Date posted: 16-Apr-2017
Category: Technology
Uploaded by: jisc-scotland
Protecting personal information
Overview
• To understand key terms and principles of the Data Protection Act (DPA)
• Understand types of information: personal/sensitive
• How an organisation can comply with the DPA
Intro to Data Protection Act
• Established 1998 to safeguard personal data
• Framework for how organisations can collect and use personal data
• Personal data means data which relates to a living individual who can be identified:
– From those data
– From those data and other information in the possession of the data controller
Eight Principles of DPA
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than is necessary
6. processed in line with the data subjects’ rights
7. secure
8. not transferred to other countries without adequate protection
Types of information I
– Names, addresses
– Birth details
– Contact details
– Age, gender
– NI number
– Marital history, partnerships
– Travel details, leisure activities, membership of organisations
– Employment details
– Finance details
Types of information II
• Sensitive
– Mental or physical health
– Racial or ethnic origin
– Political opinions
– Religious or related beliefs
– Trade union membership
– Sexual life
– Criminal convictions
– Offences, including alleged
http://www.ico.gov.uk/for_organisations/data_protection/the_guide/conditions_for_processing.aspx
Data Protection and FE
• Data protection is important to FE and HE institutions
– they collect, process and use the data of individuals such as students, staff, alumni and enquirers for various purposes.
• Specific guidance for the education sector:
http://www.ico.gov.uk/for_organisations/sector_guides/education.aspx
– examination records
– expected requirements under FOI(S)A
Roles within the DPA
• Data controller: determines the purposes for which and the manner in which personal data are to be processed
• Data processor: person who processes the data on behalf of the data controller
• Data subject: an individual who is the subject of personal data
Who’s responsible!
• North Glasgow College is the data controller
• Data controllers must register with the Information Commissioner’s Office (ICO)
http://www.ico.gov.uk/what_we_cover/register_of_data_controllers.aspx
• S.4 (4) of the DPA: ultimate responsibility for adhering to the Act lies with the ‘Data Controller’.
Information Commissioner’s Office (ICO)
• independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
http://www.ico.gov.uk/for_organisations/data_protection.aspx
• There is also a Scottish Information Commissioner, but the ICO has specific regulatory responsibility for the DPA
ICO monetary penalties (maximum £500,000)
£150,000 – 7 June 2013
Issued to Glasgow City Council for the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
£250,000 – 24 January 2013
Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk.
£250,000 – 11 September 2012
Issued to Scottish Borders Council after former employees’ pension records were found in an over-filled paper recycling bank in a supermarket car park.
All monetary penalties and decisions by the ICO can be viewed at:
http://www.ico.gov.uk/enforcement/fines.aspx
Data Day Hygiene
http://www.youtube.com/watch?v=CdYWoLC7TNI
Scenario one
A new admin assistant was asked to fax a child protection report to a firm of solicitors. The report contained extensive sensitive personal data about the child and a number of her family relations.
The law firm was a regular contact, but had recently changed its fax number. The admin assistant used the contact list to find the number. The new number had been handwritten over the previous number.
The following day the law firm called to say it had not received the faxed report. On checking what had happened, it turned out the admin assistant had misread a digit in the new fax number.
• Identify and discuss any data protection issues in this incident
Scenario two
An HR worker asked an administrator to send some documents to her work email address so that she could work on them at home.
The documents included a spreadsheet listing a number of her clients, their names and addresses and contact time. Additional information included descriptors of their physical and mental health problems. The spreadsheet also contained notes relating to family members.
The administrator attempted to email the social worker, but there were problems with the organisation’s email system. The social worker asked the administrator to email her personal email address instead, and she would then transfer the documents from her home computer.
The administrator emailed the documents to the social worker’s personal email address. Later in the evening, the social worker checked her email but the documents had not been received. On checking with the administrator, it transpired that the email address had been taken down incorrectly.
• Identify and discuss any data protection issues in this incident
Scenario three
• The organisation operates a number of services in conjunction with a range of voluntary agencies. One of the services is an outreach centre for young people. The outreach workers and social workers will routinely share information about the users of the service. The people who use the centre will typically only frequent it for 3 to 6 months before moving on.
• The outreach centre has three desktop computers. One of these is used to send and store the reports for the council. That computer, and the relevant folders, are password protected. The password is XYZ123 and has never been updated. It is pinned on the inside of a drawer in the office.
• The centre also keeps information for its own purposes, which might include details of disruptive attendees and notes about their external associates. This information is kept on all three computers.
• The centre is broken into and the three desktop computers are stolen. During the council’s investigation, the centre informs the investigating officer that reports had not been deleted from their computers for at least the past five years.
• Identify and discuss any data protection issues in this incident
Scenario one - issues
• Fax breach – security of sensitive personal data sent by fax:
• No phone-ahead fax policy; no checking policy to make sure faxes are received by the intended recipients; no pre-programmed fax numbers; no evidence of an appointed person responsible for checking or updating fax numbers;
• No fax cover sheet mentioned;
• The data controller should have been aware of the risks associated with faxing sensitive personal data, as the risks have previously been well publicised by the ICO;
• No evidence that other methods had been considered for transmitting sensitive personal data;
• Higher risk of error with a handwritten fax contact list;
• Had the administration assistant involved in this breach received data protection training?
