Mybor Portal Policy — Mides Academy

Version: 13.0
Effective date: August 10, 2025
Next review date: August 10, 2026
Owner: Mides Academy (Mybor Project Team)
Support / contact: info@midesacad.uk 

1. Purpose

This Portal Policy sets out the rules, responsibilities, and safeguards for use of the Mybor Student & Parent Portal (the “Portal”). It aims to protect personal data, ensure safe and appropriate use, maintain system security and availability, and define how Mides Academy and Portal users (students, parents/carers, staff) should behave when accessing Portal services.

2. Scope

This policy applies to:

• All users of the Mybor Portal (students, parents/carers, legal guardians, staff, contractors).
  
  

• All devices used to access the Portal (school devices, personal computers, mobile devices).
  
  

• All data stored, processed, or displayed within the Portal (personal details, attendance, behaviour, academic records, communications).
  
  

3. Roles & Responsibilities

• School Leadership (Principal / SLT): Approve policy, ensure compliance, allocate resources for data protection and security.
  
  

• Mybor Project Team / IT: Implement, configure, maintain, and secure the Portal; manage access provisioning; conduct audits and backups.
  
  

• Data Protection Officer (DPO) / Data Lead: Oversee data handling, retention, subject access requests, and GDPR/UK Data Protection compliance.
  
  

• Teachers & Staff: Use Portal responsibly, enter accurate records, and protect pupil/parent privacy.
  
  

• Students & Parents/Carers: Use Portal in line with acceptable use rules; protect account credentials; report issues or suspicious activity immediately to info@midesacad.uk
  
  

4. Acceptable Use

• The Portal is provided to support teaching, learning and school administration. Use must be lawful, respectful, and consistent with Mides Academy policies (including Behaviour, Safeguarding, and ICT Acceptable Use).
  
  

• Users must not:
  
  

  • Share login credentials or attempt to use another person’s account.
    
    

  • Upload, store or share illegal, offensive, or inappropriate content.
    
    

  • Attempt to access restricted areas or modify data they are not authorised to change.
    
    

  • Use the Portal for commercial activity or political campaigning.
    
    

5. Account Provisioning & Access

• Staff accounts are issued by the Mybor Project Team on request by line managers and will include role-based permissions.
  
  

• Student & Parent accounts will be created by the school admin team. Parents/carers will be asked to confirm their identity and relationship to the child before an account is issued.
  
  

• Temporary or guest access may be granted for certain events; such accounts will have limited permissions and an expiry date.
  
  

• Access will be reviewed periodically; inactive accounts may be disabled.
  
  

6. Passwords & Authentication

• Initial passwords will be temporary and must be changed at first login.
  
  

• Passwords should be strong (minimum recommended length and complexity) and must not be shared.
  
  

• Where available, two-factor authentication (2FA) is strongly recommended for parent and staff accounts.
  
  

• If a password is forgotten or suspected to be compromised, use the “Forgot Password” flow or contact info@midesacad.uk immediately.
  
  

7. Privacy & Data Protection

• Mides Academy collects and processes Portal data to support education, safeguarding, and school operations. Processing is carried out in accordance with the UK Data Protection Act and GDPR principles (lawfulness, fairness, transparency, data minimisation, accuracy, storage limitation, integrity and confidentiality).
  
  

• Parents and staff will be given a privacy notice explaining what personal data is collected, why, how long it will be kept, and with whom it may be shared (e.g., exam boards, statutory agencies).
  
  

• Sensitive personal data (special category data) will be processed only where absolutely necessary and with appropriate safeguards.
  
  

• Users have rights (access, rectification, restriction, erasure) and can make requests to the DPO or via info@midesacad.uk
  
  

8. Data Retention & Deletion

• Records within Mybor (attendance, behaviour, assessment) will be retained according to the school’s records retention schedule. Academic and safeguarding records may be retained for longer periods as legally required.
  
  

• When parents/carers or students request deletion of personal data, the school will assess legal retention requirements before complying and will provide guidance on implications (e.g., loss of historical records).
  
  

• Deactivated or deleted accounts will be removed from active access and data archived or deleted per retention policy.
  
  

9. Security & Technical Controls

• The Mybor Project Team will implement industry-standard technical and organisational measures to protect Portal data: access controls, encryption in transit and at rest where feasible, secure hosting, regular patching, backups and monitoring.
  
  

• Regular penetration tests, vulnerability scans and security audits will be scheduled to identify and remediate risks.
  
  

• Third-party integrations will be assessed for data protection compliance and contracts will include appropriate liabilities and data processing clauses.
  
  

10. Reporting Issues & Incident Response

• Users must report suspected security incidents, data breaches, or safeguarding concerns immediately to: info@midesacad.uk (primary) and the school office by phone during school hours for urgent matters.
  
  

• The school will follow its Incident Response Plan: contain the incident, assess impact, notify relevant stakeholders (including the ICO where required), remediate vulnerabilities, and document actions taken.
  
  

• The school will notify affected individuals where their personal data is likely to result in high risk to their rights and freedoms.
  
  

11. Safeguarding & Appropriate Content

• Mybor will be used to log and support safeguarding activity as required by law and school policy.
  
  

• If students or parents view content or messages that raise safeguarding concerns, they must contact the school’s safeguarding lead or use the standard reporting channels without delay.
  
  

• Communications sent through Mybor should be professional and in line with the school’s safeguarding and communications policies.
  
  

12. Training & Awareness

• The school will provide training for staff on Portal use, data protection, and online safeguarding.
  
  

• Clear training resources and guides will be available for students and parents (e.g., how to use the Portal, privacy settings, how to report issues).
  
  

• New staff and parent account holders will be directed to mandatory induction materials and the Portal policy during onboarding.
  
  

13. Third-Party Access & Integrations

• Any third-party services integrated with Mybor must have a data processing agreement in place and be evaluated for security and privacy compliance.
  
  

• Data sharing with third parties will be limited to what is necessary and documented. Where required by law, parental consent will be sought for certain processing activities.
  
  

14. Monitoring & Auditing

• The school will log access and administrative actions in Mybor for accountability and auditing.
  
  

• Regular audits will be performed on permissions, account activity, and data integrity. Any suspicious or unauthorised activity will be investigated.
  
  

15. Exceptions & Policy Changes

• Exceptions to this policy may be granted only by the Principal in writing, with mitigating controls documented.
  
  

• This policy will be reviewed at least annually or after significant changes to the Portal or applicable law. Users will be notified of major changes.
  
  

16. Enforcement & Sanctions

• Violations of this policy by staff, students or parents may result in restricted access, disciplinary action under school policies, and where appropriate, legal or criminal investigation.
  
  

• The school reserves the right to suspend Portal access while investigating policy breaches.
  
  

17. Appendix — Quick Actions for Users

• Forgot password: Use the Portal’s reset feature or email info@midesacad.uk
  
  

• Report a breach/suspected compromise: Email info@midesacad.uk immediately and call the school for urgent concerns.
  
  

• Request data access or correction: Submit a Subject Access Request to info@midesacad.uk (subject: “SAR Request”).
  
  

• Request account closure or deletion: Email info@midesacad.uk with details and reason.
  
  

18. Approval

Approved by: Gabriel Omolayomi
Date: 01 Sep 2025