October e-safety Policy Template

Author: Jeffery Watson
October 2012

e-Safety Policy Template

Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.

This work, with the exception of logos, and any other content marked with a separate copyright notice, is licensed under a Creative Commons Attribution 3.0 Unported Licence. Attribution should be “© JISC Legal – www.jisclegal.ac.uk – used under Creative Commons Attribution 3.0 Unported Licence” (with clickable URLs where possible). The use of logos in the work is licensed for use only on non-derivative copies. Further information at www.jisclegal.ac.uk/CopyrightPolicy.

Table of Contents

1. Introduction
2. Creation, Monitoring and Review
3. Policy Scope
4. Roles and Responsibilities
5. Security
6. Risk Assessment
7. Behaviour
8. Communications
9. Use of Images and Video
10. Personal Information
11. Education and Training
12. Incidents and Response
13. Feedback and Further Information

Executive Summary

This template is intended as a guide to help colleges write an effective e-safety policy that reflects their unique college community and context. Headings, statements and content may be selected or adapted accordingly. It is assumed that an e-safety audit of existing measures has been carried out, and relevant policies updated. The JISC Legal e-safety policy checklist is also available as a quick reference guide.

JISC Legal is hosted by the University of Strathclyde, a charitable body, registered in Scotland, with registration number SC015263.

1. Introduction

Firstly, it is important for an institution to make clear its general approach to e-safety in terms of teaching and learning. An opening statement is one way to do this and generally should reflect the views of the college as well as some recognition that risks are inherent in such use. A suggested introductory policy statement might include:

“_____________ College recognises the benefits and opportunities which new technologies offer to teaching and learning. We provide internet access to all learners and staff and encourage the use of technologies in order to enhance skills, promote achievement and enable lifelong learning. However, the accessibility and global nature of the internet and different technologies available mean that we are also aware of potential risks and challenges associated with such use. Our approach is to implement appropriate safeguards within the college while supporting staff and learners to identify and manage risks independently and with confidence. We believe this can be achieved through a combination of security measures, training, guidance and implementation of our policies. In furtherance of our duty to safeguard learners and the Every Child Matters agenda, we will do all that we can to make our learners and staff stay e-safe and to satisfy our wider duty of care. This e-safety policy should be read alongside other relevant college policies e.g. Safeguarding, Acceptable Use, eSecurity, Anti Bullying, Disciplinary and Child Protection.”

2. Creation, Monitoring and Review

It is useful not only to indicate who is responsible for writing the policy itself, but also to clarify how that document will be monitored and reviewed. A table detailing this with relevant dates may be useful here. A possible statement might include:

“Our college e-Safety Group is made up of different stakeholders including the e-Safety Officer, the Child Protection Officer, a senior line manager, a member of the IT support system, __ learners from the Student Committee, __ members of teaching staff, ___ members of support staff and __ parents as well as our local community police officer. Consultation was carried out at ___________________________________ [include examples of events e.g. CPD, parents' evening, staff meetings etc.] with a selection of staff, learners and parents before the policy was approved by the senior leadership team and college Governors on ______ October 2012.

The impact of the policy will be monitored regularly with a full review being carried out at least once/twice a year. The policy will also be reconsidered where particular concerns are raised or where an e-safety incident has been recorded.”


3. Policy Scope

It is vital that all parties are aware of who the e-safety policy applies to and when. A suggested statement might include:

“The policy applies to all users/all learners and staff/all members of the college community who have access to the college IT systems, both on the premises and remotely. Any user of college IT systems must adhere to and sign a hard copy of the e-Safety Rules and the Acceptable Use Agreement available at: _____________ [urls provided]. The e-Safety Policy applies to all use of the internet and forms of electronic communication such as email, mobile phones, social media sites, ____________________”.

