Appendix A: Staff Acceptable Use of ICT Agreement
Appendix B: Student Acceptable Use of ICT Agreement
Appendix C: Delivery of online distance learning
Appendix D: Meeting Digital and Technology Standards
The internet and other information and communications technology (ICT) provide great opportunities for learning and personal growth. However, they also present new challenges and can pose serious risks – such as sexual exploitation, grooming, sexting, cyberbullying, radicalisation and intrusion of data privacy – that can have profound and lasting effects on personal safety, mental and physical wellbeing, and the development of healthy relationships. They may also pose serious cybersecurity risks that affect the integrity of the College’s ICT system. Ashbourne therefore makes all efforts, including technical and educational, to help create a safe yet flexible environment for using such technology at the College.
The College maintains a zero-tolerance approach to any forms of abuse including bullying, whether online and/or in person, sexual harassment and violence, racist, sexist and homophobic (or any other trans-related phobias) behaviour and abuse. Students and staff are encouraged to report any concerns or issues, however small, to a trusted member of staff and/or the Designated Safeguarding Lead (DSL) so that appropriate and timely action can be taken and relevant support offered. The DSL will always be informed of concerns raised.
This policy has been developed by the Principal, who is the Lead Compliance Officer (LCO), in collaboration with the Facilities Manager, the Designated Safeguarding Lead and the Director of Studies. It takes into account guidance issued by the Department for Education and should be read in conjunction with the College’s Child Protection and Safeguarding Policy and Procedures and related safeguarding policies, as well as the Acceptable Use of Information and Communication Technology (ICT) agreements for staff and students in the appendices.
2.1 This policy relates to the use of information and communication technology, including:
2.2 This policy applies to all members of the Ashbourne community, including staff, students, parents and visitors, who have access to and/or are users of the College’s ICT systems, whether on or off the premises. In particular, this policy addresses the (mis)use of any of the above technologies, whether on or off College premises, which affects the welfare of others or where the culture or reputation of the College are put at risk.
2.3 Ashbourne uses Apple computers. JAMF software, which is installed on all Ashbourne devices, prohibits the uploading of any unauthorised software, so protecting against malware/viruses. This enables the College to keep all installed software uniform and up to date as well as preventing corruption of data. It also updates the operating systems and standard software for all of the College’s computers, which ensures compatibility and minimises communication issues.
Network provider Meraki provides the College with a comprehensive, smart internet filtering system that offers students a safer online experience without excessive blocking. The College also works with Impero, which provides monitoring and software management in accordance with the Acceptable Use Agreement.
Ashbourne staff and students all have access to an Ashbourne College Gmail account. Google alerts users to suspicious login attempts and blocks them. It also filters spam and phishing emails and scans emails for potential viruses.
3. Related policies, legislation and guidance
3.1 Related policies
3.2 Relevant legislation and guidance
4.1 Identify roles and responsibilities relating to e-safety at Ashbourne.
4.2 Safeguard and promote the welfare of students by minimising and mitigating against cyberbullying and other forms of abuse.
4.3 Encourage students to make good use of the educational opportunities presented by access to the internet and other electronic communication.
4.4 Minimise the risk of harm to the assets and reputation of the College.
4.7 Educate members of the Ashbourne community about potential threats and harms arising from internet use.
4.8 Maintain robust systems for filtering, monitoring and cybersecurity.
5.1 e-Safety concerns
e-Safety concerns may fall under three core areas: safeguarding, discipline and cybersecurity. For example, cyberbullying and online grooming fall under safeguarding issues; abusive communications between members of the Ashbourne community fall under disciplinary issues; and external email hacking falls under cybersecurity issues. These are not mutually exclusive so concerns may fall under one or all areas in certain circumstances.
Every e-safety concern will be assessed in relation to safeguarding, discipline and cybersecurity risk. Typically, however, e-safety concerns will be dealt with in the following way:
5.2 The liability of the College
Unless negligent under the terms of this policy, the College accepts no responsibility to the student, parents or guardians caused by or arising out of a student’s use of mobile phones, email and the internet whilst at College.
