Online Safety Policy Co-op Academy Grange

Approved by governors 29 March 2022 To be reviewed by March 2023

Scope of the Policy

This policy applies to all members of the academy community (including staff, students/pupils, volunteers, parents/carers, visitors, community users) who have access to and are users of school/academy digital technology systems, both in and out of the academy.

The Education and Inspections Act 2006 empowers Headteachers to such extent as is reasonable, to regulate the behaviour of students/pupils when they are off the academy site and empowers members of staff to impose disciplinary penalties for inappropriate behaviour. This is pertinent to incidents of online-bullying or other online safety incidents covered by this policy, which may take place outside of the academy, but is linked to membership of the school/academy. The 2011 Education Act increased these powers with regard to the searching for and of electronic devices and the deletion of data (see appendix for template policy). In the case of both acts, action can only be taken over issues covered by the published Behaviour Policy.

The academy will deal with such incidents within this policy and associated behaviour and anti-bullying policies and will, where known, inform parents/carers of incidents of inappropriate online safety behaviour that take place out of school.

Roles and Responsibilities

The following section outlines the online safety roles and responsibilities of individuals and groups within the academy:

Governors

Governors are responsible for the approval of the online safety policy and for reviewing the effectiveness of the policy. This will be carried out by the Governors receiving regular information about online safety incidents and monitoring reports. A member of the Governing Body has taken on the role of Online Safety Governor/Director . The role of the Online Safety Governor/Director will include:

● regular meetings with the Online Safety Co-ordinator/officer

● attendance at Online Safety Group meetings

● regular monitoring of online safety incident logs

● regular monitoring of filtering/change control logs

● reporting to relevant Governors/Board/Committee/meeting

Headteacher/Principal and Senior Leaders

● The Headteacher has a duty of care for ensuring the safety (including online safety) of members of the school community, though the day to day responsibility for online safety will be delegated to the Online Safety Lead.

● The Headteacher and (at least) another member of the Senior Leadership Team should be aware of the procedures to be followed in the event of a serious online safety allegation being made against a member of staff. (see flow chart on dealing with online safety incidents – included in a later section – “Responding to incidents of misuse” and relevant Local Authority/MAT/other relevant body disciplinary procedures).

● The Headteacher/Principal and Senior Leaders are responsible for ensuring that the Online Safety Lead and other relevant staff receive suitable training to enable them to carry out their online safety roles and to train other colleagues, as relevant.

● The Headteacher/Principal and Senior Leaders will ensure that there is a system in place to allow for monitoring and support of those in school who carry out the internal online safety monitoring role. This is to provide a safety net and also support to those colleagues who take on important monitoring roles. (The school/academy will need to describe this and may wish to involve the Local Authority/MAT/other responsible body in this process)

● The Senior Leadership Team will receive regular monitoring reports from the Online Safety Lead.

Online Safety Lead

(It is strongly recommended that each school should have a named member of staff with a day to day responsibility for online safety, some schools may choose to combine this with the Designated Safeguarding Lead role. Schools may choose to appoint a person with a child welfare background, preferably with good knowledge

Page 1

and understanding of the new technologies, rather than a technical member of staff – but this will be the choice of the school)

● leads the Online Safety Group

● takes day to day responsibility for online safety issues and has a leading role in establishing and reviewing the school online safety policies/documents

● ensures that all staff are aware of the procedures that need to be followed in the event of an online safety incident taking place.

● provides training and advice for staff

● liaises with the Local Authority/MAT/relevant body

● liaises with school technical staff

● receives reports of online safety incidents and uses CPOMs to log online safety incidents ● Auditing the record to look for patterns and inform future developments meets regularly with safeguarding /Director to discuss current issues, review incident logs and filtering/change control logs ● attends relevant meetings of Governors/Directors

● reports regularly to Senior Leadership Team

(The school will need to decide how these incidents will be dealt with and whether the investigation/action/sanctions will be the responsibility of the Online Safety Lead or another member of staff e.g. Headteacher/Principal/Senior Leader/Designated Safeguarding Lead/Class teacher/Head of Year etc.)

Network Manager/Technical staff

Those with technical responsibilities are responsible for ensuring:

● that the academy’s technical infrastructure is secure and is not open to misuse or malicious attack ● that the academy meets required online safety technical requirements and any trust guidance that may apply.

● that users may only access the networks and devices through a properly enforced password protection policy

● the filtering policy is applied and updated on a regular basis and that its implementation is not the sole responsibility of any single person (see appendix “Technical Security Policy Template” for good practice) ● that they keep up to date with online safety technical information in order to effectively carry out their online safety role and to inform and update others as relevant

● that the use of the networks/internet/digital technologies are regularly monitored in order that any misuse/attempted misuse can be reported to the Headteacher and Senior Leaders; Online Safety Lead for investigation/action/sanction

● that monitoring software/systems are implemented and updated as agreed in school/academy policies

Teaching and Support Staff

Are responsible for ensuring that:

● they have an up to date awareness of online safety matters and of the current academy online safety policy and practises

● they have read, understood and signed the staff acceptable use policy/agreement (AUP/AUA) ● they report any suspected misuse or problem to the deputy Headteacher or use CPOMs to record the concern where this is appropriate for investigation/action/sanction

● all digital communications with students/pupils/parents/carers should be on a professional level and only carried out using official school systems

● online safety issues are embedded in all aspects of the curriculum and other activities ● students/pupils understand and follow the Online Safety Policy and acceptable use policies ● students/pupils have a good understanding of research skills and the need to avoid plagiarism and uphold copyright regulations

● they monitor the use of digital technologies, mobile devices, cameras, etc. in lessons and other school activities (where allowed) and implement current policies with regard to these devices

● in lessons where internet use is pre-planned students/pupils should be guided to sites checked as suitable for their use and that processes are in place for dealing with any unsuitable material that is found in internet searches

Page 2

Designated Safeguarding Lead/Designated Person/Officer Should be trained in online safety issues and be aware of the potential for serious child protection/safeguarding issues to arise from:

● sharing of personal data

● access to illegal/inappropriate materials

● inappropriate on-line contact with adults/strangers

● potential or actual incidents of grooming

● online-bullying

(N.B. it is important to emphasise that these are safeguarding issues, not technical issues, simply that the technology provides additional means for safeguarding issues to develop. Some schools may choose to combine the roles of Designated Safeguarding Lead and Online Safety Lead).

Online Safety Group

The Online Safety Group provides a consultative group that has wide representation from the school/academy community, with responsibility for issues regarding online safety and the monitoring the Online Safety Policy including the impact of initiatives. Depending on the size or structure of the school/academy this group may be part of the safeguarding group. The group will also be responsible for regular reporting to the Governing Body/Directors.

Members of the Online Safety Group (or other relevant group) will assist the Online Safety Lead (or other relevant person, as above) with:

● the production/review/monitoring of the school online safety policy/documents.

● the production/review/monitoring of the school filtering policy (if the school chooses to have one) and requests for filtering changes.

● mapping and reviewing the online safety/digital literacy curricular provision – ensuring relevance, breadth and progression

● monitoring network/internet/filtering/incident logs

● consulting stakeholders – including parents/carers and the students/pupils about the online safety provision

● monitoring improvement actions identified through use of the 360 degree safe self-review tool (Schools/academies will need to decide the membership of the Online Safety Group. It is recommended that the group should include representation from students/pupils and parents/carers). An Online Safety Group Terms of Reference Template can be found in the appendices

Students/Pupils:

● are responsible for using the school/academy digital technology systems in accordance with the student/pupil acceptable use agreement

● have a good understanding of research skills and the need to avoid plagiarism and uphold copyright regulations

● need to understand the importance of reporting abuse, misuse or access to inappropriate materials and know how to do so

● will be expected to know and understand policies on the use of mobile devices and digital cameras. They should also know and understand policies on the taking/use of images and on online-bullying. ● should understand the importance of adopting good online safety practice when using digital technologies out of school and realise that the school’s/academy’s online safety policy covers their actions out of school, if related to their membership of the school

Parents/carers

Parents/carers play a crucial role in ensuring that their children understand the need to use the internet/mobile devices in an appropriate way. The school/academy will take every opportunity to help parents understand these issues through parents’ evenings, newsletters, letters, website, social media and information about national/local online safety campaigns/literature. Parents and carers will be encouraged to support the school/academy in promoting good online safety practice and to follow guidelines on the appropriate use of:

● digital and video images taken at school events

● access to parents’ sections of the website/Learning Platform and on-line student/pupil records Page 3

● their children’s personal devices in the school/academy (where this is allowed)

Community Users

Community Users who access school/academy systems or programmes as part of the wider school/academy provision will be expected to sign a Community User AUA before being provided with access to school/academy systems. (A community users acceptable use agreement template can be found in the appendices.)

Policy Statements

Education – Students/Pupils

Whilst regulation and technical solutions are very important, their use must be balanced by educating students/pupils to take a responsible approach. The education of students/pupils in online safety/digital literacy is therefore an essential part of the school’s/academy’s online safety provision. Children and young people need the help and support of the school to recognise and avoid online safety risks and build their resilience.

In planning their online safety curriculum schools/academies may wish to refer to:

● DfE Teaching Online Safety in Schools

● Education for a Connected Word Framework

● SWGfL Project Evolve – online safety curriculum programme and resources

Online safety should be a focus in all areas of the curriculum and staff should reinforce online safety messages across the curriculum. The online safety curriculum should be broad, relevant and provide progression, with opportunities for creative activities and will be provided in the following ways: (statements will need to be adapted, depending on school/academy structure and the age of the students/pupils)

● A planned online safety curriculum should be provided as part of Computing/PHSE/other lessons and should be regularly revisited

● Key online safety messages should be reinforced as part of a planned programme of assemblies and tutorial/pastoral activities

● Students/pupils should be taught in all lessons to be critically aware of the materials/content they access on-line and be guided to validate the accuracy of information.

● Students/pupils should be taught to acknowledge the source of information used and to respect copyright when using material accessed on the internet

● Students/pupils should be supported in building resilience to radicalisation by providing a safe environment for debating controversial issues and helping them to understand how they can influence and participate in decision-making. N.B. additional duties for schools/academies under the Counter Terrorism and Securities Act 2015 which requires schools to ensure that children are safe from terrorist and extremist material on the internet.

● Students/pupils should be helped to understand the need for the student/pupil acceptable use agreement and encouraged to adopt safe and responsible use both within and outside school/academy.

● Staff should act as good role models in their use of digital technologies, the internet and mobile devices ● in lessons where internet use is pre-planned, it is best practice that students/pupils should be guided to sites checked as suitable for their use and that processes are in place for dealing with any unsuitable material that is found in internet searches.

● Where students/pupils are allowed to freely search the internet, staff should be vigilant in monitoring the content of the websites the young people visit.

● It is accepted that from time to time, for good educational reasons, students may need to research topics (e.g. racism, drugs, discrimination) that would normally result in internet searches being blocked. In such a situation, staff can request that the Technical Staff (or other relevant designated person) can temporarily remove those sites from the filtered list for the period of study. Any request to do so, should be auditable, with clear reasons for the need.

Education – Parents/carers

Many parents and carers have only a limited understanding of online safety risks and issues, yet they play an essential role in the education of their children and in the monitoring/regulation of the children’s online behaviours. Parents may underestimate how often children and young people come across potentially harmful and inappropriate material on the internet and may be unsure about how to respond.

Page 4

The school/academy will therefore seek to provide information and awareness to parents and carers through: (select/delete as appropriate)

● Curriculum activities

● Letters, newsletters, web site, Learning Platform

● Parents/carers evenings/sessions

● High profile events/campaigns e.g. Safer Internet Day

● Reference to the relevant web sites/publications e.g. swgfl.org.uk, www.saferinternet.org.uk/, http://www.childnet.com/parents-and-carers (see appendix for further links/resources)

Education – The Wider Community

The school/academy will provide opportunities for local community groups/members of the community to gain from the school’s/academy’s online safety knowledge and experience. This may be offered through the following:

● Providing family learning courses in use of new digital technologies, digital literacy and online safety ● Online safety messages targeted towards grandparents and other relatives as well as parents. ● The school/academy website will provide online safety information for the wider community ● Sharing their online safety expertise/good practice with other local schools

● Supporting community groups e.g. Early Years Settings, Childminders, youth/sports/voluntary groups to enhance their online safety provision (possibly supporting the group in the use of Online Compass, an online safety self-review tool for groups such as these - www.onlinecompass.org.uk

Education & Training – Staff/Volunteers

It is essential that all staff receive online safety training and understand their responsibilities, as outlined in this policy. Training will be offered as follows: (select/delete as appropriate)

● A planned programme of formal online safety training will be made available to staff. This will be regularly updated and reinforced. An audit of the online safety training needs of all staff will be carried out regularly. Online Safety BOOST includes unlimited online webinar training for all, or nominated, staff (https://boost.swgfl.org.uk/)

● All new staff should receive online safety training as part of their induction programme, ensuring that they fully understand the school/academy online safety policy and acceptable use agreements. Online Safety BOOST includes an array of presentations and resources that can be presented to new staff (https://boost.swgfl.org.uk/)

● It is expected that some staff will identify online safety as a training need within the performance management process.

● The Online Safety Lead (or other nominated person) will receive regular updates through attendance at external training events (e.g. from SWGfL/LA/other relevant organisations) and by reviewing guidance documents released by relevant organisations.

● This online safety policy and its updates will be presented to and discussed by staff in staff/team meetings/training sessions.

● The Online Safety Lead (or other nominated person) will provide advice/guidance/training to individuals as required. Online Safety BOOST includes an array of presentation resources that the Online Safety coordinator can access to deliver to staff https://boost.swgfl.org.uk/ It includes presenter notes to make it easy to confidently cascade to all staff

Training – Governors/Directors

Governors/Directors should take part in online safety training/awareness sessions, with particular importance for those who are members of any group involved in technology/online safety/health and safety /safeguarding. This may be offered in a number of ways:

● Attendance at training provided by the Local Authority/MAT/National Governors Association/or other relevant organisation (e.g. SWGfL).

● Participation in school/academy training/information sessions for staff or parents (this may include attendance at assemblies/lessons).

Page 5

Technical – infrastructure/equipment, filtering and monitoring If the school/academy has a managed ICT service provided by an outside contractor, it is the responsibility of the school/academy to ensure that the managed service provider carries out all the online safety measures that would otherwise be the responsibility of the school/academy, as suggested below. It is also important that the managed service provider is fully aware of the school/academy online safety policy/acceptable use agreements. The school/academy should also check their Local Authority/MAT /other relevant body policies on these technical issues.

The school/academy will be responsible for ensuring that the school/academy infrastructure/network is as safe and secure as is reasonably possible and that policies and procedures approved within this policy are implemented. It will also need to ensure that the relevant people named in the above sections will be effective in carrying out their online safety responsibilities: (schools/academies will have very different technical infrastructures and differing views as to how these technical issues will be handled – it is therefore essential that this section is fully discussed by a wide range of staff – technical, educational and administrative staff before these statements are agreed and added to the policy:)

A more detailed Technical Security Template Policy can be found in the appendix.

• School/academy technical systems will be managed in ways that ensure that the school/academy meets recommended technical requirements (these may be outlined in Local Authority/MAT/other relevant body policy and guidance)

• There will be regular reviews and audits of the safety and security of school/academy technical systems

• Servers, wireless systems and cabling must be securely located and physical access restricted • All users will have clearly defined access rights to school/academy technical systems and devices. • All users (at KS2 and above) will be provided with a username and secure password by (insert name or

title) who will keep an up to date record of users and their usernames. Users are responsible for the security of their username and password. (Schools/academies may choose to use group or class logons and passwords for KS1 and below, but should consider whether this models good password practice and need to be aware of the associated risks – see appendix)

• The “master/administrator” passwords for the school/academy systems, used by the Network Manager (or other person) must also be available to the Headteacher/Principal or other nominated senior leader and kept in a secure place (e.g. school/academy safe)

• (Insert name or role) is responsible for ensuring that software licence logs are accurate and up to date and that regular checks are made to reconcile the number of licences purchased against the number of software installations (Inadequate licencing could cause the school to breach the Copyright Act which could result in fines or unexpected licensing costs)

• Internet access is filtered for all users. Illegal content (child sexual abuse images) is filtered by the broadband or filtering provider by actively employing the Internet Watch Foundation CAIC list. Content lists are regularly updated and internet use is logged and regularly monitored. (the school/academy will need to decide on the merits of external/internal provision of the filtering service – see appendix). There is a clear process in place to deal with requests for filtering changes (see appendix for more details)

• Internet filtering/monitoring should ensure that children are safe from terrorist and extremist material when accessing the internet. N.B. additional duties for schools/academies under the Counter Terrorism and Securities Act 2015 which requires schools/academies to ensure that children are safe from terrorist and extremist material on the internet. (see appendix for information on “appropriate filtering”).

• The school/academy has provided enhanced/differentiated user-level filtering (allowing different filtering levels for different ages/stages and different groups of users – staff/pupils/students etc) • School/academy technical staff regularly monitor and record the activity of users on the school technical systems and users are made aware of this in the acceptable use agreement. (schools may wish to add details of the monitoring programmes that are used).

• An appropriate system is in place (to be described) for users to report any actual/potential technical incident/security breach to the relevant person, as agreed).

• Appropriate security measures are in place (schools/academies may wish to provide more detail) to protect the servers, firewalls, routers, wireless systems, work stations, mobile devices, etc. from accidental

Page 6

or malicious attempts which might threaten the security of the school systems and data. These are tested regularly. The school infrastructure and individual devices are protected by up to date virus software. • An agreed policy is in place (to be described) for the provision of temporary access of “guests” (e.g. trainee teachers, supply teachers, visitors) onto the school systems.

• An agreed policy is in place (to be described) regarding the extent of personal use that users (staff/students/pupils/community users) and their family members are allowed on school devices that may be used out of school.

• An agreed policy is in place (to be described) that allows staff to/forbids staff from downloading executable files and installing programmes on school devices.

• An agreed policy is in place (to be described) regarding the use of removable media (e.g. memory sticks/CDs/DVDs) by users on school devices. Personal data cannot be sent over the internet or taken off the school site unless safely encrypted or otherwise secured. (see School Personal Data Policy Template in the appendix for further detail)

Mobile Technologies (including BYOD/BYOT)

Mobile technology devices may be school owned/provided or personally owned and might include: smartphone, tablet, notebook/laptop or other technology that usually has the capability of utilising the school’s wireless network. The device then has access to the wider internet which may include the school’s learning platform and other cloud based services such as email and data storage.

All users should understand that the primary purpose of the use mobile/personal devices in a school context is educational. The mobile technologies policy should be consistent with and inter-related to other relevant school polices including but not limited to the safeguarding policy, behaviour policy, bullying policy, acceptable use policy, and policies around theft or malicious damage. Teaching about the safe and appropriate use of mobile technologies should be an integral part of the school’s online safety education programme.