4. Roles and Responsibilities

All members of the college community should know who is responsible for e-safety. It should be clear to whom they report concerns or gain further information and support. A suggested overall statement might include the following:

“There are clear lines of responsibility for e-safety within the college. The first point of contact should be _____________, the e-Safety/Safeguarding Officer. All staff are responsible for ensuring the safety of learners and should report any concerns immediately to their line manager. All teaching staff are required to deliver __ e-safety lessons to classes and to read through and adhere to the incident reporting procedure as contained in appendix __. When informed about an e-safety incident, staff members must take particular care not to guarantee any measure of confidentiality towards either the individual reporting it, or to those involved. All learners must know what to do if they have e-safety concerns and who to talk to. In most cases, this will be ___________. [Name the individual responsible here and their contact details] Where any report of an e-safety incident is made, all parties should know what procedure is triggered and how this will be followed up. Where management considers it appropriate, the child protection officer may be asked to intervene with appropriate additional support from external agencies.”

To make things very clear to all parties, the college may choose to list all those persons who have responsibility for e-safety and detail their role. This will be specific to your college depending on staff employed and the specific duties they undertake. Below are some examples of roles and responsibilities that may be relevant to a college. The wording will depend on the approach taken by the individual institution.


e-Safety Officer: “The e-Safety Officer [in some cases this may be the Safeguarding/Child Protection Officer] is responsible for keeping up to date with new technologies and their use, as well as attending relevant training. He/She will be expected to lead the e-Safety Group, complete, review and update the e-Safety Policy, deliver staff development and training, record incidents, report any developments and incidents to _____________ and liaise with the local authority and external agencies to promote e-safety within the college community. He/she may also be required to deliver workshops for parents.”

Learner: “Learners are responsible for using the college IT systems and mobile devices in accordance with the college Acceptable Use Policy and e-Safety Rules, which they must sign at the time of registration. [links included]. Learners must act safely and responsibly at all times when using the internet and/or mobile technologies. They are responsible for attending e-safety lessons as part of the curriculum and are expected to know and act in line with other relevant college policies e.g. mobile phone use, sharing images, cyber-bullying etc. They must follow reporting procedures where they are worried or concerned, or where they believe an e-safety incident has taken place involving them or another member of the college community. Further guidance is available. [url provided]”

Staff: “All staff are responsible for using college IT systems and mobile devices in accordance with the college [staff] Acceptable Use Policy and the e-Safety Rules [links included], which they must sign and submit to the e-Safety Officer. Staff are responsible for attending staff training on e-safety and displaying a model example to learners at all times through embedded good practice. All digital communications with learners must be professional at all times and be carried out in line with the college Communications Policy _______ [url provided]. Online communication with learners is restricted to the college network. External platforms not hosted by the college, such as social media sites, may never be used/may be used only where a risk assessment form (contained in appendix __) has been completed by the member of staff and submitted to ____________/with prior written permission from ___________. This policy will, however, be monitored and kept under review. All staff should apply relevant college policies and understand the incident reporting procedures. Any incident that is reported to or discovered by a staff member must be reported to the e-Safety Officer and/or line manager without delay. Further information is available at: ____________.” [url provided]

Other specific parties you may wish to include, if relevant, might be the senior management team, e-Safety Committee, Child Protection Officer, College Principal, Governors and IT staff. The detail here will, naturally, depend on your institution and staff involved.


5. Security

When describing security measures that the college has, or is intending to put in place, it is essential that the appropriate college technical staff are consulted. This will provide the college with expertise and awareness of any technical issues in implementing the strategy. A suggested policy statement might include:

“The college will do all that it can to make sure the college network is safe and secure. Every effort will be made to keep security software up to date. Appropriate security measures will include the use of enhanced filtering and protection of firewalls, servers, routers, work stations etc. to prevent accidental or malicious access of college systems and information. Digital communications, including email and internet postings, over the college network, will be monitored in line with the e-security policy available at: ________.” [url provided].

6. Risk Assessment

Colleges must have risk assessment procedures in place whenever new technologies are being considered or where learning is taking place in a new environment. A suggested policy statement might include:

“In making use of new technologies and external online platforms, all staff must first carry out a risk assessment for e-safety as contained in appendix ___. This consists of a series of questions for the requestor to answer as well as a section in which they can record any relevant comments or evidence. A risk assessment must also be carried out where a learner is learning off site e.g. on work placement. All forms must be submitted to the e-Safety Officer for his/her consideration and approval.”

For examples of questions that might be included, refer to the JISC Legal Web 2.0 Tutor’s Checklist.