• Should a relatively new member of staff have been entrusted with faxing sensitive personal data? Is it reasonable to assume this task requires a certain level of experience and responsibility?
Scenario two - issues
• Email breach – security of sensitive personal data sent by email; also the third data protection principle
• No clear email security policy;
• No mention of a contractual agreement between the council and the outsourced third-party finance provider;
• Potential contravention of the third data protection principle: an excessive and irrelevant amount of information going to the finance department;
• Potential contravention of the third and seventh data protection principles: irrelevant personal data being sent by insecure email to a third-party finance provider;
• The administrator should not have emailed spreadsheets to a personal email address without first checking data security protocols, or using encryption;
• No cross-checking of the personal email address to ensure accuracy;
• The council’s home working policy is vague about the security and storage of personal data when working from home.
Scenario three - issues
• Theft of data – organisational and technical security of personal data; also the fifth data protection principle, retention of personal data
• No evidence that a data sharing agreement was in place between the council and the outreach centre;
• Potential contravention of the fifth data protection principle: reports kept for 5 years, when people who use the centre generally only attend for 3-6 months;
• The password to the computer storing reports shouldn’t have been kept in a drawer and should have had a higher degree of complexity (alphanumeric, upper and lower case, symbols etc); the password should also have been changed on a regular basis;
• Lack of technical security: two desktop computers storing personal data were not password protected (there is generally no obligation to encrypt desktop computers);
• What physical security measures were in place at the outreach centre?
• What DPA training would voluntary outreach workers have undertaken, and were such volunteers vetted by the council – how did the council satisfy themselves about this?
• This breach could involve sensitive personal data as defined by section 2 of the DPA, particularly in the notes on disruptive attendees.
Ensure you’re compliant
• Governance
– Policy and guidance, risk register, impact levels, protective marking
• Training
– Protecting Information course, knowing where to get help and advice on DPA
• Records management
– Retention schedules, disposal records, information asset register
• Security of personal data
– Mobile devices, physical security of manual records, owner/responsibility, incident reporting/third-party contracts
• Dealing with requests
– Owner/responsibility, log of incidents, monitoring/redaction, data sharing agreements, SAR log
Governance
• Policies and procedures (data protection, information security, email policies, portable devices)
• Measure and impact, risk register
– http://www.nationalarchives.gov.uk/documents/information-management/info-asset-register-factsheet.pdf
Assessing the risk to personal information
• Identify the risk
• Treat the risk
• Monitor and review
• Review what personal data is held (privacy impact assessment)
• Apply security measures for physical or electronic assets
• Create an information asset register
The right of access to personal data
• An individual can send you a subject access request (SAR) requiring you to tell them about the personal information you hold about them, and to provide them with a copy of that information.
• In most cases you must respond to a valid subject access request within 40 calendar days of receiving it.
• Example of a SAR form
Requests for personal data
• owner / procedure
• record and log requests
• redaction
• exemptions
http://www.ico.gov.uk/for_organisations/data_protection/the_guide/exemptions.aspx
• data sharing agreements
Training and awareness
http://www.ico.gov.uk/Global/think_privacy_toolkit.aspx
Protecting Personal Information course
Records Management
• roles and responsibilities
• retention schedules
• indexing/tracking records
• destruction/disposition
Retention for SARs
| Record | Contents | Retention period | Basis | Action |
| Record of subject access request | Initial request, response, related correspondence and other supporting documentation | Completion of request + 3 years | Statutory | Destroy |
| Record of subject access request where appeal made to UK Information Commissioner | Initial request, response, appeal records, related correspondence and other supporting documentation | Outcome of appeal + 6 years | Statutory | Destroy |
| General compliance records | Files re DP audit, general compliance, data breaches, security training etc | Current year + 3 | Business req | Destroy |
| Notification and changes | | Current year + 3 | Statutory | Destroy |
Security Measures
http://www.ico.gov.uk/for_organisations/data_protection/security_measures.aspx
https://www.getsafeonline.org/video/
https://www.getsafeonline.org/businesses/
Security measures
• owner/responsibility (North Glasgow College Data Protection policy)
• physical security of manual records
• network security and access permissions
• mobile devices
• security incident log
• remote working risk assessment
http://www.reading.ac.uk/internal/imps/DataProtection/DataProtectionGuidelines/imps-d-p-encryption-remote-working.aspx
How the ICO can help
http://www.ico.gov.uk/what_we_cover/audits_advisory_visits_and_self_assessments.aspx
http://www.ico.gov.uk/~/media/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf
Ensure that…
• you only collect information that you need for a specific purpose;
• you keep it secure;
• you ensure it is relevant and up to date;
• you only hold as much as you need, and only for as long as you need it;
• you allow the subject of the information to see it on request; and
• you ensure all staff are aware of their responsibility.
Keep Safe!
http://www.bbc.co.uk/learningzone/clips/5594.html
Thank you
Penny Robertson
twitter.com/@[email protected]
Jisc RSC Scotland
http://jiscrsc.ac.uk/scotland
North Glasgow College
Civil Service Learning / Protecting Information course
Level 1: provides useful information and advice to help you protect and share information safely and appropriately. Approx.: 45 minutes to complete
https://north-gla.blackboard.com/