Date post: | 01-Apr-2015 |
Category: |
Documents |
Upload: | loren-seward |
View: | 214 times |
Download: | 0 times |
Slide 1
Wednesday, 3 July 2013Sir George Monoux College
Data Protection: Data Protection: Confident in ComplianceConfident in Compliance
Slide 2
Hi!• Jason Miles-Campbell
JISC Legal Service Manager• jason.miles-campbell
@jisclegal.ac.uk• 0141 548 4939• www.jisclegal.ac.uk
Slide 3
Slide 4
Law, ICT and Data ProtectionLaw, ICT and Data Protection
Slide 5
Have you heard of JISC Legal before?
1. 2. 3. 4. 5.
12%
18%
47%
24%
0%
1. Hello again, Jason2. Yes, fairly often3. Yes, used occasionally4. Vague acquaintance5. What’s that, then?
Slide 6
When it comes to data protection...
1. 2. 3. 4. 5.
0%
94%
0%0%6%
1. I’m confident2. I’ve a fair idea3. I dabble4. I ask others5. I hide in the toilet
Slide 7
Relevant LawRelevant Law
• Data Protection Act 1998
• Freedom of Information Act 2000
• Privacy and Electronic Comms Regs 2003
• Protection of Freedoms Act 2012
• www.ico.gov.uk
Slide 8
Why Comply?
1. It’s the law2. Good business practice 3. Sets a good example 4. Confidence 5. Risk (id theft)
1. 2. 3. 4. 5.
75%
13% 13%
0%0%
Slide 9
Common ScenariosCommon Scenarios
• A parent requests information on son’s progress
• Police request information on one of your students
• A tutor asks to see a reference supplied by her supervisor
• An employer requests information on an employee’s attendance
• Personal details of a student disclosed in confidence appear on FB
• A staff mobile phone containing sensitive data is lost
• Internal sharing of data amongst staff
• External sharing of data
- ALL have DP compliance implications
Slide 10 1010
Data Protection Essentials
“Data protection ..regimes…do not seek to protect data itself, rather they seek to provide the individual with a degree of control over the use of their personal data”
“data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion”
Source: DP Code of Practice for FE and HE
Criminal Justice and Immigration Act 2008 – gives ICO power to impose fines direct for serious security breaches
Slide 11 11
Understanding Your Duties
• Data Subject
• Data Controller
• Data Processor
• Processing
Slide 12
Which one of the following is likely to be covered by the DPA?
1 2 3 4
25% 25%25%25%1. a deceased staff member’s email
account2. Student ID numbers in a VLE3. documents relating to a disciplinary
matter4. ‘John Smith’ on a post-it on a monitor
Slide 13
The Age of Data Protection
1. From birth2. From age 53. From age 124. From age 165. From age 18
1. 2. 3. 4. 5.
94%
0% 0%6%
0%
From what age does DP apply to protect someone?
Slide 14 14
What is Personal Data?
• Any information which relates to an
identified or identifiable person
• Living persons
• Must be significant biographical
information which affects privacy
• Sensitive personal data
Slide 15
1: fair and lawful2: limited purposes3: adequate, relevant and not excessive4: accurate and current5: no kept longer than necessary6: respect the rights of the individual7: appropriate security8: transfer outside EEA needs adequate protection
The Eight DP PrinciplesThe Eight DP Principles
Slide 16
The 8 Data Protection The 8 Data Protection PrinciplesPrinciples
Data Protection Act 1998
Slide 17
1: Fair and Lawful
Requires:•Information•Consideration of competing interests (benefits of processing v privacy)•Judgement as to whether a ‘Schedule 2 Condition” has been met
Slide 18 18
Fair and Lawful Processing
Fair processing –
• A processing notice – transparency
• Weighing up interests v privacy
• Would you be happy?