7. Behaviour

Online communication can take many forms, whether it is by email, text, webcam or instant chat. It is essential that all learners and staff are aware of existing college policies that refer to acceptable behaviours when communicating online. Possible statements might include:

“_____________ College will ensure that all users of technologies adhere to the standard of behaviour as set out in the Acceptable Use Policy or Staff/Learners Code of Behaviour at: _________. [url provided] The college will not tolerate any abuse of IT systems. Whether offline or online, communications by staff and learners should be courteous and respectful at all times. Any reported incident of bullying or harassment or other unacceptable conduct will be treated seriously and in line with the student and staff disciplinary codes. These are available here: ___________. [url provided]

Where conduct is found to be unacceptable, the college will deal with the matter internally. Where conduct is considered illegal, the college will report the matter to the police. The grid at appendix __ makes it clear what sanctions will be applied for specific behaviours.”

8. Communications

There are a variety of technologies and sites now available through which individuals can communicate with one another. Colleges need to discuss their approach and decide whether particular technologies are permitted and when and how these technologies may be used. The policy will require to be updated in line with the evolving nature of ICT. The college may consider adding a template grid that lists all types of communication technology e.g. email, mobile phones, chat rooms, social media, blogs etc. stating when their use may be permitted and by whom. For example, the use of social media sites may be permitted by learners where this does not interfere with classes attended, OR allowed between ___ and ____p.m. OR not allowed at all, OR allowed with supervision/permission of _________. A possible statement might include:

“_________ College requires all users of IT to adhere to appendix ___ which states clearly when email, mobile phones, social media sites, games consoles, chatrooms, video conferencing and web cameras may be used during the college day. Any extension of this policy will require express written permission of _____________.”

9. Use of Images and Video

Images can be tricky to manage and given the popularity of smart phones and ease of sharing via Facebook, Pinterest etc. these should be included as part of your institution’s policy. The wording of this section will depend on the college’s approach to risk. Images may be downloaded arbitrarily from the internet or they may belong to learners and/or staff. Safeguarding implications should be considered carefully in all cases. A possible statement might be:

“The use of images, or photographs, is popular in teaching and learning and should be encouraged where there is no breach of copyright or other rights of another person (e.g. image rights or rights associated with personal data). This will include images downloaded from the internet and those belonging to staff or learners. All learners and staff should receive training on the risks when taking, downloading and posting images online and making them available to others. There are particular risks where personal images of themselves or others are posted onto social networking sites, for example. ___________ College teaching staff will provide information to learners on the appropriate use of images as detailed in the _____________ policy. This includes photographs of learners and staff as well as using third party images. Our aim is to reinforce good practice as well as offer further information for all users on how to keep their personal information safe. No image/photograph can be copied, downloaded, shared or distributed online without permission from ______________. Photographs of activities on the college premises should be considered carefully and have the consent of ________________ before being published. Approved photographs should not include names of individuals without consent.”

10. Personal Information

Any processing of personal information needs to be done in compliance with the Data Protection Act 1998. This is likely to include content such as student records, e-portfolios and assessed work. The college is legally obliged to take steps to minimise the risk that data will be lost and processed unfairly. The statement included by the college will depend on the internal data protection policy adopted and implemented by the institution. There should be clear links to that policy. Possible statements might include:

“Personal information is information about a particular living person. __________ College collects and stores the personal information of learners and staff regularly e.g. names, dates of birth, email addresses, assessed materials and so on. The college will keep that information safe and secure and will not pass it on to anyone else without the express permission of the learner/parent/carer. [as appropriate] No personal information can be posted to the college website/without the permission of ____________/unless it is in line with our Data Protection Policy. [url provided] Only names and work email addresses of (senior) staff will appear on the college website/no staff/no learners’ personal information will be available on the website without consent. Staff must keep learners’ personal information safe and secure at all times. When using an online platform, all personal information must be password protected. No personal information of individuals is permitted offsite unless the member of staff has the permission of ____________________. Every user of IT facilities is required to log off on completion of any activity, or where they are physically absent from a device for any period. All college mobile devices such as a laptop, USB (containing personal data) require to be encrypted, password protected and signed out by a member of the IT staff before leaving the premises. Where the personal data is no longer required, it must be securely deleted in line with the __________________ policy.”


