E-Safety Policy

1.   Statement
2.   Scope
3.   Related policies, legislation and guidance
4.   Aims
5.   Procedure
6.   Roles and responsibilities
7.   Safeguarding
8.   Filtering and monitoring
9.   Social media
10. Review

Appendix A: Staff Acceptable Use of ICT Agreement
Appendix B: Student Acceptable Use of ICT Agreement
Appendix C: Delivery of online distance learning
Appendix D: Meeting Digital and Technology Standards

1. Statement
The internet and other information and communications technology (ICT) provide great opportunities for learning and personal growth. However, they also present new challenges and can pose serious risks – such as sexual exploitation, grooming, sexting, cyberbullying, radicalisation and intrusion of data privacy – that can have profound and lasting effects on personal safety, mental and physical wellbeing, and the development of healthy relationships. They may also pose serious cybersecurity risks that affect the integrity of the College’s ICT system. Ashbourne therefore makes all efforts, including technical and educational, to help create a safe yet flexible environment for using such technology at the College.

The College maintains a zero-tolerance approach to any forms of abuse including bullying, whether online and/or in person, sexual harassment and violence, racist, sexist and homophobic (or any other trans-related phobias) behaviour and abuse. Students and staff are encouraged to report any concerns or issues, however small, to a trusted member of staff and/or the Designated Safeguarding Lead (DSL) so that appropriate and timely action can be taken and relevant support offered. The DSL will always be informed of concerns raised.

This policy has been developed by the Principal, who is the Lead Compliance Officer (LCO), in collaboration with the Facilities Manager, the Designated Safeguarding Lead and the Director of Studies. It takes into account guidance issued by the Department for Education and should be read in conjunction with the College’s Child Protection and Safeguarding Policy and Procedures and related safeguarding policies, as well as the Acceptable Use of Information and Communication Technology (ICT) agreements for staff and students in the appendices.

(Back to menu)

2. Scope
2.1 This policy relates to the use of information and communication technology, including:

• Email
• The internet
• Virtual Learning Environments
• Social networking platforms and social mobile apps
• Instant messaging, chat rooms, blogs and message boards
• Mobile phones and smart devices
• Handheld game consoles
• Other photographic or electronic equipment.

2.2 This policy applies to all members of the Ashbourne community, including staff, students, parents and visitors, who have access to and/or are users of the College’s ICT systems, whether on or off the premises. In particular, this policy addresses the (mis)use of any of the above technologies, whether on or off College premises, which affects the welfare of others or where the culture or reputation of the College are put at risk.

2.3 Ashbourne uses Apple computers. JAMF software is installed on all Ashbourne devices which prohibits the uploading of any unauthorised software, so protecting against malware/viruses. This enables the College to keep all installed software uniform and up to date as well as preventing corruption of data. It also updates the operating systems and standard software for all of the College’s computers which ensure compatibility and minimises communication issues.

Network provider Meraki, provides the College with a comprehensive, smart, internet filtering system that offers students a safer online experience without excessive blocking. The College also works with Impero, which provides monitoring and software management in accordance with the Acceptable Use Agreement.

Ashbourne staff and students all have access to an Ashbourne College Gmail account. Google alerts users to suspicious login attempts and blocks them. It also filters spam and phishing emails and scans emails for potential viruses.

(Back to menu)

3. Related policies, legislation and guidance
3.1 Related policies

• Anti-bullying Policy
• Child Protection and Safeguarding Policy and Procedures
• Data Protection Policy
• Health and Safety Policy
• Child-on-Child/Peer-on-Peer Abuse Policy
• RSE Policy
• Student Behaviour and Exclusions Policy
• Staff Code of Conduct

3.2 Relevant legislation and guidance

• DfE Meeting Digital and Technology Standards in Schools and Colleges
• DfE The Prevent duty
• Keeping Children Safe in Education (KCSIE)
• NCSC Cyber security training for school staff
• South West Grid for Learning online safety self-review tool
• UK Safer Internet Centre guidance

(Back to menu)

4. Aims
4.1 Identify roles and responsibilities relating to e-safety at Ashbourne.

4.2 Safeguard and promote the welfare of students by minimising and mitigating against cyberbullying and other forms of abuse.

4.3 Encourage students to make good use of the educational opportunities presented by access to the internet and other electronic communication.

4.4 Minimise the risk of harm to the assets and reputation of the College.

4.5 Help students and staff take responsibility for their own e-safety.

4.6 Ensure students and staff use technology safely and securely.

4.7 Educate members of the Ashbourne community about potential threats and harms arising from internet use.

4.8 Maintain robust systems for filtering, monitoring and cybersecurity.

(Back to menu)

5. Procedure
5.1 e-Safety concerns
e-Safety concerns may fall under three core areas: safeguarding, discipline and cybersecurity. For example, cyberbullying and online grooming fall under safeguarding issues; abusive communications between members of the Ashbourne community fall under disciplinary issues; and external email hacking falls under cybersecurity issues. These are not mutually exclusive so concerns may fall under one or all areas in certain circumstances.

Every e-safety concern will be assessed in relation to safeguarding, discipline and cybersecurity risk. Typically, however, e-safety concerns will be dealt with in the following way:

1. Safeguarding issues will be managed by the DSL in accordance with the Child Protection and Safeguarding Policy.
2. Staff discipline issues will be dealt with by line managers, supported by the Director of Studies, in accordance with the Staff Code of Conduct.
3. Student discipline issues will be dealt with by Personal Tutors, supported by the heads of year, in accordance with the Student Behaviour and Exclusions Policy.
4. Filtering and monitoring online use will be dealt with by the Facilities Team in conjunction with the Principal and Safeguarding Team.
5. Cybersecurity issues will be dealt with by the Facilities Team.

