Information Security Policy for the Student Registry

Reykjavík City primary schools maintain a student registry to keep track of information about their students, academic progress, and other necessary information related to their education. With this documented Information Security Policy, Reykjavík primary schools want to emphasize the importance of data protection in the processing of the school's student registry.

Primary schools use information technology to store and share student registry data securely and efficiently. This helps schools, students and guardians oversee registrations, management, academic progress and performance.

This policy describes Reykjavík City primary schools' commitment to protect the student registry against internal and external threats, both intentional and accidental. Information security management aims to ensure continued access to student registry data and minimize damage by preventing or limiting the impact of incidents that could disrupt data processing or cause information leaks.

The student registry contains sensitive personal data that requires special protection. The interests of the parties concerned may be harmed if the information falls into the wrong hands, is incorrect, or is not accessible when necessary. Reykjavík City primary schools define this security policy for data confidentiality, integrity and availability.

Confidentiality. Primary schools ensure only authorized individuals can access student registry information and related equipment.

Data integrity. Primary schools ensure student registry information is accurate and up-to-date. Incorrect, misleading, incomplete or outdated information is corrected, deleted or updated when discovered, with regular monitoring for this purpose.

Data availability. Primary schools ensure authorized users can access student registry information when needed. Schools also ensure that damaged systems and data can be restored using contingency plans and backups stored securely.

This security policy complies with current laws and regulations on personal data protection. The Security Policy is in full compliance with the Data Protection Authority's Rules No. 299/2001 on the Security of Personal Data and meets the requirements of the ÍST EN ISO/IEC 27001 standard.

Employees with access to information assets and processors involved in information system operations, including the student registry, must have access to and know this security policy and relevant parts of the rulebook for their work. Sanctions are specified in employment contracts, job descriptions, collective agreements, or laws and can consist of a written reminder or dismissal, depending on the circumstances.