In preparing a mobile technologies policy the school should consider possible issues and risks. These may include: security risks in allowing connections to your school network, filtering of personal devices, breakages and insurance, access to devices for all students, avoiding potential classroom distraction, network connection speeds, types of devices, charging facilities, total cost of ownership. A range of mobile technology implementations is possible

For further reading, please refer to “ NEN Technical Strategy Guidance Note 5 – Bring your own device”

A more detailed Mobile Technologies Template Policy can be found in the appendix. The school may however choose to include these aspects of their policy in a comprehensive acceptable use agreement, rather than in a separate Mobile Technologies Policy. It is suggested that the school should in this overall policy document outline the main points from their agreed policy. A checklist of points to be considered in included below.

● The school acceptable use agreements for staff, pupils/students and parents/carers will give consideration to the use of mobile technologies

● The school allows: (the school should complete the table below to indicate which devices are allowed and define their access to school systems)

1 Authorised device – purchased by the pupil/family through a school-organised scheme. This device may be given full access to the network as if it were owned by the school.

2 The school should add below any specific requirements about the use of mobile/personal devices in school Page 7

Aspects that the school may wish to consider and be included in their online safety policy, mobile technologies policy or acceptable use agreements:

School owned/provided devices:

● Who they will be allocated to

● Where, when and how their use is allowed – times/places/in school/out of school

● If personal use is allowed

● Levels of access to networks/internet (as above)

● Management of devices/installation of apps/changing of settings/monitoring

● Network/broadband capacity

● Technical support

● Filtering of devices

● Access to cloud services

● Data Protection

● Taking/storage/use of images

● Exit processes – what happens to devices/software/apps/stored data if user leaves the school ● Liability for damage

● Staff training

Personal devices:

● Which users are allowed to use personal mobile devices in school (staff/pupils/students/visitors) ● Restrictions on where, when and how they may be used in school

● Storage

● Whether staff will be allowed to use personal devices for school business

● Levels of access to networks/internet (as above)

● Network/broadband capacity

● Technical support (this may be a clear statement that no technical support is available) ● Filtering of the internet connection to these devices

● Data Protection

● The right to take, examine and search users devices in the case of misuse (England only) – N.B. this must also be included in the Behaviour Policy.

● Taking/storage/use of images

● Liability for loss/damage or malfunction following access to the network (likely to be a disclaimer about school responsibility).

● Identification/labelling of personal devices

● How visitors will be informed about school requirements

● How education about the safe and responsible use of mobile devices is included in the school online safety education programmes.

Use of digital and video images

The development of digital imaging technologies has created significant benefits to learning, allowing staff and students/pupils instant use of images that they have recorded themselves or downloaded from the internet. However, staff, parents/carers and students/pupils need to be aware of the risks associated with publishing digital images on the internet. Such images may provide avenues for online-bullying to take place. Digital images may remain available on the internet forever and may cause harm or embarrassment to individuals in the short or longer term. It is common for employers to carry out internet searches for information about potential and existing employees. The school will inform and educate users about these risks and will implement policies to reduce the likelihood of the potential for harm: (select/delete as appropriate)

● When using digital images, staff should inform and educate students/pupils about the risks associated with the taking, use, sharing, publication and distribution of images. In particular they should recognise the risks attached to publishing their own images on the internet e.g. on social networking sites.

Page 8

● Written permission from parents or carers will be obtained before photographs of students/pupils are published on the school website/social media/local press (may be covered as part of the AUA signed by parents or carers at the start of the year - see parents/carers acceptable use agreement in the appendix)

● In accordance with guidance from the Information Commissioner’s Office, parents/carers are welcome to take videos and digital images of their children at school/academy events for their own personal use (as such use in not covered by the Data Protection Act). To respect everyone’s privacy and in some cases protection, these images should not be published/made publicly available on social networking sites, nor should parents/carers comment on any activities involving other students/pupils in the digital/video images.

● Staff and volunteers are allowed to take digital/video images to support educational aims, but must follow school/academy policies concerning the sharing, distribution and publication of those images. Those images should only be taken on school/academy equipment; the personal equipment of staff should not be used for such purposes.

● Care should be taken when taking digital/video images that students/pupils are appropriately dressed and are not participating in activities that might bring the individuals or the school/academy into disrepute. ● Students/pupils must not take, use, share, publish or distribute images of others without their permission ● Photographs published on the website, or elsewhere that include students/pupils will be selected carefully and will comply with good practice guidance on the use of such images.

● Students’/Pupils’ full names will not be used anywhere on a website or blog, particularly in association with photographs.

● Student’s/Pupil’s work can only be published with the permission of the student/pupil and parents or carers.

Data Protection

With effect from 25th May 2018, the data protection arrangements for the UK changed following the European Union General Data Protection Regulation (GDPR). As a result, schools are likely to be subject to greater scrutiny in their care and use of personal data. More detailed guidance is available in the appendices to this document. Schools/academies should ensure that they take account of policies and guidance provided by local authorities/MAT/or other relevant bodies. For schools/academies that wish to carry out a more detailed review of their data protection policies and procedures SWGfL provides a self-review tool – 360data.org.uk

Personal data will be recorded, processed, transferred and made available according to the current data protection legislation.

The school/academy must ensure that:

● it has a Data Protection Policy. (see appendix for template policy)

● it implements the data protection principles and is able to demonstrate that it does so through use of policies, notices and records.

● it has paid the appropriate fee Information Commissioner’s Office (ICO) and included details of the Data Protection Officer (DPO).

● it has appointed an appropriate Data Protection Officer (DPO) who has a high level of understanding of data protection law and is free from any conflict of interest. The school/academy may also wish to appoint a Data Manager and Systems Controllers to support the DPO

● it has an ‘information asset register’ in place and knows exactly what personal data it holds, where this data is held, why and which member of staff has responsibility for managing it

● the information asset register records the lawful basis for processing personal data (including, where relevant, how consent was obtained and refreshed). Where special category data is processed, an additional lawful basis will have also been recorded

● it will hold only the minimum personal data necessary to enable it to perform its function and it will not hold it for longer than necessary for the purposes it was collected for. The school should develop and implement a ‘retention policy” to ensure there are clear and understood policies and routines for the deletion and disposal of data to support this. personal data held must be accurate and up to date where this is necessary for the purpose it is processed for. Have systems in place to identify inaccuracies, such as asking parents to check emergency contact details at suitable intervals

Page 9

● it provides staff, parents, volunteers, teenagers and older children with information about how the school/academy looks after their data and what their rights are in a clear Privacy Notice (see Privacy Notice section in the appendix)

● procedures must be in place to deal with the individual rights of the data subject, e.g. one of the 8 data subject rights applicable is that of Subject Access which enables an individual to see to have a copy of the personal data held about them (subject to certain exceptions which may apply).

● data Protection Impact Assessments (DPIA) are carried out where necessary. For example, to ensure protection of personal data when accessed using any remote access solutions, or entering into a relationship with a new supplier (this may also require ensuring that data processing clauses are included in the supply contract or as an addendum)

● IT system security is ensured and regularly checked. Patches and other security essential updates are applied promptly to protect the personal data on the systems. Administrative systems are securely ring fenced from systems accessible in the classroom/to learners

● it has undertaken appropriate due diligence and has required data processing clauses in contracts in place with any data processors where personal data is processed.

● it understands how to share data lawfully and safely with other relevant data controllers. ● it reports any relevant breaches to the Information Commissioner within 72hrs of becoming aware of the breach in accordance with UK data protection law. It also reports relevant breaches to the individuals affected as required by law. In order to do this, it has a policy for reporting, logging, managing, investigating and learning from information risk incidents.

● If a maintained school/academy, it must have a Freedom of Information Policy which sets out how it will deal with FOI requests.

● all staff receive data protection training at induction and appropriate refresher training thereafter. Staff undertaking particular data protection functions, such as handling requests under the individual’s rights, will receive training appropriate for their function as well as the core training provided to all staff.

When personal data is stored on any mobile device or removable media the:

● data must be encrypted and password protected.

● device must be password protected. (be sure to select devices that can be protected in this way) ● device must be protected by up to date virus and malware checking software

● data must be securely deleted from the device, in line with school/academy policy (below) once it has been transferred or its use is complete.

Staff must ensure that they: (schools/academies may wish to include more detail about their own data/password/encryption/secure transfer processes)

● at all times take care to ensure the safe keeping of personal data, minimising the risk of its loss or misuse

● can recognise a possible breach, understand the need for urgency and know who to report it to within the school

● can help data subjects understands their rights and know how to handle a request whether verbal or written. Know who to pass it to in the school

● where personal data is stored or transferred on mobile or other devices (including USBs) these must be encrypted and password protected.

● will not transfer any school/academy personal data to personal devices except as in line with school policy

● access personal data sources and records only on secure password protected computers and other devices, ensuring that they are properly “logged-off” at the end of any session in which they are using personal data

Page 10

(The school/academy will need to set its own policy as to whether data storage on removal media is allowed, even if encrypted – some organisations do not allow storage of personal data on removable devices.)

The Personal Data Advice and Guidance in the appendix provides more detailed information on the school’s/academy’s responsibilities and on good practice.

Communications

This is an area of rapidly developing technologies and uses. Schools/academies will need to discuss and agree how they intend to implement and use these technologies e.g. some schools do not allow students/pupils to use mobile phones in lessons, while others recognise their educational potential and allow their use. This section may also be influenced by the age of the students/pupils. The table has been left blank for school/academy to choose its own responses.

A wide range of rapidly developing communications technologies has the potential to enhance learning. The following table shows how the school currently considers the benefit of using these technologies for education outweighs their risks/disadvantages:

Staff & other

adultsStudents/Pupils

wed tain

mes

Communication Technologies

Mobile phones may be brought to the school/academy

Use of mobile phones in lessons

Use of mobile phones in social time

Taking photos on mobile phones/cameras

Use of other mobile devices e.g. tablets, gaming devices

Use of personal email addresses in school/academy, or on school/academy network

Use of school/academy email for personal emails

Use of messaging apps

Use of social media

Use of blogs

wed

The school/academy may also wish to add some of the following policy statements about the use of communications technologies, in place of, or in addition to the above table:

When using communication technologies, the school/academy considers the following as good practice:

● The official school/academy email service may be regarded as safe and secure and is monitored. Users should be aware that email communications are monitored. Staff and students/pupils should therefore use

Page 11

only the school/academy email service to communicate with others when in school, or on school/academy systems (e.g. by remote access).

● Users must immediately report, to the nominated person – in accordance with the school/academy policy, the receipt of any communication that makes them feel uncomfortable, is offensive, discriminatory, threatening or bullying in nature and must not respond to any such communication. (Online Safety BOOST includes an anonymous reporting app Whisper – https://boost.swgfl.org.uk/)

● Any digital communication between staff and students/pupils or parents/carers (email, social media, chat, blogs, VLE etc) must be professional in tone and content. These communications may only take place on official (monitored) school/academy systems. Personal email addresses, text messaging or social media must not be used for these communications.

● Whole class/group email addresses may be used at KS1, while students/pupils at KS2 and above will be provided with individual school/academy email addresses for educational use. (Schools/academies may choose to use group or class email addresses for younger age groups e.g. at KS1)

● Students/pupils should be taught about online safety issues, such as the risks attached to the sharing of personal details. They should also be taught strategies to deal with inappropriate communications and be reminded of the need to communicate appropriately when using digital technologies.

● Personal information should not be posted on the school/academy website and only official email addresses should be used to identify members of staff.

Social Media - Protecting Professional Identity

With an increase in use of all types of social media for professional and personal purposes a policy that sets out clear guidance for staff to manage risk and behaviour online is essential. Core messages should include the protection of pupils, the school/academy and the individual when publishing any material online. Expectations for teachers’ professional conduct are set out in ‘Teachers Standards 2012’. Ofsted’s online safety inspection framework reviews how a school/academy protects and educates staff and pupils in their use of technology, including the measures that would be expected to be in place to intervene and support should a particular issue arise. Schools/academies are increasingly using social media as a powerful learning tool and means of communication. It is important that this is carried out in a safe and responsible way.

A more detailed Social Media Template Policy can be found in the appendix. The school/academy may however choose to include these aspects of their policy in a comprehensive acceptable use agreement, rather than in a separate Social Media Policy. It is suggested that the school/academy should, in this overall policy document, outline the main points from their agreed policy. A checklist of points to be considered is included below.

All schools, academies, MATs and local authorities have a duty of care to provide a safe learning environment for pupils and staff. Schools/academies, MATs and local authorities could be held responsible, indirectly for acts of their employees in the course of their employment. Staff members who harass, engage in online bullying, discriminate on the grounds of sex, race or disability or who defame a third party may render the school/academy or local authority/MAT liable to the injured party. Reasonable steps to prevent predictable harm must be in place.

The school/academy provides the following measures to ensure reasonable steps are in place to minimise risk of harm to pupils, staff and the school through:

● Ensuring that personal information is not published

● Training is provided including: acceptable use; social media risks; checking of settings; data protection; reporting issues. Online Safety BOOST includes unlimited webinar training on this subject: https://boost.swgfl.org.uk/

● Clear reporting guidance, including responsibilities, procedures and sanctions

● Risk assessment, including legal risk

School/academy staff should ensure that:

● No reference should be made in social media to students/pupils, parents/carers or school/academy staff ● They do not engage in online discussion on personal matters relating to members of the school community ● Personal opinions should not be attributed to the school /academy or local authority/MAT ● Security settings on personal social media profiles are regularly checked to minimise risk of loss of personal information

When official school/academy social media accounts are established there should be: ● A process for approval by senior leaders

Page 12

● Clear processes for the administration and monitoring of these accounts – involving at least two members of staff

● A code of behaviour for users of the accounts, including

● Systems for reporting and dealing with abuse and misuse

● Understanding of how incidents may be dealt with under school/academy disciplinary procedures

Personal Use:

● Personal communications are those made via a personal social media accounts. In all cases, where a personal account is used which associates itself with the school/academy or impacts on the school/ academy, it must be made clear that the member of staff is not communicating on behalf of the school/academy with an appropriate disclaimer. Such personal communications are within the scope of this policy

● Personal communications which do not refer to or impact upon the school are outside the scope of this policy

● Where excessive personal use of social media in school is suspected, and considered to be interfering with relevant duties, disciplinary action may be taken

● The school/academy permits reasonable and appropriate access to private social media sites

Monitoring of Public Social Media:

● As part of active social media engagement, it is considered good practice to pro-actively monitor the Internet for public postings about the school

● The school should effectively respond to social media comments made by others according to a defined policy or process

The school’s/academy’s use of social media for professional purposes will be checked regularly by the senior risk officer and Online Safety Group to ensure compliance with the school policies. Online Safety BOOST includes Reputation Alerts that highlight any reference to the school/academy in online media (newspaper or social media for example) https://boost.swgfl.org.uk/)

Dealing with unsuitable/inappropriate activities

Some internet activity e.g. accessing child abuse images or distributing racist material is illegal and would obviously be banned from school/academy and all other technical systems. Other activities e.g. cyber-bullying would be banned and could lead to criminal prosecution. There are however a range of activities which may, generally, be legal but would be inappropriate in a school/academy context, either because of the age of the users or the nature of those activities.

The school/academy believes that the activities referred to in the following section would be inappropriate in a school/academy context and that users, as defined below, should not engage in these activities in/or outside the school/academy when using school/academy equipment or systems. The school/academy policy restricts usage as follows:

User ActionsAcc 

Acc

Acc

Un

Un

ept

ept

ept

acc

acc

abl

abl

abl

ept

ept

e

e

e

abl

abl

at

for

e

e

cer

no

an

tai

mi

d

n

nat

ille

tim

ed

gal

es

us

ers

Page 13

Users shall not visit

Internet

sites, make, post,

download, upload,

data

transfer,

communicat e or pass

on, material, remarks,

proposals or

comments that contain or relate to:

●

●

●

●

●

passwords)

X

X

X

X

X

the internet)

Infringing copyright

Page 14

On-line gaming (educational)

On-line gaming (non-educational) On-line gambling

On-line shopping/commerce

File sharing

Use of social media

Use of messaging apps

Use of video broadcasting e.g. Youtube

(The school/academy should agree its own responses and place the ticks in the relevant columns, in the table above. They may also wish to add additional text to the column(s) on the left to clarify issues. The last section of the table has been left blank for schools/academies to decide their own responses)

Responding to incidents of misuse

This guidance is intended for use when staff need to manage incidents that involve the use of online services. It encourages a safe and secure approach to the management of the incident. Incidents might involve illegal or inappropriate activities (see “User Actions” above). Online Safety BOOST includes a comprehensive and interactive ‘Incident Management Tool’ that steps staff through how to respond, forms to complete and action to take when managing reported incidents (https://boost.swgfl.org.uk/)

Page 15

Illegal Incidents

If there is any suspicion that the web site(s) concerned may contain child abuse images, or if there is any other suspected illegal activity, refer to the right hand side of the Flowchart (below and appendix) for responding to online safety incidents and report immediately to the police.

Page 16

Other Incidents

It is hoped that all members of the school/academy community will be responsible users of digital technologies, who understand and follow school/academy policy. However, there may be times when infringements of the policy could take place, through careless or irresponsible or, very rarely, through deliberate misuse.

In the event of suspicion, all steps in this procedure should be followed:

● Have more than one senior member of staff involved in this process. This is vital to protect individuals if accusations are subsequently reported.

● Conduct the procedure using a designated computer that will not be used by young people and if necessary can be taken off site by the police should the need arise. Use the same computer for the duration of the procedure.

● It is important to ensure that the relevant staff should have appropriate internet access to conduct the procedure, but also that the sites and content visited are closely monitored and recorded (to provide further protection).

● Record the URL of any site containing the alleged misuse and describe the nature of the content causing concern. It may also be necessary to record and store screenshots of the content on the machine being used for investigation. These may be printed, signed and attached to the form (except in the case of images of child sexual abuse – see below)

● Once this has been completed and fully investigated the group will need to judge whether this concern has substance or not. If it does, then appropriate action will be required and could include the following: o Internal response or discipline procedures

o Involvement by Local Authority/Academy Group or national/local organisation (as relevant). o Police involvement and/or action

● If content being reviewed includes images of child abuse, then the monitoring should be halted and referred to the Police immediately. Other instances to report to the police would include:

o incidents of ‘grooming’ behaviour

o the sending of obscene materials to a child

o adult material which potentially breaches the Obscene Publications Act

o criminally racist material

o promotion of terrorism or extremism

o offences under the Computer Misuse Act (see User Actions chart above)

o other criminal conduct, activity or materials

● Isolate the computer in question as best you can. Any change to its state may hinder a later police investigation.

It is important that all of the above steps are taken as they will provide an evidence trail for the school/academy and possibly the police and demonstrate that visits to these sites were carried out for safeguarding purposes. The completed form should be retained by the group for evidence and reference purposes.