5.2 The liability of the College
Unless negligent under the terms of this policy, the College accepts no responsibility to the student, parents or guardians caused by or arising out of a student’s use of mobile phones, email and the internet whilst at College.

5.3 Take down policy
Should Ashbourne become aware that any resource, image or media have been uploaded which the College does not have the copyright permission to use, it will be removed as soon as practically possible.

5.4 Digital recording
Digital recordings (audio and/or visual) of formal and informal meetings and/or lessons by any member of the Ashbourne community, including students, parents/carers and staff, are not permitted.

5.5 Monitoring and review
e-Safety incidents must be recorded and so will be logged on the College’s Information Management System using the FileMaker academic share database. Should the issue be safeguarding related it will be tagged appropriately with the safeguarding reference and raised with the DSL.

The Principal has responsibility for the implementation and annual review of this policy, in consultation with parents, students and staff. The Principal will consider the record of e-safety incidents and new technologies and will also consider if existing security procedures are adequate.

(Back to menu)

6. Roles and responsibilities
6.1 The Principal
6.1.1 The Principal is responsible for overseeing the safety and wellbeing of all members of the Ashbourne community, including e-safety. The Principal delegates the day-to-day management of issues relating to e-safety to the Facilities Team and the DSL.

6.1.2 The Principal is responsible for ensuring that the Facilities Team, which manages technical e-safety filtering, monitoring and review, receives sufficient support to carry out this task including authorising the acquisition of relevant software as and when necessary. The Principal conducts weekly meetings with the Facilities Team in relation to all aspects of health and safety, including e-safety.

6.1.3 The College takes all reasonable measures to limit exposure to safeguarding risks of those using the ICT systems by having in place appropriate filters and monitoring systems which are designed to protect users from online abuse without “over blocking” or imposing unreasonable restrictions. Filters, monitoring and ensuring their effectiveness is regularly reviewed by the Principal in conjunction with the DSL and Facilities Manager.

6.1.4 The Principal oversees the procedures that follow a serious breach of e-safety or acceptable use, or allegation of such, made by or against a member of the Ashbourne community. The Principal conducts weekly meetings with the DSL relating to all aspects of safeguarding, including e-safety.

6.1.5 The Principal is responsible for ensuring that all staff are prepared for effective filtering and monitoring of online usage. This includes:

• understand their role
• appropriate training
• following policies, processes and procedures
• acting on reports and concerns

6.1.6 The Principal is responsible for ensuring that the e-Safety Policy, and relevant documents, are up to date.

6.2 Facilities Team
The Facilities Manager is part of the Senior Leadership Team and is responsible for the day-to-day maintenance of e-safety in relation to the College’s ICT systems and works closely with the DSL to manage safeguarding concerns. The Facilities Manager is supported in this role by the Facilities Assistant.

Responsibilities include:
6.2.1 Ensuring the College’s infrastructure is secure and not open to malicious attack.

6.2.2 Ensuring that adequate internet filtering is in place across the College’s ICT system.

6.2.3 Ensuring that e-safety breaches are reported to the appropriate person and assisting, where possible, with any necessary follow-up investigations.

6.2.4 Documenting decisions relating to what information is blocked, or allowed, and why.

6.2.5 Ensuring that intuitive monitoring software is up to date and fully operational throughout the College’s ICT system.

6.2.6 Producing risk assessments where required.

6.2.7 Maintaining security through use of privileges and passwords.

6.2.8 Ensuring integrity and consistency of software, including operating systems, used across the College’s devices.

6.2.9 Liaising with the Principal and other relevant parties to discuss current systems, updates and ways in which systems can be improved.

6.2.10 Liaising with the Principal to ensure this policy is up to date and properly distributed and communicated to all members of the Ashbourne Community. This includes requesting, fielding and responding to feedback.

6.3 Designated Safeguarding Lead
The Designated Safeguarding Lead (DSL) is responsible for investigating all e-safety issues that may pose a safeguarding risk; e-safety issues are almost always safeguarding issues and may include serious concerns such as sexting, grooming and cyberbullying. One of the key roles  of the DSL is to see that all members of the Ashbourne community are properly educated to cope with the dangers that may arise from internet use.

The DSL is supported in this role by deputy DSLs. With respect to issues of e-safety, the DSL is required to:

6.3.1 Recognise that e-safety issues most often present a safeguarding risk.

6.3.2 Liaise regularly with the Facilities Team to discuss and investigate e-safety breaches relating to safeguarding.

6.3.3 Organise timely and appropriate staff training in relation to e-safety issues, as part of the College’s safeguarding training.

6.3.4 Working with Facilities Manager and Personal Tutors, provide robust advice regarding online safety, including when accessing online information when away from the College, for the whole Ashbourne community – students, staff, parents and guardians.

6.4 Teaching and operations staff
Teaching and operations staff are responsible for ensuring that:

6.4.1 They have read, understood and signed Ashbourne’s Staff Acceptable Use of ICT Agreement.

6.4.2 They report any suspected misuse or problems through the appropriate channels.

6.5 Students
Students are responsible for ensuring that:

6.5.1 They have read, understood and signed Ashbourne’s Student Acceptable Use Agreement.

6.5.2 They understand the importance of reporting abuse, misuse or access to inappropriate materials.

6.5.3 They are responsible for using the College’s ICT system, and their own devices whilst on the College premises, in a way that complies with the Student Acceptable Use Agreement.