5.3 Take down policy
Should Ashbourne become aware that any resource, image or media has been uploaded which the College does not have the copyright permission to use, it will be removed as soon as practically possible.
5.4 Monitoring and review
e-Safety incidents must be recorded and so will be logged on the College’s Information Management System using the FileMaker academic share database. Should the issue be safeguarding related it will be tagged appropriately with the safeguarding reference and raised with the DSL.
The Principal has responsibility for the implementation and annual review of this policy, in consultation with parents, students and staff. The Principal will consider the record of e-safety incidents and new technologies and will also consider if existing security procedures are adequate.
6. Roles and responsibilities
6.1 The Principal
6.1.1 The Principal is responsible for overseeing the safety and wellbeing of all members of the Ashbourne community, including e-safety. The Principal delegates the day-to-day management of issues relating to e-safety to the Facilities Team and the DSL.
6.1.2 The Principal is responsible for ensuring that the Facilities Team, which manages technical e-safety filtering, monitoring and review, receives sufficient support to carry out this task including authorising the acquisition of relevant software as and when necessary. The Principal conducts weekly meetings with the Facilities Team in relation to all aspects of health and safety, including e-safety.
6.1.3 The College takes all reasonable measures to limit exposure to safeguarding risks of those using the ICT systems by having in place appropriate filters and monitoring systems which are designed to protect users from online abuse without “over blocking” or imposing unreasonable restrictions. Filters and monitoring, and their effectiveness, are regularly reviewed by the Principal in conjunction with the DSL and Facilities Manager.
6.1.4 The Principal oversees the procedures that follow a serious breach of e-safety or acceptable use, or allegation of such, made by or against a member of the Ashbourne community. The Principal conducts weekly meetings with the DSL relating to all aspects of safeguarding, including e-safety.
6.1.5 The Principal is responsible for ensuring that all staff are prepared for effective filtering and monitoring of online usage. This includes:
6.1.6 The Principal is responsible for ensuring that the e-Safety Policy, and relevant documents, are up to date.
6.2 Facilities Team
The Facilities Manager is part of the Senior Leadership Team and is responsible for the day-to-day maintenance of e-safety in relation to the College’s ICT systems and works closely with the DSL to manage safeguarding concerns. The Facilities Manager is supported in this role by the Facilities Assistant.
6.2.1 Ensuring the College’s infrastructure is secure and not open to malicious attack.
6.2.2 Ensuring that adequate internet filtering is in place across the College’s ICT system.
6.2.3 Ensuring that e-safety breaches are reported to the appropriate person and assisting, where possible, with any necessary follow-up investigations.
6.2.4 Documenting decisions relating to what information is blocked, or allowed, and why.
6.2.5 Ensuring that intuitive monitoring software is up to date and fully operational throughout the College’s ICT system.
6.2.6 Producing risk assessments where required.
6.2.7 Maintaining security through use of privileges and passwords.
6.2.8 Ensuring integrity and consistency of software, including operating systems, used across the College’s devices.
6.2.9 Liaising with the Principal and other relevant parties to discuss current systems, updates and ways in which systems can be improved.
6.2.10 Liaising with the Principal to ensure this policy is up to date and properly distributed and communicated to all members of the Ashbourne Community. This includes requesting, fielding and responding to feedback.
6.3 Designated Safeguarding Lead
The Designated Safeguarding Lead (DSL) is responsible for investigating all e-safety issues that may pose a safeguarding risk; e-safety issues are almost always safeguarding issues and may include serious concerns such as sexting, grooming and cyberbullying. One of the key roles of the DSL is to see that all members of the Ashbourne community are properly educated to cope with the dangers that may arise from internet use.
The DSL is supported in this role by deputy DSLs. With respect to issues of e-safety, the DSL is required to:
6.3.1 Recognise that e-safety issues most often present a safeguarding risk.
6.3.2 Liaise regularly with the Facilities Team to discuss and investigate e-safety breaches relating to safeguarding.
6.3.3 Organise timely and appropriate staff training in relation to e-safety issues, as part of the College’s safeguarding training.
