Introduction to Data Protection and Information Security

Protecting personal information

Upload: jisc-scotland

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Introduction to Data Protection and Information Security

Protecting personal information

Page 2: Overview

• To understand key terms and principles of the Data Protection Act (DPA)
• Understand the types of information: personal and sensitive
• How an organisation can comply with the DPA

Page 3: Intro to Data Protection Act

• Passed in 1998 (in force from 1 March 2000) to safeguard personal data
• Framework for how organisations can collect and use personal data
• Personal data means data which relates to a living individual who can be identified:
  – from those data
  – from those data and other information in the possession of the data controller

Page 4: Eight Principles of DPA

Anyone who processes personal information must comply with eight principles, which make sure that personal information is:

1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than is necessary
6. processed in line with the data subjects' rights
7. secure
8. not transferred to countries outside the European Economic Area without adequate protection

Page 5: Types of information I

• Personal
  – Names, addresses
  – Birth details
  – Contact details
  – Age, gender
  – NI number
  – Marital history, partnerships
  – Travel details, leisure activities, membership of organisations
  – Employment details
  – Finance details

Page 6: Types of information II

• Sensitive
  – Mental or physical health
  – Racial or ethnic origin
  – Political opinions
  – Religious or related beliefs
  – Trade union membership
  – Sexual life
  – Criminal convictions
  – Offences committed or alleged

http://www.ico.gov.uk/for_organisations/data_protection/the_guide/conditions_for_processing.aspx

Page 7: Data Protection and FE

• Data protection is important to FE and HE institutions
  – they collect, process and use the data of individuals such as students, staff, alumni and enquirers for various purposes.

Specific guidance for the education sector:
http://www.ico.gov.uk/for_organisations/sector_guides/education.aspx
  – examination records
  – expected requirements under FOI(S)A

Page 8: Roles within the DPA

• Data controller: determines the purposes for which, and the manner in which, personal data are to be processed
• Data processor: a person who processes the data on behalf of the data controller
• Data subject: an individual who is the subject of personal data

Page 9: Who's responsible?

• North Glasgow College is the data controller
• Data controllers must register with the Information Commissioner's Office (ICO)
  http://www.ico.gov.uk/what_we_cover/register_of_data_controllers.aspx
• S.4(4) of the DPA: ultimate responsibility for adhering to the Act lies with the data controller.

Page 10: Information Commissioner's Office (ICO)

• Independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
  http://www.ico.gov.uk/for_organisations/data_protection.aspx
• There is also a Scottish Information Commissioner (responsible for FOI(S)A), but the ICO has the specific regulatory responsibility for the DPA across the UK

Page 11: £500,000

The maximum monetary penalty the ICO can impose for a serious contravention of the DPA (since April 2010).

Page 12: £150,000

7 June 2013

Issued to Glasgow City Council for the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.

Page 13: £250,000

24 January 2013

Issued to Sony Computer Entertainment Europe after the PlayStation Network platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers' payment card details were also at risk.

Page 14: £250,000

11 September 2012

Issued to Scottish Borders Council after former employees' pension records were found in an over-filled paper recycling bank in a supermarket car park.

All monetary penalties and decisions by the ICO can be viewed at:
http://www.ico.gov.uk/enforcement/fines.aspx

Page 15: Data Day Hygiene

http://www.youtube.com/watch?v=CdYWoLC7TNI

Page 16: Scenario one

A new admin assistant was asked to fax a child protection report to a solicitors' firm. The report contained extensive sensitive personal data about the child and a number of her family relations.

The law firm was a regular contact, but had recently changed its fax number. The admin assistant used the contact list to find the number. The new number had been handwritten over the previous one.

The following day the law firm called to say it had not received the faxed report. On checking what had happened, it emerged that the admin assistant had misread a digit in the new fax number.

Identify and discuss any data protection issues in this incident.

Page 17: Scenario two

A social worker asked an administrator to send some documents to her work email address so that she could work on them at home.

The documents included a spreadsheet listing a number of her clients, their names and addresses and contact time. Additional information included descriptors of their physical and mental health problems. The spreadsheet also contained notes relating to family members.

The administrator attempted to email the social worker, but there were problems with the organisation's email system. The social worker asked the administrator to email her personal address instead; she would then transfer the documents from her home computer.

The administrator emailed the documents to the social worker's personal email address. Later in the evening, the social worker checked her email, but the documents had not been received. On checking with the administrator, it transpired that the email address had been taken down incorrectly.

• Identify and discuss any data protection issues in this incident.

Page 18: Scenario three

• The organisation operates a number of services in conjunction with a range of voluntary agencies. One of the services is an outreach centre for young people. The outreach workers and social workers routinely share information about the users of the service. The people who use the centre will typically only frequent it for 3 to 6 months before moving on.
• The outreach centre has three desktop computers. One of these is used to send and store the reports for the council. That computer, and the relevant folders, are password protected. The password is XYZ123 and has never been updated. It is pinned on the inside of a drawer in the office.
• The centre also keeps information for its own purposes, which might include details of disruptive attendees and notes about their external associates. This information is kept on all three computers.
• The centre is broken into and the three desktop computers are stolen. During the council's investigation, the centre informs the investigating officer that reports had not been deleted from their computers for at least the past five years.
• Identify and discuss any data protection issues in this incident.

Page 19: Scenario one - issues

• Fax breach – security of sensitive personal data sent by fax:
• No phone-ahead fax policy; no checking policy to make sure faxes are received by the intended recipients; no pre-programmed fax numbers; no evidence of an appointed person responsible for checking or updating fax numbers;
• No fax cover sheet mentioned;
• The data controller should have been aware of the risks associated with faxing sensitive personal data, as the risks have previously been well publicised by the ICO;
• No evidence that other methods had been considered for transmitting sensitive personal data;
• Higher risk of error with a handwritten fax contact list;
• Had the administration assistant involved in this breach received data protection training?
• Should a relatively new member of staff have been entrusted with faxing sensitive personal data? Is it reasonable to assume this task requires a certain level of experience and responsibility?

Page 20: Scenario two - issues

• Email breach – security of sensitive personal data sent by email; also the third data protection principle
• No clear email security policy;
• No mention of a contractual agreement between the council and the outsourced third party finance provider;
• Potential contravention of the third data protection principle: an excessive and irrelevant amount of information going to the finance department;
• Potential contravention of the third and seventh data protection principles: irrelevant personal data being sent by insecure email to a third party finance provider;
• The administrator should not have emailed spreadsheets to a personal email address without first checking data security protocols, or using encryption;
• No cross-checking of the personal email address to ensure accuracy;
• The council's home working policy is vague about the security and storage of personal data when working from home.

Page 21: Scenario three - issues

• Theft of data – organisational and technical security of personal data; also the fifth data protection principle, retention of personal data
• No evidence that a data sharing agreement was in place between the council and the outreach centre
• Potential contravention of the fifth data protection principle: reports kept for 5 years, when people who use the centre generally only attend for 3-6 months;
• The password to the computer storing reports should not have been kept in a drawer, should have been more complex (alphanumeric, upper and lower case, symbols etc.) and should have been changed on a regular basis;
• Lack of technical security: two desktop computers storing personal data were not password protected (there is generally no obligation to encrypt desktop computers, unlike portable devices such as the laptops in the Glasgow City Council case);
• What physical security measures were in place at the outreach centre?
• What DPA training would voluntary outreach workers have undertaken, and were such volunteers vetted by the council? How did the council satisfy itself about this?
• This breach could involve sensitive personal data as defined by section 2 of the DPA, particularly the notes on disruptive attendees.

Page 22: Ensure you're compliant

• Governance
  – Policy and guidance, risk register, impact levels, protective marking
• Training
  – Protecting Information course, knowing where to get help and advice on the DPA
• Records management
  – Retention schedules, disposal records, information asset register
• Security of personal data
  – Mobile devices, physical security of manual records, owner/responsibility, incident reporting, third party contracts
• Dealing with requests
  – Owner/responsibility, log of incidents, monitoring/redaction, data sharing agreements, SAR log

Page 23: Governance

• Policies and procedures (data protection, information security, email policies, portable devices)
• Measure and impact, risk register
  http://www.nationalarchives.gov.uk/documents/information-management/info-asset-register-factsheet.pdf

Page 24: Assessing the risk to personal information

• Identify the risk
• Treat the risk
• Monitor and review
• Review what personal data is held (privacy impact assessment)
• Apply security measures for physical or electronic assets
• Create an information asset register

Page 25: The right of access to personal data

• An individual can send you a subject access request (SAR) requiring you to tell them about the personal information you hold about them, and to provide them with a copy of that information.
• In most cases you must respond to a valid subject access request within 40 calendar days of receiving it.
• Example of a SAR form

Page 26: Requests for personal data

• Owner / procedure
• Record and log requests
• Redaction
• Exemptions
  http://www.ico.gov.uk/for_organisations/data_protection/the_guide/exemptions.aspx
• Data sharing agreements

Page 27: Training and awareness

http://www.ico.gov.uk/Global/think_privacy_toolkit.aspx

Protecting Personal Information course

Page 28: Records Management

• roles and responsibilities
• retention schedules
• indexing/tracking records
• destruction/disposition

Page 29: Retention for SARs

Record of subject access request
  Contents: initial request, response, related correspondence and other supporting documentation
  Retention: completion of request + 3 years
  Basis: Statutory
  Action: Destroy

Record of subject access request where appeal made to UK Information Commissioner
  Contents: initial request, response, appeal records, related correspondence and other supporting documentation
  Retention: outcome of appeal + 6 years
  Basis: Statutory
  Action: Destroy

General compliance records
  Contents: files re DP audit, general compliance, data breaches, security training etc.
  Retention: current year + 3
  Basis: Business requirement
  Action: Destroy

Notification and changes
  Retention: current year + 3
  Basis: Statutory
  Action: Destroy
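The schedule above, and the fifth-principle problem in scenario three (reports kept for five years against a three-to-six month period of need), both come down to the same check: for each record, when does its retention period end, and is it still being held after that date? The following Python is an added example, not code from the original slides or from the college; it encodes the four rows of the schedule and runs them over a few constructed sample records. The rule keys, record references and sample dates are invented for illustration, and reading "current year + N" as 31 December of the year the record was created plus N years is an assumption made here (schedules differ on how that is counted).

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    """One row of the retention schedule."""
    record: str
    trigger: str   # "event": N years from the triggering event
                   # "year":  31 Dec of the creation year, plus N years (assumption)
    years: int
    basis: str     # "Statutory" or "Business req"
    action: str = "Destroy"


# The four rows of the "Retention for SARs" schedule; keys are illustrative.
SCHEDULE = {
    "sar": Rule("Record of subject access request", "event", 3, "Statutory"),
    "sar_appeal": Rule("Record of SAR where appeal made to UK Information Commissioner",
                       "event", 6, "Statutory"),
    "compliance": Rule("General compliance records", "year", 3, "Business req"),
    "notification": Rule("Notification and changes", "year", 3, "Statutory"),
}


def add_years(d: date, n: int) -> date:
    """d plus n calendar years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)


def destroy_date(rule: Rule, trigger_date: date) -> date:
    """Earliest date on which a record held under `rule` may be destroyed.

    trigger_date is the completion/outcome date for event-based rows and the
    creation date for "current year + N" rows.
    """
    if rule.trigger == "event":
        return add_years(trigger_date, rule.years)
    return date(trigger_date.year + rule.years, 12, 31)


@dataclass(frozen=True)
class Record:
    ref: str
    rule_key: str
    trigger_date: date


def review(records, today: date) -> dict:
    """Map each record ref to (destroy date, status).

    status is "destroy" once the destroy date has been reached and "retain"
    before it. Anything still held with status "destroy" is data kept longer
    than necessary, which is the fifth-principle issue in scenario three.
    """
    result = {}
    for rec in records:
        rule = SCHEDULE[rec.rule_key]
        due = destroy_date(rule, rec.trigger_date)
        result[rec.ref] = (due, "destroy" if today >= due else "retain")
    return result


def overdue(records, today: date) -> list:
    """Refs of records that should already have been destroyed, oldest due date first."""
    rev = review(records, today)
    return sorted((ref for ref, (_, status) in rev.items() if status == "destroy"),
                  key=lambda ref: rev[ref][0])


# Constructed sample records (invented, not real cases).
SAMPLE = [
    Record("SAR-2012-017", "sar", date(2012, 5, 10)),        # request completed
    Record("SAR-2013-004", "sar_appeal", date(2013, 2, 1)),  # appeal outcome
    Record("AUD-2013-01", "compliance", date(2013, 3, 15)),  # audit file created
    Record("SAR-2013-021", "sar", date(2013, 6, 30)),        # request completed
]

if __name__ == "__main__":
    today = date(2016, 5, 10)
    for ref, (due, status) in review(SAMPLE, today).items():
        print(f"{ref:14} destroy from {due}  -> {status}")
    print("overdue:", overdue(SAMPLE, today))
```

Run periodically against the records management system's index, the `overdue` list is the disposal worklist; the two trigger styles matter because an event-based row (SAR completed) and a year-based row (compliance file) created on the same day fall due months apart.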

Page 30: Security Measures

http://www.ico.gov.uk/for_organisations/data_protection/security_measures.aspx
https://www.getsafeonline.org/video/
https://www.getsafeonline.org/businesses/

Page 31: Security measures

• Owner/responsibility (North Glasgow College Data Protection policy)
• Physical security of manual records
• Network security and access permissions
• Mobile devices
• Security incident log
• Remote working risk assessment

http://www.reading.ac.uk/internal/imps/DataProtection/DataProtectionGuidelines/imps-d-p-encryption-remote-working.aspx

Page 32: How the ICO can help

http://www.ico.gov.uk/what_we_cover/audits_advisory_visits_and_self_assessments.aspx
http://www.ico.gov.uk/~/media/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf

Page 33: Ensure that…

• you only collect information that you need for a specific purpose;
• you keep it secure;
• it is relevant and up to date;
• you only hold as much as you need, and only for as long as you need it;
• you allow the subject of the information to see it on request; and
• all staff are aware of their responsibility.

Page 34: Keep Safe!

http://www.bbc.co.uk/learningzone/clips/5594.html

Page 35: Thank you

Penny Robertson
twitter.com/@[email protected]
Jisc RSC Scotland
http://jiscrsc.ac.uk/scotland

Page 36: North Glasgow College

Civil Service Learning / Protecting Information course

Level 1: provides useful information and advice to help you protect and share information safely and appropriately. Approx. 45 minutes to complete.

https://north-gla.blackboard.com/