OfS privacy

Information security

The majority of the OfS’s information is held in our IT systems. This enhances our ability to use, communicate, share and store information in a variety of ways, drawing on the capability of new technology.

This capability enables the OfS to use the information in its possession to act as the authoritative voice for higher education by informing policy, raising challenging questions and functioning efficiently in our role as a funder and regulator of the higher education sector in England.

At the same time, we recognise that using new technologies also brings a risk of the inadvertent, uncontrolled loss of information.

We support the government’s efforts to manage information owned and used by the public sector in a secure way that is designed to protect the confidentiality, integrity and availability of business and personal information. 

This page describes our approach and commitment to protecting the information we hold.

The OfS aspires to provide a consistently high quality service to our stakeholders across all that we do. This requires our approach to the management of IT and communication to be supported by robust and secure systems and processes that protect information and personal data.

We seek to protect our information assets, including personal data concerned with our policy analysis and funding roles, wherever, however, and whenever they are created, processed, transmitted, shared or stored.

Our intention is to protect our information assets from misuse of any type, including unauthorised disclosure, modification and destruction. We manage the development and continuous improvement of our information security processes through drawing on UK government and international standards.

This is achieved through:

  • utilising cross-organisational groups with oversight of this work
  • assigning senior and other roles with specific responsibilities in this work
  • using regularly reviewed policies, procedures, guidance and technical responses to issues arising which staff and others are required to follow
  • all staff completing required training packages
  • training and awareness-raising activity for staff to promote compliance with our data protection and wider information security policies
  • keeping personal data confidential, retaining its integrity but making it available (through restricting access) only to those staff who need access  
  • having data sharing agreements in place with organisations with whom we share personal data (whether as data controller or processor) 
  • ensuring that data protection features in routine business contracts  
  • operating restrictions on the transmission of personal data, particularly overseas  
  • a range of physical, technical, and organisational security measures - for example, access control, encryption, secure collection of data over our extranet.

Our information security policies are designed to support staff in achieving the level of confidentiality, integrity and availability in the use of our information that we seek to have. These policies are a blend of technical, behavioural, cultural, ethical and process driven approaches to information security.

As a relatively small organisation, we are able to maintain a high level of consistency and awareness in our information security management system and are able to adapt swiftly to changing threat landscapes.

Part of any organisation’s commitment to maintaining the confidentiality, integrity and availability of its information is to have in place a way to protect its resources in the event of a serious incident that affects its ability to carry out its business.

The OfS therefore has in place a business continuity plan, which takes into account the risks we face, and which incorporates a disaster recovery plan. The key features of these plans are:

  • Our main servers (and therefore our data) are offsite in a secure facility
  • The network we use is managed by professional staff who operate a cybersecurity protection service from which we benefit
  • Our technical infrastructure operates with a number of firewalls to protect against external attack
  • We use anti-virus and anti-malware software and security certification, adopt a standard approach to patching, use two-factor authentication and complex passwords for access to systems, and operate perimeter and other physical controls
  • We can monitor activity across our network
  • We test our controls to ensure their effectiveness
  • Staff can access critical parts of our systems using secure remote access so critical functions can continue in the event of an emergency
  • Our key processes and operating procedures are documented
  • We have made assessments of the action we would take in a number of scenarios.

To support staff responsible for the management and security of information, our governance function independently reviews and provides assurance over what we do.

We use our internal auditors to review information security arrangements regularly.

We meet the requirements of the Government (Cabinet Office) Security Policy Framework, which requires an annual self-assessment. We are also required to periodically provide assurance to government about aspects of our information security arrangements, for example in respect of the large data sets we hold, including those used to calculate OfS funding for institutions.

We regularly review our information security policies under the oversight of our Information Security Steering Group.

We report on our information security arrangements to our Audit Committee at least annually and make a statement about these arrangements in our annual accounts.

Last updated 02 November 2021

No revisions made
