slide 1 wednesday, 3 july 2013 sir george monoux college data protection: confident in compliance

Wednesday, 3 July 2013Sir George Monoux College

Data Protection: Data Protection: Confident in ComplianceConfident in Compliance

Hi!• Jason Miles-Campbell

JISC Legal Service Manager• jason.miles-campbell

@jisclegal.ac.uk• 0141 548 4939• www.jisclegal.ac.uk

Law, ICT and Data ProtectionLaw, ICT and Data Protection

Have you heard of JISC Legal before?

1. 2. 3. 4. 5.

12%

18%

47%

24%

0%

1. Hello again, Jason2. Yes, fairly often3. Yes, used occasionally4. Vague acquaintance5. What’s that, then?

When it comes to data protection...

1. 2. 3. 4. 5.

0%

94%

0%0%6%

1. I’m confident2. I’ve a fair idea3. I dabble4. I ask others5. I hide in the toilet

Relevant LawRelevant Law

• Data Protection Act 1998

• Freedom of Information Act 2000

• Privacy and Electronic Comms Regs 2003

• Protection of Freedoms Act 2012

• www.ico.gov.uk

Why Comply?

1. It’s the law2. Good business practice 3. Sets a good example 4. Confidence 5. Risk (id theft)

1. 2. 3. 4. 5.

75%

13% 13%

0%0%

Common ScenariosCommon Scenarios

• A parent requests information on son’s progress

• Police request information on one of your students

• A tutor asks to see a reference supplied by her supervisor

• An employer requests information on an employee’s attendance

• Personal details of a student disclosed in confidence appear on FB

• A staff mobile phone containing sensitive data is lost

• Internal sharing of data amongst staff

• External sharing of data

- ALL have DP compliance implications

1010

Data Protection Essentials

“Data protection ..regimes…do not seek to protect data itself, rather they seek to provide the individual with a degree of control over the use of their personal data”

“data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion”

Source: DP Code of Practice for FE and HE

Criminal Justice and Immigration Act 2008 – gives ICO power to impose fines direct for serious security breaches

11

Understanding Your Duties

• Data Subject

• Data Controller

• Data Processor

• Processing

Which one of the following is likely to be covered by the DPA?

1 2 3 4

25% 25%25%25%1. a deceased staff member’s email

account2. Student ID numbers in a VLE3. documents relating to a disciplinary

matter4. ‘John Smith’ on a post-it on a monitor

The Age of Data Protection

1. From birth2. From age 53. From age 124. From age 165. From age 18

1. 2. 3. 4. 5.

94%

0% 0%6%

0%

From what age does DP apply to protect someone?

14

What is Personal Data?

• Any information which relates to an

identified or identifiable person

• Living persons

• Must be significant biographical

information which affects privacy

• Sensitive personal data

1: fair and lawful2: limited purposes3: adequate, relevant and not excessive4: accurate and current5: no kept longer than necessary6: respect the rights of the individual7: appropriate security8: transfer outside EEA needs adequate protection

The Eight DP PrinciplesThe Eight DP Principles

The 8 Data Protection The 8 Data Protection PrinciplesPrinciples

Data Protection Act 1998

1: Fair and Lawful

Requires:•Information•Consideration of competing interests (benefits of processing v privacy)•Judgement as to whether a ‘Schedule 2 Condition” has been met

18

Fair and Lawful Processing

Fair processing –

• A processing notice – transparency

• Weighing up interests v privacy

• Would you be happy?

19

Fair and Lawful Processing

Lawful processing -To process, a Schedule 2 condition must be met:• Consent• Legitimate interest of the data controller• Fulfilment of a contractual obligationMore stringent conditions for ‘sensitive’

personal data

The Age of Data Protection

1. From birth2. From age 53. From age 124. From age 165. From age 18

1. 2. 3. 4. 5.

8%

0%

15%

62%

15%

From what age can someone give DP consent?

One of these is fair and lawful. Which?

1 2 3

0% 0%0%

1. The college releases details on student attendance to a parent

2. The college collects name and contact details of all students

3. A tutor puts personal information about a student on Facebook

Sensitive Personal Data

• Explicit consent• Fulfilment of employment law• Protection of vital interests• Needed for administration of justice /

legal proceedings

2: Limited Purposes

• Consider all uses and future uses

• State the purposes when collecting the data

• Stick to using the data for those purposes

• If a further purpose arises, you need to seek further consent

Clarity of Purpose

1. Purpose is clear2. Could be clearer3. No clarity at all

1. 2. 3.

33% 33%33%

A SampleData Protection Statement

JISC Legal undertake to treat your personal data in accordance with the provisions of the Data Protection Act 1998. The data given will only be used to register you for the JISC Legal Newsletter on the JISCmail system. You can read the details of our Privacy policy at www.jisclegal.ac.uk/privacystate.htm

A college decides to retain all emails for a period of 10 years. Is this in line with the

DPA?

1 2 3 4

25% 25%25%25%

1. Yes2. No3. Depends4. Don’t know

• A college collects names and addresses of students. It outsources IT support. The students start to receive targeted emails.

ScenarioScenario

3: Adequate, Relevant, Not Excessive

• Follows from purposes

• Good records management practice

• See Jisc infoNet

• No duties with respect to personal data you no longer hold!

