data protection-training

Data Protection and Freedom of Information in schools Keeping data secure, safe and legal

Upload: james-wright

Post on 15-Nov-2014

Page 1: Data protection-training

Data Protection and Freedom of Information in schools

Keeping data secure, safe and legal

Page 2: Data protection-training

Why?

Data Protection Act 1998

Freedom of Information (FoI) Act 2000

Page 3: Data protection-training

The Data Protection Act 1998

• The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection Act 1984.

• The EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy and protection of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data.

• The Data Protection Act is how the UK implements the European Directive.

Page 4: Data protection-training

The aims of the Data Protection Act

• Anyone who processes personal information must comply with the eight principles

• It provides individuals with important rights, including the right to find out what personal information is held about them

Page 5: Data protection-training

The eight data protection principles

Information must be:

• Fairly and lawfully processed

• Processed for specified purposes

• Adequate, relevant and not excessive

• Accurate and up-to-date

• Not kept for longer than is necessary

• Processed in line with individuals’ rights

• Secure

• Not transferred outside the European Economic Area without adequate protection

Page 6: Data protection-training

Individual rights

• Right of access – individuals have a right to know what information organisations hold about them on a computer or in certain filing systems.

• Individuals can submit a Subject Access Request to see or have a copy of this information.

Page 7: Data protection-training

Freedom of Information Act 2000

• An Act to make provision for the disclosure of information held by public authorities or by persons providing services for them and to amend the Data Protection Act 1998 and the Public Records Act 1958; and for connected purposes

Page 8: Data protection-training

Right of access

• What? Anything

• Who? Anybody

• Where from? Anywhere

• Why? None of your business

• FoIA assumes information will be disclosed

Page 9: Data protection-training

Exemptions

7 Absolute Exemptions

• S21 Information accessible by other means;

• S23 National security;

• S32 Court records;

• S34 Parliamentary privilege;

• S40 Personal information about the applicant;

• S41 Information provided in confidence;

• S44 Prohibition on disclosure

Page 10: Data protection-training

Exemptions

15 Qualified Exemptions

• S22 Future publication;

• S24 National security;

• S26 Defence or armed forces;

• S27 International relations;

• S28 Relations within the UK

• S29 The economy of the UK;

• S30 Investigations/proceedings;

• S31 Law enforcement;

• S36 Effective conduct of public affairs;

• S37 Communications with Her Majesty

• S38 Health & safety;

• S39 Environmental information;

• S40 Personal information about third party;

• S42 Legal professional privilege;

• S43 Commercial interests

Page 11: Data protection-training

School specifics

• Impact levels

• Encryption

• Questions and examples

Page 12: Data protection-training

Impact levels

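Table headings: Impact Level; Example data types; eGIF requirements (Registration level, Authentication requirements); Example networks; External access

Aggregated reports

Access headings: Gov PC to www, Internet café, PDA, Home Gov PC LAN, Wi-fi, 3G card, Bluetooth, Bootable USB

IL4 Confidential

• Example data types: National Pupil Database; Looked-after children; Witness protection; SEN IL4 data elements

• Registration level: Level Three ID verification with vetting and 'need to know' measures

• Authentication requirements: Physical/personal/procedural protection with appropriate authorisation

• Example networks: GSi, CJX

• External access: Y1 N N Y2; N N N Y3

IL3 Restricted or NHS Confidential

• Example data types: School MIS; Teacher access to learning platform/portals; Special educational needs (with no IL4 data elements); Pupil characteristic; Contact point; Health records

• Registration level: Level Two ID vetting and 'need to know' measures; IAO approval

• Authentication requirements: Mandatory two-factor user ID, password and token; Internet/virtual private network (VPN) and token

• Example networks: N3, GSI, GCSx, CJX

• External access: Y N Y4 Y5

• Example networks: Encrypted internet VPN

• External access: Y6 Y7 N Y8

IL2 Protect

• Example data types: General student data; Learning platforms/portals

• Registration level: Level One basic ID verification

• Authentication requirements: User ID and password

• Example networks: Internet

• External access: Y1 N Y Y; Y Y Y2 Y

IL1/IL0

• Example data types: Google search; BBC News

• Registration level: Anonymous

• Authentication requirements: Authentication not required

• Example networks: Any

• External access: Y Y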

Page 13: Data protection-training

Data encryption

Becta guidance states: “Users may not copy or remove sensitive or personal data from the school or authorised premises unless the media is encrypted and is transported securely for storage in a secure location”

What does that mean to us?

• Change in the way USB sticks are used

• Not just USB. Additional encryption when accessing information across the internet
