Information Technology (IT) and Digital Safeguarding Policy

The School’s IT facilities include:

• Hardware and software provided by the School (e.g., PCs, laptops, tablets, smartphones, printers, operating systems, web browsers, online services).
• Software or online services arranged by the School (e.g., special deals for students on commercial application packages).
• Data provided or accessed through the School (e.g., online journals, data sets, citation databases).
• Network access provided by the School (e.g., Wi-Fi, Ethernet, mobile).
• IT credentials issued by the School (e.g., School login or other tokens).

All use of these facilities is subject to this policy, including on data protection, as well as all other School regulations and policies.

Users must read, understand, and adhere to this policy and all policies fully. Ignorance of the law does not excuse unlawful conduct. When accessing services from abroad, users must comply with both local and English laws, alongside School regulations. For third-party online services, users should follow the respective terms and conditions, whether accessed directly, through the School, or via agreements like those with Jisc. Violations of law or third-party regulations will be considered breaches of this IT policy.

Users must not create, access, share, or distribute material that is unlawful, extremist, discriminatory, or contrary to the School’s Safeguarding and Prevent Policy. Any user who encounters such material on School systems or online spaces associated with the School must report it immediately to the Prevent Lead, IT Team, and through the Prevent Support Ticket system on the AGS.

The School’s IT facilities are provided to support School work. Personal or third-party use of these facilities must be avoided. The School disclaims any liability for issues arising from such use.

Users of the School’s IT facilities are provided access through usernames, passwords, security keys, and tokens. These credentials are for individual use only and must not be shared unless explicitly authorised. Access to the School's Online Library and electronic resources is restricted to authorised users, who must not share their access credentials. Attempting to use IT facilities without proper authorisation may be a legal offence under the Computer Misuse Act. For any doubts about authorised use, contact servicedesk@lsi.ac.uk.

The School’s IT facilities must be used reasonably, lawfully, and with proper etiquette. Abusive, inconsiderate, discriminatory, or similar behaviour will not be tolerated and may result in enforcement action.

Specifically, do not:

• Cause undue offence, concern, or annoyance to others.
• Create or transmit defamatory, fraudulent, obscene, or offensive material.
• Send spam or unsolicited bulk emails.
• Interfere with others' legitimate use of IT facilities.
• Occupy specialist facilities unnecessarily if others need them.
• Recklessly consume excessive IT resources, such as processing power, bandwidth, or paper.
• Create, download, store, or transmit unlawful, indecent, offensive, threatening, or discriminatory material.

To access IT facilities, users must protect their IT credentials, which may include usernames, passwords, email addresses, smart cards, or other identity hardware issued by the School.

Follow these guidelines to safeguard your credentials:

• Never write them down or store them in unprotected files.
• Do not disguise or hide your real identity when using IT facilities.
• Do not share your credentials with anyone. No one is authorised to ask for your password.

Do not attempt to impersonate others, obtain or use someone else's credentials, or corrupt or destroy anyone else’s credentials.

Under the Data Protection Act, all users (staff, students, etc.) must protect sensitive or confidential information. This includes:

• Records with personally identifiable information (PII) such as student records, personnel records, medical records, disciplinary records, and recruitment records.
• Commercially sensitive information or intellectual property of the School, such as exam papers, research documentation, etc.
• Sensitive information from third parties provided to the School for specific purposes.

If your role involves handling such information, familiarise yourself with relevant legislation, data and cyber protection regulations, and School policies, such as the Research Ethics and Governance Code of Practice. Adhere to all provisions to ensure the confidentiality and protection of this information.

All devices used to access protected data must:

• Have a password, PIN, biometric, or other secure access mechanism upon startup.
• Be set to sleep or hibernate within 15 minutes of inactivity and require re-authentication upon waking.
• Not have security codes revealed to others unless required by a legal investigation.
• Not be shared unless designated as a shared device by the School.
• Be secured against loss or theft; report any loss or theft immediately to your line manager and the IT Service Desk. The IT Service Desk will then remotely erase all School-related data if possible.
• Be returned to your line manager for a reset if the device is to be replaced or is no longer needed, to ensure all settings and data are deleted.