School/academy actions & sanctions

It is more likely that the school/academy will need to deal with incidents that involve inappropriate rather than illegal misuse. It is important that any incidents are dealt with as soon as possible in a proportionate manner, and that members of the school community are aware that incidents have been dealt with. It is intended that incidents of misuse will be dealt with through normal behaviour/disciplinary procedures as follows: (the school/academy will need to agree upon its own responses and place the ticks in the relevant columns. They may also wish to add additional text to the column(s) on the left to clarify issues. Schools/academies have found it useful to use the charts below at staff meetings/training sessions).

Actions/Sanctions

Page 17

Students/Pupils Incidents

Ref

er

to

clas s

teac her/ tuto r

Re fer to

He ad of

De pa rt

m

en t/Y ea r/o th

er

Re fer to

He ad tea ch er/ Pri

nci pal

Re fer to Pol ice

Refer to technic al

support staff for action re

filtering/ security etc.

Inf

or

m

pa re

nts /ca rer s

Re m

ov

al

of

ne tw or

k/i

nt

er

ne t

ac

ce

ss

rig hts

Wa rni ng

Furthe r

sancti on e.g. detent ion/ex clusio n

Deliberately accessing or trying to access material that could be considered illegal (see list in earlier section on unsuitable/inappropriate activities).

Unauthorised use of non-educational sites during lessons

Unauthorised/inappropriate use of mobile phone/digital camera/other mobile device

Unauthorised/inappropriate use of social media/ messaging apps/personal email

Unauthorised downloading or uploading of files

Allowing others to access school/academy network by sharing username and passwords

Attempting to access or accessing the school/academy network, using another student’s/pupil’s account

Attempting to access or accessing the school/academy network, using the account of a member of staff

Corrupting or destroying the data of other users

Sending an email, text or message that is regarded as offensive, harassment or of a bullying nature

Continued infringements of the above, following previous warnings or sanctions

Actions which could bring the school/academy into disrepute or breach the integrity of the ethos of the school

Using proxy sites or other means to subvert the school’s/academy’s filtering system

Accidentally accessing offensive or pornographic material and failing to report the incident

Page 18

Deliberately accessing or trying to access offensive or pornographic material

Receipt or transmission of material that infringes the copyright of another person or infringes the Data Protection Act

Actions/Sanctions

Staff Incidents

Ref er

to

line ma nag er

Ref er

to

He adt ea ch er

Pri nci pal

Ref er

to

Lo cal Au th

ori ty/ HR

Ref er

to

Pol ice

Refer to

Techn ical

Suppo rt

Staff

for

action re

filterin g etc.

Wa rni ng

Su sp en sio n

Dis cip lin

ary act ion

Deliberately accessing or trying to access material that could be considered illegal (see list in earlier section on unsuitable/inappropriate activities).

Inappropriate personal use of the internet/social media/personal email

Unauthorised downloading or uploading of files

Allowing others to access school network by sharing username and passwords or attempting to access or accessing the school network, using another person’s account

Careless use of personal data e.g. holding or transferring data in an insecure manner

Deliberate actions to breach data protection or network security rules

Corrupting or destroying the data of other users or causing deliberate damage to hardware or software

Sending an email, text or message that is regarded as offensive, harassment or of a bullying nature

Page 19

Using personal email/social networking/instant messaging/text messaging to carrying out digital communications with students/pupils

Actions which could compromise the staff member’s professional standing

Actions which could bring the school/academy into disrepute or breach the integrity of the ethos of the school/academy

Using proxy sites or other means to subvert the school’s/academy’s filtering system

Accidentally accessing offensive or pornographic material and failing to report the incident

Deliberately accessing or trying to access offensive or pornographic material

Breaching copyright or licensing regulations

Continued infringements of the above, following previous warnings or sanctions

Page 20

Appendix

Copies of the more detailed template policies and agreements, contained in the appendix, can be downloaded from:

SWGfL Online Safety Policy Templates

Acknowledgements

SWGfL would like to acknowledge the contribution of a wide range of individuals and organisations whose policies, documents, advice and guidance have contributed to the development of the online safety policy templates and of the 360 degree safe online safety self-review tool.

Copyright of these template policies is held by SWGfL. Schools/academies and other educational institutions are permitted free use of the Template Policies for the purposes of policy writing, review and development. Any person or organisation wishing to use the document for other purposes should seek consent from SWGfL (onlinesafety@swgfl.org.uk) and acknowledge its use.

Every effort has been made to ensure that the information included in this document is accurate, as at the date of publication in January 2020. However, SWGfL cannot guarantee its accuracy, nor can it accept liability in respect of the use of the material.

© South West Grid for Learning Trust Ltd 2020

Page 21

Appendices

Student/Pupil Acceptable Use Agreement Template – for older students/pupils 29 Student/Pupil Acceptable Use Policy Agreement Template – for younger pupils (Foundation/KS1) 32 Parent/Carer Acceptable Use Agreement Template 33 Staff (and Volunteer) Acceptable Use Policy Agreement Template 38 Acceptable Use Agreement for Community Users Template 41 Responding to incidents of misuse – flow chart 42 Record of reviewing devices/internet sites (responding to incidents of misuse) 43 Reporting Log 44 Training Needs Audit Log 45 School Technical Security Policy Template (including filtering and passwords) 46 School/academy Personal Data Advice and Guidance 53 School/academy policy template: Electronic Devices - Searching & Deletion 63 Mobile Technologies Policy Template (inc. BYOD/BYOT) 68 Social Media Policy Template 71 School Policy Template – Online Safety Group Terms of Reference 76 Legislation 78 Glossary of Terms 85

Page 22

Student/Pupil Acceptable Use Agreement Template – for older students/pupils

Sections that include advice or guidance are written in BLUE. It is anticipated that schools will remove these sections from their final acceptable use document. Schools should review and amend the contents of this agreement to ensure that it is consistent with their online safety policy and other relevant school policies. Due to the number of optional statements and the advice/guidance sections included in this template, it is anticipated that the final document will be more concise. Schools/academies will need to decide on the suitability of the statements/language used and may wish to amend these in light of the age/abilities of the students/pupils.

School/academy policy

Digital technologies have become integral to the lives of children and young people, both within schools and outside school. These technologies are powerful tools, which open up new opportunities for everyone. These technologies can stimulate discussion, promote creativity and stimulate awareness of context to promote effective learning. Young people should have an entitlement to safe access to these digital technologies.

This acceptable use agreement is intended to ensure:

● that young people will be responsible users and stay safe while using the internet and other digital technologies for educational, personal and recreational use.

● that school systems and users are protected from accidental or deliberate misuse that could put the security of the systems and will have good access to digital technologies to enhance their learning and will, in return, expect the students/pupils to agree to be responsible users.

Acceptable Use Agreement

I understand that I must use school systems in a responsible way, to ensure that there is no risk to my safety or to the safety and security of the systems and other users.

For my own personal safety:

● I understand that the school/academy will monitor my use of the systems, devices and digital communications.

● I will keep my username and password safe and secure – I will not share it, nor will I try to use any other person’s username and password. I understand that I should not write down or store a password where it is possible that someone may steal it. 

● I will be aware of “stranger danger”, when I am communicating on-line.

● I will not disclose or share personal information about myself or others when on-line (this could include names, addresses, email addresses, telephone numbers, age, gender, educational details, financial details etc.)

● If I arrange to meet people off-line that I have communicated with on-line, I will do so in a public place and take an adult with me.

● I will immediately report any unpleasant or inappropriate material or messages or anything that makes me feel uncomfortable when I see it on-line.

I understand that everyone has equal rights to use technology as a resource and:

● I understand that the school/academy systems and devices are primarily intended for educational use and that I will not use them for personal or recreational use unless I have permission.

● I will not try (unless I have permission) to make large downloads or uploads that might take up internet capacity and prevent other users from being able to carry out their work.

● I will not use the school/academy systems or devices for on-line gaming, on-line gambling, internet shopping, file sharing, or video broadcasting (e.g. YouTube), unless I have permission of a member of staff to do so. (schools/academies should amend this section to take account of their policy on each of these issues)

Page 23

I will act as I expect others to act toward me:

● I will respect others’ work and property and will not access, copy, remove or otherwise alter any other user’s files, without the owner’s knowledge and permission.

● I will be polite and responsible when I communicate with others, I will not use strong, aggressive or inappropriate language and I appreciate that others may have different opinions.

● I will not take or distribute images of anyone without their permission.

I recognise that the school has a responsibility to maintain the security and integrity of the technology it offers me and to ensure the smooth running of the school/academy:

● I will only use my own personal devices (mobile phones/USB devices etc.) in school if I have permission (schools/academies should amend this section in the light of their mobile devices policies). I understand that, if I do use my own devices in the school/academy, I will follow the rules set out in this agreement, in the same way as if I was using school equipment.

● I understand the risks and will not try to upload, download or access any materials which are illegal or inappropriate or may cause harm or distress to others, nor will I try to use any programmes or software that might allow me to bypass the filtering/security systems in place to prevent access to such materials.

● I will immediately report any damage or faults involving equipment or software, however this may have happened.

● I will not open any hyperlinks in emails or any attachments to emails, unless I know and trust the person/organisation who sent the email, or if I have any concerns about the validity of the email (due to the risk of the attachment containing viruses or other harmful programmes)

● I will not install or attempt to install or store programmes of any type on any school device, nor will I try to alter computer settings.

● I will only use social media sites with permission and at the times that are allowed (schools/academies should amend this section to take account of their policy on access to social media).

When using the internet for research or recreation, I recognise that: ● I should ensure that I have permission to use the original work of others in my own work ● Where work is protected by copyright, I will not try to download copies (including music and videos) ● When I am using the internet to find information, I should take care to check that the information that I

access is accurate, as I understand that the work of others may not be truthful and may be a deliberate attempt to mislead me.

I understand that I am responsible for my actions, both in and out of school:

● I understand that the school/academy also has the right to take action against me if I am involved in incidents of inappropriate behaviour, that are covered in this agreement, when I am out of school and where they involve my membership of the school community (examples would be online-bullying, use of images or personal information).

● I understand that if I fail to comply with this acceptable use agreement, I may be subject to disciplinary action. This could include (schools/academies should amend this section to provide relevant sanctions as per their behaviour policies) loss of access to the school network/internet, detentions, suspensions, contact with parents and in the event of illegal activities involvement of the police.

Please complete the sections on the next page to show that you have read, understood and agree to the rules included in the acceptable use agreement. If you do not sign and return this agreement, access will not be granted to school systems and devices.

Student/Pupil Acceptable Use Agreement Form

This form relates to the student/pupil acceptable use agreement; to which it is attached.

Please complete the sections below to show that you have read, understood and agree to the rules included in the acceptable use agreement. If you do not sign and return this agreement, access will not be granted to school

Page 24

systems. (Schools/academies will need to decide if they require students/pupils to sign, or whether they wish to simply make them aware through education programmes/awareness raising).

I have read and understand the above and agree to follow these guidelines when:

● I use the school/academy systems and devices (both in and out of school)

● I use my own devices in the school/academy (when allowed) e.g. mobile phones, gaming devices USB devices, cameras etc.

● I use my own equipment out of the school/academy in a way that is related to me being a member of this school/academy e.g. communicating with other members of the school, accessing school email, VLE, website etc.

Name of Student/Pupil:

Group/Class:

Signed:

Date:

Parent/Carer Countersignature (optional)

It is for schools/academies to decide whether or not they require parents/carers to sign the parent/carer acceptable use agreement (see template later in this document). This includes a number of other permission forms (including digital and video images/biometric permission/cloud computing permission).

Some schools/academies may, instead, wish to add a countersignature box for parents/carers to this student/pupil acceptable use agreement.

Page 25

Student/Pupil Acceptable Use Policy Agreement Template – for younger pupils (Foundation/KS1)

This is how we stay safe when we use computers:

● I will ask a teacher or suitable adult if I want to use the computers/tablets

● I will only use activities that a teacher or suitable adult has told or allowed me to use

● I will take care of computers/tablets and other equipment ● I will ask for help from a teacher or suitable adult if I am not sure what to do or if I think I have done something wrong

● I will tell a teacher or suitable adult if I see something that upsets me on the screen

● I know that if I break the rules I might not be allowed to use a computer/tablet

Signed (child):

(The school will need to decide whether or not they wish the children to sign the agreement – and at which age - for younger children the signature of a parent/carer should be sufficient)

Signed (parent):

Primary schools using this acceptable use agreement for younger children may also wish to use (or adapt for use) the parent/carer acceptable use agreement (the template can be found later in these templates) as this provides additional permission forms (including the digital and video images permission form).

Page 26

Parent/Carer Acceptable Use Agreement Template

Digital technologies have become integral to the lives of children and young people, both within schools and outside school. These technologies provide powerful tools, which open up new opportunities for everyone. They can stimulate discussion, promote creativity and stimulate awareness of context to promote effective learning. Young people should have an entitlement to safe internet access at all times.

This acceptable use policy is intended to ensure:

● that young people will be responsible users and stay safe while using the internet and other communications technologies for educational, personal and recreational use.

● that school/academy systems and users are protected from accidental or deliberate misuse that could put the security of the systems and users at risk.

● that parents and carers are aware of the importance of online safety and are involved in the education and guidance of young people with regard to their on-line behaviour.

The school will try to ensure that students/pupils will have good access to digital technologies to enhance their learning and will, in return, expect the students/pupils to agree to be responsible users. A copy of the student/pupil acceptable use agreement is attached to this permission form, so that parents/carers will be aware of the school expectations of the young people in their care.

Parents are requested to sign the permission form below to show their support of the school in this important aspect of the school’s work. (Schools/academies will need to decide whether or not they wish parents to sign the acceptable use agreement on behalf of their child)

Permission Form

Parent/Carers Name:

Student/Pupil Name:

As the parent/carer of the above students/pupils, I give permission for my son/daughter to have access to the internet and to ICT systems at school.

Either: (KS2 and above)

I know that my son/daughter has signed an acceptable use agreement and has received, or will receive, online safety education to help them understand the importance of safe use of technology and the internet – both in and out of school.

Or: (KS1)

I understand that the school has discussed the acceptable use agreement with my son/daughter and that they have received, or will receive, online safety education to help them understand the importance of safe use of technology and the internet – both in and out of school.

I understand that the school will take every reasonable precaution, including monitoring and filtering systems, to ensure that young people will be safe when they use the internet and systems. I also understand that the school cannot ultimately be held responsible for the nature and content of materials accessed on the internet and using mobile technologies.

I understand that my son’s/daughter’s activity on the systems will be monitored and that the school will contact me if they have concerns about any possible breaches of the acceptable use agreement.

I will encourage my child to adopt safe use of the internet and digital technologies at home and will inform the school if I have concerns over my child’s online safety.

As the school/academy is collecting personal data by issuing this form, it should inform parents/carers as to:

Page 27

Signed:

Date:

Use of Digital/Video Images

The use of digital/video images plays an important part in learning activities. Students/Pupils and members of staff may use digital cameras to record evidence of activities in lessons and out of school. These images may then be used in presentations in subsequent lessons.

Images may also be used to celebrate success through their publication in newsletters, on the school website and occasionally in the public media. Where an image is publicly shared by any means, only your child’s *delete as relevant* first name/initials will be used.

The school will comply with the Data Protection Act and request parent’s/carers permission before taking images of members of the school. We will also ensure that when images are published that the young people cannot be identified by the use of their names.

In accordance with guidance from the Information Commissioner’s Office, parents/carers are welcome to take videos and digital images of their children at school events for their own personal use (as such use in not covered by the Data Protection Act). To respect everyone’s privacy and in some cases protection, these images should not be published/made publicly available on social networking sites, nor should parents/carers comment on any activities involving other students/pupils in the digital/video images.

Parents/carers are requested to sign the permission form below to allow the school to take and use images of their children and for the parents/carers to agree.

As the school/academy is collecting personal data by issuing this form, it should inform parents/carers as to:

Digital/Video Images Permission Form

Parent/Carers Name: Student/Pupil Name:

Page 28

Signed:

Date:

Use of Cloud Systems Permission Form

Schools that use cloud hosting services may be required to seek parental permission to set up an account for pupils/students.

Schools will need to review and amend the section below, depending on which cloud hosted services are used.

The school uses *insert cloud service provider name* for pupils/students and staff. This permission form describes the tools and pupil/student responsibilities for using these services.

The following services are available to each pupil/student as part of the school’s online presence in *insert cloud service provider name*

Using *insert cloud service provider name* will enable your child to collaboratively create, edit and share files and websites for school related projects and communicate via email with other pupils and members of staff. These services are entirely online and available 24/7 from any internet-connected computer.

The school believes that use of the tools significantly adds to your child’s educational experience.

As the school/academy is collecting personal data and sharing this with a third party, it should inform parents/carers about:

Do you consent to your child to having access to this service? Yes/No

Student/Pupil Name: Parent/Carers Name:

Signed: Date:

Page 29

Use of Biometric Systems in England and Wales

If the school uses biometric systems (e.g. fingerprint/palm recognition technologies) to identify children for access, attendance recording, charging, library lending etc it must (under the “Protection of Freedoms” and Data Protection legislation) seek permission from a parent or carer.

The school uses biometric systems for the recognition of individual children in the following ways (the school should describe here how it uses the biometric system).

Biometric technologies have certain advantages over other automatic identification systems as pupils do not need to remember to bring anything with them (to the canteen or school library) so nothing can be lost, such as a swipe card. 

The school has carried out a data privacy impact assessment and is confident that the use of such technologies is effective and justified in a school context.

No complete images of fingerprints/palms are stored and the original image cannot be reconstructed from the data. Meaning that it is not possible, for example, to recreate a pupil's fingerprint or even the image of a fingerprint from what is in effect a string of numbers.

As the school/academy is collecting special category personal data and *delete as appropriate* sharing this with a third party, it should inform parents/carers about:

Parent/Carers Name:

Student/Pupil Name:

As the parent/carer of the above student/pupil, I agree to the school using biometric

recognition systems, as described above.Yes/No

I understand that the images cannot be used to create a whole fingerprint/palm print of my child and that these images will not be shared with anyone outside the school.

Signed:

Further guidance

Yes/No

● Each parent of the child should be notified by the school/academy that they are planning to process their child's biometrics and notified that they are able to object.

● In order for a school/academy to process children's biometrics at least one parent must consent and no parent has withdrawn consent. This needs to be in writing.

● The child can object or refuse to participate in the processing of their biometric data regardless of parents’ consent.

Page 30

● Schools and colleges must provide reasonable alternative means of accessing services for those pupils who will not be using an automated biometric recognition system.

● Permission only needs to be collected once during the period that the student/pupil attends the school, but new permission is required if there are changes to the biometric systems in use.

Student/Pupil Acceptable Use Agreement

On the following pages we have copied, for the information of parents and carers, the student/pupil acceptable use agreement.

It is suggested that when the student/pupil AUA is written that a copy should be attached to the parents/carers acceptable use agreement to provide information for parents and carers about the rules and behaviours that students/pupils have committed to by signing the form.