6.5.4 Students are invited to attend half-term update webinars and receive regular newsletters that include important e-Safety information.

6.6 Year 12 Personal Tutors and GCSE leaders
Year 12 Personal Tutors and GCSE leaders are responsible for:

6.6.1 Teaching subject matter that communicates and reinforces the importance of e-safety, with special regard for safeguarding issues; schemes of work for this content must be agreed with the DSL in advance. Year 12 students will cover these issues in personal tutor groups and  in timetabled PSHEE lessons for GCSE.

6.6.2 Reporting any suspected misuse or concerns through the appropriate channels and taking proactive action where required.

6.7 The Student Council
The Student Council is responsible for:

6.7.1 Communicating e-safety concerns of students to appropriate staff.

6.7.2 Understanding the e-safety policy and procedures.

6.8 The Heads of Faculty
The Heads of Faculty are responsible for:

6.8.1 Communicating e-safety concerns of students to appropriate staff.

6.8.2 Communicating to their faculty staff, during half-termly meetings, relevant e-safety material for teaching and awareness.

6.9 Parents and guardians
Parents and guardians are responsible for:

6.9.1 Reading and understanding the e-Safety Policy and Student Acceptable Use Agreement (Appendix B).

6.9.2 Being vigilant and reporting any concerns they have regarding e-safety to the College.

6.9.3 Taking advantage of parents’ evenings to discuss e-safety with teachers.

6.5.4 Parents are invited to attend half-term update webinars and receive regular newsletters that include important e-Safety information.

(Back to menu)

7. Safeguarding
Safeguarding issues can arise in many forms including online. These can be identified by four key areas, otherwise called the 4Cs:

Content: being exposed to illegal, inappropriate, or harmful content, for example: pornography, fake news, racism, misogyny, self-harm, suicide, anti-Semitism, radicalisation and extremism.
Contact: being subjected to harmful online interaction with other users; for example: peer to peer pressure, commercial advertising and adults posing as children or young adults with the intention to groom or exploit them for sexual, criminal, financial or other purposes.
Conduct: online behaviour that increases the likelihood of, or causes, harm; for example, making, sending and receiving explicit images (e.g. consensual and non- consensual sharing of nudes and semi-nudes and/or pornography, sharing other explicit images and online bullying.
Commerce: risks such as online gambling, inappropriate advertising, phishing and/or financial scams.

Students cover these areas in timetabled PSHEE and Personal Tutor sessions, as well as other issues outlined below including self image, relationships, privacy and security and copyright.

7.1 Self-image
Dissatisfaction with the body may arise from exposure to advertising in various off-line media such as television, magazines and cinema. Social media throws up new challenges; for example, it is important for students to know that ‘celebrity’ vloggers/bloggers may be paid by clothing companies to wear their products. It is also important to recognise that social media companies fund themselves through knowing personal profiles and arranging target advertising. Students should therefore understand privacy settings and be able to distinguish adverts from editorial.

7.2 Online relationships
Ashbourne’s safeguarding programme, with particular regard to Relationships and Sex Education (RSE), should help students communicate with and respond to others; understand the effect of teasing, bullying and other behaviours on themselves and others. Students should also be vigilant when making contact with others online, ensure they do not reveal personal details and never agree to meet people in person. Students will discuss grooming, through the PSHEE and Personal Tutoring programmes, and learn to recognise it, resist and how to find support. Students will also discuss ‘sexting’, child-on-child/peer-on-peer abuse and pornography, also with respect to the law and how it is designed to protect them from abuse and not simply to criminalise, in PSHEE and Personal Tutoring sessions. Students must recognise and learn to resist social pressure to send or share sexts.

7.2.1 Sexting and the law
Taking, distributing, possessing or sharing sexually explicit photos and/or recordings of anyone under the age of 18 is illegal. It does not matter if the person has given consent nor does it matter if the person in possession of such imagery is also under 18. Neither does it matter if the image is a selfie. Any involvement relating to explicit images may be investigated by the police and have serious legal and personal repercussions that could affect future employment and education.

What to do if  someone encounters or receives unsolicited inappropriate images/sexts:

• Do not open.
• Do not forward to anyone.
• Do not print.

Inform the Designated Safeguarding Lead immediately.
Further information can be found in Ashbourne’s Relationships and Sex Education Policy and Child-on-Child/Peer-on-Peer Abuse Policy.

7.2.2 Doxxing
Doxxing is the act of revealing identifying information about someone online with malicious intent. This information may include, for example, real names, addresses, contact numbers, emails and social network accounts, passwords, financial details, photos and other personal details and/or association with others. The information may be obtained from anywhere on the internet and then circulated publicly without the person’s permission. Doxxing may constitute an offence under a number of UK laws such as the Data Protection Act, the Protection from Harassment Act and the Computer Misuse Act.

7.3 Online reputation
All members of the Ashbourne community  have considerable control in managing their online presence; for example, it is possible to:

• Delete or de-activate social media accounts.
• Control the audience that reads online posts and unfriend or block communication to/from anyone.
• Change privacy settings and limit advertising.
• When posting, it is vital to remember that information shared is irrecoverable and that others may re-share it, which may affect digital footprints and personal reputation.

7.4 Cyberbullying
As with grooming, bullying, including cyberbullying, is discussed in PSHEE and Personal Tutoring sessions. The College helps educate students to recognise bullying, how to resist it and what support is available to them.

