data subjects have a number of rights in connection with their personal data. They have the right:

to be informed – Privacy Notices

of access – Subject Access Requests

to rectification – correcting errors

to erasure – deletion of data when there is no compelling reason to keep it

to restrict processing – blocking or suppression of processing

to portability – unlikely to be used in a school/academy context

to object – objection based on grounds pertaining to their situation

related to automated decision making, including profiling

Several of these could impact schools and academies, such as the right of access. You need to put procedures in place to deal with Subject Access Requests. These are written or verbal requests to see all or a part of the personal data held by the Controller in connection with the data subject. Controllers normally have 1 calendar month to provide the information, unless the case is unusually complex in which case an extension can be obtained.

A school/academy must not disclose personal data even if requested in a Subject Access Request:

if doing so would cause serious harm to the individual

child abuse data

adoption records

statements of special educational needs

Your school or academy must provide the information free of charge. However, if the request is clearly unfounded or excessive – and especially if this is a repeat request – you may charge a reasonable fee.

Breaches and how to manage a breach

Recent publicity about data breaches suffered by organisations and individuals continues to make the area of personal data protection a current and high profile issue for schools, academies and other organisations. It is important that the school/academy has a clear and well understood personal data handling policy in order to minimise the risk of personal data breaches.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

A breach may arise from a theft, a deliberate attack on your systems, the unauthorised or malicious use of personal data by a member of staff, accidental loss, or equipment failure. In addition:

no school/academy or individual would want to be the cause of a data breach, particularly as the impact of data loss on individuals can be severe, put individuals at risk and affect personal, professional or organisational reputation

schools/academies are “data rich” and the introduction of electronic storage and transmission of data has created additional potential for the loss of data

the school/academy will want to avoid the criticism and negative publicity that could be generated by any personal data breach

Schools / academies have always held personal data on the learners in their care, and increasingly this data is held digitally and accessible not just in school/academy but also from remote locations. It is important to stress that the Data Protection Laws apply to all forms of personal data, regardless of whether it is held on paper or in electronic format. However, as it is part of an overall online safety policy template, this document will place particular emphasis on data which is held or transferred digitally.

Schools / Academies will need to carefully review their policy, in the light of pertinent Local Authority regulations and guidance and changes in legislation.

All significant data protection incidents must be reported through the DPO to the Information Commissioner’s Office based upon the local incident handling policy and communication plan. The new laws require that this notification should take place within 72 hours of the breach being detected, where feasible.

If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of any risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. You do not need to report every breach to the ICO.

The school/academy should have a policy for reporting, logging, managing and recovering from information risk incidents, which establishes a:

“responsible person” for each incident

communications plan, including escalation procedure

plan of action for rapid resolution

plan of action for non-recurrence and further awareness raising