Slide 19 19
Fair and Lawful Processing
Lawful processing -To process, a Schedule 2 condition must be met:• Consent• Legitimate interest of the data controller• Fulfilment of a contractual obligationMore stringent conditions for ‘sensitive’
personal data
Slide 20
The Age of Data Protection
1. From birth2. From age 53. From age 124. From age 165. From age 18
1. 2. 3. 4. 5.
8%
0%
15%
62%
15%
From what age can someone give DP consent?
Slide 21
One of these is fair and lawful. Which?
1 2 3
0% 0%0%
1. The college releases details on student attendance to a parent
2. The college collects name and contact details of all students
3. A tutor puts personal information about a student on Facebook
Slide 22
Sensitive Personal Data
• Explicit consent• Fulfilment of employment law• Protection of vital interests• Needed for administration of justice /
legal proceedings
Slide 23
2: Limited Purposes
• Consider all uses and future uses
• State the purposes when collecting the data
• Stick to using the data for those purposes
• If a further purpose arises, you need to seek further consent
Slide 24
Clarity of Purpose
1. Purpose is clear2. Could be clearer3. No clarity at all
1. 2. 3.
33% 33%33%
Slide 25
A SampleData Protection Statement
JISC Legal undertake to treat your personal data in accordance with the provisions of the Data Protection Act 1998. The data given will only be used to register you for the JISC Legal Newsletter on the JISCmail system. You can read the details of our Privacy policy at www.jisclegal.ac.uk/privacystate.htm
Slide 26
A college decides to retain all emails for a period of 10 years. Is this in line with the
DPA?
1 2 3 4
25% 25%25%25%
1. Yes2. No3. Depends4. Don’t know
Slide 27
• A college collects names and addresses of students. It outsources IT support. The students start to receive targeted emails.
ScenarioScenario
Slide 28
3: Adequate, Relevant, Not Excessive
• Follows from purposes
• Good records management practice
• See Jisc infoNet
• No duties with respect to personal data you no longer hold!
Slide 29
4 & 5: Accuracy and Currency
• Kept up-to-date
• Kept no longer than necessary
Slide 30
6: The Individual’s Rights
• S.10 Substantial prejudice
• S.12 Right to stop automatic processing
Slide 31
6: The Individual’s Rights
• S.7 the Data Subject Access Request• Allows access to personal data• Exemptions:– request not in writing, or fee not paid; requester
cannot verify identity; disclosure of third party personal data; disclosure of third party as source; certain health, education social work records
Slide 32
A tutor writes a reference for a student in the college. The student doesn’t get the job and makes a S.A.R. asking the college to see the reference. What should the college do?
ScenarioScenario
Slide 33
7: Security
Data must be secure
(organisationally and technically)
Slide 34
• Password and access, encryption for mobile devices
• Authority to transfer/share information with third
parties – see section in Code of Practice
• Compliance with recognised standards –
what the ICO expects?
• UCISA Information Security Toolkit may help
Information SecurityInformation Security
Slide 35
• A college contracts with Help4U to process staff personal data to produce pay slips. Unfortunately the names, addresses, bank details and account numbers are sent to the wrong recipient. Who is liable?
Over to YouOver to You
Slide 36
Who is liable?
1 2 3 4
0% 0%0%0%
1. The college as data controller2. The processor as they caused the
error3. Both the data controller and the
processor4. Neither
Slide 37
A laptop is used on site to record learner
progress. A tutor wishes to work from home
so he copies the files of five students onto a
USB and takes it home. It is accidentally
dropped in the car park of the train station......
ScenarioScenario
Slide 38
Security Situations
1. At your desk2. On your laptop3. On your mobile phone4. On the train5. At home
1. 2. 3. 4. 5.
63%
19% 19%
0%0%
Where are the greatest security risks?
Slide 39 39
Appropriate Security
Your PCYour laptop
Your mobile phoneYour IT infrastructure / VLE
Your deskYour rubbish
Slide 40
8: Transfer Out of EEA
• Data must not be transferred out of Europe without adequate security …..