Page 31

Staff (and Volunteer) Acceptable Use Policy Agreement Template

Sections that include advice or guidance are written in BLUE. It is anticipated that schools/academies will remove these sections from their final document. Schools should review and amend the contents of this agreement to ensure that it is consistent with their online safety policy and other relevant school policies. Due to the number of optional statements and the advice/guidance sections included in this template, it is anticipated that the final AUP will be more concise.

School Policy

New technologies have become integral to the lives of children and young people in today’s society, both within schools/academies and in their lives outside school. The internet and other digital information and communications technologies are powerful tools, which open up new opportunities for everyone. These technologies can stimulate discussion, promote creativity and stimulate awareness of context to promote effective learning. They also bring opportunities for staff to be more creative and productive in their work. All users should have an entitlement to safe access to the internet and digital technologies at all times.

This acceptable use policy is intended to ensure:

● that staff and volunteers will be responsible users and stay safe while using the internet and other communications technologies for educational, personal and recreational use.

● that school/academy systems and users are protected from accidental or deliberate misuse that could put the security of the systems and users at risk.

● that staff are protected from potential risk in their use of technology in their everyday work. The school will try to ensure that staff and volunteers will have good access to digital technology to enhance their work, to enhance learning opportunities for students/pupils learning and will, in return, expect staff and volunteers to agree to be responsible users.

Acceptable Use Policy Agreement

I understand that I must use school systems in a responsible way, to ensure that there is no risk to my safety or to the safety and security of the systems and other users. I recognise the value of the use of digital technology for enhancing learning and will ensure that students/pupils receive opportunities to gain from the use of digital technology. I will, where possible, educate the young people in my care in the safe use of digital technology and embed online safety in my work with young people.

For my professional and personal safety:

● I understand that the school/academy will monitor my use of the school digital technology and communications systems.

● I understand that the rules set out in this agreement also apply to use of these technologies (e.g. laptops, email, VLE etc.) out of school, and to the transfer of personal data (digital or paper based) out of school (schools/academies should amend this section in the light of their policies which relate to the use of school systems and equipment out of school)

● I understand that the school digital technology systems are primarily intended for educational use and that I will only use the systems for personal or recreational use within the policies and rules set down by the school. (schools should amend this section in the light of their policies which relate to the personal use, by staff and volunteers, of school systems)

● I will not disclose my username or password to anyone else, nor will I try to use any other person’s username and password. I understand that I should not write down or store a password where it is possible that someone may steal it.

● I will immediately report any illegal, inappropriate or harmful material or incident, I become aware of, to the appropriate person.

I will be professional in my communications and actions when using school/academy systems:

● I will not access, copy, remove or otherwise alter any other user’s files, without their express permission. Page 32

● I will communicate with others in a professional manner, I will not use aggressive or inappropriate language and I appreciate that others may have different opinions.

● I will ensure that when I take and/or publish images of others I will do so with their permission and in accordance with the school’s policy on the use of digital/video images. I will not use my personal equipment to record these images, unless I have permission to do so. Where these images are published (e.g. on the school website/VLE) it will not be possible to identify by name, or other personal information, those who are featured.

● I will only use social networking sites in school in accordance with the school’s policies. (schools/academies should amend this section to take account of their policy on access to social networking and similar sites)

● I will only communicate with students/pupils and parents/carers using official school systems. Any such communication will be professional in tone and manner. (schools should amend this section to take account of their policy on communications with students/pupils and parents/carers. Staff should be made aware of the risks attached to using their personal email addresses/mobile phones/social networking sites for such communications)

● I will not engage in any on-line activity that may compromise my professional responsibilities.

The school and the local authority have the responsibility to provide safe and secure access to technologies and ensure the smooth running of the school/academy:

● When I use my mobile devices in school, I will follow the rules set out in this agreement, in the same way as if I was using school/academy equipment. I will also follow any additional rules set by the school/academy about such use. I will ensure that any such devices are protected by up to date anti-virus software and are free from viruses. (schools/academies should amend this section in the light of their policies which relate to the use of staff devices)

● I will not use personal email addresses on the school/academy ICT systems. (schools/academies should amend this section in the light of their email policy – some schools/academies will choose to allow the use of staff personal email addresses on the premises).

● I will not open any hyperlinks in emails or any attachments to emails, unless the source is known and trusted, or if I have any concerns about the validity of the email (due to the risk of the attachment containing viruses or other harmful programmes)

● I will ensure that my data is regularly backed up, in accordance with relevant school/academy policies. ● I will not try to upload, download or access any materials which are illegal (child sexual abuse images, criminally racist material, terrorist or extremist material, adult pornography covered by the Obscene Publications Act) or inappropriate or may cause harm or distress to others. I will not try to use any programmes or software that might allow me to bypass the filtering/security systems in place to prevent access to such materials.

● I will not try (unless I have permission) to make large downloads or uploads that might take up internet capacity and prevent other users from being able to carry out their work.

● I will not install or attempt to install programmes of any type on a machine, or store programmes on a computer, nor will I try to alter computer settings, unless this is allowed in school/academy policies. (schools/academies should amend this section in the light of their policies on installing programmes/altering settings)

● I will not disable or cause any damage to school/academy equipment, or the equipment belonging to others.

● I will only transport, hold, disclose or share personal information about myself or others, as outlined in the School/Academy/LA Personal Data Policy (or other relevant policy). Where digital personal data is transferred outside the secure local network, it must be encrypted. Paper based documents containing personal data must be held in lockable storage.

● I understand that data protection policy requires that any staff or student/pupil data to which I have access, will be kept private and confidential, except when it is deemed necessary that I am required by law or by school/academy policy to disclose such information to an appropriate authority.

● I will immediately report any damage or faults involving equipment or software, however this may have happened.

Page 33

When using the internet in my professional capacity or for school sanctioned personal use:

● I will ensure that I have permission to use the original work of others in my own work ● Where work is protected by copyright, I will not download or distribute copies (including music and videos).

I understand that I am responsible for my actions in and out of the school/academy:

● I understand that this acceptable use policy applies not only to my work and use of school/academy digital technology equipment in school, but also applies to my use of school/academy systems and equipment off the premises and my use of personal equipment on the premises or in situations related to my employment by the school/academy

● I understand that if I fail to comply with this acceptable use agreement, I could be subject to disciplinary action. This could include (schools/academies should amend this section to provide relevant sanctions as per their behaviour policies) a warning, a suspension, referral to Governors/directors and/or the Local Authority and in the event of illegal activities the involvement of the police.

I have read and understand the above and agree to use the school digital technology systems (both in and out of school) and my own devices (in school and when carrying out communications related to the school) within these guidelines.

Staff/Volunteer Name:

Signed:

Date:

Page 34

Acceptable Use Agreement for Community Users Template

This acceptable use agreement is intended to ensure:

● that community users of school/academy digital technologies will be responsible users and stay safe while using these systems and devices

● that school/academy systems, devices and users are protected from accidental or deliberate misuse that could put the security of the systems and users at risk.

● that users are protected from potential harm in their use of these systems and devices

Acceptable Use Agreement

I understand that I must use school systems and devices in a responsible way, to ensure that there is no risk to my safety or to the safety and security of the systems, devices and other users. This agreement will also apply to any personal devices that I bring into the school/academy:

● I understand that my use of school/academy systems and devices will be monitored ● I will not use a personal device that I have brought into school for any activity that would be inappropriate in a school setting.

● I will not try to upload, download or access any materials which are illegal (child sexual abuse images, criminally racist material, terrorist and extremist material, adult pornography covered by the Obscene Publications Act) or inappropriate or may cause harm or distress to others. I will not try to use any programmes or software that might allow me to bypass the filtering/security systems in place to prevent access to such materials.

● I will immediately report any illegal, inappropriate or harmful material or incident, I become aware of, to the appropriate person.

● I will not access, copy, remove or otherwise alter any other user’s files, without permission. ● I will ensure that if I take and/or publish images of others I will only do so with their permission. I will not use my personal equipment to record these images, without permission. If images are published it will not be possible to identify by name, or other personal information, those who are featured.

● I will not publish or share any information I have obtained whilst in the school on any personal website, social networking site or through any other means, unless I have permission from the school. ● I will not, without permission, make large downloads or uploads that might take up internet capacity and prevent other users from being able to carry out their work.

● I will not install or attempt to install programmes of any type on a school device, nor will I try to alter computer settings, unless I have permission to do so.

● I will not disable or cause any damage to school/academy equipment, or the equipment belonging to others.

● I will immediately report any damage or faults involving equipment or software, however this may have happened.

● I will ensure that I have permission to use the original work of others in my own work ● Where work is protected by copyright, I will not download or distribute copies (including music and videos).

● I understand that if I fail to comply with this acceptable use agreement, the school/academy has the right to remove my access to school systems/devices

I have read and understand the above and agree to use the school digital technology systems (both in and out of school) and my own devices (in school and when carrying out communications related to the school) within these guidelines.

As the school/academy is collecting personal data by issuing this form, it should inform community users about:

Name: Signed: Date:………………………………………. Page 35

Responding to incidents of misuse – flow chart Page 36

Record of reviewing devices/internet sites (responding to incidents of misuse)

Group:

Date:

Reason for investigation:

Details of first reviewing person

Name:

Position:

Signature:

Details of second reviewing person

Name:

Position:

Signature:

Name and location of computer used for review (for web sites)

Web site(s) address/device Reason for concern

Conclusion and Action proposed or taken

Page 37

Page 38

Page 39

School Technical Security Policy Template (including filtering and passwords)

Suggestions for use

Within this template sections which include information or guidance are shown in BLUE. It is anticipated that schools would remove these sections from their completed policy document, though this will be a decision for the group that produces the policy.

Where sections in the template are written in italics it is anticipated that schools would wish to consider whether or not to include that section or statement in their completed policy.

Where sections are highlighted in BOLD text, it is the view of the SWGfL Online Safety Group that these would be an essential part of a school online safety policy.

The template uses various terms such as school/academy; students/pupils. Users will need to choose which term to use for their circumstances and delete the other accordingly.

Introduction

Effective technical security depends not only on technical measures, but also on appropriate policies and procedures and on good user education and training. The school will be responsible for ensuring that the school infrastructure/network is as safe and secure as is reasonably possible and that:

● users can only access data to which they have right of access

● no user should be able to access another’s files (other than that allowed for monitoring purposes within the school’s policies).

● access to personal data is securely controlled in line with the school’s personal data policy ● logs are maintained of access by users and of their actions while users of the system ● there is effective guidance and training for users

● there are regular reviews and audits of the safety and security of school computer systems ● there is oversight from senior leaders and these have impact on policy and practice. If the school/academy has a managed ICT service provided by an outside contractor, it is the responsibility of the school to ensure that the managed service provider carries out all the online safety measures that might otherwise be carried out by the school/academy itself (as suggested below). It is also important that the managed service provider is fully aware of the school/academy online safety policy/acceptable use agreements). The school/academy should also check their Local Authority/Academy Group/other relevant body policies/guidance on these technical issues.

Responsibilities

The management of technical security will be the responsibility of (insert title) (schools/academies will probably choose the Network Manager/Technical Staff/Head of Computing or other relevant responsible person)

Technical Security

Policy statements

The school/academy will be responsible for ensuring that their infrastructure/network is as safe and secure as is reasonably possible and that policies and procedures approved within this policy are implemented. It will also need to ensure that the relevant people receive guidance and training and will be effective in carrying out their responsibilities:

● school/academy technical systems will be managed in ways that ensure that the school/academy meets recommended technical requirements (if not managed by the Local Authority, these may be outlined in Local Authority/other relevant body technical/online safety policy and guidance)

● there will be regular reviews and audits of the safety and security of school/academy technical systems

● servers, wireless systems and cabling must be securely located and physical access restricted Page 40

● appropriate security measures are in place to protect the servers, firewalls, switches, routers, wireless systems, work stations, mobile devices etc from accidental or malicious attempts which might threaten the security of the school/academy systems and data

● responsibilities for the management of technical security are clearly assigned to appropriate and well trained staff (this may be at school/academy, local authority or managed provider level) ● all users will have clearly defined access rights to school/academy technical systems. Details of the access rights available to groups of users will be recorded by the network manager/technical staff/other person and will be reviewed, at least annually, by the online safety group.

● users will be made responsible for the security of their username and password, must not allow other users to access the systems using their log on details and must immediately report any suspicion or evidence that there has been a breach of security (see password section below)

● (insert name or role) is responsible for ensuring that software licence logs are accurate and up to date and that regular checks are made to reconcile the number of licences purchased against the number of software installations (Inadequate licencing could cause the school/academy to breach the Copyright Act which could result in fines or unexpected licensing costs)

● mobile device security and management procedures are in place (where mobile devices are allowed access to school/academy systems). (schools/colleges may wish to add details of the mobile device security procedures that are in use).

● school/academy/local authority/managed service provider/technical staff regularly monitor and record the activity of users on the school/academy technical systems and users are made aware of this in the acceptable use agreement. (schools/colleges may wish to add details of the monitoring programmes that are used)

● remote management tools are used by staff to control workstations and view users activity ● an appropriate system is in place (to be described) for users to report any actual/potential technical incident to the online safety co-ordinator/network manager/technician (or other relevant person, as agreed) ● an agreed policy is in place (to be described) for the provision of temporary access of “guests”, (e.g. trainee teachers, supply teachers, visitors) onto the school/academy system

● an agreed policy is in place (to be described) regarding the downloading of executable files and the installation of programmes on school/academy devices by users

● an agreed policy is in place (to be described) regarding the extent of personal use that users (staff/learners/community users) and their family members are allowed on school/academy devices that may be used out of school/academy

● an agreed policy is in place (to be described) regarding the use of removable media (e.g. memory sticks/CDs/DVDs) by users on school/academy devices (see school/academy personal data policy template in the appendix for further detail)

● the school/academy infrastructure and individual workstations are protected by up to date software to protect against malicious threats from viruses, worms, trojans etc.

● personal data cannot be sent over the internet or taken off the school/academy site unless safely encrypted or otherwise secured. (see school/academy personal data policy template in the appendix for further detail)

Password Security

A safe and secure username/password system is essential if the above is to be established and will apply to all school/academy technical systems, including networks, devices, email and learning platform). You can find out more about passwords, why they are important and how to manage them in our blog article. You may wish to share this with staff members to help explain the significance of passwords as this is helpful in explaining why they are necessary and important. Where sensitive data is in use – particularly when accessed on mobile devices – schools/academies may wish to use more secure forms of authentication e.g. two factor authentication.

Further guidance can be found from the National Cyber Security Centre and SWGfL “Why password security is important”

Policy Statements:

● These statements apply to all users.

● All school/academy networks and systems will be protected by secure passwords. ● All users have clearly defined access rights to school/academy technical systems and devices. Details of the access rights available to groups of users will be recorded by the Network Manager (or other person) and will be reviewed, at least annually, by the online safety group (or other group).

Page 41

● All users (adults and students/pupils) have responsibility for the security of their username and password, must not allow other users to access the systems using their log on details and must immediately report any suspicion or evidence that there has been a breach of security. ● Passwords must not be shared with anyone.

● All users will be provided with a username and password by xxxxx (insert name or title) (see section on password generation in technical notes) who will keep an up to date record of users and their usernames.

Password requirements:

● Passwords should be long. Good practice highlights that passwords over 12 characters in length are considerably more difficult to compromise than shorter passwords. Passwords generated by using a combination of unconnected words that are over 16 characters long are extremely difficult to crack. Password length trumps any other special requirements such as uppercase/lowercase letters, number and special characters. Passwords should be easy to remember, but difficult to guess or crack.

● Passwords should be different for different accounts, to ensure that other systems are not put at risk if one is compromised and should be different for systems used inside and outside of school/academy ● Passwords must not include names or any other personal information about the user that might be known by others

● Passwords must be changed on first login to the system

● The school/academy may wish to recommend to staff and students/pupils (depending on age) that they make use of a ‘password vault’ these can store passwords in an encrypted manner and can generate very difficult to crack passwords. There may be a charge for these services.

● Passwords should not be set to expire as long as they comply with the above, but should be unique to each service the user logs into.

Learner passwords:

Primary schools will need to decide at which point they will allocate individual usernames and passwords to pupils. They may choose to use class logons for Foundation Phase (though increasingly children are using their own passwords to access programmes). Schools/colleges need to be aware of the risks associated with not being able to identify any individual who may have infringed the rules set out in the policy and the acceptable use agreement (AUA). Use by students/pupils in this way should always be supervised and members of staff should never use a class log on for their own network/internet access. Schools/colleges should also consider the implications of using whole class logons when providing access to learning environments and applications, which may be used outside school/academy.

● Records of learner usernames and passwords for foundation phase students/pupils can be kept in an electronic or paper-based form, but they must be securely kept when not required by the user. Password complexity in foundation phase should be reduced (for example 6-character maximum) and should not include special characters. Where external systems have different password requirements the use of random words or sentences should be encouraged.

● Password requirements for students/pupils at Key Stage 2 and above should increase as students’/pupils progress through school/academy.

● Users will be required to change their password if it is compromised. Some schools/colleges may choose to reset passwords at the start of each academic year to avoid large numbers of forgotten password reset requests where there is no user-controlled reset process. (Note: passwords should not be regularly changed but should be secure and unique to each account.)

● Students/pupils will be taught the importance of password security, this should include how passwords are compromised, and why these password rules are important.

Schools/colleges may wish to add to this list for all or some students/pupils any of the relevant policy statements from the staff section above.

Notes for technical staff/teams

● Each administrator should have an individual administrator account, as well as their own user account with access levels set at an appropriate level. Consideration should also be given to using two factor authentication for such accounts.

● An administrator account password for the school/academy systems should also be kept in a secure place e.g. school/academy safe. This account and password should only be used to recover or revoke

Page 42

access. Other administrator accounts should not have the ability to delete this account. (A school/academy should never allow one user to have sole administrator access)

● Any digitally stored administrator passwords should be hashed using a suitable algorithm for storing passwords (e.g. Bcrypt or Scrypt). Message Digest algorithms such as MD5, SHA1, SHA256 etc. should not be used.

● It is good practice that where passwords are used there is a user-controlled password reset process to enable independent, but secure re-entry to the system. This ensures that only the owner has knowledge of the password.

● Where user-controlled reset is not possible, passwords for new users, and replacement passwords for existing users will be allocated by xxxxx (insert title) (schools/colleges may wish to have someone other than the school’s/college’s technical staff carrying out this role e.g. an administrator who is easily accessible to users). Good practice is that the password generated by this change process should be system generated and only known to the user. This password should be temporary and the user should be forced to change their password on first login. The generated passwords should also be long and random.

● Where automatically generated passwords are not possible, then a good password generator should be used by xxxxx (insert title) to provide the user with their initial password. There should be a process for the secure transmission of this password to limit knowledge to the password creator and the user. The password should be temporary and the user should be forced to change their password on the first login.

