List of active policies
|Saints Tutor T&C||Site policy||All users|
INTERNET USAGE POLICY
2. Saints Tutor Usage
3. Internet Usage Compliance
South Africa has enshrined the right to privacy within the South African Bill of Rights (Constitution of the Republic of South Africa, 1996) and has given effect to that right through the Protection of Personal Information Act (4 of 2013) (“POPIA”). The School is committed to protecting the privacy of our pupils, employees, and partners, in line with POPIA and related South African legislation, global leading practices, and our commitment to good institutional governance. This regulation:
· articulates St Andrew’s institutional stance on privacy; and
· clarifies POPIA’s principles within St Andrew’s institutional context and values.
b. IMPLEMENTATION OF THIS REGULATION
This regulation applies to all:
· School pupils and staff (both permanent and temporary), members of all other members of the school community, and third party suppliers and vendors; and
· processes that include the processing of personal information, including but not limited to institutional business processes and academic (teaching and learning) processes.
‘Data subject’, as defined in POPIA, means the person to whom personal information relates. Data subjects may include, but are not limited to:
· prospective pupils;
· old boys;
· employment candidates;
· visitors; and
· members of the public.
‘Personal information’, as defined in POPIA, means information relating to an identifiable, living individual or identifiable, existing company, including, but not limited to:
· information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
· information relating to the education or the medical, financial, criminal or employment history of the person;
· any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
· the biometric information of the person;
· the personal opinions, views or preferences of the person;
· correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
· the views or opinions of another individual about the person; and
· the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
A ‘Process’ is a collection of practices influenced by the school’s policies and procedures that takes inputs from a number of sources (including other processes), manipulates the inputs and produces outputs (such as products or services)
‘Process owner’ is the individual accountable for the performance of a process in realising its objectives, driving process improvement, and approving process changes. Process owners include, but are not limited to, academic staff and non-academic staff.
‘Processing’, as defined in POPIA means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information including:
· the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
· disseminations by means of transmission, distribution, or making available in any other form; or
· merging, linking, as well as restriction, degradation, erasure, or destruction of information.
d. PURPOSE OF THIS REGULATION
This regulation, through clarifying foundational principles that give effect to the right to privacy, establishes and enables an institutional framework for the processing of personal information that positions respect for data subjects, transparency, accountability, and auditability at its core.
e. AIM OF THIS REGULATION
· articulates St Andrew’s School’s institutional stance on privacy;
· supports efforts to give effect to the constitutional right to privacy within St Andrew’s School; and
· supports the management of risks and opportunities surrounding personal information processing.
f. REGULATION PRINCIPLES
POPIA’s definition of processing establishes a phased lifecycle for personal information. When considered alongside international legislation, this regulation positions four distinct phases within the lifecycle:
Planning and design activities that take place before actual processing of personal information.
Collection and Creation
Collection, receipt, creation, recording of personal information.
Organisation, collation, storage, securing, updating or modification, access, retrieval, alteration, consultation or use, dissemination, merging, linking, restriction, degradation of personal information.
Erasure or destruction of personal information.
Though process owners must apply all of the principles of protecting personal information throughout the entire lifecycle, this regulation establishes, by phase, when the application of (or the articulation of the application of) a principle is most pertinent.
Phase 1: Preliminary
Principle 1: Privacy by design
Process owners must give effect to the right to privacy by design within their processes before processing starts. Process owners must thus consider privacy and the protection of personal information during the analysis and design of their processes. Specifically, process owners must, during the design of a new process or review and analysis of an existent process:
· conduct a privacy impact assessment to determine the lawfulness of and to identify and evaluate risks associated with the proposed processing of personal information;
· use the outcomes of the assessment to identify and design appropriate and reasonable measures within their processes to mitigate identified risks (which may include halting a process determined as unlawful); and
· document the outcomes of the assessment and how it informed the design of the process.
Principle 2: Secure by design and by default
Process owners must, utilising the outcomes of the privacy impact assessment, identify, design, implement, and document reasonable technical, organisational, and procedural information security and cyber security measures within their processes to ensure the confidentiality, integrity, and availability of personal information.
