Information Security Policy

Introduction

The General Data Protection Regulation (GDPR) requires organisations to process personal data securely. That is:

“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”

This is not a new data protection obligation. Previously, the Data Protection Act 1998 (the 1998 Act) required ‘appropriate technical and organisational measures’. However, GDPR is more specific about what we have to do regarding the security of our information and what are appropriate security measures. Whilst these are broadly equivalent to what was considered good and best practice under the 1998 Act, they are now a legal requirement.

Information is a vital asset to George Watson’s College (“The School”). This policy is concerned with the management and security of the School’s information and information systems, and the responsibilities of those who legitimately process School information on behalf of the School.

This overarching policy document provides an overview of information security and lists the set of Information Security sub-policies which taken together constitute the total Information Security Policy of the School.

Structure

All of these Information Security policies are of equal standing. Although the set should be consistent, for the removal of any doubt, if any inconsistency is found between this overarching policy and any of the sub-policies, this overarching policy will take precedence.

Each of the sub-policies only contains high-level descriptions of requirements and principles. They do not, and are not intended to include detailed descriptions of policy implementation, which will, where necessary, be supplied in the form of separate procedures referenced from the relevant sub-policy.

The sub-policies in the Information Security Policy apply to:

all information systems which are owned by the School, used by the School for business purposes or which are connected to any networks managed by the School
all information which the School processes, irrespective of ownership or form
all staff of the School and any others who may process or access information on behalf of the School.

Some of the sub-policies apply to users of the School systems and are relevant to protect the services provided, the individual user and the School's reputation.

Information Security Principles

The School has adopted the following principles, which underpin this policy:

Information will be protected in line with all relevant School policies and legislation, notably those relating to data protection.
Each body of information, information storage system or an information processing system, will have a nominated owner in the Principal’s Leadership Team (PLT). They will define appropriate use and ensuring that the appropriate security measures are in place to protect the information or system.
Information will be made available solely to those who have a legitimate need for access.
All information will be classified according to an appropriate level of security.
The integrity of information will be maintained.
It is the responsibility of all individuals who have been granted access to information to handle it appropriately in accordance with its classification.
Information will be protected against unauthorised access.
Compliance with the Information Security Policy will be enforced.