Measures can be taken to counter cyberbullying:

• Unfriend/block
• Inform the site owner
• Inform the DSL
• Resist pressure to upload embarrassing content
• Log off shared computers at the College
• Flaming – avoid arguments on the internet
• Rumours – it is illegal to post an image/video of someone else without their permission
• Hashtags – carefully consider content before posting; these are available to anyone
• Tweets – restrict to chosen people

7.5 Managing information
All members of the Ashbourne community should be aware of identity theft as a result of phishing and hacking.

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, credit card and personal details generally by disguising as a trustworthy entity via email. Most commonly such phishing fraudsters pose as a bank asking assistance in resetting login details. Never open suspicious emails and always be sure that the email address of the sender is authentic.

Hacking is the unauthorised invasion or interception of data usually because ‘foreign’ software (malware or computer viruses) have been unwittingly uploaded onto the device (laptop, i-pad, etc). Protect against this using anti-virus software or as the College does by means of a robust firewall. Only use bona fide software and never use copies (this is illegal of course). Download data from trusted sources and always keep software up to date with the latest version.

Corruption of data – Uploading data infected with a computer virus opens the system and the College’s system to the corruption of data and hence the potential loss of information and damage to the systems as a whole.

7.5.1 Protecting information

7.5.1.1 Usernames and passwords
Each current member of the Ashbourne community has a unique username and password which permits access to the College ICT system. These may only be changed with authorisation from the Facilities Team. Never reveal these details to anyone, as it is equivalent to providing an unfettered hacking opportunity.

7.5.1.2 Backing up data
Always have a second copy of everything produced digitally.

7.5.1.3 Grooming
Be aware of how grooming works online in order to protect personal information and personal safety. Never reveal personal information; never agree to meet anyone encountered online; resist pressure to do things which may be  compromising in any way; be aware and make use of support and help available.

7.5.1.4 Hate speech
Hate speech, potentially leading to actual harm (hate crime), is where the victim, or anyone else, believes they have been attacked based on their race, religion, sex, sexual orientation, gender identity or disability, for example.

7.6 Health, wellbeing, lifestyle
Ashbourne students are encouraged to explore how to maintain physical and emotional wellbeing, positive mental health and a safe and healthy lifestyle, including examining how online technologies can influence, shape and disrupt how we live and behave.

7.7 Privacy and security

7.7.1 Consent, permissions and cookies
All of the Ashbourne community should be aware of the need for national security, safeguarding and personal privacy. The internet is never entirely private so that most users of online services are likely to be giving up personal data which may be collected, used or sold to other services or organisations without their knowledge or, despite the use of cookies, their full consent. This information includes friends, contact, likes, images, videos, voice messages and location.

Everyone should be aware of:

• cookies and how to use permissions to limit access to their data
• the terms and conditions that apply to each app

7.7.2 Data protection
Ashbourne members should be aware of their rights and responsibilities under data protection legislation and to that effect renew their understanding of data protection legislation each year and acknowledge their understanding by signing the Privacy Notice. Ashbourne members should not hold, disclose or share personal information of any other member of the Ashbourne community unless required by law.

7.7.3 Safeguarding and data protection
Safeguarding issues will always come before data protection. When children are suffering from harm or are at risk, concerns must always be shared immediately with the Designated Safeguarding Lead and then the local authority and police, where appropriate.

7.8 Copyright
Copyright is automatic in the UK for the following items; there is need to make an application to protect personal rights as an author:

• Original literary, dramatic, musical or artistic written work
• Non-literary written work such as software
• Recording for film and television
• Broadcasts
• Layout of published editions of written, dramatic and musical works

It is nonetheless possible to copyright any work if preferred, but these rights pertain regardless.

You may sell your copyright and also decide how your work will be used. You may also register with a licensed body who will collect royalties for you and agree licenses with others. You have the right to be identified as the author and may object to any change to the work. If you are an actor you have separate performance rights.

7.8.1 Protection
Copyright protects against copying, distributing, renting or lending of work or performing work in public.

7.8.2 Plagiarism
Plagiarism of any work, whether from the internet or not, may be a civil offence but will certainly lead to the disqualification of any associated work submitted by a student. Please refer to Ashbourne’s Plagiarism Policy.

(Back to menu)

8. Filtering and monitoring
Ashbourne maintains a robust system for filtering and monitoring online use in compliance with KCSIE. The aim of this is to block harmful and inappropriate content without unreasonably impacting teaching and learning, as well as ensuring data security.

It is important to mention, nonetheless, that while the College has systems in place these should not simply replace effective digital citizenship education. Ashbourne believes in creating an environment where all members of the College community understand what is appropriate online behaviour and know how to protect themselves and others.

8.1 Roles and responsibility
The College ensures the effective management of filtering and monitoring systems by assigning clear roles and responsibilities among the senior leadership team, Facilities Team and Designated Safeguarding Lead (DSL), as outlined above in section 6.

The DSL takes lead responsibility for safeguarding and e-safety at the College. This includes overseeing and acting on filtering and monitoring reports, safeguarding concerns and checks to filtering and monitoring systems.

The DSL works closely with other members of the senior leadership team, including the Facilities Manager who is responsible for the technical maintenance and integrity of the College’s systems.

The Facilities Manager takes a lead role in the procurement of systems, identifying risks, carrying out reviews and checks.

All staff and students are briefed on filtering and monitoring and are required to sign and comply with Acceptable Use of ICT Agreements, as appended to this policy.

Staff laptops are also equipped with Jamf software management, providing an additional layer of protection against potentially harmful files.