Phase 2: Collection and Creation
Principle 3: Minimal processing
Process owners must ensure that their processes do not collect more personal information than is necessary or relevant to the process.
Principle 4: Accuracy
Decisions made on inaccurate information may expose the school, process owner, and data subject to unnecessary risk or harm. Process owners must take reasonable measures to ensure the accuracy of any collected personal information. Where reasonably possible, process owners must ensure that their processes collect personal information directly from data subjects.
Principle 5: Notification
Process owners must take reasonably practicable steps to notify data subjects of any personal information processing.
Principle 6: Consent
Any consent to the processing of personal information, according to POPIA, must be “voluntary, specific, and an informed expression of will in terms of which permission is given for the processing of personal information.” If consent is the basis for the processing activity, data subjects must be able to freely withdraw consent.
Consent is not always necessary, practical, or desirable for every potential process. Consent should only be used as a justification to process personal information if no other grounds exist. If the processing of personal information is required to conclude or perform in terms of a contract or to comply with legislation, obtaining consent is never appropriate, because the data subject will not be able to withdraw the consent.
Process owners must thus determine the need for consent during the design of their process (i.e. as part of the privacy impact assessment). If process owners identify a need to capture consent, such consent processes must align with the provisions of POPIA.
Phase 3: Utilisation
Principle 7: For specific purposes
Process owners must ensure that any processing of personal information must align with the original specified and documented purpose for collecting the personal information as specified in the privacy notice or consent procedures (see principles 5 and 6).
Some further processing of personal information may be allowable under law when such processing aligns with the original specified purpose for collecting the personal information.
Principle 8: Access
Process owners must ensure that their processes give effect to all data subject rights. This includes giving data subjects access to mechanisms that allow them:
· access to their personal information;
· to change or correct their personal information; and
· to have their personal information deleted if the information is inaccurate, irrelevant or if St Andrew’s School is no longer authorised to have it (see principle 10 for more detail).
Principle 9: Breach notification
POPIA expects St Andrew’s School to have procedures in place to detect, report, investigate, and contain personal information breaches. The School already has existent breach procedures in place. Where reasonably possible, process owners must ensure that their processes align with the institutional breach procedures.
Where process owners cannot reasonably align their processes with the institutional procedures, they must still establish breach procedures aligned with the outcomes of their privacy impact assessment (see principle 1).
Phase 4: Disposal
Principle 10: Defensible disposal
Process owners should not keep personal information for longer than is required. POPIA considers the storage and retention of personal information as processing of personal information (see definitions). Long-term storage may also expose the school, the process owner, and the data subjects to unnecessary risk. Process owners must ensure the proper disposal of a record or personal information as soon as reasonably practicable after achieving the purpose for which the information was originally collected (see principle 7) through:
· archiving records with vital or historical value;or
· destruction, deletion, or de-identification of a record or personal information.
g. NON-COMPLIANCE WITH THIS REGULATION
Failure to apply and explain the principles within this regulation to processing of personal information may render the School or the individuals, involved with processing, non-compliant with South African privacy-related legislation. This non-compliance may lead to fines and claims against St Andrew’s School and/or the individuals involved under South African legislation. Non-compliance may further expose the School to significant reputational harm and data subjects to unnecessary risk and harm.
Based on the nature of the non-compliance, St Andrew’s School may execute its information breach procedures.
St Andrew’s School may take disciplinary action against staff or pupils for non-compliance with this regulation. St Andrew’s School may take action, as allowed by contractual agreement or relevant legislation, against members of the school community and third party suppliers and vendors for non-compliance with this regulation.
h. CONTROL OVER THIS REGULATION
The headmaster owns these regulations as statutory Information Officer. He is ultimately accountable for all processing of personal information within St Andrew’s School and thereby responsible for the existence, implementation, monitoring of compliance, and reporting compliance and non-compliance of this regulation to the Board of Governors.
