Information Risk Management Protective Marking Templates



1. What data do organisations need to secure?
The Data Protection Act 1998 came into force on 1 March 2000, bringing the UK in line with the European Directive on Personal Data (95/46/EC). The Act exists to protect the rights and freedoms of individuals, especially their right to privacy with respect to the processing of personal data.

The Data Protection Act 1998 requires all organisations, including educational organisations, to hold personal data securely.

Personal data
The Data Protection Act applies to personal data (data that applies to a living person) held on a computer system or on paper. Stricter rules apply to sensitive personal data including (but not limited to) special educational needs, health (mental or physical), religious beliefs, racial or ethnic origin and criminal offences.

The first step for all organisations must therefore be to identify, within all the data they hold, which data counts as 'personal'. A quick reference guide produced by the Information Commissioner's Office (ICO) offers guidance on this.

Personal data must be processed in accordance with certain principles and conditions.

Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for longer than is necessary
6. Processed in line with the individual's rights
7. Secure
8. Not transferred to other countries without adequate protection.

Personal data can only be processed under one or more of the following rules:
- An individual has given consent
- It is part of a contract
- It is a legal obligation
- It is necessary to protect the individual
- It is necessary to carry out public functions
- It is in the legitimate interests of the data controller.

While explicit consent must be obtained in many contexts, consent is not required for the purposes of delivering an education within the education sector. However, the reasons for collecting and processing sensitive personal data must be completely transparent.

It is a legal requirement to protect sensitive personal data. In an educational organisation, 'sensitive' personal data would include, for example, data recording that a pupil was considered 'at risk', or that a member of staff had had extended leave for mental health problems. Individuals entrusted with sensitive personal data, however derived, are accountable for its protection and compliance with the law.

Every item of personal data that is held or processed must be accurate, up to date and held for no longer than necessary. When personal data is no longer relevant to the purpose for which it was originally obtained, and/or has reached the end of the period for which it must legally be retained, it must be securely destroyed in accordance with its relevant protective marking.

Where the educational organisation has contracted a third party to manage all or part of its information management through managed services, a policy will need to be in place covering the protection of personal or sensitive data. Responsibility for data security still rests with the educational organisation.

The security of personal data must be maintained, and any disclosure must be properly authorised. There are specific consent requirements in respect of personal data transferred to countries outside the European Economic Area (EEA). You can find further information from the Information Commissioner's Office [http://www.ico.gov.uk].

Other data
Although not defined as personal data, organisations should also secure any data that is critical to the running of their organisation. This might include, for example, all financial data as well as a wide range of correspondence. Educational organisations need to consider the risk of financial loss not only to them but also to another party if there was a breach of security.

2. What should organisations do?

It is a legal requirement of the Data Protection Act 1998 to secure personal data. Data Handling Procedures in Government sets out the measures that government organisations should adopt to protect personal data:
- Users should not remove or copy personal or sensitive personal data from the organisation or authorised premises unless the media is encrypted, is transported securely, and will be stored in a secure location.
- When personal data is required by an authorised user from outside the organisation's premises (for example, by a member of staff, teacher, lecturer, tutor or learner working from their home, or by a contractor) they must have secure remote access to the management information system (MIS) or learning platform.
- Users should protect all portable and mobile devices, including media, used to store and transmit personal data using encryption software.
- Organisations or users should securely delete sensitive personal data or personal data when it is no longer required.

Protective marking
The Cabinet Office recommends applying the Government Protective Marking Scheme to documents, to indicate the level of protection the data requires. Becta recommends that educational organisations apply this scheme, to both paper and electronic documents.

The Protective Marking Scheme has six categories of confidentiality, of which four are applicable to educational institutions. These are, in increasing order: NOT PROTECTIVELY MARKED, PROTECT, RESTRICTED and CONFIDENTIAL.

Educational organisations will typically use NOT PROTECTIVELY MARKED or PROTECT, with some data being RESTRICTED. Section 5 contains guidance on working out the correct protective marking.

Organisations should control access to protected data according to the role of the user. For example, organisations should not, as a matter of course, simply grant every member of staff access to the whole management information system.

Educational organisations should encrypt any data that is marked as PROTECT or higher if this data is removed from, or accessed from outside, any approved secure space. Examples of approved secure spaces include physically secure areas in schools, colleges, universities, local authorities and the premises of support contractors. Educational organisations should also encrypt data marked as PROTECT or higher when it is in transit from one location to another, including transit from one approved secure location to another.

In most cases, electronic transmission (using encrypted email or FTP, for example) and storage of data in electronic format is more secure than paper-based systems.

Where, for example, schools or colleges use managed services for ICT, they should consult their supplier on how to achieve this.

All paper-based secured data should have a header or footer printed on each page containing the Protective Marking. Where paper reports are produced from management information systems, organisations should find out from the supplier what their plans are to achieve this automatically. Where printed material is marked as PROTECT or higher, it should be secured in a lockable area or cabinet.

3. Carrying out an information risk assessment
To manage information risk effectively, organisations should carry out a risk assessment. This will show what security measures are already in place and whether they are the most appropriate (and cost effective) available. ISO/IEC 27005 contains a guide to putting in place a full risk management system.

Carrying out an information risk assessment will generally involve:
- Recognising which risks are present
- Judging the size of the risks
- Prioritising the risks.