8.2 Filtering and monitoring standards
Ashbourne applies a multi-layered approach to meet expected standards that maintain a secure digital environment. The systems used include the Cisco Meraki Firewall, Google’s SafeSearch and Jamf software management. Notably, Cisco Meraki Firewall system is continually updated by Cisco Systems Inc., an active member of the Internet Watch Foundation since 2008.

8.3 Blocking harmful and inappropriate content
Safety mechanisms to block harmful and inappropriate content are integral to the College’s Cisco Meraki Firewall, Google SafeSearch and Google Suite systems. These filtering measures apply to all activities conducted on the College’s network, regardless of whether students use their personal devices, ensuring comprehensive protection.

8.4 Effective monitoring strategies
Ashbourne employs comprehensive monitoring strategies, which include active monitoring of the network logs by the Facilities Team. This ensures prompt identification, appropriate consultation with other members of the senior leadership team and DSL and resolution of potential issues, in order to provide a secure and safe online experience for all users.

8.5 Review of filtering and monitoring provision
Ashbourne conducts an annual review of the filtering and monitoring provisions, as part of the annual e-Safety review. This involves members of the senior leadership team, Facilities Team, DSL and collaboration from ICT service providers. The review and its outcomes are recorded for reference and can be made available to those entitled to inspect that information.

9. Social Media
9.1. Use of Ashbourne’s social media channels

Ashbourne social media posts may include:

• Announcements for such things as student achievements, College events and alumni updates
• Press releases
• Marketing campaigns

Ashbourne does not not automatically follow back everyone using its social media. Being followed, using hashtags and mentions of other social media accounts does not imply endorsement from the College.

Ashbourne welcomes feedback and will try to respond to comments where possible and where right to do so. However, the College is not able to reply individually to all messages received.

The use of ‘like’, ‘share’ or ‘comment’ on one of the College’s posts will be publicly visible. Ashbourne may use contact information and/or usernames to respond to messages and/or comments sent to College.

Publicly made posts on the College’s social media may be shared with and/or re-published for Ashbourne’s followers. Usernames of followers are publicly available on our social media channels.

Ashbourne may also receive information from third parties, such as other social media users, if a user is mentioned, tagged or photo shared. The College may tag or share photos or content when uploading to social media platforms.

The College may use analytics or third parties to analyse its social media channels for trends, insights and engagements.

Users may unsubscribe and/or unfollow at any stage.

9.2 Expected behaviour when using Ashbourne social media
The College expects its social media users to offer the same courtesy that it offers them:

• All users must comply with the social media platforms’ terms of use.
• Users are responsible for any content posted, i.e. content the user chooses to share.
• On Facebook Ashbourne will remove, in whole or in part, or ignore posts that are considered inappropriate or private.

The College will remove, block, ban and, if necessary, report users to the associated social media platforms, who violate acceptable norms with direct messages that:

• bully, harass or intimidate
• are unlawful, libellous, defamatory, abusive, threatening, harmful, obscene, profane, sexually oriented or racially abusive
• are deceptive or misleading
• infringe or violate someone else’s rights
• violate the law or intellectual property rights
• are spam (persistent negative and/or abusive tweeting in which the aim is to provoke response)
• advertise products or services
• are irrelevant, off topic, disruptive or repetitive

The College will also remove or ban any users who:

• encourage others to post such messages
• use offensive images as their profile picture
• have an offensive username.

(Back to menu)

10. Policy review
This policy is reviewed annually by members of the senior leadership team, DSL, Facilities Team and in collaboration with external providers. The review takes into account all reports, breaches and outcomes as well as changes in legislation and/or statutory guidance and pertinent technology developments and risks.

Appendix A: Staff Acceptable Use of ICT Agreement

Appendix B: Student Acceptable Use of ICT Agreement

Appendix C: Delivery of online distance learning
Ashbourne has a duty of care to provide the highest standard of education it can and, when circumstances require, believes that an online audio-visual communication tool for learning is necessary to deliver high-quality lessons. The College takes very seriously the need to maintain the highest standards of safeguarding and risk management. Therefore, in order to conduct online audio-visual lessons all staff and students must comply with the following:

1. All lessons must be carried out according to the normal timetable; no lessons outside of normal class hours.
   Teachers will update Ashbourne FileMaker to register student attendance.
2. Lessons will be conducted using GoogleMeet – teachers may choose to use a number of additional tools to support students (e.g. GoogleDocs).
3. Teachers must only use College accounts and software tools to conduct lessons or communicate with students; this means logging out of personal accounts.
4. Lessons will be by invitation: only teachers will initiate and close lessons.
5. The same high standards of personal and professional conduct that are expected in the classroom, from both students and teachers, apply during online lessons, including the use of the integrated chat function. This means maintaining professional teaching standards, using appropriate language, attendance, behaviour and attire.
6. Ashbourne lanyards must be worn and visible, and a suitable dress code maintained in line with College expectations for both students and staff at all times during the lessons.
7. The recording of lessons is not permitted.
8. Teachers must ensure they conduct their audio-visual lessons from a suitable environment, if not in the classroom, and take into consideration what background may appear in the video. No one else should be in the room, if the lesson is not taking place at the College, whilst the lesson is taking place. Teachers must also be vigilant to ensure their audio and visual functions are switched off at the end of the lesson and be aware that some applications can auto-generate captions.
9. Students must also make suitable arrangements to take their audio-visual lessons in an appropriate room; no one else should be in the room whilst the lesson is taking place, including parents. Teachers should be aware, however, that this may not be possible for some students and that parents may also share the same room while online lessons are taking place.
10. If a parent has concerns about any aspect of a lesson they should contact the College directly to discuss it and not raise issues during the lesson itself. All concerns and complaints are taken very seriously and will be dealt with in line with Ashbourne’s Complaints Policy where appropriate.
11. Students will be able to use the audio and visual functions for their lessons, as advised by the local authority; students may be asked to switch off these functions if it will improve connectivity and clearer delivery for the student. Teachers must monitor when students’ cameras and audio are switched on or off.
12. One-to-one lessons and group-classified lessons with only one student will be carried out using audio and visual functions.
13. To avoid disruption from unsolicited pop-ups as well as the exposure of personal data, students and staff must turn off all notifications on their device used for lessons.
14. Ashbourne will conduct spot monitoring of lessons to check compliance.
15. Teachers should be mindful that students working from home may feel lonely, bored or anxious; it is vital to ensure they have regular breaks and where possible be offered strategies for working productively at home. Any concerns about students’ wellbeing should be communicated through the Academic Share on FileMaker and directly with the Personal Tutor. More serious concerns should be communicated directly to the Safeguarding Team and through the Safeguarding Share on FileMaker.