2. WEBSITES AND SOFTWARE USAGE
a. GENERAL PERSONAL INFORMATION COLLECTED ON OUR WEBSITES
Saints Tutor also uses your data as set out below.
b. LEGAL BASIS FOR THE USE OF PERSONAL DATA ON SAINTS TUTOR
If you have a School account, and use this to access Saints Tutor, our legal basis for using your personal information is to allow us to deliver our contractual obligations to you as a user of our service.
c. DATA HELD BY SAINTS TUTOR
Data held by Saints Tutor includes your name, and email address, as well as your School information, such as your ID number, username and enrolled paper information. It may contain other user contributed information.
Saints Tutor logs contain detailed information about user activity within each course, including the date and time of when course-specific information was viewed and/or updated, the address of the machine from which the access was made, the browser identification information and information about the referring web page. Logs are used to create summary statistics which may be made internally available. Summary statistics do not include personal data.
The Saints Tutor system contains information about contributions to courses, including contributions to chat rooms and discussion forums, ownership of resources, assignment/file submissions, text matching scores and evidence of participation in other Saints Tutor-based activities.
Information and data related to users, including grades, feedback comments, scores, completion data, access rights and group membership is also recorded.
Additional personal data may be held within individual courses, either within documents/resources uploaded to the course, or within activities within the course. Other than contributions to chat rooms and discussion forums which are submitted by individuals in a personal capacity, course maintainers are responsible for the information held about you that may be uploaded onto such courses.
d. HOW SAINTS TUTOR USES YOUR PERSONAL INFORMATION
Saints Tutor records and uses your personal information to:
· Provide you an account to access, and be identifiable within, the School’s Learning Management System (Saints Tutor)
· Provide you access to papers/sites within Saints Tutor
· Provide you the ability to upload, amend and delete certain information within Saints Tutor
· Provide you access to the information, resources and activities uploaded to Saints Tutor
· Control access to different parts of the system.
· Help support Saints Tutor users
· For system administration and bug tracking
· Report on course, resource and activity access, activity completion, course completion and course data (such as grades, scores, submissions and content uploaded)
· For producing usage statistics for management and planning purposes
Individual papers within Saints Tutor may collect additional personal information in order to:
· Provide services to the users
· Facilitate and support business processes
· Support users in their use of Saints Tutor
A non-exhaustive list of examples of this may include:
· User feedback
· Data collection for the purposes of business processes
· Contact information
· Application information
e. SOURCE OF SAINTS TUTOR INFORMATION
For all users, Saints Tutor records information supplied by the user. This includes information entered into your profile (such as telephone numbers, addresses) and data automatically entered via the School Admin Management System (SA-SAMS), such as username and ID number.
As well as the information that you upload and submit to Saints Tutor, Saints Tutor also contains additional information.
For users who identify themselves to the system with their School Username, Saints Tutor uses information supplied by:
· Relevant School departmental systems and services.
Additional information may be uploaded onto individual papers by users of the system.
f. WHAT ARE THE PERMISSIONS NEEDED FOR THE GOOGLE INTEGRATIONS TO WORK?
· profile - To view basic profile info
· email - To view email address
· openid - To authenticate using OpenID
https://www.googleapis.com/auth/drive - To upload, download, update, and delete files in Google Drive. To create, access, update, and delete native Google documents in Google Drive. To manage files and documents in your Google Drive (e.g., search, organize, and modify permissions and other metadata, such as title)
g. WHO HAS ACCESS TO SAINTS TUTOR DATA
The IT Administrator and headmaster have access to all information stored within Saints Tutor for the purposes set out above.
All course administrators and maintainers have access to the personal information of the other users of that course.
Relevant subsets of this data may be passed to disciplinary panels (set up according to the school’s Code of Conduct) as part of an investigation into computer misuse.
h. SAINTS TUTOR DATA RETENTION
Information and data uploaded to Saints Tutor, including accounts, papers and about contributions to courses, including contributions to chat rooms and discussion forums, ownership of resources and evidence of participation in other Saints Tutor-based activities may be retained indefinitely.
Saints Tutor data is backed up by the IT administrator. The backups are held for the purpose of reinstatement of the data, e.g. in the event of failure of a system component.