4 & 5: Accuracy and Currency

• Kept up-to-date

• Kept no longer than necessary

6: The Individual’s Rights

• S.10 Substantial prejudice

• S.12 Right to stop automatic processing

6: The Individual’s Rights

• S.7 the Data Subject Access Request• Allows access to personal data• Exemptions:– request not in writing, or fee not paid; requester

cannot verify identity; disclosure of third party personal data; disclosure of third party as source; certain health, education social work records

A tutor writes a reference for a student in the college. The student doesn’t get the job and makes a S.A.R. asking the college to see the reference. What should the college do?

ScenarioScenario

7: Security

Data must be secure

(organisationally and technically)

• Password and access, encryption for mobile devices

• Authority to transfer/share information with third

parties – see section in Code of Practice

• Compliance with recognised standards –

what the ICO expects?

• UCISA Information Security Toolkit may help

Information SecurityInformation Security

• A college contracts with Help4U to process staff personal data to produce pay slips. Unfortunately the names, addresses, bank details and account numbers are sent to the wrong recipient. Who is liable?

Over to YouOver to You

Who is liable?

1 2 3 4

0% 0%0%0%

1. The college as data controller2. The processor as they caused the

error3. Both the data controller and the

processor4. Neither

A laptop is used on site to record learner

progress. A tutor wishes to work from home

so he copies the files of five students onto a

USB and takes it home. It is accidentally

dropped in the car park of the train station......

ScenarioScenario

Security Situations

1. At your desk2. On your laptop3. On your mobile phone4. On the train5. At home

1. 2. 3. 4. 5.

63%

19% 19%

0%0%

Where are the greatest security risks?

39

Appropriate Security

Your PCYour laptop

Your mobile phoneYour IT infrastructure / VLE

Your deskYour rubbish

8: Transfer Out of EEA

• Data must not be transferred out of Europe without adequate security …..

When handling personal data in your role:

1. Purpose: why are you collecting personal data,

2. Fairness: is the reason fair to the data subject and

3. Transparency: does the data subject know about it

4. Security: at an appropriate level of security

Important PointsImportant Points

Some Scenarios……..

Over to youOver to you

A parent asks for information on her son’s progress. Do you…

1. 2. 3. 4.

0% 0%0%0%

1. Supply it - nothing wrong in doing this

2. Supply it – he is under 183. Withhold it as she should never

access it4. Withhold it until you have

consent of her son

A student asks his tutor if he can see the reference the tutor wrote for him. Do you

1. 2. 3.

0% 0%0%

1. Say no - he has no right to see it under DPA

2. Say yes – he is entitled under DPA to see it

3. Not sure so seek help before replying

The police ask for information on one of your students. Do you…

1. 2. 3.

0% 0%0%

1. Supply it because it’s the police2. Supply it only when you know

what it’s for and think it is relevant information to the investigation

3. Never supply it

The College decides to retain all emails for a period of 10 years. Is this in line with

the DPA?

1. 2. 3. 4.

0% 0%0%0%

1. Yes2. No3. Maybe4. Can I phone a friend?

A member of staff clicks the wrong email group and instead of sending to relevant tutors, sends info

relating to student health issues to other students.

1. 2. 3.

0% 0%0%

1. The College is liable for the breach2. There is no liability, it was an

accident, not deliberate3. The member of staff is liable

not the College

What security should be on mobile devices holding personal data?

1. 2. 3.

0% 0%0%

1. Password protection and encryption

2. None as only used on College premises

3. It depends on the type of information

• Establish practices to protect individuals and allow the college to carry out operational business without compromising privacy.

• Address risks of data loss and invasion of privacy.

• Build DP safeguards into day to day practice.

• Ensure that this is embedded within the college (training).

Forming a StrategyForming a Strategy

• Implement your strategy

• Share with all staff

• Training

• Records

• Future proof (technologies)

• Consistency

• Response

Policy and ProceduresPolicy and Procedures

What proportion of your teaching staff know about your DP policy?

1. 2. 3. 4. 5.

0% 0% 0%0%0%

1. Nearly all2. A majority3. Half4. A minority5. Hardly any

Should have a privacy statement which• Complements full DP policy • States what is done with information

collected• Cookie regulations –

in force 26 May 2012

WebsiteWebsite

• DP policy in place and a regular review date

New developments which may affect your DP policy:

• Mechanism for conducting a privacy impact assessment at planning stage of new project

• Guidance and training for staff/student use of social networking and web 2.0 tools laptops memory sticks and other ‘mobiles’

• Information Security standards

• Website information on privacy and cookies

What should be in place?What should be in place?

• Where the DP policy is, how to access it and its contents

• Have awareness of DP and how it may affect students, staff etc.

• That what you’re doing is covered by the data protection notice to students, staff etc.

• How to store/share personal information on and off campus

• How to keep personal information secure(mobiles, social networking)

• Where to get help

What should you know?What should you know?

Sources of help Sources of help

• Your institution’s DP officer• Your institutional policies and procedures• [email protected] and www.jisclegal.ac.uk

(code of practice)

Next steps?

1. 2. 3. 4. 5. 6.

0% 0% 0%0%0%0%

1. Go back and say well done!2. Start a conversation with

management3. Re-write a few policies4. Monitor what’s in place already5. Get further support6. Point at someone else and say

‘his problem!’ or ‘her problem!’

[email protected]

0141 548 4939

Questions and Follow UpQuestions and Follow Up

http://jiscleg.al/SGMCToday!

slide 1 wednesday, 3 july 2013 sir george monoux college data protection: confident in compliance

Documents

consent slide

compliance slide

facebook slide

aldataprotection slide

toilet slide

monitor slide

age of data protection

sensitive data