All members of the Ashbourne community will be briefed about these arrangements.

(Back to menu)

Appendix D: Meeting Digital and Technology Standards

1. Broadband internet standards for schools and colleges
The College uses a high-speed 1GB fibre internet leased line connection provided by BT.

1.1 Backup
The leased line has a 50mb broadband backup and 4G routers ready for deployment when needed.

Each service has its own router. Currently, there is no router programming to provide automatic failover to services when required.

The College is in the process of ensuring that each device has access to a second, independent power supply as backup. There is no redundant power option currently.

1.2 Security and safeguarding  
The College uses a Cisco Meraki MX100 Firewall security device to protect the College network from malicious attacks and unauthorised access.

The content filtering system is contained within this device. The filtering system reports on any unauthorised content that is being accessed on the network and reports the user profile to the IT Department. Additional monitoring is also conducted by our IT Department in the libraries and all staff are instructed to be alert for any students accessing inappropriate content or otherwise engaging in inappropriate activities online.

The filtering, monitoring and Firewall system blocks access via VPNs and Proxies.

1.3 References

• KCSIE
• Safer Internet Centre
• UKCIS
• Online Safety Self-Review for Schools

2. Network switching standards for schools and colleges
Cisco Meraki provides two switches in a stack with 40Gbps interconnectivity. The switches provide POE and adhere to IEEE 802.3af.at and are LLDP enabled. They are both linked to the server with a single 10Gbps connection. This will move to two connections when the College upgrades.

Ashbourne’s switches currently have a minimum 512MB of core memory and the following Switch specifications:

• Meraki MX100 switches have dedicated ram of 4gb
• They support 32,000 MAC addresses
• They support spanning tree protocols
• They use non-blocking switch fabric
• They are Energy Efficient Ethernet compliant according to the IEEE standard 802.3az
• Any administrative accounts for the switches that may make configuration changes are limited and have two factor authentication. Access to administrative accounts are controlled by the Head of IT.

2.1 Centrally managed network switching infrastructure
Cisco has a web-based switch platform which enables monitoring, alerts  and reporting. The core network switches are connected to at least 1UPS.

Currently the College has:
1 power supply per switch
1 management module
1 connection for each switch to other critical infrastructure such as routers, servers and other switches.

3. Network cabling standards for schools and colleges
The College uses optical fibre for broadband and connections between buildings. The classroom and administration infrastructure runs on Cat 5E cabling. The Facilities Team carried out the installation of the cabling and undertakes regular fluke-testing to ensure continuity. Any faulty network cables are promptly replaced and connectivity is maintained via WiFi during the replacement period.

• British Standards 6701, 50173 and 50174
  The College is committed to upgrading the cabling system in compliance with these standards in due course.
• BS 6701: Telecommunications Equipment and Cabling
  The College will engage professional technicians to confirm compliance with fire safety and other specific requirements to ensure installation, termination and labelling follow standard guidelines.
• BS EN 50173: Information Technology – Cabling Systems
  Ensures that all components such as patch panels, connectors and outlets match the appropriate cabling performance and that the installation and testing adhere to the standard’s specifications.
• BS EN 50174: Cabling Installation
  Ensures adherence to the standard’s guidelines for proper routing, containment, grounding and bonding. The standard also requires complete documentation of the installation and any subsequent changes.

3.1 Copper cabling
The College’s current cabling is Cat 5E and meets the requirements for all current needs. This will be upgraded to Cat 6 should there be a need to improve resilience and/or bandwidth performance. All equipment is installed using a star network approach, and therefore if one element of the network is disabled it will not affect other parts of the system. The length of any cable in our network is no longer than 90 metres and conforms to bend radius standards. There are no splices in any cables run and the cabling runs separately to any power and other cabling to ensure there is no interference.

3.2 Optical fibre cabling
The College has a minimum 16 core OM4 which complies with BS 6701, 50173, 50174. There is no splicing and the optical fibre between buildings is located underground.

3.3 Installation complying with manufacturers guidance
The installation should comply with BS 6701, 50173, 50174 with regard to specification, installation, operation and maintenance. The installation partners should have the appropriate qualifications and provide an appropriate test report after installation. There should be a minimum 20 year manufacturer’s warranty.

