Emma Kitcher, Data Protection Officer
Added Holiday Club into policy
INTRODUCTION
Key Definitions
Scope
Key Legislation / Framework
Accountable Parties
Equipment Security and Integrity
Email Security
Internet Security
Identity, Authentication and Authorisation
Use Of Personal Devices
Accountability, Audit and Compliance
Technical Controls
Procedural Controls
Changes to this Policy
INTRODUCTION
This protocol is intended to support Hopscotch Nurseries and Holiday Club staff in discharging their duties in a way that supports effective information security, protects Hopscotch Nurseries and Holiday Clubs from cyber threats and identifies vulnerabilities.
Information security is made up of three elements:
- Confidentiality: information will only be available to a limited number of individuals.
- Integrity: information is useful, complete and accurate and remains so.
- Availability: information is available when and as required [1].
Without high standards of information security, supported by systematic processes and practice, we cannot realise these concepts within Hopscotch Nurseries.
Should you have any concerns or information security issues that need attention, contact the Data Protection Lead.
Key Definitions
This term is intended to cover information captured by the Data Protection Act 2018 / GDPR (identifiable information about the living), information covered by the Common Law Duty of Confidence / Tort of Misuse of Private Information and, finally, information covered by Article 8 of the European Convention on Human Rights.
Scope
This policy applies to all staff, whether temporary or permanent, and to any third parties accessing the organisation’s information systems.
Key Legislation / Framework
Data Protection legislation mandates the implementation of appropriate organisational and technical measures to ensure the confidentiality, availability and integrity of Hopscotch Nurseries’ information assets and to protect them from unauthorised access, loss, theft, cyber threats and vulnerabilities. This protocol has been developed with reference to Cyber Essentials.
The policy takes into account the following legislation:
- Computer Misuse Act 1990
- The Human Rights Act 1998 (HRA)
- Health and Social Care Act 2012
- Freedom of Information Act 2000
- Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- UK General Data Protection Regulation (EU GDPR) 2016 / Data Protection Act 2018
Accountable Parties
All staff, whether management or administrative, who create, receive and use Personal Confidential Information have responsibilities to ensure effective reporting and management of information security for Hopscotch Nurseries and Holiday Clubs. Employees have a contractual and legal obligation to read and comply with all policies and to attend mandatory training to support the appropriate management of information.
Equipment Security and Integrity
- Staff are responsible for the security of the equipment that has been allocated to them or that they have access to, including any computer terminal and mobile devices, and these must be used in accordance with this protocol.
- Staff must lock screen or log off when leaving terminals or devices unattended. Pressing Windows Key + L is a quick way to do this.
- Anyone who is not authorised to access the network must only be permitted to use terminals or devices under supervision from Hopscotch Nurseries and Holiday Clubs.
- The use of public Wi-Fi when handling customer hosted data or sensitive data is not permitted as it is considered to be unsafe. Contact your line manager for advice and guidance if you find yourself in a situation where you need to use a network other than the one you usually use.
- Staff who have been issued with a laptop, tablet computer, smartphone or other mobile device must ensure that it is always kept secure, especially when travelling.
- When not in use, devices should be kept out of sight and where possible, locked away, especially when travelling in a vehicle. Leaving it in the footwell or on the seat is not acceptable.
- Any device used for work purposes both personal and issued by the organisation MUST have a screen lock enabled.
- Staff should not delete, destroy or modify existing systems, programs, information or data (except as authorised in the proper performance of their duties).
- Staff must not download or install software from external sources without authorisation from the Data Protection Lead. This includes software programs, instant messaging programs, screensavers, photos, video clips and music files.
- Staff must not attach any device or equipment to Hopscotch Nurseries systems without authorisation from the SIRO. This includes any USB flash drive, MP3 player, tablet, smartphone or other similar device, whether connected via the USB port, or in any other way.
- Staff should inform the Data Protection Lead if they suspect a virus. The Data Protection Lead may be required to delete or block access to emails or attachments in the interests of security.
- Staff should not attempt to gain access to restricted areas of the network or systems, or to any other password-protected information, inappropriately.
- USB memory sticks must not be used without the prior permission of your line manager.
Email Security
- Hopscotch Nurseries and Holiday Clubs’ software monitors email traffic for viruses; however, staff should exercise particular caution when opening unsolicited or suspicious emails from unknown sources.
- Email messages may be required to be disclosed in legal proceedings in the same way as paper documents and can be retrieved even once deleted.
- Staff who receive an email in error should inform the sender and delete the erroneous email.
- Staff should not use their own personal email account to send or receive email for the purposes of Hopscotch Nurseries and Holiday Clubs business.
- When sending email that contains sensitive or service user data, staff should always use a secure email service and add password protection to attachments as necessary.
Internet Security
Internet access via Hopscotch Nurseries and Holiday Clubs devices is provided primarily for business purposes. Incidental and occasional personal use of the internet, email and telephone systems is permitted, but should only involve access to trusted sites and appropriate content.
Identity, Authentication and Authorisation
- Passwords must not be shared or written down.