3. INTERNET USAGE COMPLIANCE AGREEMENT
This Internet Usage Compliance Agreement applies to all individuals, employees and learners of St Andrew’s school and affiliates who have access to computers and the Internet to be used in the performance of their work. Use of the Internet is permitted and encouraged where such use supports the goals and objectives of the school. However, access to the Internet through St Andrews and affiliates is a privilege and every person granted access must adhere to the policies concerning Computer, Email and Internet usage. Violation of these policies could result in disciplinary and/or legal action leading up to and including termination of employment or suspension. A person may also be held personally liable for damages caused by any violations of this policy. All persons are required to acknowledge receipt and confirm that they have understood and agree to abide by the rules here under.
b. COMPUTER, EMAIL AND INTERNET USAGE
· Everyone is expected to use the Internet responsibly and productively. Internet access is limited to school / job-related activities only and personal use is not permitted
· School / job-related activities include research and educational tasks that may be found via the Internet that would help in a learner’s task or an employee's role
· All Internet data that is composed, transmitted and/or received by St Andrew’s and affiliates computer systems is considered to belong to St Andrews and is recognized as part of its official data. It is therefore subject to disclosure for legal reasons or to other appropriate third parties
· The equipment, services and technology used to access the Internet are the property of St Andrew’s and the school reserves the right to monitor Internet traffic and monitor and access data that is composed, sent or received through its online connections
· Emails sent via the school email system should not contain content that is deemed to be offensive. This includes, though is not restricted to, the use of vulgar or harassing language/images
· All sites and downloads may be monitored and/or blocked by St Andrew’s if they are deemed to be harmful and/or not productive to school activities
· The installation of software such as instant messaging technology is strictly prohibited
· All email signatures should include the email disclosure provide below.
· St Andrew’s retains the copyright to all e-mail messages sent from its communications systems. This e-mail disclaimer (below) will at all times take precedence over any other e-mail disclaimer received by employees / pupils utilising the communications facilities of the school.
This email and any accompanying attachments may contain confidential and proprietary information. This information is private and protected by law and, accordingly, if you are not the intended recipient, you are requested to delete this entire communication immediately and are notified that any disclosure, copying or distribution of or taking any action based on this information is prohibited.
Emails cannot be guaranteed to be secure or free of errors or viruses. The sender does not accept any liability or responsibility for any interception, corruption, destruction, loss, late arrival or incompleteness of or tampering or interference with any of the information contained in this email or for its incorrect delivery or non-delivery for whatsoever reason or for its effect on any electronic device of the recipient. If verification of this email or any attachment is required, please request a hard-copy version.
c. UNACCEPTABLE USE OF THE INTERNET INCLUDES, BUT IS NOT LIMITED TO:
· Sending or posting discriminatory, harassing, or threatening messages or images on the Internet or via St Andrew’s and affiliates email service
· Using computers to perpetrate any form of fraud, and/or software, film or music piracy
· Stealing, using, or disclosing someone else's password without authorization
· Downloading, copying or pirating software and electronic files that are copyrighted or without authorization
· Sharing confidential material, trade secrets, or proprietary information outside of the organization
· Hacking into unauthorized websites
· Sending or posting information that is defamatory to the school, its products/services, colleagues and/or customers
· Introducing malicious software onto the school network and/or jeopardizing the security of the organization's electronic communications systems
· Sending or posting chain letters, solicitations, or advertisements not related to school purposes or activities
· Passing off personal views as representing those of the organization
· Messages relating to or in support of illegal or inappropriate activities
· SPAM/Mass Emails
· Chain letters
· Mail for solicitation purpose
· Mail involving commercial content
If a person is unsure about what constituted acceptable Internet usage, then he/she should ask the IT Administrator of headmaster for further guidance and clarification.
All terms and conditions as stated in this document are applicable to all users of St Andrew’s and affiliates network and Internet connection. All terms and conditions as stated in this document reflect an agreement of all parties and should be governed and interpreted in accordance with the policies and procedures mentioned above. Any user violating these policies is subject to disciplinary actions deemed appropriate by St Andrew’s.