6.3.4 Working with the Facilities Manager and Personal Tutors, provide robust advice regarding online safety, including when accessing online information when away from the College, for the whole Ashbourne community – students, staff, parents and guardians.
6.4 Teaching and operations staff
Teaching and operations staff are responsible for ensuring that:
6.4.1 They have read, understood and signed Ashbourne’s Staff Acceptable Use of ICT Agreement.
6.4.2 They report any suspected misuse or problems through the appropriate channels.
Students are responsible for ensuring that:
6.5.1 They have read, understood and signed Ashbourne’s Student Acceptable Use Agreement.
6.5.2 They understand the importance of reporting abuse, misuse or access to inappropriate materials.
6.5.3 They are responsible for using the College’s ICT system, and their own devices whilst on the College premises, in a way that complies with the Student Acceptable Use Agreement.
6.5.4 Students are invited to attend half-term update webinars and receive regular newsletters that include important e-Safety information.
6.6 Year 12 Personal Tutors and GCSE leaders
Year 12 Personal Tutors and GCSE leaders are responsible for:
6.6.1 Teaching subject matter that communicates and reinforces the importance of e-safety, with special regard for safeguarding issues; schemes of work for this content must be agreed with the DSL in advance. Year 12 students will cover these issues in personal tutor groups and in timetabled PSHEE lessons for GCSE.
6.6.2 Reporting any suspected misuse or concerns through the appropriate channels and taking proactive action where required.
6.7 The Student Council
The Student Council is responsible for:
6.7.1 Communicating e-safety concerns of students to appropriate staff.
6.7.2 Understanding the e-safety policy and procedures.
6.8 The Heads of Faculty
The Heads of Faculty are responsible for:
6.8.1 Communicating e-safety concerns of students to appropriate staff.
6.8.2 Communicating to their faculty staff, during half-termly meetings, relevant e-safety material for teaching and awareness.
6.9 Parents and guardians
Parents and guardians are responsible for:
6.9.3 Taking advantage of parents’ evenings to discuss e-safety with teachers.
6.5.4 Parents are invited to attend half-term update webinars and receive regular newsletters that include important e-Safety information.
Safeguarding issues can arise in many forms including online. These can be identified by four key areas, otherwise called the 4Cs:
Content: being exposed to illegal, inappropriate, or harmful content, for example: pornography, fake news, racism, misogyny, self-harm, suicide, anti-Semitism, radicalisation and extremism.
Contact: being subjected to harmful online interaction with other users; for example: peer to peer pressure, commercial advertising and adults posing as children or young adults with the intention to groom or exploit them for sexual, criminal, financial or other purposes.
Conduct: online behaviour that increases the likelihood of, or causes, harm; for example, making, sending and receiving explicit images (e.g. consensual and non-consensual sharing of nudes and semi-nudes and/or pornography), sharing other explicit images and online bullying.
Commerce: risks such as online gambling, inappropriate advertising, phishing and/or financial scams.
Students cover these areas in timetabled PSHEE and Personal Tutor sessions, as well as other issues outlined below including self image, relationships, privacy and security and copyright.
Dissatisfaction with the body may arise from exposure to advertising in various off-line media such as television, magazines and cinema. Social media throws up new challenges; for example, it is important for students to know that ‘celebrity’ vloggers/bloggers may be paid by clothing companies to wear their products. It is also important to recognise that social media companies fund themselves through knowing personal profiles and arranging target advertising. Students should therefore understand privacy settings and be able to distinguish adverts from editorial.
7.2 Online relationships
Ashbourne’s safeguarding programme, with particular regard to Relationships and Sex Education (RSE), should help students communicate with and respond to others, and understand the effect of teasing, bullying and other behaviours on themselves and others. Students should also be vigilant when making contact with others online, ensure they do not reveal personal details and never agree to meet people in person. Students will discuss grooming, through the PSHEE and Personal Tutoring programmes, and learn to recognise it, resist it and find support. Students will also discuss ‘sexting’, peer-on-peer/child-on-child abuse and pornography in PSHEE and Personal Tutoring sessions, including with respect to the law and how it is designed to protect them from abuse and not simply to criminalise. Students must recognise and learn to resist social pressure to send or share sexts.