● Requests for password changes should be authenticated by (the responsible person) to ensure that the new password can only be passed to the genuine user (the school/academy will need to decide how this can be managed – possibly by requests being authorised by a line manager for a request by a member of staff or by a member of staff for a request by a learner)

● Suitable arrangements should be in place to provide visitors with appropriate access to systems which expires after use. (For example, your technical team may provide pre-created user/password combinations that can be allocated to visitors, recorded in a log, and deleted from the system after use.)

● In good practice, the account is “locked out” following six successive incorrect log-on attempts. ● Passwords shall not be displayed on screen, and shall be securely hashed when stored (use of one-way encryption).

Training/Awareness:

It is essential that users should be made aware of the need for keeping passwords secure, and the risks attached to unauthorised access/data loss. This should apply to even the youngest of users. It is also essential that users be taught how passwords are compromised, so they understand why things should be done a certain way. Please see our blog for more details on this.

Members of staff will be made aware of the school/academy’s password policy: ● at induction

● through the school/academy’s online safety policy and password security policy

● through the acceptable use agreement

Students/pupils will be made aware of the school’s/college’s password policy: ● in lessons (the school/academy should describe how this will take place)

● through the acceptable use agreement

Audit/Monitoring/Reporting/Review:

The responsible person (insert title) will ensure that full records are kept of:

● User Ids and requests for password changes

● User logons

● Security incidents related to this policy

Filtering

Introduction

The filtering of internet content provides an important means of preventing users from accessing material that is illegal or is inappropriate in an educational context. The filtering system cannot, however, provide a 100% guarantee that it will do so, because the content on the web changes dynamically and new technologies are constantly being developed. It is important, therefore, to understand that filtering is only one element in a larger

Page 43

strategy for online safety and acceptable use. It is important that the school has a filtering policy to manage the associated risks and to provide preventative measures which are relevant to the situation in this school.

Many users are not aware of the flexibility provided by many filtering services at a local level for schools/academies. Where available, schools/academies should use this flexibility to meet their learning needs and reduce some of the frustrations occasionally felt by users who wish to maximise the use of the new technologies.

Schools/academies need to consider carefully the issues raised and decide:

● Whether they will use the provided filtering service without change or to allow flexibility for sites to be added or removed from the filtering list for their organisation

● Whether to introduce differentiated filtering for different groups/ages of users

● Whether to remove filtering controls for some internet use (e.g. social networking sites) at certain times of the day or for certain users

● Who has responsibility for such decisions and the checks and balances put in place ● What other system and user monitoring systems will be used to supplement the filtering system and how these will be used

DfE Keeping Learners Safe in Education requires schools to have “appropriate filtering”. Guidance can be found on the UK Safer Internet Centre site.

Schools may wish to test their filtering for protection against illegal materials at: SWGfL Test Filtering

Responsibilities

The responsibility for the management of the school’s filtering policy will be held by (insert title). They will manage the school filtering, in line with this policy and will keep records/logs of changes and of breaches of the filtering systems.

To ensure that there is a system of checks and balances and to protect those responsible, changes to the school filtering service must (schools should choose their relevant responses):

● be logged in change control logs

● be reported to a second responsible person (insert title):

● either... be reported to and authorised by a second responsible person prior to changes being made (recommended)

● or... be reported to a second responsible person (insert title) every X weeks/months in the form of an audit of the change control logs

● be reported to the Online Safety Group every X weeks/months in the form of an audit of the change control logs

All users have a responsibility to report immediately to (insert title) any infringements of the school’s filtering policy of which they become aware or any sites that are accessed, which they believe should have been filtered.

Users must not attempt to use any programmes or software that might allow them to bypass the filtering/security systems in place to prevent access to such materials.

Policy Statements

Internet access is filtered for all users. Differentiated internet access is available for staff and customised filtering changes are managed by the school. Illegal content is filtered by the broadband or filtering provider by actively employing the Internet Watch Foundation CAIC list and other illegal content lists. Filter content lists are regularly updated and internet use is logged and frequently monitored. The monitoring process alerts the school to breaches of the filtering policy, which are then acted upon. There is a clear route for reporting and managing changes to the filtering system. Where personal mobile devices are allowed internet access through the school network, filtering will be applied that is consistent with school practice.

● Either - The school/academy maintains and supports the managed filtering service provided by the Internet Service Provider (or other filtering service provider)

● Or – The school/academy manages its own filtering service (N.B. If a school/academy decides to remove the external filtering and replace it with another internal filtering system, this should be clearly explained in the policy and evidence provided that the Headteacher/Principal would be able to show, in the event of any legal issue that the school was able to meet its statutory requirements to ensure the safety of staff/students/pupils)

Page 44

● The school has provided enhanced/differentiated user-level filtering through the use of the (insert name) filtering programme. (allowing different filtering levels for different ages/stages and different groups of users – staff/pupils/students etc.)

● In the event of the technical staff needing to switch off the filtering for any reason, or for any user, this must be logged and carried out by a process that is agreed by the Headteacher/Principal (or other nominated senior leader).

● Mobile devices that access the school/academy internet connection (whether school/academy or personal devices) will be subject to the same filtering standards as other devices on the school systems ● Any filtering issues should be reported immediately to the filtering provider.

● Requests from staff for sites to be removed from the filtered list will be considered by the technical staff (insert name or title) (N.B. an additional person should be nominated – to ensure protection for the Network Manager or any other member of staff, should any issues arise re unfiltered access). If the request is agreed, this action will be recorded and logs of such actions shall be reviewed regularly by the Online Safety Group.

Education/Training/Awareness

Pupils/students will be made aware of the importance of filtering systems through the online safety education programme (schools may wish to add details). They will also be warned of the consequences of attempting to subvert the filtering system.

Staff users will be made aware of the filtering systems through: (amend as relevant)

● the acceptable use agreement

● induction training

● staff meetings, briefings, Inset.

Parents will be informed of the school’s filtering policy through the acceptable use agreement and through online safety awareness sessions/newsletter etc. (amend as relevant)

Changes to the Filtering System

In this section the school should provide a detailed explanation of:

● how, and to whom, users may request changes to the filtering (whether this is carried out in school or by an external filtering provider)

● the grounds on which they may be allowed or denied (schools may choose to allow access to some sites e.g. social networking sites for some users, at some times, or for a limited period of time. There should be strong educational reasons for changes that are agreed).

● how a second responsible person will be involved to provide checks and balances (preferably this will be at the time of request, but could be retrospectively through inspection of records/audit of logs) ● any audit/reporting system

Users who gain access to, or have knowledge of others being able to access, sites which they feel should be filtered (or unfiltered) should report this in the first instance to (insert title) who will decide whether to make school level changes (as above).

Monitoring

Some schools/academies supplement their filtering systems with additional monitoring systems. If this is the case, schools/academies should include information in this section, including – if they wish – details of internal or commercial systems that are in use. They should also ensure that users are informed that monitoring systems are in place.

No filtering system can guarantee 100% protection against access to unsuitable sites. The school will therefore monitor the activities of users on the school network and on school equipment as indicated in the school online safety policy and the acceptable use agreement. Monitoring will take place as follows: (details should be inserted if the school/academy so wishes).

Audit/Reporting

Logs of filtering change controls and of filtering incidents will be made available to: (schools should amend as relevant)

● the second responsible person (insert title)

Page 45

● Online Safety Group

● Online Safety Governor/Governors committee

● External Filtering provider/Local Authority/Police on request

The filtering policy will be reviewed in the response to the evidence provided by the audit logs of the suitability of the current provision. (The evidence might show a large number of requests to remove the filtering from sites – in which case schools might question whether their current level of filtering is too restrictive for educational purposes. Alternatively, a large number of incidents where users try to subvert the filtering system might suggest that improved monitoring/disciplinary action might be necessary).

Further Guidance

Schools/academies may wish to seek further guidance. The following is recommended:

Schools in England (and Wales) are required “to ensure children are safe from terrorist and extremist material when accessing the internet in school, including by establishing appropriate levels of filtering" (Revised Prevent Duty Guidance: for England and Wales, 2015).

The Department for Education ‘Keeping Children Safe in Education’ requires schools to: “ensure appropriate filters and appropriate monitoring systems are in place. Children should not be able to access harmful or inappropriate material from the school or colleges IT system” however, schools will need to “be careful that “over blocking” does not lead to unreasonable restrictions as to what children can be taught with regards to online teaching and safeguarding.”

In response UKSIC produced guidance on – information on “Appropriate Filtering”

Somerset Guidance for schools – questions for technical support – this checklist is particularly useful where a school/academy uses external providers for its technical support/security.

SWGfL provides a site for schools to test their filtering to ensure that illegal materials cannot be accessed: SWGfL Test Filtering

Page 46

School/academy Personal Data Advice and Guidance

Suggestions for use

This document is for advice and guidance purposes only. It is anticipated that schools/academies will use this advice alongside their own data protection policy. This document is not intended to provide legal advice and the school/college is encouraged to seek their own legal counsel when considering their management of personal data.

The template uses the terms students/pupils to refer to the children or young people at the institution.

Data Protection Law – A Legislative Context

With effect from 25th May 2018, the data protection arrangements for the UK changed following the implementation of the European Union General Data Protection Regulation (GDPR). This represented a significant shift in legislation and in conjunction with the Data Protection Act 2018 replaced the Data Protection Act 1998.

GDPR - As a European Regulation, the GDPR has direct effect in UK law and automatically applies in the UK until we leave the EU (or until the end of any agreed transition period, if we leave with a deal). After this date, it will form part of UK law under the European Union (Withdrawal) Act 2018, with some technical changes to make it work effectively in a UK context.

Data Protection Act 2018 – this Act sits alongside the GDPR, and tailors how the GDPR applies in the UK and provides the UK-specific details such as; how to handle education and safeguarding information. No Deal Brexit -The Information Commissioner advises that in the event of a no- deal Brexit it is anticipated that the Government of the day will pass legislation to incorporate GDPR into UK law alongside the DPA 2018. Unless your school/academy receives personal data from contacts in the EU there will be little change save to update references to the effective legislation in privacy notices etc.

In this document the term “Data Protection Law” refers to the legislation applicable to data protection and privacy as applicable in the UK from time to time.

Does the Data Protection Law apply to schools?

In short, yes. Any natural or legal person, public authority, agency or other body which processes personal data is considered a ‘data controller’.

A school/academy is, for the purposes of the Data Protection Law, a “public body” and further processes the personal data of numerous data subjects on a daily basis.

Personal data is information that relates to an identified or identifiable living individual (a data subject). Guidance for schools/academies is available on the Information Commissioner’s Office (ICO) website including information about the Data Protection Law.

The ICO’s powers are wide ranging in the event of non-compliance and schools/academies must be aware of the huge impact that a fine or investigation will have on finances and also in the wider community for example in terms of trust.

The Data Protection Law sets out that a data controller must ensure that personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to data subjects; b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased

Page 47

or rectified without delay;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the Data Protection Law in order to safeguard the rights and freedoms of data subjects; and

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

These principles of the Data Protection Law drive the need for the school/academy to put in place appropriate privacy notices (to give a data subject information about the personal data processing activities, legal basis of processing and data subject rights) and policies (such as for reporting a breach, managing a data subject access request, training, retention etc.) to demonstrate compliance.

Data Mapping to identify personal data, data subjects and processing activities

The school/academy and its employees will collect and/ or process a wide range of information concerning numerous data subjects and some of this information will include personal data. Further, the school/academy may need to share some personal data with third parties. To be able to demonstrate and plan compliance and it is important that the school/academy has a data map of these activities; it can then make sure that the correct privacy notices are provided, put in place security measures to keep the personal data secure and other steps to avoid breach and also put in place data processing agreements with the third parties.

The data map should identify what personal data held in digital format or on paper records in a school/ academy, where it is stored, why it is processed and how long it is retained.

In a typical data map for a school/academy the data subjects and personal data will include, but is not limited to:

● Parents, legal guardians, governors – and personal data of names, addresses, contact details ● Learners - curricular / academic data e.g. class lists, learner progress records, reports, references, contact details, health and SEN reports

● Staff and contractors - professional records e.g. employment history, taxation and national insurance records, appraisal records and references, health records

Some types of personal data are designated as ‘special category’ being personal data; “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”

This should be identified separately and to lawfully process special category data, you must identify both a lawful basis and a separate condition for processing special category data. You should decide and document this before you start processing the data.

The school/academy will need to identify appropriate lawful process criteria for each type of personal data and if this is not possible such activities should be discontinued. The lawful processing criteria can be summarised as:

(a) Consent: the data subject has given clear consent for you to process their personal data for a specific purpose (see below for further guidance) 

(b) Contract: the processing is necessary for a contract you have with the data subject (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). 

(d) Vital interests: the processing is necessary to protect someone’s life. (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. 

Page 48

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s 

personal data which overrides those legitimate interests. (This cannot apply if 

you are a public authority processing data to perform your official tasks) Please 

also be aware that these criteria must be supported by a written legitimate 

interest assessment. 

No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the data subject.

Several of the lawful purpose criteria may relate to a particular specified purpose – a legal obligation, a contract with the individual, protecting someone’s vital interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first. 

As a public authority, and if you can demonstrate that the processing is to perform your tasks as set down in UK law, then you are able to use the public task basis. If not, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the data subject. There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, but the Data Protection law does restrict public authorities’ use of these two criteria. 

The majority of processing of personal data conducted by public authorities will fall within Article 6(1)(e) GDPR, that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” however careful consideration must be given to any processing, especially in more novel areas. As you can see, consent is just one of several possible lawful processing criteria.

Consent has changed as a result of the GDPR and is now defined as: “in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data”

This means that where a school/academy is relying on consent as the basis for processing personal data that consent has to be clear, meaning that pre-ticked boxes, opt-out or implied consent are no longer suitable. The GDPR does not specify an age of consent for general processing but schools/academies should consider the capacity of pupils to freely give their informed consent.

The Information Commissioner’s Office (ICO) gives clear advice on when it’s appropriate to use consent as a lawful base. It states:

“Consent is appropriate if you can offer people real choice and control over how you use their data and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.”

You should only use consent if none of the other lawful bases is appropriate. If you do so, you must be able to cope with people saying no (and/or changing their minds), so it’s important that you only use consent for optional extras, rather than for core information the school requires in order to function. Examples;

– consent would be appropriate for considering whether a child's photo could be published in any way.

– if your school or academy requires learner details to be stored in an MIS, it would not be appropriate to rely on consent if the learner cannot opt out of this. In this case, you could apply the public task lawful base.

Content of Privacy Notices

Privacy Notices are a key compliance requirement as they ensure that each data subject is aware of the following points when data is collected/ processed by a data controller:

● Who the controller of the personal data is

Page 49

● What personal data is being processed and the lawful purpose of this processing

● where and how the personal data was sourced

● to whom the personal data may be disclosed

● how long the personal data may be retained

● data subject’s rights and how to exercise them or make a complaint

In order to comply with the fair processing requirements in data protection law, the school/academy will inform parents/carers of all learners of the data they collect, process and hold on the learners, the purposes for which the data is held and the third parties (e.g. LA etc.) to whom it may be passed. This privacy notice will be passed to parents/carers for example in the prospectus, newsletters, reports or a specific letter / communication or you could publish it on your website and keep it updated there. Parents/carers of young people who are new to the school/academy will be provided with the privacy notice through an appropriate mechanism.

In some circumstances you may also require privacy notices for children / learners as data subjects as children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. The policies that explain this should be clear and age appropriate.

Data subject’s right of access

Data subjects have a number of rights in connection with their personal data. They have the right:

● to be informed – Privacy Notices

● of access – Subject Access Requests

● to rectification – correcting errors

● to erasure – deletion of data when there is no compelling reason to keep it

● to restrict processing – blocking or suppression of processing

● to portability – unlikely to be used in a school/academy context

● to object – objection based on grounds pertaining to their situation

● related to automated decision making, including profiling

Several of these could impact schools and academies, such as the right of access. You need to put procedures in place to deal with Subject Access Requests. These are written or verbal requests to see all or a part of the personal data held by the Controller in connection with the data subject. Controllers normally have 1 calendar month to provide the information, unless the case is unusually complex in which case an extension can be obtained.

A school/academy must not disclose personal data even if requested in a Subject Access Request;

● if doing so would cause serious harm to the individual

● child abuse data

● adoption records

● statements of special educational needs

Your school or academy must provide the information free of charge. However, if the request is clearly unfounded or excessive – and especially if this is a repeat request – you may charge a reasonable fee.

Breaches and how to manage a breach

Recent publicity about data breaches suffered by organisations and individuals continues to make the area of personal data protection a current and high profile issue for schools, academies and other organisations. It is important that the school/academy has a clear and well understood personal data handling policy in order to minimise the risk of personal data breaches.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.

Page 50

A breach may arise from a theft, a deliberate attack on your systems, the unauthorised or malicious use of personal data by a member of staff, accidental loss, or equipment failure. In addition:

● no school/academy or individual would want to be the cause of a data breach, particularly as the impact of data loss on individuals can be severe, put individuals at risk and affect personal, professional or organisational reputation

● schools/academies are “data rich” and the introduction of electronic storage and transmission of data has created additional potential for the loss of data

● the school/academy will want to avoid the criticism and negative publicity that could be generated by any personal data breach

Schools / academies have always held personal data on the learners in their care, and increasingly this data is held digitally and accessible not just in school/academy but also from remote locations. It is important to stress that the Data Protection Laws apply to all forms of personal data, regardless of whether it is held on paper or in electronic format. However, as it is part of an overall online safety policy template, this document will place particular emphasis on data which is held or transferred digitally.

Schools / Academies will need to carefully review their policy, in the light of pertinent Local Authority regulations and guidance and changes in legislation.

All significant data protection incidents must be reported through the DPO to the Information Commissioner’s Office based upon the local incident handling policy and communication plan. The new laws require that this notification should take place within 72 hours of the breach being detected, where feasible.

If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of any risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. You do not need to report every breach to the ICO.

The school/academy should have a policy for reporting, logging, managing and recovering from information risk incidents, which establishes a:

● “responsible person” for each incident

● communications plan, including escalation procedure

● plan of action for rapid resolution

● plan of action of non-recurrence and further awareness raising

Privacy by Design and Data Protection Impact Assessments (DPIA) Data Protection Impact Assessments (DPIA) identify and address privacy risks early on in any project so that you can mitigate them before the project goes live.

DPIAs should be carried out by Data Managers (where relevant) under the support and guidance of the DPO. Ideally you should conduct a DPIA before processing activity starts. However, some may need to be retrospective in the early stages of compliance activity.

The risk assessment will involve:

● recognising the risks that are present

● judging the level of the risks (both the likelihood and consequences)

● prioritising the risks.

According to the ICO a DPIA should contain:

● a description of the processing operations and the purpose

● an assessment of the necessity and proportionality of the processing in relation to the purpose ● an assessment of the risks to individuals

● the measures in place to address risk, including security and to demonstrate that you comply.