• Do not connect School-owned devices to unsecured or unknown Wi-Fi networks. Ensure the network name is correct and not a misleading imitation (e.g., 'Eduroam' rather than '_!Eduroam').
• Avoid working in public locations where your screen is visible and refrain from discussing confidential information in public.
• Always lock your computer or device when left unattended, even briefly.
• Do not access protected information on personal devices or any device not provided by the School, as these may not be free from malware and could retain sensitive data in their history.

• Always encrypt protected information before sending it electronically.
• Send the encryption key through a separate channel, such as SMS.

• Do not store protected information on removable or portable devices (e.g., laptops, tablets, smartphones, USB sticks) unless encrypted. Keep the encryption key secure and out of sight when not in use.
• Avoid storing protected information in personal cloud services (e.g., Dropbox, Google Drive) not provided by the School.
• Do not leave confidential paper documents on desks overnight. Lock them away when not in use.
• Collect printed documents immediately. Shred paper with protected information when no longer needed.

Please consult the School's Data Protection Policy for comprehensive information on the legal and regulatory requirements that must be followed. Adhere to all stipulations set out in the policy to ensure compliance with data protection laws and other relevant regulations.

All users must adhere to cyber security best practices at all times. When creating passwords, use strong password guidelines. If available, register for and utilise 2-factor authentication. Change your password immediately if you suspect it has been compromised. Avoid using the same password or pattern across multiple sites. Never leave logged-in computers unattended, and ensure you log out properly when finished. If using a password manager, do not log in on School IT equipment. Report any suspected security incidents or compromises involving your credentials, device, data, or IT facilities to dataprotection@lsi.ac.uk immediately.

To publish information, all users must adhere to the School’s regulations and policies, including this IT policy If you have any questions, consult the authority mentioned in this IT policy.

Specifically:

• Do not make statements that purport to represent the School without written approval from the Marketing Team.
• Do not publish information on behalf of third parties using the School's IT facilities without approval from the Director of Technology.

Infringement of copyright or violation of software licences is strictly prohibited. Users must comply with copyright and licensing regulations when using the School's electronic resources. It is essential to familiarise yourself with the specific regulations from the respective providers.

Almost all published works are protected by copyright. Just because material (such as images, text, music, or software) is accessible online does not mean you can use it freely. You are responsible for ensuring that you have the right to use copyrighted material.

For any doubts or questions regarding copyright or licensing, consult the authority mentioned in this IT policy.

Users must not access, delete, modify, or disclose information belonging to others without their consent or written permission from the School’s Data Protection Officer. For any questions, contact the authority mentioned in this policy. 

Certain exemptions apply:

• Access by IT or Compliance Staff: Authorised IT or compliance staff may access private information under specific circumstances defined by institutional or legal processes.
• Information Retrieval: If a School employee who created or manages information is unavailable, the Director may request the retrieval of the information. Care must be taken to avoid accessing private data or compromising account security.

Users must adhere to the licensing and usage conditions for the School's library and other resources. Specifically:

• Do not share licensed materials with anyone other than authorised users.
• Do not upload content from licensed materials to social media sites.
• Do not alter or create new versions of licensed materials without permission.
• Do not tamper with copyright notices in licensed materials.
• Do not use licensed materials for commercial purposes.
• Do not extensively or systematically download, reproduce, or distribute licensed materials.

The School may update its terms of use without prior notice. Continued use of the library and resources after changes signifies acceptance of the new terms. The School is not liable for misuse of its resources. If you violate copyright or licensing regulations and the School faces a claim, you must indemnify the School. Breaching these terms may result in suspension or exclusion from using the library and other resources.

Users must not compromise the IT infrastructure's integrity. Specifically, you must not:

• Damage, reconfigure, or move equipment.
• Risk damaging the infrastructure by being careless with food or drink near computers.
• Load software onto School equipment unless authorised.
• Reconfigure or connect equipment to the network, such as adding Wi-Fi access points or repeaters.
• Set up servers or services on the network, including game servers, file-sharing services, or websites.
• Deliberately or recklessly introduce malware.
• Attempt to disrupt or bypass IT security measures.