Slide 41
When handling personal data in your role:
1. Purpose: why are you collecting personal data,
2. Fairness: is the reason fair to the data subject and
3. Transparency: does the data subject know about it
4. Security: at an appropriate level of security
Important PointsImportant Points
Slide 42
Some Scenarios……..
Over to youOver to you
Slide 43
A parent asks for information on her son’s progress. Do you…
1. 2. 3. 4.
0% 0%0%0%
1. Supply it - nothing wrong in doing this
2. Supply it – he is under 183. Withhold it as she should never
access it4. Withhold it until you have
consent of her son
Slide 44
A student asks his tutor if he can see the reference the tutor wrote for him. Do you
1. 2. 3.
0% 0%0%
1. Say no - he has no right to see it under DPA
2. Say yes – he is entitled under DPA to see it
3. Not sure so seek help before replying
Slide 45
The police ask for information on one of your students. Do you…
1. 2. 3.
0% 0%0%
1. Supply it because it’s the police2. Supply it only when you know
what it’s for and think it is relevant information to the investigation
3. Never supply it
Slide 46
The College decides to retain all emails for a period of 10 years. Is this in line with
the DPA?
1. 2. 3. 4.
0% 0%0%0%
1. Yes2. No3. Maybe4. Can I phone a friend?
Slide 47
A member of staff clicks the wrong email group and instead of sending to relevant tutors, sends info
relating to student health issues to other students.
1. 2. 3.
0% 0%0%
1. The College is liable for the breach2. There is no liability, it was an
accident, not deliberate3. The member of staff is liable
not the College
Slide 48
What security should be on mobile devices holding personal data?
1. 2. 3.
0% 0%0%
1. Password protection and encryption
2. None as only used on College premises
3. It depends on the type of information
Slide 49
• Establish practices to protect individuals and allow the college to carry out operational business without compromising privacy.
• Address risks of data loss and invasion of privacy.
• Build DP safeguards into day to day practice.
• Ensure that this is embedded within the college (training).
Forming a StrategyForming a Strategy
Slide 50
• Implement your strategy
• Share with all staff
• Training
• Records
• Future proof (technologies)
• Consistency
• Response
Policy and ProceduresPolicy and Procedures
Slide 51
What proportion of your teaching staff know about your DP policy?
1. 2. 3. 4. 5.
0% 0% 0%0%0%
1. Nearly all2. A majority3. Half4. A minority5. Hardly any
Slide 52
Should have a privacy statement which• Complements full DP policy • States what is done with information
collected• Cookie regulations –
in force 26 May 2012
WebsiteWebsite
Slide 53
• DP policy in place and a regular review date
New developments which may affect your DP policy:
• Mechanism for conducting a privacy impact assessment at planning stage of new project
• Guidance and training for staff/student use of social networking and web 2.0 tools laptops memory sticks and other ‘mobiles’
• Information Security standards
• Website information on privacy and cookies
What should be in place?What should be in place?
Slide 54
• Where the DP policy is, how to access it and its contents
• Have awareness of DP and how it may affect students, staff etc.
• That what you’re doing is covered by the data protection notice to students, staff etc.
• How to store/share personal information on and off campus
• How to keep personal information secure(mobiles, social networking)
• Where to get help
What should you know?What should you know?
Slide 55
Sources of help Sources of help
• Your institution’s DP officer• Your institutional policies and procedures• [email protected] and www.jisclegal.ac.uk
(code of practice)
Slide 56
Next steps?
1. 2. 3. 4. 5. 6.
0% 0% 0%0%0%0%
1. Go back and say well done!2. Start a conversation with
management3. Re-write a few policies4. Monitor what’s in place already5. Get further support6. Point at someone else and say
‘his problem!’ or ‘her problem!’
Slide 57 [email protected]
0141 548 4939
Questions and Follow UpQuestions and Follow Up
http://jiscleg.al/SGMCToday!