Or more simply and fully:

● who did you talk to about this?

Page 51

● what is going to happen with the data and how – collection, storage, usage, disposal ● how much personal data will be handled (number of subjects)

● why you need use personal data in this way

● what personal data (including if it’s in a ‘special category’) are you using

● at what points could the data become vulnerable to a breach (loss, stolen, malicious) ● what the risks are to the rights of the individuals if the data was breached

● what are you going to do in order to reduce the risks of data loss and prove you are compliant with the law.

DPIA is an ongoing process and should be re-visited at least annually to verify that nothing has changed since the processing activity started.

Secure storage of and access to data

The school/academy should ensure that systems are set up so that the existence of protected files is hidden from unauthorised users and that users will be assigned a clearance that will determine which files are accessible to them. Access to protected data will be controlled according to the role of the user. Members of staff will not, as a matter of course, be granted access to the whole management information system.

Good practice suggests that all users will use strong passwords made up from a combination of simpler words. User passwords must never be shared.

Personal data may only be accessed on machines that are securely protected. Any device that can be used to access personal data must be locked if left (even for very short periods) and set to auto lock if not used for five minutes.

All storage media must be stored in an appropriately secure and safe environment that avoids physical risk, loss or electronic degradation.

Personal data should only be stored on school/academy equipment. Private equipment (i.e. owned by the users) must not be used for the storage of school/academy personal data.

When personal data is stored on any portable computer system, USB stick or any other removable media:

● The data must be encrypted and password protected

● The device must be password protected

● The device must offer approved virus and malware checking software

● The data must be securely deleted from the device, in line with school/academy policy once it has been transferred or its use is complete.

The school/academy will need to set its own policy as to whether data storage on removal media is allowed, even if encrypted. Some organisations do not allow storage of personal data on removable devices.

The school/academy should have a clear policy and procedures for the automatic backing up, accessing and restoring of all data held on school/academy systems, including off-site backups.

The school/academy should have clear policy and procedures for the use of “Cloud Based Storage Systems” (for example Dropbox, Microsoft 365, Google Drive) and is aware that data held in remote and cloud storage is still required to be protected in line with the Data Protection Act. The school/academy will ensure that it is satisfied with controls put in place by remote / cloud based data services providers to protect the data.

As a Data Controller, the school/academy is responsible for the security of any data passed to a “third party”. Specific data processing clauses must be included in all contracts where personal data is likely to be passed to a third party.

All paper based personal data must be held in lockable storage, whether on or off site.

Secure transfer of data and access out of school

The school/academy recognises that personal data may be accessed by users out of school/academy or transferred to the local authority or other agencies. In these circumstances:

Page 52

● Users may not remove or copy sensitive or restricted or protected personal data from the school/academy or authorised premises without permission and unless the media is encrypted and password protected and is transported securely for storage in a secure location

● Users must take particular care that computers or removable devices which contain personal data must not be accessed by other users (e.g. family members) when out of school/academy

● When restricted or protected personal data is required by an authorised user from outside the organisation’s premises (for example, by a member of staff to work from their home), they should preferably have secure remote access to the management information system or learning platform

● If secure remote access is not possible, users must only remove or copy personal or sensitive data from the organisation or authorised premises if the storage media, portable or mobile device is encrypted and is transported securely for storage in a secure location

● Users must protect all portable and mobile devices, including media, used to store and transmit personal information using approved encryption software

● Particular care should be taken if data is taken or transferred to another country, particularly outside Europe, and advice should be taken from the local authority (if relevant) in this event.

Disposal of personal data

The school/academy should implement a document retention schedule that defines the length of time personal data is held before secure destruction. The Information and Records Management Society Toolkit for schools provides support for this process. The school/academy must ensure the safe destruction of personal data when it is no longer required.

The disposal of personal data, in either paper or electronic form, must be conducted in a way that makes reconstruction highly unlikely. Electronic files must be securely disposed of, and other media must be shredded, incinerated or otherwise disintegrated.

A Destruction Log should be kept of all data that is disposed of. The log should include the document ID, classification, date of destruction, method and authorisation.

Demonstrating Compliance - Audit Logging / Reporting / Incident Handling

Organisations are required to keep records of processing activity. The data map referred to above will assist here. Records must include:

● the name and contact details of the data controller

● where applicable, the name and contact details of the joint controller and data protection officer ● the purpose of the processing

● to whom the data has been/will be disclosed

● description of data subject and personal data

● where relevant the countries it has been transferred to

● under which condition for processing the personal data has been collected

● under what lawful basis processing is being carried out

● where necessary, how it is retained and destroyed

● a general description of the technical and organisational security measures.

Clearly, in order to maintain these records good auditing processes must be followed, both at the start of the exercise and on-going throughout the lifetime of the requirement. Therefore, audit logs will need to be kept to:

● provide evidence of the processing activity and the DPIA

● record where, why, how and to whom personal data has been shared

● log the disposal and destruction of the personal data

● enable the school/academy to target training at the most at-risk data

Page 53

● record any breaches that impact on the personal data

Fee

The school/academy should pay the relevant annual fee to the Information Commissioner’s Office (ICO). Failure to renew may render the school/academy to a penalty in additional to other fines possible under the Data Protection Law.

Responsibilities

Every maintained school/academy is required to appoint a Data Protection Officer as a core function of ‘the business’

The Data Protection Officer (DPO) can be internally or externally appointed.

They must have:

● expert knowledge

● timely and proper involvement in all issues relating to data protection

● the necessary resources to fulfil the role

● access to the necessary personal data processing operations

● a direct reporting route to the highest management level

The data controller must:

● not give the DPO instructions regarding the performance of tasks

● ensure that the DPO does not perform a duty or role that would lead to a conflict of interests ● not dismiss or penalise the DPO for performing the tasks required of them

As a minimum a Data Protection Officer must:

● inform, as necessary, the controller, a processor or an employee of their obligations under the data protection laws

● provide advice on a data protection impact assessment

● co-operate with the Information Commissioner

● act as the contact point for the Information Commissioner

● monitor compliance with policies of the controller in relation to the protection of personal data ● monitor compliance by the controller with Data Protection Law

The school/academy may also wish to appoint a Data Manager. Schools/academies are encouraged to separate this role from that of Data Protection Officer, where possible. This person will keep up to date with current legislation and guidance and will:

● determine and take responsibility for the school’s / academy’s information risk policy and risk assessment ● oversee the System Controllers

The school/academy may also wish to appoint System Controllers for the various types of data being held (e.g. learner information / staff information / assessment data etc.). System Controllers will manage and address risks to the information and will understand:

● what information is held, for how long and for what purpose

● how information has been amended or added to over time, and

● who has access to the data and why.

Everyone in the school/academy has the responsibility of handling protected or sensitive data in a safe and secure manner.

Page 54

Governors are required to comply fully with this policy in the event that they have access to personal data, when engaged in their role as a Governor (either in the school/academy or elsewhere if on school/academy business).

Training & awareness

All staff must receive data handling awareness / data protection training and will be made aware of their responsibilities. This should be undertaken regularly. You can do this through:

● Induction training for new staff

● Staff meetings / briefings / INSET

● Day to day support and guidance from System Controllers

Freedom of Information Act

All schools / academies must have a Freedom of Information Policy which sets out how it will deal with FOI requests. FOI aims to increase transparency and accountability in public sector organisations as part of a healthy democratic process. Whilst FOI requests are submitted by an individual, the issue is for the school/academy to consider whether the requested information should be released into the public domain. FOI links to Data Protection Law whenever a request includes personal data. Good advice would encourage the school/academy to:

● delegate to the Headteacher day-to-day responsibility for FOI policy and the provision of advice, guidance, publicity and interpretation of the school's/academy’s policy

● consider designating an individual with responsibility for FOI, to provide a single point of reference, coordinate FOI and related policies and procedures, take a view on possibly sensitive areas and consider what information and training staff may need

● consider arrangements for overseeing access to information and delegation to the appropriate governing body

● proactively publish information with details of how it can be accessed through a Publication Scheme (see Model Publication Scheme below) and review this annually

● ensure that a well-managed records management and information system exists in order to comply with requests

● ensure a record of refusals and reasons for refusals is kept, allowing the school/academy to review its access policy on an annual basis

Model Publication Scheme

The Information Commissioner’s Office provides schools and organisations with a model publication scheme which they should complete. The school's / academy’s publication scheme should be reviewed annually.

The ICO produce guidance on the model publication scheme for schools. This is designed to support schools / academies complete the Guide to Information for Schools.

Parental permission for use of cloud hosted services

Schools/academies that use cloud hosting services are advised to seek appropriate consent to set up an account for learners.

Use of Biometric Information

Biometric information is special category data. The Protection of Freedoms Act 2012, included measures that affect schools/academies that use biometric recognition systems, such as fingerprint identification and facial scanning:

● For all pupils in schools/academies under 18, they must obtain the written consent of a parent before they take and process their child’s biometric data

● They must treat the data with appropriate care and must comply with data protection principles as set out in the Data Protection Law

● They must provide alternative means for accessing services where a parent or pupil has refused consent Page 55

New advice to schools/academies makes it clear that they are not able to use pupils’ biometric data without parental consent. Schools/academies may wish to incorporate the parental permission procedures into revised consent processes. (see Appendix Parent / Carer Acceptable Use Agreement)

Privacy and Electronic Communications

Schools/academies should be aware that they are subject to the Privacy and Electronic Communications Regulations in the operation of their websites.

School/academy policy template: Electronic Devices - Searching & Deletion

The Education Act 2012, the basis of this template, sets out what the law is presumed to be, based on prior legal and educational knowledge, and common sense. Rights and responsibilities regarding physical contact and personal data are still evolving rapidly. So too are social, entertainment and educational technologies and the skills necessary to use them safely and prudently. This is particularly so where those who are under 18 are involved.

No existing law or policy can fully insulate anyone from the risk involved in searching for, access to or deletion of the personal data of others. Anyone refraining from any such search, access or deletion when hindsight shows circumstances merit such actions may however be at significant risk and may put seriously at risk the wellbeing of children entrusted to their care. This template cannot therefore be relied on as justification for any act or lack of action by anyone – there is no substitute for the proper and well documented exercise of adequately informed professional judgement.

It is for each school’s/academy’s Headteacher/Principal and Governors/directors to set, apply and monitor application of their own policies as guided by their head teacher, local authority and official guidance, especially if the school is local authority maintained. This template is intended as an aide to this. South West Grid for Learning Trust does not and cannot accept and does not have responsibility for any school’s policy on this or any other matter.

Within this template, sections which include information or guidance are shown in BLUE. It is anticipated that schools will remove these sections from their completed policy documents, though this will be for the school’s relevant policy advisory group to recommend and for the head teacher and other governors to decide upon.

Where sections in the template are written in italics it is anticipated that schools would wish to consider whether or not to include that section or statement in their completed policy.

Where sections are highlighted in BOLD text, it is the view of the SWGfL Online Safety Group that these ought to be an essential part of a school online safety policy.

The template uses the term students/pupils to refer to the children/young people attending the learning institution and the term Headteacher/Principal. Schools will need to choose which terms to use and delete the others accordingly.

Introduction

The changing face of information technologies and ever increasing pupil/student use of these technologies has meant that the Education Acts have had to change in an attempt to keep pace. Within Part 2 of the Education Act 2011 (Discipline) there have been changes to the powers afforded to schools by statute to search pupils in order to maintain discipline and ensure safety. Schools are required to ensure they have updated policies which take these changes into account. No such policy can on its own guarantee that the school will not face legal challenge,

Page 56

but having a robust policy which takes account of the Act and applying it in practice will however help to provide the school with justification for what it does.

The particular changes we deal with here are the added power to search for items ‘banned under the school rules’ and the power to ‘delete data’ stored on seized electronic devices.

Items banned under the school rules are determined and publicised by the Headteacher (section 89 Education and Inspections Act 1996).

An item banned by the school rules may only be searched for under these new powers if it has been identified in the school rules as an item that can be searched for. It is therefore important that there is a school policy which sets out clearly and unambiguously the items which:

● are banned under the school rules; and

● are banned AND can be searched for by authorised school staff

The act allows authorised persons to examine data on electronic devices if they think there is a good reason to do so. In determining a ‘good reason’ to examine or erase the data or files the authorised staff member must reasonably suspect that the data or file on the device in question has been, or could be, used to cause harm, to disrupt teaching or could break the school rules.

Following an examination, if the person has decided to return the device to the owner, or to retain or dispose of it, they may erase any data or files, if they think there is a good reason to do so.

The Head Teacher/Principal must publicise the school behaviour policy, in writing, to staff, parents/carers and students/pupils at least once a year. (There should therefore be clear links between the search etc. policy and the behaviour policy).

DfE advice on these sections of the Education Act 2011 can be found in the document: “Screening, searching and confiscation – Advice for head teachers, staff and governing bodies” (2014 and updated January 2018)

http://www.education.gov.uk/schools/pupilsupport/behaviour/behaviourpolicies/f0076897/screening-searchi ng-and-confiscation

It is recommended that Headteachers/Principals (and, at the least, other senior leaders) should be familiar with this guidance.

Relevant legislation:

● Education Act 1996

● Education and Inspections Act 2006

● Education Act 2011 Part 2 (Discipline)

● The School Behaviour (Determination and Publicising of Measures in Academies) Regulations 2012 ● Health and Safety at Work etc. Act 1974

● Obscene Publications Act 1959

● Children Act 1989

● Human Rights Act 1998

● Computer Misuse Act 1990

This is not a full list of Acts involved in the formation of this advice. Further information about relevant legislation can be found via the above link to the DfE advice document.

Responsibilities

The Headteacher/Principal is responsible for ensuring that the school policies reflect the requirements contained within the relevant legislation. The formulation of these policies may be delegated to other individuals or groups. The policies will normally be taken to Governors for approval. The Headteacher/Principal will need to authorise those staff who are allowed to carry out searches.

This policy has been written by and will be reviewed by: insert relevant names/roles/group

The Headteacher/Principal has authorised the following members of staff to carry out searches for and of electronic devices and the deletion of data/files on those devices: (the policy should here list those staff/roles given such authority. A Headteacher/Principal may choose to authorise all staff willing to be authorised, but should consider training needs in making this decision).

Page 57

The Headteacher/Principal may authorise other staff members in writing in advance of any search they may undertake, subject to appropriate training.

Members of staff (other than Security Staff) cannot be required to carry out such searches. They can each choose whether or not they wish to be an authorised member of staff.

Training/Awareness

It is essential that all staff should be made aware of and should implement the school’s policy. Members of staff should be made aware of the school’s policy on "Electronic devices – searching and deletion":

● at induction

● at regular updating sessions on the school’s online safety policy

Members of staff authorised by the Headteacher/Principal to carry out searches for and of electronic devices and to access and delete data/files from those devices should receive training that is specific and relevant to this role.

Specific training is required for those staff who may need to judge whether material that is accessed is inappropriate or illegal.

Policy Statements

Search:

The school Behaviour Policy refers to the policy regarding searches with and without consent for the wide range of items covered within the Education Act 2011 and lists those items. This policy refers only to the searching for and of electronic devices and the deletion of data/files on those devices.

The school will already have a policy relating to whether or not mobile phones and other electronic devices are banned, or are allowed only within certain conditions. The school should therefore consider including one of the following statements in the policy:

Either:

Pupils/students are not allowed to bring mobile phones or other personal electronic devices to school or use them in the school.

Or

Pupils/students are allowed to bring mobile phones or other personal electronic devices to school and use them only within the rules laid down by the school. (you should refer to the relevant policy or to list here the conditions under which they are allowed)

If pupils/students breach these roles:

Either:

The sanctions for breaking these rules will be: (list here)

Or

The sanctions for breaking these rules can be found in the (name the policy - for many schools this will be the Behaviour Policy)

Authorised staff (defined in the responsibilities section above) have the right to search for such electronic devices where they reasonably suspect that the data or file on the device in question has been, or could be, used to cause harm, to disrupt teaching or break the school rules.

● Searching with consent - Authorised staff may search with the pupil’s consent for any item ● Searching without consent - Authorised staff may only search without the pupil’s consent for anything which is either ‘prohibited’ (as defined in Section 550AA of the Education Act 1996) or appears in the school rules as an item which is banned and may be searched for

Page 58

In carrying out the search:

The authorised member of staff must have reasonable grounds for suspecting that a student/pupil is in possession of a prohibited item i.e. an item banned by the school rules and which can be searched for. (Whether there are ‘reasonable grounds’ is a matter decided on by reference to the circumstances witnessed by, or reported to, someone who is authorised and who exercises properly informed professional judgment and has received appropriate training).

The authorised member of staff should take reasonable steps to check the ownership of the mobile phone/personal electronic device before carrying out a search. (The powers included in the Education Act do not extend to devices owned (or mislaid) by other parties e.g. a visiting parent or contractor, only to devices in the possession of pupils/students.)

The authorised member of staff should take care that, where possible, searches should not take place in public places e.g. an occupied classroom, which might be considered as exploiting the student/pupil being searched.

The authorised member of staff carrying out the search must be the same gender as the student/pupil being searched; and there must be a witness (also a staff member) and, if at all possible, they too should be the same gender as the student/pupil being searched.

There is a limited exception to this rule: Authorised staff can carry out a search of a student/pupil of the opposite gender including without a witness present, but only where you reasonably believe that there is a risk that serious harm will be caused to a person if you do not conduct the search immediately and where it is not reasonably practicable to summon another member of staff.

Extent of the search:

The person conducting the search may not require the student/pupil to remove any clothing other than outer clothing.

Outer clothing means clothing that is not worn next to the skin or immediately over a garment that is being worn as underwear (outer clothing includes hats; shoes; boots; coat; blazer; jacket; gloves and scarves).

‘Possessions’ means any goods over which the student/pupil has or appears to have control – this includes desks, lockers and bags. (schools will need to take account of their normal policies regarding religious garments/headwear and may wish to refer to it in this policy)

A student’s/pupil’s possessions can only be searched in the presence of the student/pupil and another member of staff, except where there is a risk that serious harm will be caused to a person if the search is not conducted immediately and where it is not reasonably practicable to summon another member of staff.

The power to search without consent enables a personal search, involving removal of outer clothing and searching of pockets; but not an intimate search going further than that, which only a person with more extensive powers (e.g. a police officer) can do.

Use of Force – force cannot be used to search without consent for items banned under the school rules regardless of whether the rules say an item can be searched for.

Electronic devices

An authorised member of staff finding an electronic device may access and examine any data or files on the device if they think there is a good reason to do so (i.e. the staff member must reasonably suspect that the data or file on the device in question has been, or could be, used to cause harm, to disrupt teaching or break the school rules).

The examination of the data/files on the device should go only as far as is reasonably necessary to establish the facts of the incident. Any further intrusive examination of personal data may leave the school open to legal challenge. It is important that authorised staff should have training and sufficient knowledge of electronic devices and data storage.