7.2.1 Sexting and the law
Taking, distributing, possessing or sharing sexually explicit photos of anyone under the age of 18 is illegal. It does not matter if the person has given consent nor does it matter if the person in possession of such images is also under 18. Neither does it matter if the image is a selfie. Any involvement relating to explicit images may be investigated by the police and have serious legal and personal repercussions that could affect future employment and education.
What to do if someone encounters or receives unsolicited inappropriate images/sexts:
Inform the Designated Safeguarding Lead immediately.
Further information can be found in Ashbourne’s Relationships and Sex Education Policy and Child-on-Child/Peer-on-Peer Abuse Policy.
7.3 Online reputation
All members of the Ashbourne community have considerable control in managing their online presence; for example, it is possible to:
As with grooming, bullying, including cyberbullying, is discussed in PSHEE and Personal Tutoring sessions. The College helps educate students to recognise bullying, how to resist it and what support is available to them.
Measures can be taken to counter cyberbullying:
7.5 Managing information
All members of the Ashbourne community should be aware of identity theft as a result of phishing and hacking.
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, credit card and personal details, generally by posing as a trustworthy entity via email. Most commonly such phishing fraudsters pose as a bank asking for assistance in resetting login details. Never open suspicious emails and always be sure that the email address of the sender is authentic.
Hacking is the unauthorised invasion or interception of data, usually because ‘foreign’ software (malware or computer viruses) has been unwittingly uploaded onto the device (laptop, iPad, etc). Protect against this using anti-virus software or, as the College does, by means of a robust firewall. Only use bona fide software and never use copies (this is illegal of course). Download data from trusted sources and always keep software up to date with the latest version.
Corruption of data – Uploading data infected with a computer virus opens the system and the College’s system to the corruption of data and hence the potential loss of information and damage to the systems as a whole.
7.5.1 Protecting information
Usernames and passwords
Each current member of the Ashbourne community has a unique username and password which permits access to the College ICT system. These may only be changed with authorisation from the Facilities Team. Never reveal these details to anyone, as it is equivalent to providing an unfettered hacking opportunity.
Backing up data
Always have a second copy of everything produced digitally.
Be aware of how grooming works online in order to protect personal information and personal safety. Never reveal personal information; never agree to meet anyone encountered online; resist pressure to do things which may be compromising in any way; be aware and make use of support and help available.
Hate speech
Hate speech, potentially leading to actual harm (hate crime), is where the victim, or anyone else, believes they have been attacked based on their race, religion, sex, sexual orientation, gender identity or disability, for example.
7.6 Health, wellbeing, lifestyle
Ashbourne students are encouraged to explore how to maintain physical and emotional wellbeing, positive mental health and a safe and healthy lifestyle, including examining how online technologies can influence, shape and disrupt how we live and behave.
7.7 Privacy and security
7.7.1 Consent, permissions and cookies
Everyone should be aware of:
7.7.2 Data protection
Ashbourne members should be aware of their rights and responsibilities under data protection legislation and to that effect renew their understanding of data protection legislation each year and acknowledge their understanding by signing the Privacy Notice. Ashbourne members should not hold, disclose or share personal information of any other member of the Ashbourne community unless required by law.
7.7.3 Safeguarding and data protection
Safeguarding issues will always come before data protection. When children are suffering from harm or are at risk, concerns must always be shared immediately with the Designated Safeguarding Lead and then the local authority and police, where appropriate.
Copyright is automatic in the UK for the following items; there is no need to make an application to protect personal rights as an author:
It is nonetheless possible to copyright any work if preferred, but these rights pertain regardless.
You may sell your copyright and also decide how your work will be used. You may also register with a licensed body who will collect royalties for you and agree licences with others. You have the right to be identified as the author and may object to any change to the work. If you are an actor you have separate performance rights.