11. Education and Training

Having an e-safety policy and rules in place is a start. However, without an effective training and education programme, a college is unlikely to meet its wider duty of care. A possible overall statement may include:

“With the current unlimited nature of internet access, it is impossible for the college to eliminate all risks for staff and learners. It is our view therefore, that the college should support staff and learners to stay e-safe through regular training and education. This will provide individuals with skills to be able to identify risks independently and manage them effectively.”

For learners: “Learners will attend ___ e-safety lessons in a session. The first of these will take place on the first day of a new college session/at the beginning of a new college year/during the induction period, with follow up lesson(s) carried out _________ [dates]. The college e-safety lesson plans can be accessed on the network at _________ [url provided]. Issues associated with e-safety apply across the curriculum and learners should receive guidance on what precautions and safeguards are appropriate when making use of the internet and technologies. Learners should also know what to do and who to talk to where they have concerns about inappropriate content, either where that material is directed to them, or where it is discovered as part of a random search. A link to the college e-Safety Rules will appear when users log on to the college network and these rules are highlighted in posters and leaflets around IT areas and work stations. Within classes, learners will be encouraged to question the validity and reliability of materials researched, viewed or downloaded. They will also be encouraged to respect the copyright of other parties and to cite references properly. Information on this can be viewed at: __________.” [url provided]

For staff: “Staff will take part in mandatory e-safety training before beginning a new college year. This will be led by the e-Safety Officer and will take the format of a workshop, allowing teachers hands-on experience. Further resources of useful guidance and information will be issued to all staff following the session. Each member of staff must record the date of the training attended on their CPD calendar. Any new or temporary users will receive training on the college IT system, led by the e-Safety Officer. They will also be asked to sign the college (staff) Acceptable Use Policy and e-Safety Rules.”

12. Incidents and Response

It is important that colleges have in place a clear and consistent procedure when responding to an e-safety incident. All members of the college community should know what this procedure is and how and when it will apply. A suggested statement might include:

“Where an e-safety incident is reported to the college this matter will be dealt with very seriously. The college will act immediately to prevent, as far as reasonably possible, any harm or further harm occurring. If a learner wishes to report an incident, they can do so to their _________ tutor or to the college e-Safety Officer. Where a member of staff wishes to report an incident, they must contact their line manager as soon as possible. Following any incident, the college will review what has happened and decide on the most appropriate and proportionate course of action. Sanctions may be put in place, external agencies may be involved or the matter may be resolved internally depending on the seriousness of the incident. The flow chart in appendix __ lists behaviours and their consequences. This is in line with the college Acceptable Use Policy. Serious incidents will be dealt with by senior management, in consultation with appropriate external agencies.”

13. Feedback and Further Information

“_______________ College welcomes all constructive feedback on this and any other college policy. If you would like further information on e-safety, or wish to send us your comments on our e-Safety Policy, then please contact: _________________, our e-Safety Officer/College Principal at ____________________________. [email address/contact telephone number]”

For more information, go to the Links tab on JISC Legal’s e-safety page.


About JISC Legal

JISC Legal, a JISC Advance service, provides guidance to prevent legal issues being a barrier to the development and adoption of new ICT within the further and higher education sectors. It supports a wide range of staff, including managers, IT directors and staff, library and learning resource staff, administrators, researchers and academics, enabling them to make best use of technology to improve organisational efficiency, enhance learning and teaching, make the most of external engagement and underpin research.

High quality, practical support is delivered through:

- A website with news, FAQs and a range of other resources and tools
- A series of more detailed guidance publications covering all relevant areas of law and practice
- Multimedia presentations and live interactive webcasts
- Training events, seminars and presentations throughout the UK
- Competitively-priced staff development training, delivered at your institution or online
- Commissioned research projects and joint activities with other JISC Advance services
- A short turnaround help desk for specific enquiries

“what a fantastic service you provide to academics … this is a minefield to negotiate and your guiding hand is very welcome” Senior Lecturer, University of London

JISC Legal
Information Services Directorate
University of Strathclyde
Alexander Turnbull Building
155 George Street, Glasgow, G1 1RD

For further information visit www.jisclegal.ac.uk
Email us at [email protected]
Or phone us on 0141 548 4939
