
Storage Security

High standards of security are essential for all personal information but the more sensitive and confidential the information, the higher the security threshold to protect against the harm that might result from an unauthorised disclosure.

The Data Protection Acts, 1988 and 2003 do not detail specific security measures that a Data Controller must have in place. Rather, Section 2(1)(d) of the 1988 Act places an obligation on Data Controllers to have appropriate measures in place to prevent "unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction." The measures must be appropriate in the context of the sensitivity/nature of the data, the risks presented by the processing, the harm which might result from the unlawful processing or unlawful disclosure and the costs of implementing security measures.

Therefore, it is a matter for each school to evaluate its needs in this regard and to set down guidelines for staff on the measures to be adopted to safeguard the data under its control. When determining measures, the following factors need to be taken into account:

  • The state of technological development (security measures must be reviewed over time to ensure that they have not become obsolete by technological advances)
  • The cost of implementing measures (larger organisations with greater resources will be expected to implement more advanced security measures, or update their security measures more regularly than smaller bodies)
  • The harm that might result from unauthorised or unlawful processing (schools/ETBs will need to consider if some damage could result or harm could be suffered as a result of their disclosure or processing of the data)
  • In a school context where sensitive personal data is being processed, security safeguards would have to take due account of this
  • The nature of the data concerned (the more sensitive the data, the greater the need to protect it)

It is advisable that technical assistance be employed in designing these security measures.

Students, parents, staff and others expect that the school/ETB will maintain personal data in a safe and confidential manner. If they can see or access details about others, they may question whether their own information is equally vulnerable. In addition to the potential for a complaint to the Data Protection Commissioner, there can be loss of confidence and potentially reputational damage to the school/ETB. It is therefore important that schools/ETBs ensure that the following general principles are adhered to:

  1. Only authorised people should be able to access, alter, disclose or destroy personal data. A school/ETB as data controller has a duty to limit access to personal data on a “need to know” basis. The more sensitive the data, the greater the duty to limit access to it. Requiring each user to use a unique password to access data is a basic control measure. A password is only useful if staff understand that it must be kept secure. Passwords should be changed regularly in order to minimise the danger of unauthorised individuals gaining access to data.

  2. A designated person should be responsible for security and for periodic reviews of the measures and practices in place.

  3. For helpful guidance on Data Security issued by the Office of the Data Protection Commissioner

  4. A minimum standard of security would include the following:
    • Access to central IT servers to be restricted in a secure location to a limited number of staff, with appropriate procedures for the accompaniment of any non-authorised staff or contractor
    • Encryption of a suitable strength should be used where appropriate. Full disk encryption is vital where personal data is stored on portable devices, e.g. laptops, USB memory sticks etc.
    • Computer systems should only access the internet through an approved internet firewall or other security device. Firewall and anti-virus software should be regularly updated and routinely renewed before licences expire
    • Access to any personal data within a school/ETB to be restricted to authorised staff on a ‘need-to-know’ basis in accordance with a defined policy
    • Access to computer systems should be password protected with other factors of authentication as appropriate to the sensitivity of the information
    • Information on computer screens and manual files to be kept hidden from callers to the school/ETB office
    • All waste papers, printouts, etc. to be disposed of in a secure manner
    • Have a back-up procedure in operation for computer-held data (which may include off-site back-up)
    • Where the school’s back-up data is held (or “hosted”) off site, they are required by law to have a written contract in place (a “data processing agreement”). The contract/data processing agreement must specify the conditions under which the data may be processed, the security conditions attaching to the processing of the data and that the data must be deleted or returned upon completion or termination of the contract.
    • All reasonable measures should be taken to ensure that staff are made aware of the school's/ETB’s security measures and comply with them. Staff must be fully trained
    • Only authorised people should be able to access, alter, disclose or destroy personal data
    • Where appropriate, logs and audit trails should be utilised to identify who accessed what files, when, and what changes were made. Where logging and audit trails are used and the results reviewed, staff should be informed that logging is in place. Further guidance issued by the Office of the Data Protection Commissioner is available.
    • A designated person should be responsible for security and for periodic reviews of the measures and practices in place
    • Complete a risk assessment. Guidelines on completing a risk assessment by using the Compliance Checklist can be accessed on this website (see Auditing through a compliance checklist). This should always be done prior to developing a School/ETB Data Protection Policy
    • Ensure that the school/ETB has its own procedure in place for dealing with data security breaches. See Personal Data Security Breach Code of Practice template.
  5. Staff training: The majority of security incidents involve staff/human error. All staff need to have a basic understanding of data protection requirements:
    • How to keep personal information secure – e.g. protecting and regularly changing passwords, locking computers, confidential waste, clear desk etc.
    • To collect only the personal information they need for a particular school/ETB purpose
    • To update records promptly and accurately – e.g. changes of address etc.
    • To use ID procedures before disclosing information
    • How to handle requests from individuals for their personal information – i.e. data subject access requests
    • Ensure that the school/ETB has its own Code of Practice in place for dealing with data breaches. See Personal Data Security Breach Code of Practice template.
  6. Guidance on Laptops and Other Portable Devices is also available from “Protecting the confidentiality of Personal Data Guidance Note” (CMOD Department of Finance, December 2008).

  7. Summary - Security measures
    • Ensure good technical security, e.g. passwords, encryption, firewalls
    • Ensure good physical security, e.g. locks, alarms, CCTV
    • Ensure high staff awareness
    • Ensure confidential disposal of documents e.g. shredding facilities on every floor and boxes for confidential waste which must be brought to a secure location for onward disposal
    • Review access to premises or equipment
    • Regularly review security arrangements where staff members take personal data off site (e.g. Principal taking files home to work on in spare time). Ensure that the physical files are transported and stored under lock and key and that soft copy files are encrypted and password protected.
    • Ensure periodic checks are carried out on the school's/ETB’s security measures and that where gaps arise, measures are taken to rectify these gaps.
    • Where data is transferred to a third party processor, ensure that you have a written contract in place and a procedure for breach
    • Ensure that the school/ETB has its own procedure in place for dealing with data breaches. See Personal Data Security Breach Code of Practice template.

Given the broader remit of ETBs in providing programmes and services outside of the maintenance of schools (e.g. administration and payment of student support schemes etc.), particular requirements attach to ETBs. These should be factored into the development of any ETB policy on data protection and of supporting protocols/procedures concerned with the specific retention and security of such data. The Data Protection Commissioner has provided guidelines on security and data storage.