Copyright protects against copying, distributing, renting or lending of work or performing work in public.
Plagiarism of any work, whether from the internet or not, may be a civil offence but will certainly lead to the disqualification of any associated work submitted by a student. Please refer to Ashbourne’s Plagiarism Policy.
8. Filtering and monitoring
Ashbourne maintains a robust system for filtering and monitoring online use in compliance with KCSIE. The aim of this is to block harmful and inappropriate content without unreasonably impacting teaching and learning, as well as ensuring data security.
It is important to mention, nonetheless, that while the College has systems in place these should not simply replace effective digital citizenship education. Ashbourne believes in creating an environment where all members of the College community understand what is appropriate online behaviour and know how to protect themselves and others.
8.1 Roles and responsibility
The College ensures the effective management of filtering and monitoring systems by assigning clear roles and responsibilities among the senior leadership team, Facilities Team and Designated Safeguarding Lead (DSL), as outlined above in section 6.
The DSL takes lead responsibility for safeguarding and e-safety at the College. This includes overseeing and acting on filtering and monitoring reports, safeguarding concerns and checks to filtering and monitoring systems.
The DSL works closely with other members of the senior leadership team, including the Facilities Manager who is responsible for the technical maintenance and integrity of the College’s systems.
The Facilities Manager takes a lead role in the procurement of systems, identifying risks, carrying out reviews and checks.
All staff and students are briefed on filtering and monitoring and are required to sign and comply with Acceptable Use of ICT Agreements, as appended to this policy.
Staff laptops are also equipped with Jamf software management, providing an additional layer of protection against potentially harmful files.
8.2 Filtering and monitoring standards
Ashbourne applies a multi-layered approach to meet expected standards that maintain a secure digital environment. The systems used include the Cisco Meraki Firewall, Google’s SafeSearch and Jamf software management. Notably, Cisco Meraki Firewall system is continually updated by Cisco Systems Inc., an active member of the Internet Watch Foundation since 2008.
8.3 Blocking harmful and inappropriate content
Safety mechanisms to block harmful and inappropriate content are integral to the College’s Cisco Meraki Firewall, Google SafeSearch and Google Suite systems. These filtering measures apply to all activities conducted on the College’s network, regardless of whether students use their personal devices, ensuring comprehensive protection.
8.4 Effective monitoring strategies
Ashbourne employs comprehensive monitoring strategies, which include active monitoring of the network logs by the Facilities Team. This ensures prompt identification, appropriate consultation with other members of the senior leadership team and DSL and resolution of potential issues, in order to provide a secure and safe online experience for all users.
8.5 Review of filtering and monitoring provision
Ashbourne conducts an annual review of the filtering and monitoring provisions, as part of the annual e-Safety review. This involves members of the senior leadership team, Facilities Team, DSL and collaboration from ICT service providers. The review and its outcomes are recorded for reference and can be made available to those entitled to inspect that information.
9. Social Media
9.1. Use of Ashbourne’s social media channels
Ashbourne social media posts may include:
Ashbourne does not automatically follow back everyone using its social media. Being followed, using hashtags and mentions of other social media accounts does not imply endorsement from the College.
Ashbourne welcomes feedback and will try to respond to comments where possible and where right to do so. However, the College is not able to reply individually to all messages received.
The use of ‘like’, ‘share’ or ‘comment’ on one of the College’s posts will be publicly visible. Ashbourne may use contact information and/or usernames to respond to messages and/or comments sent to the College.
Publicly made posts on the College’s social media may be shared with and/or re-published for Ashbourne’s followers. Usernames of followers are publicly available on our social media channels.
Ashbourne may also receive information from third parties, such as other social media users, if a user is mentioned, tagged or photo shared. The College may tag or share photos or content when uploading to social media platforms.
The College may use analytics or third parties to analyse its social media channels for trends, insights and engagements.
Users may unsubscribe and/or unfollow at any stage.