If inappropriate material is found on the device it is up to the authorised member of staff to decide whether they should delete that material, retain it as evidence (of a criminal offence or a breach of school discipline) or whether the material is of such seriousness that it requires the involvement of the police. Examples of illegal activity would include:

● child sexual abuse images (including images of one child held by another child)

● adult material which potentially breaches the Obscene Publications Act

Page 59

● criminally racist material

● other criminal conduct, activity or materials

Members of staff may require support in judging whether the material is inappropriate or illegal. One or more Senior Leaders should receive additional training to assist with these decisions. Care should be taken not to delete material that might be required in a potential criminal investigation.

The school should also consider their duty of care responsibility in relation to those staff who may access disturbing images or other inappropriate material whilst undertaking a search. Seeing such material can be most upsetting. There should be arrangements in place to support such staff. The school may wish to add further detail about these arrangements.

Further guidance on reporting the incident to the police and the preservation of evidence can be found in the SWGfL flow chart in the main School Template Policies document. Local authorities/local safeguarding partnerships may also have further guidance, specific to their area.

Deletion of Data

Following an examination of an electronic device, if the authorised member of staff has decided to return the device to the owner, or to retain or dispose of it, they may erase any data or files, if they think there is a good reason to do so. (i.e. the staff member must reasonably suspect that the data or file on the device in question has been, or could be, used to cause harm, to disrupt teaching or break the school rules).

If inappropriate material is found on the device, it is up to the authorised member of staff to decide whether they should delete that material, retain it as evidence (of a possible criminal offence or a breach of school discipline) or whether the material is of such seriousness that it requires the involvement of the police. (It is recommended that members of staff should know who to contact, within school, for further guidance before taking action and that the person or persons is or are named within this policy).

A record should be kept of the reasons for the deletion of data/files. (DfE guidance states and other legal advice recommends that there is no legal reason to do this, best practice suggests that the school can refer to relevant documentation created at the time of any search or data deletion in the event of a pupil /student, parental or other interested party complaint or legal challenge. Records will also help the school to review online safety incidents, learn from what has happened and adapt and report on application of policies as necessary).

Care of Confiscated Devices

School staff are reminded of the need to ensure the safe keeping of confiscated devices, to avoid the risk of compensation claims for damage/loss of such devices (particularly given the possible high value of some of these devices).

The school may wish to add a disclaimer to the relevant section of the Behaviour Policy which may assist in covering the school against damage/loss claims.

Audit/Monitoring/Reporting/Review

The responsible person (insert title) will ensure that full records are kept of incidents involving the searching for and of mobile phones and electronic devices and the deletion of data/files. (a template log sheet can be found in the appendices to the School Online Safety Template Policies)

These records will be reviewed by ... (Online Safety Officer/Online Safety Committee/Online Safety Governor) at regular intervals (state the frequency).

This policy will be reviewed by the head teacher and governors annually and in response to changes in guidance and evidence gained from the records.

The school is required is publish its Behaviour Policy to parents annually (including on its website) – the Behaviour Policy should be cross referenced with this policy on search and deletion. DfE guidance can be found at: https://www.gov.uk/government/publications/searching-screening-and-confiscation

Page 60

Mobile Technologies Policy Template (inc. BYOD/BYOT)

Mobile technology devices may be a school owned/provided or privately owned smartphone, tablet, notebook/laptop or other technology that usually has the capability of utilising the school’s wireless network. The device then has access to the wider internet which may include the school’s learning platform and other cloud based services such as email and data storage.

The absolute key to considering the use of mobile technologies is that the pupils/students, staff and wider school/academy community understand that the primary purpose of having their personal device at school is educational and that this is irrespective of whether the device is school/academy owned/provided or personally owned. The mobile technologies policy should sit alongside a range of polices including but not limited to the safeguarding policy, anti-bullying policy, acceptable use policy, policies around theft or malicious damage and the behaviour policy. Teaching about the safe and appropriate use of mobile technologies should be included in the online safety education programme.

Potential Benefits of Mobile Technologies

Research has highlighted the widespread uptake of mobile technologies amongst adults and children of all ages. Web-based tools and resources have changed the landscape of learning. Students now have at their fingertips unlimited access to digital content, resources, experts, databases and communities of interest. By effectively maximizing the use of such resources, schools not only have the opportunity to deepen student learning, but they can also develop digital literacy, fluency and citizenship in students/pupils that will prepare them for the high tech world in which they will live, learn and work.

Considerations

There are a number of issues and risks to consider when implementing mobile technologies, these include; security risks in allowing connections to your school/academy network, filtering of personal devices, breakages and insurance, access to devices for all students/pupils, avoiding potential classroom distraction, network connection speeds, types of devices, charging facilities, total cost of ownership

Schools/academies may consider implementing the use of mobile technologies as a means of reducing expenditure on school provided devices. However, it is important to remember that the increased network management costs and overheads involved in implementing this properly are likely to counterbalance or outweigh any savings.

The use of mobile technologies brings both real benefits and challenges for the whole school/academy community – including teachers - and the only effective way for a school to implement these successfully is to involve the whole school community from the outset. Before the school/academy embarks on this path, the risks and benefits must be clearly identified and shared with all stakeholders.

A range of mobile technology implementations is possible. The school/academy should consider the following statements and remove those that do not apply to their planned implementation approach.

● The school/academy acceptable use agreements for staff, pupils/students and parents/carers will give consideration to the use of mobile technologies

● The school allows: (the school/academy should complete the table below to indicate which devices are allowed and define their access to school/academy systems)

School/academy/devices Personal devices

Page 61

● The school/academy has provided technical solutions for the safe use of mobile technology for school/academy devices/personal devices (delete/amend as appropriate):

o All school/academy devices are controlled though the use of Mobile Device Management software

o Appropriate access control is applied to all mobile devices according to the requirements of the user (e.g Internet only access, network access allowed, shared folder network access) o The school/academy has addressed broadband performance and capacity to ensure that core educational and administrative activities are not negatively affected by the increase in the number of connected devices

o For all mobile technologies, filtering will be applied to the internet connection and attempts to bypass this are not permitted

o Appropriate exit processes are implemented for devices no longer used at a school/academy location or by an authorised user. These may include; revoking the link between MDM software and the device, removing proxy settings, ensuring no sensitive data is removed from the network, uninstalling school-licenced software etc.

o All school/academy devices are subject to routine monitoring

o Pro-active monitoring has been implemented to monitor activity

● When personal devices are permitted:

o All personal devices are restricted through the implementation of technical solutions that provide appropriate levels of network access

o Personal devices are brought into the school/academy entirely at the risk of the owner and the decision to bring the device in to the school/academy lies with the user (and their parents/carers) as does the liability for any loss or damage resulting from the use of the device in school

o The school accepts no responsibility or liability in respect of lost, stolen or damaged devices while at school or on activities organised or undertaken by the school (the school recommends insurance is purchased to cover that device whilst out of the home)

o The school/academy accepts no responsibility for any malfunction of a device due to changes made to the device while on the school/academy network or whilst resolving any connectivity issues o The school/academy recommends that the devices are made easily identifiable and have a protective case to help secure them as the devices are moved around the school. Pass-codes or PINs should be set on personal devices to aid security

o The school/academy is not responsible for the day to day maintenance or upkeep of the users personal device such as the charging of any device, the installation of software updates or the resolution of hardware issues

● Users are expected to act responsibly, safely and respectfully in line with current acceptable use agreements, in addition;

o Devices may not be used in tests or exams

3 Authorised device – purchased by the pupil/family through a school-organised scheme. This device may be given full access to the network as if it were owned by the school

4 The school/academy should add below any specific requirements about the use of personal devices in the school/academy e.g. storing in a secure location, use during the day, liability, taking images etc

Page 62

o Visitors should be provided with information about how and when they are permitted to use mobile technology in line with local safeguarding arrangements

o Users are responsible for keeping their device up to date through software, security and app updates. The device is virus protected and should not be capable of passing on infections to the network

o Users are responsible for charging their own devices and for protecting and looking after their devices while in the school/academy

o Personal devices should be charged before being brought to the school/academy as the charging of personal devices is not permitted during the school/academy day

o Devices must be in silent mode on the school/academy site and on school buses o School/academy devices are provided to support learning. It is expected that pupils/students will bring devices to the school/academy as required.

o Confiscation and searching (England) - the school/academy has the right to take, examine and search any device that is suspected of unauthorised use, either technical or inappropriate. o The changing of settings (exceptions include personal settings such as font size, brightness,

etc…) that would stop the device working as it was originally set up and intended to work is not permitted

o The software/apps originally installed by the school/academy must remain on the school/academy owned device in usable condition and be easily accessible at all times. From time to time the school/academy may add software applications for use in a particular lesson. Periodic checks of devices will be made to ensure that users have not removed required apps

o The school/academy will ensure that devices contain the necessary apps for school/academy work. Apps added by the school/academy will remain the property of the school/academy and will not be accessible to students/pupils on authorised devices once they leave the school/academy roll. Any apps bought by the user on their own account will remain theirs.

o Users should be mindful of the age limits for app purchases and use and should ensure they read the terms and conditions before use.

o Users must only photograph people with their permission. Users must only take pictures or videos that are required for a task or activity. All unnecessary images or videos will be deleted immediately

o Devices may be used in lessons in accordance with teacher direction

o Staff owned devices should not be used for personal purposes during teaching sessions, unless in exceptional circumstances

o Printing from personal devices will not be possible

Insurance

Schools/academies that have implemented an authorised device approach (1:1 deployment) may wish to consider how they will insure these devices and should include details of the claims process in this policy.

Social Media Policy Template

Social media (e.g. Facebook, Twitter, LinkedIn) is a broad term for any kind of online platform which enables people to directly interact with each other. However, some games, for example Minecraft or World of Warcraft and video sharing platforms such as You Tube have social media elements to them.

The school/academy recognises the numerous benefits and opportunities which a social media presence offers. Staff, parents/carers and pupils/students are actively encouraged to find creative ways to use social media. However, there are some risks associated with social media use, especially around the issues of safeguarding, bullying and personal reputation. This policy aims to encourage the safe use of social media by the school/academy, its staff, parents, carers and children.

Scope

This policy is subject to the school’s/academy’s codes of conduct and acceptable use agreements. This policy:

Page 63

● Applies to all staff and to all online communications which directly or indirectly, represent the school/academy.

● Applies to such online communications posted at any time and from anywhere. ● Encourages the safe and responsible use of social media through training and education ● Defines the monitoring of public social media activity pertaining to the school/academy

The school/academy respects privacy and understands that staff and pupils/students may use social media forums in their private lives. However, personal communications likely to have a negative impact on professional standards and/or the school’s reputation are within the scope of this policy.

Professional communications are those made through official channels, posted on a school account or using the school/academy name. All professional communications are within the scope of this policy.

Personal communications are those made via a personal social media accounts. In all cases, where a personal account is used which associates itself with, or impacts on, the school/academy, it must be made clear that the member of staff is not communicating on behalf of the school/academy with an appropriate disclaimer. Such personal communications are within the scope of this policy.

Personal communications which do not refer to or impact upon the school/academy are outside the scope of this policy.

Digital communications with pupils/students are also considered. Staff may use social media to communicate with learners via a school/academy social media account for teaching and learning purposes but must consider whether this is appropriate and consider the potential implications.

Organisational control

Roles & Responsibilities

● SLT

o Facilitating training and guidance on Social Media use.

o Developing and implementing the Social Media policy

o Taking a lead role in investigating any reported incidents.

o Making an initial assessment when an incident is reported and involving appropriate staff and external agencies as required.

o Receive completed applications for Social Media accounts

o Approve account creation

● Administrator/Moderator

o Create the account following SLT approval

o Store account details, including passwords securely

o Be involved in monitoring and contributing to the account

o Control the process for managing an account after the lead staff member has left the organisation (closing or transferring)

● Staff

o Know the contents of and ensure that any use of social media is carried out in line with this and other relevant policies

o Attending appropriate training

o Regularly monitoring, updating and managing content he/she has posted via school/academy accounts

o Adding an appropriate disclaimer to personal accounts when naming the school/academy

Process for creating new accounts

The school/academy community is encouraged to consider if a social media account will help them in their work, e.g. a history department Twitter account, or a “Friends of the school” Facebook page. Anyone wishing to create such an account must present a business case to the Leadership Team which covers the following points:-

● The aim of the account

● The intended audience

● How the account will be promoted

● Who will run the account (at least two staff members should be named)

● Will the account be open or private/closed

Page 64

Following consideration by the SLT an application will be approved or rejected. In all cases, the SLT must be satisfied that anyone running a social media account on behalf of the school/academy has read and understood this policy and received appropriate training. This also applies to anyone who is not directly employed by the school/academy, including volunteers or parents.

Monitoring

School/academy accounts must be monitored regularly and frequently (preferably 7 days a week, including during holidays). Any comments, queries or complaints made through those accounts must be responded to within 24 hours (or on the next working day if received at a weekend) even if the response is only to acknowledge receipt. Regular monitoring and intervention is essential in case a situation arises where bullying or any other inappropriate behaviour arises on a school/academy social media account.

Behaviour

● The school/academy requires that all users using social media adhere to the standard of behaviour as set out in this policy and other relevant policies.

● Digital communications by staff must be professional and respectful at all times and in accordance with this policy. Staff will not use social media to infringe on the rights and privacy of others or make ill-considered comments or judgments about staff. School/academy social media accounts must not be used for personal gain. Staff must ensure that confidentiality is maintained on social media even after they leave the employment of the school/academy.

● Users must declare who they are in social media posts or accounts. Anonymous posts are discouraged in relation to school activity.

● If a journalist makes contact about posts made using social media staff must follow the school/academy media policy before responding.

● Unacceptable conduct, (e.g. defamatory, discriminatory, offensive, harassing content or a breach of data protection, confidentiality, copyright) will be considered extremely seriously by the school/academy and will be reported as soon as possible to a relevant senior member of staff, and escalated where appropriate.

● The use of social media by staff while at work may be monitored, in line with school/academy policies. The school/academy permits reasonable and appropriate access to private social media sites. However, where excessive use is suspected, and considered to be interfering with relevant duties, disciplinary action may be taken

● The school/academy will take appropriate action in the event of breaches of the social media policy. Where conduct is found to be unacceptable, the school/academy will deal with the matter internally. Where conduct is considered illegal, the school/academy will report the matter to the police and other relevant external agencies, and may take action according to the disciplinary policy.

Legal considerations

● Users of social media should consider the copyright of the content they are sharing and, where necessary, should seek permission from the copyright holder before sharing.

● Users must ensure that their use of social media does not infringe upon relevant data protection laws, or breach confidentiality.

Handling abuse

● When acting on behalf of the school/academy, handle offensive comments swiftly and with sensitivity. ● If a conversation turns and becomes offensive or unacceptable, school/academy users should block, report or delete other users or their comments/posts and should inform the audience exactly why the action was taken

● If you feel that you or someone else is subject to abuse by colleagues through use of a social networking site, then this action must be reported using the agreed school/academy protocols.

Tone

The tone of content published on social media should be appropriate to the audience, whilst retaining appropriate levels of professional standards. Key words to consider when composing messages are:

● Engaging

● Conversational

Page 65

● Informative

● Friendly (on certain platforms, e.g. Facebook)

Use of images

School/academy use of images can be assumed to be acceptable, providing the following guidelines are strictly adhered to.

● Permission to use any photos or video recordings should be sought in line with the school’s/academy’s digital and video images policy. If anyone, for any reason, asks not to be filmed or photographed then their wishes should be respected.

● Under no circumstances should staff share or upload student/pupil pictures online other than via school/academy owned social media accounts

● Staff should exercise their professional judgement about whether an image is appropriate to share on school/academy social media accounts. Students/pupils should be appropriately dressed, not be subject to ridicule and must not be on any school/academy list of children whose images must not be published.

● If a member of staff inadvertently takes a compromising picture which could be misconstrued or misused, they must delete it immediately.

Personal use

● Staff

o Personal communications are those made via a personal social media accounts. In all cases, where a personal account is used which associates itself with the school or impacts on the school/academy, it must be made clear that the member of staff is not communicating on behalf of the school/academy with an appropriate disclaimer. Such personal communications are within the scope of this policy.

o Personal communications which do not refer to or impact upon the school/academy are outside the scope of this policy.

o Where excessive personal use of social media in school/academy is suspected, and considered to be interfering with relevant duties, disciplinary action may be taken

o The school/academy permits reasonable and appropriate access to private social media sites. ● Pupil/Students

o Staff are not permitted to follow or engage with current or prior pupils/students of the school/academy on any personal social media network account.

o The school’s/academy’s education programme should enable the pupils/students to be safe and responsible users of social media.

o Pupils/students are encouraged to comment or post appropriately about the school/academy. Any offensive or inappropriate comments will be resolved by the use of the school’s/academy’s behaviour policy

● Parents/Carers

o If parents/carers have access to a school learning platform where posting or commenting is enabled, parents/carers will be informed about acceptable use.

o The school/academy has an active parent/carer education programme which supports the safe and positive use of social media. This includes information on the website.

o Parents/Carers are encouraged to comment or post appropriately about the school/academy. In the event of any offensive or inappropriate comments being made, the school/academy will ask the parent/carer to remove the post and invite them to discuss the issues in person. If necessary, refer parents to the school’s/academy’s complaints procedures.

Monitoring posts about the school

● As part of active social media engagement, it is considered good practice to pro-actively monitor the Internet for public postings about the school/academy.

● The school/academy should effectively respond to social media comments made by others according to a defined policy or process.

Page 66

Appendix

Managing your personal use of Social Media:

● “Nothing” on social media is truly private

● Social media can blur the lines between your professional and private life. Don’t use the school/academy logo and/or branding on personal accounts

● Check your settings regularly and test your privacy

● Keep an eye on your digital footprint

● Keep your personal information private

● Regularly review your connections – keep them to those you want to be connected to ● When posting online consider; Scale, Audience and Permanency of what you post

● If you want to criticise, do it politely.

● Take control of your images – do you want to be tagged in an image? What would children or parents say about you if they could see your images?

● Know how to report a problem

Managing school/academy social media accounts

The Do’s

● Check with a senior leader before publishing content that may have controversial implications for the school

● Use a disclaimer when expressing personal views

● Make it clear who is posting content

● Use an appropriate and professional tone

● Be respectful to all parties

● Ensure you have permission to ‘share’ other peoples’ materials and acknowledge the author ● Express opinions but do so in a balanced and measured manner

● Think before responding to comments and, when in doubt, get a second opinion

● Seek advice and report any mistakes using the school’s reporting process

● Consider turning off tagging people in images where possible

The Don’ts

● Don’t make comments, post content or link to materials that will bring the school/academy into disrepute ● Don’t publish confidential or commercially sensitive material

● Don’t breach copyright, data protection or other relevant legislation

● Consider the appropriateness of content for any audience of school/academy accounts, and don’t link to, embed or add potentially inappropriate content

● Don’t post derogatory, defamatory, offensive, harassing or discriminatory content

● Don’t use social media to air internal grievances

Acknowledgements

With thanks to Rob Simmonds of Well Chuffed Comms (wellchuffedcomms.com) and Chelmsford College for allowing the use of their policies in the creation of this policy.