- Password changes must be authorised via the approved processes identified under the IT Security Protocol.
- Authorisation of users must be in line with the approved processes identified under the IT Protocols.
- Role Based Access Controls will be implemented to ensure that access is limited to the correct individuals and the correct information assets.
Use Of Personal Devices
Line Managers are responsible for ensuring that:
- Staff have an appropriate business need to use their personal device for work and that other options (such as IT-issued devices) are not available.
- Staff comply with this protocol and associated procedures.
- The correct process is followed to on-board staff.
- Disciplinary action is taken as appropriate against any member of staff in breach of this protocol.
- Any suspected breach of this protocol is notified to the Data Protection Lead.
- The appropriate IT Lead is notified immediately if a staff member leaves or no longer needs to use their personal device for work purposes.
- The Leaver’s Process is followed to remove access to software and systems as appropriate.
Staff who are using their own device for work purposes must, without exception:
- Have this use approved by their line manager in writing.
- Abide by this and associated policies and procedures.
- Report any suspected breaches of this protocol to their line manager or the Data Protection Lead.
- Understand that failure to comply with the rules contained in this protocol, or any attempt to circumvent the security controls, may result in the withdrawal of this facility and/or disciplinary action.
- Report the loss or theft of a personal device being used for work purposes to their line manager at the earliest possible opportunity.
- Report any lost or stolen devices to their line manager and the Data Protection Lead immediately.
- Keep their username and password secret and not allow anybody else to access the information.
- Take suitable precautions to protect the physical asset in transit and in work locations.
- Not use a shared / communal device.
- Not store personal/confidential information on the device unless absolutely necessary and appropriate security is in place.
- Safely transfer information to the appropriate health and care record as soon as it is practical to do so.
- Avoid downloading software or videos and not open suspicious links.
- Not print documents on a home printer; store them on the shared drive instead.
- Log out of all software and systems, including email, when not in use.
- Only view sensitive documents in the browser and not download them.
- Where possible, create a normal “user” account on the laptop without admin capabilities to undertake the work.
- Additionally, not download any documents to the device unless absolutely necessary. Email attachments can be viewed in the browser, but there may be other systems or portals accessed that permit the download of documents.
Whereas IT-issued devices are configured for appropriate security and remote management, this is not in place for personally owned devices, and so particular steps are taken to reduce the risk to Hopscotch Nurseries and Holiday Clubs or customer data.
- When a new member of staff joins the organisation, the Management Team will make enquiries as to whether a Hopscotch Nurseries and Holiday Clubs issued device will be issued to the new starter.
- Where it is confirmed that the staff member will be using their own device, management must perform the following checks regarding the personal device:
  - Confirm that anti-virus software is installed and will automatically update.
  - Confirm that encryption software is in place.
  - Confirm that device access controls are in place.
  - Ensure that access to Hopscotch Nurseries and Holiday Clubs data is via web browser and that no materials are downloaded to the device itself.
- For use of personal mobile phones, the following will be checked:
  - Default passwords / PINs on the mobile have been changed.
  - Two-factor authentication is used where available.
  - Any unused apps have been removed from the personal mobile and only trusted apps are downloaded.
  - Staff access to software is removed when the individual leaves the organisation.
- Following the review, risks or issues will be reported by the line manager to the Data Protection Lead.
- Following the review, evidence of the review must be retained by the organisation.
Accountability, Audit and Compliance
All information systems will have the facility to produce audit records, so that audits can identify inappropriate use or activity.
Technical Controls
- Only Hopscotch Nurseries issued encrypted media should be used by staff, including CDs, DVDs, USB devices, mobile phones and computers (unless formally approved otherwise).
- User accounts that are not needed must be removed from all computers and devices.
- Anti-virus software must be updated as updates become available.
Procedural Controls
- Staff must undertake regular data security training, and comprehension should be assessed and reported into the appropriate governance group within Hopscotch Nurseries and Holiday Clubs.
- Visitors must always be accompanied when visiting the Hopscotch Nurseries and Holiday Clubs premises.
- Staff must be careful when clicking on links or responding to unusual emails.
- Staff must not use Hopscotch Nurseries and Holiday Clubs equipment for accessing sites unrelated to their work activities unless expressly permitted.
- Employees are required to maintain a clear desk policy by ensuring that all sensitive or confidential information in paper form is removed from desks when not in use and secured in designated storage areas.
- All workstations must be cleared of sensitive information on screens when left unattended. Screens must be locked or logged off to prevent unauthorised access. Regular checks will be conducted to ensure compliance with this policy.
- All staff are required to report any suspected or confirmed security incidents immediately upon discovery. This includes, but is not limited to, data breaches, loss or theft of devices, suspected malware infections, phishing attempts, and unauthorised access or disclosure of sensitive information.
Changes to this Policy
We reserve the right to change this Policy at any time, so please check back regularly to obtain the latest copy of this Policy. Where appropriate, we will notify you of changes to this Policy as soon as possible.
[1] Information Security Management Principles, 2nd Ed.