Additionally, users must:

• Take all reasonable precautions to avoid introducing malware.
• Keep anti-virus software up to date and active, and perform regular scans of your computer.

While the School supports freedom of speech and expression, users should consider the following before posting on social media:

• Think carefully before publishing: Social media is public and content may be permanently visible. Once posted, it cannot be removed.
• Follow standard rules: All posted content must adhere to the same rules and laws as other published materials, including confidentiality, intellectual property, and defamation laws.
• Avoid damaging the School's reputation: Association with the School is easily visible online. Ensure that any opinions or comments are clearly personal and avoid posting anything offensive, derogatory, inappropriate, abusive, discriminatory, or harassing.

The School monitors and logs IT facility usage for the following reasons:

• Ensuring the effective operation of IT facilities.
• Managing School activities during employee absences.
• Addressing data subject requests.
• Detecting, investigating, or preventing misuse or breaches of School regulations.
• Investigating alleged misconduct.
• Complying with legal and audit requirements, including PCI-DSS and Prevent Duty.
• Meeting lawful requests from law enforcement or government agencies for crime detection, investigation, or national security.

All monitoring activity is proportionate, justified, and conducted in accordance with the School’s Data Protection Policy and the Data Protection Act 2018.

Access to monitoring data is restricted to authorised personnel and is used solely for safeguarding, security, or compliance purposes.

For further details, contact the authority mentioned in this policy, 

All digital safeguarding incidents, breaches, and emerging risks must be logged in the Digital Risk Register, maintained by the Prevent Lead.

The Register is reviewed semesterly by the Director of Technology, Prevent Lead, and Director of Student Services, to identify patterns, evaluate mitigations, and inform the School’s central Risk Register.

Significant or thematic digital risks are reported to the Executive Committee and the Quality, Compliance and Audit (QCA) Committee as part of Prevent and safeguarding assurance cycles, and ultimately, the Board of Governors. It informs annual planning, including when it comes to implementing the Prevent Duty. 

The School strictly prohibits the use of its IT systems to access, create, store, or share material that promotes terrorism, radicalisation, or extremist ideologies. Users must report any such misuse immediately to the Prevent Lead and Director of Technology. Breaches may be reported to the police and will be treated as serious violations of the School’s IT policy. Monitoring will be undertaken where appropriate to support safeguarding responsibilities.

The School applies proportionate filtering and monitoring systems to detect and prevent access to unlawful or harmful material through School-managed networks and devices.

These controls are reviewed regularly to ensure they remain effective, non-intrusive, and balanced with the School’s commitments to academic freedom and freedom of speech.

Filtering and monitoring are designed to address safeguarding and Prevent duties without impeding legitimate academic research or inquiry.

Issues related to Prevent and digital safeguarding are reviewed periodically by the Executive Committee and Prevent Lead, and may inform updates to acceptable use policies or support processes.

Users must not monitor IT facility usage without explicit authorisation from the Director of Technology. This prohibition includes:

• Monitoring network traffic
• Discovering network devices
• Capturing WiFi traffic
• Installing key-logging or screen-grabbing software that affects other users
• Accessing system logs, servers, or network equipment

A security incident is any event that breaches this policy or information protection procedures. A security weakness could lead to an incident if not addressed.

Report any security incident or weakness immediately to management upon becoming aware or suspicious of it. This includes any concerns about breaches or vulnerabilities. 

Such incidents and weaknesses include not only obvious thefts but also the following examples:

• Breaches of Confidentiality:

  • Accessing information you should not (e.g. payroll details).
  • Finding personal information in an unsecured email attachment.
  • Losing or having a laptop, phone, or access badge stolen.
  • Discovering confidential papers on an unattended desk or printer in a public area.
  • Finding an open window or unset alarm upon arriving at the office.

• Breaches of Integrity:

  • Noting incorrect records in a database.
  • Discovering that a file on the shared drive will not open.
  • Finding that paper records are missing from their expected location.

• Breaches of Availability:

  • Encountering an unavailable system or application.
  • Being unable to find important information, such as a contract.