Page 67

School Policy Template – Online Safety Group Terms of Reference

1. Purpose

To provide a consultative group that has wide representation from the [school/academy] community, with responsibility for issues regarding online safety and the monitoring the online safety policy including the impact of initiatives. Depending on the size or structure of the school/academy this group may be part of the safeguarding group. The group will also be responsible for regular reporting to the Full Governing Body.

2. Membership

2.1. The online safety group will seek to include representation from all stakeholders.

The composition of the group should include (N.B. in small schools/academies one member of staff may hold more than one of these posts):

[add/delete where appropriate]

● SLT member/s

● Child Protection/Safeguarding officer

● Teaching staff member

● Support staff member

● Online safety coordinator (not ICT coordinator by default)

● Governor

● Parent/Carer

● ICT Technical Support staff (where possible)

● Community users (where appropriate)

● Student/pupil representation – for advice and feedback. Student/pupil voice is essential in the make-up of the online safety group, but students/pupils would only be expected to take part in committee meetings where deemed relevant.

2.2. Other people may be invited to attend the meetings at the request of the Chairperson on behalf of the committee to provide advice and assistance where necessary.

2.3. Committee members must declare a conflict of interest if any incidents being discussed directly involve themselves or members of their families.

2.4. Committee members must be aware that many issues discussed by this group could be of a sensitive or confidential nature

2.5. When individual members feel uncomfortable about what is being discussed they should be allowed to leave the meeting with steps being made by the other members to allow for these sensitivities

3. Chairperson

The Committee should select a suitable Chairperson from within the group. Their responsibilities include:

● Scheduling meetings and notifying committee members;

● Inviting other people to attend meetings when required by the committee;

● Guiding the meeting according to the agenda and time available;

● Ensuring all discussion items end with a decision, action or definite outcome;

● Making sure that notes are taken at the meetings and that these with any action points are distributed as necessary

4. Duration of Meetings

Meetings shall be held [insert frequency] for a period of [insert number] hour(s). A special or extraordinary meeting may be called when and if deemed necessary.

5. Functions

These are to assist the Online Safety Lead (or other relevant person) with the following [add/delete where relevant]:

● To keep up to date with new developments in the area of online safety

Page 68

● To (at least) annually review and develop the online safety policy in line with new technologies and incidents

● To monitor the delivery and impact of the online safety policy

● To monitor the log of reported online safety incidents (anonymous) to inform future areas of teaching/learning/training.

● To co-ordinate consultation with the whole school/academy community to ensure stakeholders are up to date with information, training and/or developments in the area of online safety. This could be carried out through [add/delete as relevant]:

● Staff meetings

● Student/pupil forums (for advice and feedback)

● Governors meetings

● Surveys/questionnaires for students/pupils, parents/carers and staff

● Parents evenings

● Website/VLE/Newsletters

● Online safety events

● Internet Safety Day (annually held on the second Tuesday in February)

● Other methods

● To ensure that monitoring is carried out of Internet sites used across the school/academy ● To monitor filtering/change control logs (e.g. requests for blocking/uN.B.locking sites). ● To monitor the safe use of data across the school/academy

● To monitor incidents involving cyberbullying for staff and pupils

6. Amendments

The terms of reference shall be reviewed annually from the date of approval. They may be altered to meet the current needs of all committee members, by agreement of the majority

The above Terms of Reference for [insert name of organisation] have been agreed

Signed by (SLT):

Date:

Date for review:

Acknowledgement

This template terms of reference document is based on one provided to schools/academies by Somerset County Council

Legislation

Schools/academies should be aware of the legislative framework under which this online safety policy template and guidance has been produced. It is important to note that in general terms an action that is illegal if committed offline is also illegal if committed online.

Page 69

It is recommended that legal advice is sought in the advent of an online safety issue or situation.

Computer Misuse Act 1990

This Act makes it an offence to:

• Erase or amend data or programs without authority;

• Obtain unauthorised access to a computer;

• “Eavesdrop” on a computer;

• Make unauthorised use of computer time or facilities;

• Maliciously corrupt or erase data or programs;

• Deny access to authorised users.

School/academies may wish to view the National Crime Agency website which includes information about “Cyber crime – preventing young people from getting involved”. Each region in England (& Wales) has a Regional Organised Crime Unit (ROCU) Cyber-Prevent team that works with schools to encourage young people to make positive use of their cyber skills. There is a useful summary of the Act on the NCA site.

Data Protection Act 1998

This protects the rights and privacy of individual’s data. To comply with the law, information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully. The Act states that person data must be:

• Fairly and lawfully processed.

• Processed for limited purposes.

• Adequate, relevant and not excessive.

• Accurate.

• Not kept longer than necessary.

• Processed in accordance with the data subject’s rights.

• Secure.

• Not transferred to other countries without adequate protection.

The Data Protection Act 2018:

Updates the 1998 Act, incorporates the General Data Protection Regulations (GDPR) and aims to: • Facilitate the secure transfer of information within the European Union.

• Prevent people or organisations from holding and using inaccurate information on individuals. This applies to information regarding both private lives or business.

• Give the public confidence about how businesses can use their personal information. • Provide data subjects with the legal right to check the information businesses hold about them. They can also request for the data controller to destroy it.

• Give data subjects greater control over how data controllers handle their data.

• Place emphasis on accountability. This requires businesses to have processes in place that demonstrate how they’re securely handling data.

• Require firms to keep people’s personal data safe and secure. Data controllers must ensure that it is not misused.

• Require the data user or holder to register with the Information Commissioner.

All data subjects have the right to:

• Receive clear information about what you will use their data for.

• Access their own personal information.

• Request for their data to be revised if out of date or erased. These are known as the right to rectification and the right to erasure

• Request information about the reasoning behind any automated decisions, such as if computer software denies them access to a loan.

• Prevent or query about the automated processing of their personal data.

Page 70

Freedom of Information Act 2000

The Freedom of Information Act gives individuals the right to request information held by public authorities. All public authorities and companies wholly owned by public authorities have obligations under the Freedom of Information Act. When responding to requests, they have to follow a number of set procedures.

Communications Act 2003

Sending by means of the Internet a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or sending a false message by means of or persistently making use of the Internet for the purpose of causing annoyance, inconvenience or needless anxiety is guilty of an offence liable, on conviction, to imprisonment. This wording is important because an offence is complete as soon as the message has been sent: there is no need to prove any intent or purpose.

Malicious Communications Act 1988

It is an offence to send an indecent, offensive, or threatening letter, electronic communication or other article to another person.

Regulation of Investigatory Powers Act 2000

It is an offence for any person to intentionally and without lawful authority intercept any communication. Monitoring or keeping a record of any form of electronic communications is permitted, in order to:

• Establish the facts;

• Ascertain compliance with regulatory or self-regulatory practices or procedures;

• Demonstrate standards, which are or ought to be achieved by persons using the system; • Investigate or detect unauthorised use of the communications system;

• Prevent or detect crime or in the interests of national security;

• Ensure the effective operation of the system.

• Monitoring but not recording is also permissible in order to:

• Ascertain whether the communication is business or personal;

• Protect or support help line staff.

• The school reserves the right to monitor its systems and communications in line with its rights under this act.

Trade Marks Act 1994

This provides protection for Registered Trade Marks, which can be any symbol (words, shapes or images) that are associated with a particular set of goods or services. Registered Trade Marks must not be used without permission. This can also arise from using a Mark that is confusingly similar to an existing Mark.

Copyright, Designs and Patents Act 1988

It is an offence to copy all, or a substantial part of a copyright work. There are, however, certain limited user permissions, such as fair dealing, which means under certain circumstances permission is not needed to copy small amounts for non-commercial research or private study. The Act also provides for Moral Rights, whereby authors can sue if their name is not included in a work they wrote, or if the work has been amended in such a way as to impugn their reputation. Copyright covers materials in print and electronic form, and includes words, images, and sounds, moving images, TV broadcasts and other media (e.g. YouTube).

Telecommunications Act 1984

It is an offence to send a message or other matter that is grossly offensive or of an indecent, obscene or menacing character. It is also an offence to send a message that is intended to cause annoyance, inconvenience or needless anxiety to another that the sender knows to be false.

Criminal Justice & Public Order Act 1994

This defines a criminal offence of intentional harassment, which covers all forms of harassment, including sexual. A person is guilty of an offence if, with intent to cause a person harassment, alarm or distress, they:

• Use threatening, abusive or insulting words or behaviour, or disorderly behaviour; or Page 71

• Display any writing, sign or other visible representation, which is threatening, abusive or insulting, thereby causing that or another person harassment, alarm or distress.

Racial and Religious Hatred Act 2006

This Act makes it a criminal offence to threaten people because of their faith, or to stir up religious hatred by displaying, publishing or distributing written material which is threatening. Other laws already protect people from threats based on their race, nationality or ethnic background.

Protection from Harassment Act 1997

A person must not pursue a course of conduct, which amounts to harassment of another, and which he knows or ought to know amounts to harassment of the other. A person whose course of conduct causes another to fear, on at least two occasions, that violence will be used against him is guilty of an offence if he knows or ought to know that his course of conduct will cause the other so to fear on each of those occasions.

Protection of Children Act 1978

It is an offence to take, permit to be taken, make, possess, show, distribute or advertise indecent images of children in the United Kingdom. A child for these purposes is anyone under the age of 18. Viewing an indecent image of a child on your computer means that you have made a digital image. An image of a child also covers pseudo-photographs (digitally collated or otherwise). A person convicted of such an offence may face up to 10 years in prison

Sexual Offences Act 2003

A grooming offence is committed if you are over 18 and have communicated with a child under 16 at least twice (including by phone or using the Internet) it is an offence to meet them or travel to meet them anywhere in the world with the intention of committing a sexual offence. Causing a child under 16 to watch a sexual act is illegal, including looking at images such as videos, photos or webcams, for your own gratification. It is also an offence for a person in a position of trust to engage in sexual activity with any person under 18, with whom they are in a position of trust. (Typically, teachers, social workers, health professionals, connexions staff fall in this category of trust). Any sexual intercourse with a child under the age of 13 commits the offence of rape.

Public Order Act 1986

This Act makes it a criminal offence to stir up racial hatred by displaying, publishing or distributing written material which is threatening. Like the Racial and Religious Hatred Act 2006 it also makes the possession of inflammatory material with a view of releasing it a criminal offence. Children, Families and Education Directorate page 38 April 2007.

Obscene Publications Act 1959 and 1964

Publishing an “obscene” article is a criminal offence. Publishing includes electronic transmission.

Human Rights Act 1998

This does not deal with any particular issue specifically or any discrete subject area within the law. It is a type of “higher law”, affecting all other laws. In the school context, human rights to be aware of include:

• The right to a fair trial

• The right to respect for private and family life, home and correspondence

• Freedom of thought, conscience and religion

• Freedom of expression

• Freedom of assembly

• Prohibition of discrimination

• The right to education

These rights are not absolute. The school is obliged to respect these rights and freedoms, balancing them against those rights, duties and obligations, which arise from other relevant legislation.

Page 72

The Education and Inspections Act 2006

Empowers Headteachers, to such extent as is reasonable, to regulate the behaviour of students/pupils when they are off the school site and empowers members of staff to impose disciplinary penalties for inappropriate behaviour.

The Education and Inspections Act 2011

Extended the powers included in the 2006 Act and gave permission for Headteachers (and nominated staff) to search for electronic devices. It also provides powers to search for data on those devices and to delete data.

(see template policy in these appendices and for DfE guidance -

http://www.education.gov.uk/schools/pupilsupport/behaviour/behaviourpolicies/f0076897/screening-searchi ng-and-confiscation)

The Protection of Freedoms Act 2012

Requires schools to seek permission from a parent/carer to use Biometric systems

The School Information Regulations 2012

Requires schools to publish certain information on its website:

https://www.gov.uk/guidance/what-maintained-schools-must-publish-online

Serious Crime Act 2015

Introduced new offence of sexual communication with a child. Also created new offences and orders around gang crime (including CSE)

Criminal Justice and Courts Act 2015

Revenge porn – as it is now commonly known – involves the distribution of private and personal explicit images or video footage of an individual without their consent, with the intention of causing them embarrassment and distress. Often revenge porn is used maliciously to shame ex-partners. Revenge porn was made a specific offence in the Criminal Justice and Courts Act 2015. The Act specifies that if you are accused of revenge porn and found guilty of the criminal offence, you could be prosecuted and face a sentence of up to two years in prison.

For further guidance or support please contact the Revenge Porn Helpline

Page 73

Links to other organisations or documents

The following links may help those who are developing or reviewing a school online safety policy and creating their online safety provision:

UK Safer Internet Centre

Safer Internet Centre – https://www.saferinternet.org.uk/

South West Grid for Learning - https://swgfl.org.uk/products-services/online-safety/ Childnet – http://www.childnet-int.org/

Professionals Online Safety Helpline - http://www.saferinternet.org.uk/about/helpline Revenge Porn Helpline - https://revengepornhelpline.org.uk/

Internet Watch Foundation - https://www.iwf.org.uk/

Report Harmful Content - https://reportharmfulcontent.com/

CEOP

CEOP - http://ceop.police.uk/

ThinkUKnow - https://www.thinkuknow.co.uk/

Others

LGfL – Online Safety Resources

Kent – Online Safety Resources page

INSAFE/Better Internet for Kids - https://www.betterinternetforkids.eu/

UK Council for Internet Safety (UKCIS) -

https://www.gov.uk/government/organisations/uk-council-for-internet-safety

Netsmartz - http://www.netsmartz.org/

Tools for Schools

Online Safety BOOST – https://boost.swgfl.org.uk/

360 Degree Safe – Online Safety self-review tool – https://360safe.org.uk/

360Data – online data protection self-review tool: www.360data.org.uk

SWGfL Test filtering - http://testfiltering.com/

UKCIS Digital Resilience Framework -

https://www.gov.uk/government/publications/digital-resilience-framework

Bullying/Online-bullying/Sexting/Sexual Harassment

Enable – European Anti Bullying programme and resources (UK coordination/participation through SWGfL & Diana Awards) - http://enable.eun.org/

SELMA – Hacking Hate - https://selma.swgfl.co.uk

Scottish Anti-Bullying Service, Respectme - http://www.respectme.org.uk/

Scottish Government - Better relationships, better learning, better behaviour -

http://www.scotland.gov.uk/Publications/2013/03/7388

DfE - Cyberbullying guidance -

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/374850/Cyberbullying_Advice _for_Headteachers_and_School_Staff_121114.pdf

Childnet – Cyberbullying guidance and practical PSHE toolkit: 

http://www.childnet.com/our-projects/cyberbullying-guidance-and-practical-toolkit Childnet – Project deSHAME – Online Sexual Harrassment

UKSIC – Sexting Resources

Anti-Bullying Network – http://www.antibullying.net/cyberbullying1.htm

Page 74

Ditch the Label – Online Bullying Charity

Diana Award – Anti-Bullying Campaign

Social Networking

Digizen – Social Networking

UKSIC - Safety Features on Social Networks

Children’s Commissioner, TES and Schillings – Young peoples’ rights on social media

Curriculum

SWGfL Evolve - https://projectevolve.co.uk

UKCCIS – Education for a connected world framework

Teach Today – www.teachtoday.eu/

Insafe - Education Resources

Data Protection

360data - free questionnaire and data protection self review tool ICO Guides for Education (wide range of sector specific guides)

DfE advice on Cloud software services and the Data Protection Act IRMS - Records Management Toolkit for Schools

NHS - Caldicott Principles (information that must be released)

ICO Guidance on taking photos in schools

Dotkumo - Best practice guide to using photos

Professional Standards/Staff Training

DfE – Keeping Children Safe in Education

DfE - Safer Working Practice for Adults who Work with Children and Young People Childnet – School Pack for Online Safety Awareness

UK Safer Internet Centre Professionals Online Safety Helpline

Infrastructure/Technical Support

UKSIC – Appropriate Filtering and Monitoring

SWGfL Safety & Security Resources

Somerset - Questions for Technical Support

NCA – Guide to the Computer Misuse Act

NEN – Advice and Guidance Notes

Working with parents and carers

Online Safety BOOST Presentations - parent’s presentation

Vodafone Digital Parents Magazine

Childnet Webpages for Parents & Carers

Get Safe Online - resources for parents

Teach Today - resources for parents workshops/education

Internet Matters

Prevent

Prevent Duty Guidance

Prevent for schools – teaching resources

NCA – Cyber Prevent

Page 75

Childnet – Trust Me

Research

Ofcom –Media Literacy Research

Further links can be found at the end of the UKCIS Education for a Connected World Framework Page 76

Glossary of Terms

AUP/AUA Acceptable Use Policy/Agreement – see templates earlier in this document

CEOP Child Exploitation and Online Protection Centre (part of National Crime Agency, UK Police, dedicated to protecting children from sexual abuse, providers of the Think U Know programmes.

CPD Continuous Professional Development

FOSI Family Online Safety Institute

ICO Information Commissioners Office

ICT Information and Communications Technology

INSET In Service Education and Training

IP address The label that identifies each computer to other computers using the IP (internet protocol) ISP Internet Service Provider

ISPA Internet Service Providers’ Association

IWF Internet Watch Foundation

LA Local Authority

LAN Local Area Network

MAT Multi Academy Trust

MIS Management Information System

NEN National Education Network – works with the Regional Broadband Consortia (e.g. SWGfL) to provide the safe broadband provision to schools across Britain.

Ofcom Office of Communications (Independent communications sector regulator)

SWGfL South West Grid for Learning Trust – the Regional Broadband Consortium of SW Local Authorities – is the provider of broadband and other services for schools and other organisations in the SW

TUK Think U Know – educational online safety programmes for schools, young people and parents.

UKSIC UK Safer Internet Centre – EU funded centre. Main partners are SWGfL, Childnet and Internet Watch Foundation.

UKCIS UK Council for Internet Safety

VLE Virtual Learning Environment (a software system designed to support teaching and learning in an educational setting,

WAP Wireless Application Protocol

A more comprehensive glossary can be found at the end of the UKCIS Education for a Connected World Framework

Copyright of the SWGfL School Online Safety Policy Templates is held by SWGfL. Schools and other educational institutions are permitted free use of the templates. Any person or organisation wishing to use the document for other purposes should seek consent from SWGfL and acknowledge its use.

Every reasonable effort has been made to ensure that the information included in this template is accurate, as at the date of publication in January 2020. However, SWGfL cannot guarantee its accuracy, nor can it accept liability in respect of the use of the material whether in whole or in part and whether modified or not. Suitable legal/professional advice should be sought if any difficulty arises in respect of any aspect of this new legislation or generally to do with school conduct or discipline.

Page 77