4. Wireless network standards for schools and colleges
Ashbourne’s wireless network is established using Cisco Meraki Access Points strategically installed to ensure comprehensive coverage and seamless connectivity while moving around the buildings. It is managed through the Meraki Dashboard, a web-based platform. The network differentiates between staff and student SSIDs, each password-protected using a robust sequence of numbers, letters, and capital letters.

The wireless standard is WiFi5 (802.11ac) and all access points have 5Gb speeds. It supports segregation between staff and students but does not permit guest users. QoS prioritises voice and internet access.

4.1 Full functionality
This is monitored by our Cisco console.

4.2 Central management
As above this is administrated by the Cisco web-based portal which controls, configures and reports on wireless performance. For example if one point goes down the console will alert the Facilities Team.

• It provides active signal management.
• Configures, monitors and alerts on performance.
• It carries a warranty and supports licenses, software enhancement and firmware updates.
• Training is provided as well as a helpline.
• It is scalable and can accommodate future bandwidth requirements.
• It provides the opportunity to return to the original configuration as required.

4.3 Security features
The College does not allow guest users to access to the network. All other users are authorised by one-step passwords. Cisco firewall protects against interception.

• Each building has its own VLAN
• ACLs (access control lists) are configured into the system.
• WPA2 is installed.
• Wireless intrusion protection is provided by Cisco’s Air Marshall.

The College will consider installing certificate-based authentication and multi-factor identification.

5. Cyber security standards for schools and colleges
Access to the College’s databases and Google Suite (user account management) requires 2-factor authentication. All data handling complies with data protection legislation. Sensitive personal data is processed with the individual’s explicit consent unless exceptional circumstances apply.

Business continuity: criteria for implementing cyber attack response plan
A cyber attack may arise due to unauthorised access to the College’s systems and include, for example, data theft, malware, phishing attacks, systems failure and compromised digital accounts.

5.1 Firewall
A Cisco Meraki firewall protects each device on the network and offers the facility to change the default administrative password and disabling remote access.

• It protects administrators’ access through multi-factor authentication and keeps firmware up to date.
• It monitors and logs all access to the network and blocks unauthorised inbound access.
• In the case of teachers and admin, inbound traffic is permitted to facilitate administrative tasks. In the main this allows access to certain tables in the College FileMaker database system (tutor grade sheets for example).
• All other access to the network is via Cisco’s VPN.

The College will require software to protect devices when accessing untrusted networks.

5.2 Network devices are security enabled, properly configured, up to date and entered in inventory log

• A list of all devices is kept by JAMF software and all devices are auto-locked.
• Unused accounts are removed and JAMF allows changes to be made to default passwords.
• Two factor authentication is required for access to sensitive personal data.
• JAMF prohibits unwanted software to be uploaded or downloaded and Cisco Meraki filters and monitors access to the network.
• Limited password attempts are enforced and all passwords are robust.
• There is no conflict of security between Meraki and JAMF or any other software.
• Devices are never accessed physically and are controlled by a web-based platform.

5.3 Authorised users only
Students have no access to the College databases. Staff have access to academic records but only the administration and admissions teams have access to various other records including personal and sensitive personal data. Personal details such as address, previous schools etc are available to both administration and admissions teams.  Financial data is available only to the finance officers and some members of the SLT. Safeguarding records are accessible to the DSL, DDSLs and some members of the SLT. Staff records through the SCR are accessible to the Head of Administration and their assistant plus some members of the SLT. The Head of Facilities has universal access and is able to update and change software; create new accounts and change privileges on existing accounts. They have a separate account for everyday, non-administrative network use.

5.3.1 Passwords
For access to the FileMaker databases, passwords are created by the Head of Facilities; otherwise Google does not permit the use of weak passwords. Passwords are changed if compromised and, for FileMaker, they are deleted when the corresponding member of staff is no longer employed by the College. Passwords for Google accounts are suspended so as not to destroy data. Ashbourne employs different accounts with different passwords for different purposes and does not use global administrative accounts for routine business purposes.

5.4 Sensitive or personal data protected by multi-factor authentication
Access to the tables for the SCR and Safeguarding is limited to a very few members of the administration team and is protected with 2-factor authentication.

5.5 Anti-malware software
All platforms on the network are Apple based and provided with built in anti-malware. The College uses Gmail and benefits from anti-malware protection provided by Google Suite. JAMF software prevents uploading of any unauthorised software and also eliminates access to executable files.

Google filters and scans all websites on the web, confirming authenticity by means of valid SSL certificates. The Meraki firewall also provides another layer of security.

All of these prevent access to potential malicious websites, unless risk assessed, authorised and documented against a specific business requirement.

5.6 Security of applications
JAMF is installed and mediates external access across the entire network. It prevents unauthorised uploading or downloading of any application.

5.7 Licensed software
Company policy prohibits the use of any unlicensed software or devices. As above JAMF prevents the installation of any unauthorised software.

5.8 Backups
The College holds two copies onsite and one offsite with two hard drives onsite and one offsite. Backups occur nightly and monthly.

5.9 Cyber attacks
These could include: data theft, unauthorised copying of data, data tampering, damaged or disrupted data or any unauthorised access.

The College will report all such incidents to the DFE, the National Cyber Security Centre and Action Fraud.

5.10 Data Protection impact assessments
The College’s systems have been designed to make the risk of data being compromised as small as possible. This has been risk assessed which is reviewed annually. All data is transferred using secure web platforms. The College will check the integrity, confidentiality and availability of the data from time to time and the accuracy and completeness of any data which has been restored. Internal data is not encrypted but emails rely on Google encryption.

Should there be a breach in the security of data, especially with relation to personal data and sensitive personal data, the College would assess the degree of compromise or damage and whether any additional resources are required to restore security.