The College will remove, block, ban and, if necessary, report to the associated social media platforms any users who violate acceptable norms with direct messages that:
The College will also remove or ban any users who:
10. Policy review
This policy is reviewed annually by members of the senior leadership team, DSL, Facilities Team and in collaboration with external providers. The review takes into account all reports, breaches and outcomes as well as changes in legislation and/or statutory guidance and pertinent technology developments and risks.
|Authorised by|The Principal|
|Effective date of the policy|September 2023|
|Circulation|Teaching staff / all staff / parents / Students on request|
|Review date|September 2024|
Appendix A: Staff Acceptable Use of ICT Agreement
Appendix B: Student Acceptable Use of ICT Agreement
Appendix C: Delivery of online distance learning
Ashbourne has a duty of care to provide the highest standard of education it can and, when circumstances require, believes that an online audio-visual communication tool for learning is necessary to deliver high-quality lessons. The College takes very seriously the need to maintain the highest standards of safeguarding and risk management. Therefore, in order to conduct online audio-visual lessons all staff and students must comply with the following:
All members of the Ashbourne community will be briefed about these arrangements.
1. Broadband internet standards for schools and colleges
The College uses a high-speed 1GB fibre internet leased line connection provided by BT.
The leased line has a 50mb broadband backup and 4G routers ready for deployment when needed.
Each service has its own router. Currently, there is no router programming to provide automatic failover to services when required.
The College is in the process of ensuring that each device has access to a second, independent power supply as backup. There is no redundant power option currently.
1.2 Security and safeguarding
The College uses a Cisco Meraki MX100 Firewall security device to protect the College network from malicious attacks and unauthorised access.
The content filtering system is contained within this device. The filtering system reports on any unauthorised content that is being accessed on the network and reports the user profile to the IT Department. Additional monitoring is also conducted by our IT Department in the libraries and all staff are instructed to be alert for any students accessing inappropriate content or otherwise engaging in inappropriate activities online. The filtering, monitoring and Firewall system blocks access via VPNs and Proxies.
2. Network switching standards for schools and colleges
Cisco Meraki provides two switches in a stack with 40Gbps interconnectivity. The switches provide PoE, adhere to IEEE 802.3af/at and are LLDP enabled. They are both linked to the server with a single 10Gbps connection. This will move to two connections when the College upgrades.
Ashbourne’s switches currently have a minimum 512MB of core memory and the following Switch specifications:
2.1 Centrally managed network switching infrastructure
Cisco has a web-based switch platform which enables monitoring, alerts and reporting. The core network switches are connected to at least 1 UPS.
Currently the College has:
1 power supply per switch
1 management module
1 connection for each switch to other critical infrastructure such as routers, servers and other switches.
3. Network cabling standards for schools and colleges
The College uses optical fibre for broadband and connections between buildings. The classroom and administration infrastructure runs on Cat 5E cabling. The Facilities Team carried out the installation of the cabling and undertakes regular fluke-testing to ensure continuity. Any faulty network cables are promptly replaced and connectivity is maintained via WiFi during the replacement period.
3.1 Copper cabling
The College’s current cabling is Cat 5E and meets the requirements for all current needs. This will be upgraded to Cat 6 should there be a need to improve resilience and/or bandwidth performance. All equipment is installed using a star network approach, and therefore if one element of the network is disabled it will not affect other parts of the system. The length of any cable in our network is no longer than 90 metres and conforms to bend radius standards. There are no splices in any cables run and the cabling runs separately to any power and other cabling to ensure there is no interference.
3.2 Optical fibre cabling
The College has a minimum 16 core OM4 which complies with BS 6701, 50173, 50174. There is no splicing and the optical fibre between buildings is located underground.
3.3 Installation complying with manufacturer’s guidance
The installation should comply with BS 6701, 50173, 50174 with regard to specification, installation, operation and maintenance. The installation partners should have the appropriate qualifications and provide an appropriate test report after installation. There should be a minimum 20 year manufacturer’s warranty.