This list is not exhaustive.

Report any suspected breach immediately to dataprotection@lsi.ac.uk. Provide as much detail as possible about what you have observed.

Where a digital incident involves potential safeguarding, radicalisation, or extremism concerns, the matter must be escalated immediately to the Designated Safeguarding and Prevent Leads, in addition to normal IT security channels. The Director of Student Services must be informed of all confirmed safeguarding incidents. Records of such incidents will be maintained securely by the Prevent Lead and reviewed termly through the Executive Committee and Quality, Compliance and Audit Committee (QCA).

The School will take all lawful measures to protect and restore the security of its IT facilities, including data, hardware, and software. Any breach of this IT policy or related provisions will be addressed through the School’s processes, which may include disciplinary action. The School may access IT facilities for investigation as permitted by law. Penalties for breaches may include withdrawal of services, disciplinary action, legal enforcement, or termination of contracts for third parties. Offensive materials will be removed, and any suspected unlawful activity will be reported to the police or relevant enforcement agencies. The School will also report breaches of third-party regulations to the relevant organisation and recover any costs incurred due to infringements.

Subject to any liability the School cannot exclude or limit by law, the School is not liable for any loss or damage arising from the use or withdrawal of its IT facilities, including data and equipment.

The Director of Technology is responsible for this policy and may delegate this authority to others.

The Director of Technology, Prevent Lead, and Director of Student Services will review the effectiveness of digital safeguarding, monitoring, and moderation annually. A summary of findings and any improvement actions will be submitted to the Executive Committee, QCA Committee, and Board of Governors as part of the School’s Prevent assurance cycle.

The School’s online and blended provision includes Virtual Learning Environments (VLEs), discussion boards, video collaboration platforms, and other digital tools that facilitate learning and interaction. The School is committed to ensuring that these environments remain lawful, safe, inclusive, and conducive to academic freedom. All digital engagement must comply with the School’s Safeguarding and Prevent Policy, Code of Conduct, and this policy. 

Discussion boards, asynchronous group spaces, and collaborative forums within modules are moderated by academic staff. Moderators are responsible for ensuring that posts and discussions remain respectful, relevant to learning objectives, and compliant with the School’s policies on safeguarding, equality, and lawful free speech. Any content, behaviour, or communication that appears discriminatory, unlawful, or otherwise concerning must be reported immediately via the Prevent Support Ticket system or directly to the Designated Leads. Where required, moderators may temporarily restrict access to a discussion board pending review by the Dedicated Leads.

Where remote teaching, tutorials, or formal collaborative activities take place through approved School platforms (e.g. Microsoft Teams, Zoom), a member of academic or professional staff must be present as moderator. Moderators may intervene, suspend participation, or terminate sessions where conduct or content breaches this policy or presents a safeguarding risk.

For student-led or informal collaboration conducted via School-approved platforms, participants are expected to uphold the same standards of professional and respectful conduct. Students must use their School credentials when joining or hosting sessions and must immediately report any concerning material, behaviour, or communication through the Prevent Support Ticket system or directly to their PAT or Student Success Team.

Recordings of live sessions may be made for educational purposes, subject to privacy and data protection requirements.

All members of the School community must use online spaces respectfully and lawfully, contributing to a safe and inclusive digital environment. Users must not create, share, or access material that is extremist, discriminatory, or otherwise unlawful. The use of School systems or networks for such purposes constitutes misconduct and may trigger disciplinary or safeguarding procedures.

Where online collaboration occurs on third-party or external platforms, users remain subject to this policy and must ensure that the School’s reputation and safeguarding commitments are maintained.

Any incidents, participant removals, or terminations during online sessions must be referred to the Director of Student Services for review. Where concerns indicate potential safeguarding or radicalisation risk, the Prevent Lead must also be informed. All actions, decisions, and outcomes must be documented in the AGS and retained in line with the School’s Record Retention Schedule. Summaries of incidents and lessons learned are included in termly reports to the Executive Committee and annual reports to the Quality, Compliance and Audit Committee (QCA) and Board of Governors.