5.11 Training
All staff are inducted with a privacy notice which informs them of their rights and responsibilities with regard to data protection. In addition, the College refreshes staff understanding of cyber security formally once each year and through email communication should the need arise.

6. Filtering and monitoring standards for schools and colleges
This is dealt with in section 8 of the main body of this e-Safety Policy.

6.1 Actions to mitigate the impact of the disruption

• In the event of a perceived or actual cyber attack the College will disconnect all systems from the internet until the issue has been resolved.
• Offline copies of the database will be shared with relevant staff that require them and teachers would be required to complete paper registers until the systems are back up and running.
• Pertinent authorities will be notified promptly in the event of a confirmed cyber attack. Additionally, parents and students will be informed with guidance on protective measures and potential implications. The College will engage cybersecurity professionals, if necessary, to investigate the nature and extent of the breach and to assist in the restoration of compromised systems. This contingency plan in response to a cyber attack is tested regularly.

6.2 Data protection impact assessment
In instances where personal or sensitive information is suspected to have been breached the Data Protection Policy procedures will come into use.

A cyber attack causing data breaches of sensitive medical or safeguarding information, or illegal access by persons outside of Ashbourne, would need to be managed by following the procedures below:

• Report any serious incidents to the ICO and follow up with any recommendations including liaising with law enforcement.
• Undergoing a review of the firewall and other aspects of the network to bolster security.
• Notifying affected parties promptly and providing advice and support.
• Review and re-educate all members of the Ashbourne community on effective digital citizenship.

7. Cloud solution standards for schools and colleges

The College uses Google Suite and Drive for cloud storage of some records. Access is managed by the Facilities Team via Google’s web platform. Google Suite maintains backups of primary data for disaster recovery and business continuity. The service guarantees a 99.9% uptime, ensuring the reliable availability of cloud solutions.

The College is seeking confirmation that the data is held in the UK; the length of time for which the data is held; and the frequency of backups.

7.1 To ensure best performance the College has reviewed its compliance with:

• Network switches for schools and colleges.
• Network cabling for schools and colleges.
• Wireless network standards for schools and colleges.

7.2 The College uses data transfer on a regular basis for salaries and is investigating secure transfer with respect to:

• Encryption
• Transfer by open standards
• Linking through secure documented application programs.

7.3 Data Protection impact assessment
The College’s data impact assessment is ongoing. Most of the relevant data is personal rather than sensitive, other than salaries.

7.4 National Cyber Security Centre (NCSC)
The College refers to the NCSC for cloud security principles.

Other than the College’s accountants and bank, it does not authorise third parties to process data.

For user account creation College has an approval and removal process for any member of the Ashbourne community who joins or leaves. As stated previously, the College provides one centrally managed account with one log-in for each user. There is a well-established protocol for anyone who joins or leaves the network. Privileges differ according to status: teacher, student, administration or admissions. The College is in the process of documenting the protocol for joining or leaving.

7.5 Data sharing agreement
The College is seeking confirmation from Google that, in the event of a data breach, it will be dealt with promptly. All such breaches have been considered under paragraph 6 of this policy.

8. Servers and storage
The College maintains two onsite servers, one for the system database, FileMaker, and one for records/files storage.

• The College requires an upgrade to dual power supplies for both or provide mirroring servers.
• The servers are backed up daily, with backup copies stored on and offsite.
• Each server is provided with a UPS.
• Mirroring is not provided for currently but the College is investigating RAID arrays or similar.
• In the event of a fault with either server there is one backup at all times. This also serves in lieu of warranties which may have expired.
• Firewall software is provided by Meraki; a duplicate needs to be acquired. The College also needs to confirm cyber security standards are met.

8.1 Servers
Meraki manages the network and automatically reports any faults. It also updates system software automatically.

As above, the College has one spare server in the event of the malfunctioning of either of the servers.

8.2 Servers follow data protection legislation
The College ensures against physical damage to the system by providing one spare server. The College will also duplicate the Meraki network hardware, MX100 firewall going forward. Currently, the College has one spare switch to backup the existing two switches. The firewall guards against virtual damage from cyber attacks.

The College also mitigates against human error by restricting access to certain levels of the system; restricting uploading and downloading of foreign software; and training staff against phishing and related scams.

The College will check to ensure that the system meets cybersecurity standards. This includes potentially upgrading the space which houses our servers.

All of our hardware and software is licensed.

8.3 Data Protection impact assessment (DPIA)
The Compliance Officer is responsible for identifying personal and sensitive personal data.

The Facilities Manager is responsible for creating a DPIA for digital data protection, and is also responsible for account creation including password control and restricting access.

The College is investigating secure means for encrypting data which is transferred outside the College environment (e.g. financial services).

8.3 All servers and storage are energy efficient
Powersave operates on all devices when inactive. This does not impair performance, prevent backups or risks damage to equipment. The College is seeking confirmation that the server has an Energy Star Label.

8.4 Servers are housed in an appropriate physical environment
The College is in the process of creating this space so that it meets or exceeds the required 3400 x 2200 dimensions for a 1000 x 800 cabinet.

The College will ensure that the devices are:

• wall mounted or mounted in a cabinet.
• free from flammable materials.
• have independent, dedicated power supplies.
• have access to adequate cooling or mechanical ventilation.

There should be:

• no windows
• no liquids
• no laptops
• no water or tanks
• no heaters or boilers
• no dust

The servers used are designed to be energy–power efficient. The servers are securely housed and protected.

(Back to menu)