4. Wireless network standards for schools and colleges
Ashbourne’s wireless network is established using Cisco Meraki Access Points strategically installed to ensure comprehensive coverage and seamless connectivity while moving around the buildings. It is managed through the Meraki Dashboard, a web-based platform. The network differentiates between staff and student SSIDs, each password-protected using a robust sequence of numbers, letters, and capital letters.
The wireless standard is WiFi5 (802.11ac) and all access points have 5Gb speeds. It supports segregation between staff and students but does not permit guest users. QoS prioritises voice and internet access.
4.1 Full functionality
This is monitored by our Cisco console.
4.2 Central management
As above, this is administered by the Cisco web-based portal which controls, configures and reports on wireless performance. For example, if one point goes down the console will alert the Facilities Team.
4.3 Security features
The College does not allow guest users to access the network. All other users are authorised by one-step passwords. Cisco firewall protects against interception.
The College will consider installing certificate-based authentication and multi-factor identification.
5. Cyber security standards for schools and colleges
Access to the College’s databases and Google Suite (user account management) requires 2-factor authentication. All data handling complies with data protection legislation. Sensitive personal data is processed with the individual’s explicit consent unless exceptional circumstances apply.
Business continuity: criteria for implementing cyber attack response plan
A cyber attack may arise due to unauthorised access to the College’s systems and include, for example, data theft, malware, phishing attacks, systems failure and compromised digital accounts.
A Cisco Meraki firewall protects each device on the network and offers the facility to change the default administrative password and disable remote access.
The College will require software to protect devices when accessing untrusted networks.
5.2 Network devices are security enabled, properly configured, up to date and entered in inventory log
5.3 Authorised users only
Students have no access to the College databases. Staff have access to academic records but only the administration and admissions teams have access to various other records including personal and sensitive personal data. Personal details such as address, previous schools, etc. are available to both administration and admissions teams. Financial data is available only to the finance officers and some members of the SLT. Safeguarding records are accessible to the DSL, DDSLs and some members of the SLT. Staff records through the SCR are accessible to the Head of Administration and their assistant plus some members of the SLT. The Head of Facilities has universal access and is able to update and change software, create new accounts and change privileges on existing accounts. They have a separate account for everyday, non-administrative network use.
For access to the FileMaker databases, passwords are created by the Head of Facilities; otherwise Google does not permit the use of weak passwords. Passwords are changed if compromised and, for FileMaker, they are deleted when the corresponding member of staff is no longer employed by the College. Passwords for Google accounts are suspended so as not to destroy data. Ashbourne employs different accounts with different passwords for different purposes and does not use global administrative accounts for routine business purposes.
5.4 Sensitive or personal data protected by multi-factor authentication
Access to the tables for the SCR and Safeguarding is limited to a very few members of the administration team and is protected with 2-factor authentication.
5.5 Anti-malware software
All platforms on the network are Apple-based and provided with built-in anti-malware. The College uses Gmail and benefits from anti-malware protection provided by Google Suite. JAMF software prevents uploading of any unauthorised software and also eliminates access to executable files.
Google filters and scans all websites on the web, confirming authenticity by means of valid SSL certificates. The Meraki firewall also provides another layer of security.
All of these prevent access to potentially malicious websites, unless risk assessed, authorised and documented against a specific business requirement.
5.6 Security of applications
JAMF is installed and mediates external access across the entire network. It prevents unauthorised uploading or downloading of any application.
5.7 Licensed software
Company policy prohibits the use of any unlicensed software or devices. As above, JAMF prevents the installation of any unauthorised software.
The College holds two copies onsite and one offsite with two hard drives onsite and one offsite. Backups occur nightly and monthly.
5.9 Cyber attacks
These could include: data theft, unauthorised copying of data, data tampering, damaged or disrupted data or any unauthorised access.
The College will report all such incidents to the DfE, the National Cyber Security Centre and Action Fraud.
5.10 Data Protection impact assessments
The College’s systems have been designed to make the risk of data being compromised as small as possible. This has been risk assessed, and the assessment is reviewed annually. All data is transferred using secure web platforms. The College will check the integrity, confidentiality and availability of the data from time to time and the accuracy and completeness of any data which has been restored. Internal data is not encrypted but emails rely on Google encryption.
Should there be a breach in the security of data, especially with relation to personal data and sensitive personal data, the College would assess the degree of compromise or damage and whether any additional resources are required to restore security.
All staff are inducted with a privacy notice which informs them of their rights and responsibilities with regard to data protection. In addition, the College refreshes staff understanding of cyber security formally once each year and through email communication should the need arise.
6. Filtering and monitoring standards for schools and colleges
This is dealt with in section 8 of the main body of this e-Safety Policy.
6.1 Actions to mitigate the impact of the disruption
6.2 Data protection impact assessment
In instances where personal or sensitive information is suspected to have been breached, the Data Protection Policy procedures will come into use.
A cyber attack causing data breaches of sensitive medical or safeguarding information, or illegal access by persons outside of Ashbourne, would need to be managed by following the procedures below:
7. Cloud solution standards for schools and colleges
The College uses Google Suite and Drive for cloud storage of some records. Access is managed by the Facilities Team via Google’s web platform. Google Suite maintains backups of primary data for disaster recovery and business continuity. The service guarantees a 99.9% uptime, ensuring the reliable availability of cloud solutions.
The College is seeking confirmation that the data is held in the UK; the length of time for which the data is held; and the frequency of backups.
7.1 To ensure best performance the College has reviewed its compliance with:
7.2 The College uses data transfer on a regular basis for salaries and is investigating secure transfer with respect to:
7.3 Data Protection impact assessment
The College’s data impact assessment is ongoing. Most of the relevant data is personal rather than sensitive, other than salaries.
7.4 National Cyber Security Centre (NCSC)
The College refers to the NCSC for cloud security principles.
Other than the College’s accountants and bank, it does not authorise third parties to process data.
For user account creation, the College has an approval and removal process for any member of the Ashbourne community who joins or leaves. As stated previously, the College provides one centrally managed account with one log-in for each user. There is a well-established protocol for anyone who joins or leaves the network. Privileges differ according to status: teacher, student, administration or admissions. The College is in the process of documenting the protocol for joining or leaving.
7.5 Data sharing agreement
The College is seeking confirmation from Google that, in the event of a data breach, it will be dealt with promptly. All such breaches have been considered under paragraph 6 of this policy.
8. Servers and storage
The College maintains two onsite servers, one for the system database, FileMaker, and one for records/files storage.
Meraki manages the network and automatically reports any faults. It also updates system software automatically.
As above, the College has one spare server in the event of the malfunctioning of either of the servers.
8.2 Servers follow data protection legislation
The College ensures against physical damage to the system by providing one spare server. The College will also duplicate the Meraki network hardware, MX100 firewall, going forward. Currently, the College has one spare switch to back up the existing two switches. The firewall guards against virtual damage from cyber attacks.
The College also mitigates against human error by restricting access to certain levels of the system; restricting uploading and downloading of foreign software; and training staff against phishing and related scams.
The College will check to ensure that the system meets cybersecurity standards. This includes potentially upgrading the space which houses our servers.
All of our hardware and software is licensed.
8.3 Data Protection impact assessment (DPIA)
The Compliance Officer is responsible for identifying personal and sensitive personal data.
The Facilities Manager is responsible for creating a DPIA for digital data protection, and is also responsible for account creation including password control and restricting access.
The College is investigating secure means for encrypting data which is transferred outside the College environment (e.g. financial services).
8.3 All servers and storage are energy efficient
Powersave operates on all devices when inactive. This does not impair performance, prevent backups or risk damage to equipment. The College is seeking confirmation that the server has an Energy Star Label.
8.4 Servers are housed in an appropriate physical environment
The College is in the process of creating this space so that it meets or exceeds the required 3400 x 2200 dimensions for a 1000 x 800 cabinet.
The College will ensure that the devices are:
There should be:
The servers used are designed to be energy and power efficient. The servers are securely housed and protected.