2. Overview
• Understand the key terms and principles of the Data Protection Act (DPA)
• Understand the types of information: personal and sensitive
• How an organisation can comply with the DPA
3. Intro to Data Protection Act
• Established in 1998 to safeguard personal data
• Framework for how organisations can collect and use personal data
• Personal data means data which relates to a living individual who can be identified:
– from those data
– from those data and other information in the possession of the data controller
4. Eight Principles of DPA
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than is necessary
6. processed in line with the data subjects’ rights
7. secure
8. not transferred to other countries without adequate protection
5. Types of information I
• Personal
– Names, addresses
– Birth details
– Contact details
– Age, gender
– NI number
– Marital history, partnerships
– Travel details, leisure activities, membership of organisations
– Employment details
– Finance details
6. Types of information II
• Sensitive
– Mental or physical health
– Racial or ethnic origin
– Political opinions
– Religious or related beliefs
– Trade union membership
– Sexual life
– Criminal convictions
– Offences committed or alleged to have been committed
http://www.ico.gov.uk/for_organisations/data_pro
7. Data Protection and FE
• Data protection is important to FE and HE institutions
– they collect, process and use the data of individuals such as students, staff, alumni and enquirers for various purposes.
• Specific guidance for the education sector:
http://www.ico.gov.uk/for_organisations/sector_guides/
– examination records
– expected requirements under FOI(S)A (model publication scheme)
8. Roles within the DPA
• Data controller: determines the
purposes for which and the manner in
which personal data are to be
processed
• Data Processor: person who processes
the data on behalf of the data controller
• Data Subject: an individual who is the
subject of personal data
9. Who’s responsible!
• North Glasgow College is the data
controller
• Data controllers must register with the
Information Commissioner’s Office
(ICO)
http://www.ico.gov.uk/what_we_cover/registe
• s.4(4) of the DPA: ultimate responsibility for adhering to the Act lies with the data controller.
10. Information Commissioner’s Office (ICO)
• Independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
http://www.ico.gov.uk/for_organisations/da
• There is also a Scottish Information Commissioner (responsible for the Freedom of Information (Scotland) Act), but the ICO has specific regulatory responsibility for the DPA
12. £150,000
7 June 2013
Issued to Glasgow City Council for the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
13. £250,000
24 January 2013
Issued to Sony after the PlayStation Network platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk.
14. £250,000
11 September 2012
Issued to Scottish Borders Council after former employees’ pension records were found in an over-filled paper recycling bank in a supermarket car park.
All monetary penalties and decisions by the ICO can be viewed at:
http://www.ico.gov.uk/enforcement/fines.aspx
16. Scenario one
A new admin assistant was asked to fax a child protection report to a firm of solicitors. The report contained extensive sensitive personal data about the child and a number of her family relations.
The law firm was a regular contact, but had recently changed its fax number. The admin assistant used the contact list to find the number. The new number had been handwritten over the previous number.
The following day the law firm called to say it had not received the faxed report. On checking what had happened, it turned out the admin assistant had misread a digit in the new fax number.
• Identify and discuss any data protection issues in this incident
17. Scenario two
A social worker asked an administrator to send some documents to her work email address so that she could work on them at home.
The documents included a spreadsheet listing a number of her clients, their names and addresses and contact time. Additional information included descriptors of their physical and mental health problems. The spreadsheet also contained notes relating to family members.
The administrator attempted to email the social worker, but there were problems with the organisation’s email system. The social worker asked the administrator to email her personal address instead, and she would then transfer the documents from her home computer.
The administrator emailed the documents to the social worker’s personal address. Later in the evening, the social worker checked her email but the documents had not been received. On checking with the administrator, it transpired that the email address had been taken down incorrectly.
• Identify and discuss any data protection issues in this incident
18. Scenario three
• The organisation operates a number of services in conjunction with a range of voluntary agencies. One of the services is an outreach centre for young people. The outreach workers and social workers routinely share information about the users of the service. The people who use the centre will typically only frequent it for 3 to 6 months before moving on.
• The outreach centre has three desktop computers. One of these is used to send and store the reports for the council. That computer, and the relevant folders, are password protected. The password is XYZ123 and has never been updated. It is pinned on the inside of a drawer in the office.
• The centre also keeps information for its own purposes, which might include details of disruptive attendees and notes about their external associates. This information is kept on all three computers.
• The centre is broken into and the three desktop computers are stolen. During the council’s investigation, the centre informs the investigating officer that reports had not been deleted from their computers for at least the past five years.
• Identify and discuss any data protection issues in this incident
19. Scenario one - issues
• Fax breach – security of sensitive personal data sent by fax:
• No phone-ahead fax policy; no checking policy to make sure faxes are received by the intended recipients; no use of pre-programmed fax numbers; no evidence of an appointed person responsible for checking or updating fax numbers;
• No fax cover sheet mentioned;
• The data controller should have been aware of the risks associated with faxing sensitive personal data, as the risks have previously been well publicised by the ICO;
• No evidence that other methods had been considered for transmitting sensitive personal data;
• Higher risk of error with a handwritten fax contact list;
• Had the administration assistant involved in this breach received data protection training?
• Should a relatively new member of staff have been entrusted with faxing sensitive personal data? Is it reasonable to assume this task requires a certain level of experience and responsibility?
20. Scenario two - issues
• Email breach – security of sensitive personal data sent by email; also the third data protection principle
• No clear email security policy;
• No mention of a contractual agreement between the council and the outsourced third-party finance provider;
• Potential contravention of the third data protection principle: an excessive and irrelevant amount of information going to the finance department;
• Potential contravention of the third and seventh data protection principles: irrelevant personal data being sent by insecure email to a third-party finance provider;
• The administrator should not have emailed spreadsheets to a personal email address without first checking the data security protocols, or using encryption;
• No cross-checking of the personal email address to ensure accuracy;
• The council’s home working policy is vague about the security and storage of personal data when working from home.
21. Scenario three - issues
• Theft of data – organisational and technical security of personal data; also the fifth data protection principle, retention of personal data
• No evidence that a data sharing agreement was in place between the council and the outreach centre;
• Potential contravention of the fifth data protection principle: reports kept for 5 years, when people who use the centre generally only attend for 3–6 months;
• The password to the computer storing reports should not have been kept in a drawer and should have had a higher degree of complexity (alphanumeric, upper and lower case, symbols etc.); the password should also have been changed on a regular basis;
• Lack of technical security: two desktop computers storing personal data were not password protected (there is generally no obligation to encrypt desktop computers);
• What physical security measures were in place at the outreach centre?
• What DPA training would voluntary outreach workers have undertaken, and were such volunteers vetted by the council? How did the council satisfy themselves about this?
• This breach could involve sensitive personal data as defined by section 2 of the
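The password weaknesses picked out above (XYZ123, never rotated, no mixed case or symbols) can be checked mechanically rather than by eye. The following Python script is an added example written for this page; it is not code from the original slides or from North Glasgow College. The policy thresholds (12-character minimum, 90-day maximum age, three-character sequential runs), the function names and the small inventory of machines are assumptions constructed for illustration.

```python
"""Added example: audit stored desktop passwords against a simple policy.

The policy thresholds and the inventory below are assumptions made for
this illustration, not North Glasgow College's own policy or data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    min_length: int = 12      # assumed minimum length
    max_age_days: int = 90    # assumed rotation period
    sequence_run: int = 3     # "XYZ" or "123" counts as a predictable run


@dataclass
class Finding:
    ok: bool
    failures: List[str] = field(default_factory=list)


def has_sequence(password: str, run: int) -> bool:
    """True if any `run` adjacent characters step up or down by exactly one
    code point (catches runs such as XYZ, 123 or cba)."""
    codes = [ord(c) for c in password]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password: str, last_changed: Optional[date],
                   today: Optional[date] = None,
                   policy: Policy = Policy()) -> Finding:
    """Evaluate one password against the policy and return every failure,
    not just the first, so an audit report is complete."""
    today = today or date.today()
    failures: List[str] = []
    if len(password) < policy.min_length:
        failures.append(f"length {len(password)} is below {policy.min_length}")
    required = {
        "lower-case letter": any(c.islower() for c in password),
        "upper-case letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    failures += [f"no {name}" for name, present in required.items() if not present]
    if has_sequence(password, policy.sequence_run):
        failures.append("contains a sequential run")
    # A password that has never been changed is older than any maximum age.
    if last_changed is None:
        failures.append("never changed")
    elif (today - last_changed).days > policy.max_age_days:
        failures.append(f"age {(today - last_changed).days} days exceeds {policy.max_age_days}")
    return Finding(ok=not failures, failures=failures)


def audit(inventory: List[Tuple[str, str, Optional[date]]], today: date,
          policy: Policy = Policy()) -> Dict[str, Finding]:
    """Check every (computer, password, last_changed) record in the inventory."""
    return {name: check_password(pw, changed, today, policy)
            for name, pw, changed in inventory}


# Constructed sample inventory: the scenario's desktop plus one compliant machine.
TODAY = date(2013, 6, 1)
SAMPLE_INVENTORY = [
    ("outreach-pc-1", "XYZ123", None),                               # as in scenario three
    ("outreach-pc-2", "Lvn7#qRp!2wZ", TODAY - timedelta(days=30)),  # assumed compliant
]


def run_sample() -> Dict[str, Finding]:
    """Audit the constructed inventory as of the constructed date."""
    return audit(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, finding in run_sample().items():
        status = "OK" if finding.ok else "FAIL: " + "; ".join(finding.failures)
        print(f"{name}: {status}")
```

Run as a script, the scenario-three desktop fails on five counts (too short, no lower-case letter, no symbol, a sequential run, never changed) while the second machine passes. A "never changed" password is treated as the worst case regardless of the maximum age, since its true age is unknown; note that the check says nothing about the other weakness on the slide, the password being pinned inside a drawer, which no complexity rule can catch.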
22. Ensure you’re compliant
• Governance
– policy and guidance, risk register, impact levels, protective marking
• Training
– protecting information course, knowing where to get help and advice on the DPA
• Records management
– retention schedules, disposal records, information asset register
• Security of personal data
– mobile devices, physical security of manual records, owner/responsibility, incident reporting, third-party contracts
• Dealing with requests
– owner/responsibility, log of incidents, monitoring/redaction, data sharing agreements, SAR log
23. Governance
• Policies and procedures ( data
protection, information security, email
policies, portable devices)
• Measure and impact, risk register
– http://www.nationalarchives.gov.uk/documents
24. Assessing the risk to personal information
• Identify the risk
• Treat the risk
• Monitor and review
• Review what personal data is held (privacy impact assessment)
• Apply security measures for physical or electronic assets
• Create an information asset register
25. The right of access to personal data
• An individual can send you a subject access request (SAR) requiring you to tell them about the personal information you hold about them, and to provide them with a copy of that information.
• In most cases you must respond to a valid subject access request within 40 calendar days of receiving it.
• Example of a SAR form
26. Requests for personal data
• owner / procedure
• record and log requests
• redaction
• Exemptions
http://www.ico.gov.uk/for_organisations/data
• data sharing agreements
28. Records Management
• roles and responsibilities
• retention schedules
• indexing/tracking records
• destruction/disposition
29. Retention for SARs
Record | Contents | Retention period | Basis | Action
Record of subject access request | Initial request, response, related correspondence and other supporting documentation | Completion of request + 3 years | Statutory | Destroy
Record of subject access request where appeal made to UK Information Commissioner | Initial request, response, appeal records, related correspondence and other supporting documentation | Outcome of appeal + 6 years | Statutory | Destroy
General compliance records | Files re DP audit, general compliance, data breaches, security training etc. | Current year + 3 years | Business requirement | Destroy
Notification and changes | | Current year + 3 years | Statutory | Destroy
31. Security measures
• owner/responsibility (North Glasgow College Data Protection policy)
• physical security of manual records
• network security and access permissions
• mobile devices
• security incident log
• remote working risk assessment
http://www.reading.ac.uk/internal/imps/DataProtection/DataProtectionGuidelines/imps-d-p-encryption-remote-working.aspx
32. How the ICO can help
http://www.ico.gov.uk/what_we_cover/audits_advisory_visits_and_self_assessments.aspx
http://www.ico.gov.uk/~/media/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf
33. Ensure that…
• you only collect information that you need for a specific purpose;
• you keep it secure;
• it is relevant and up to date;
• you only hold as much as you need, and only for as long as you need it;
• you allow the subject of the information to see it on request; and
• all staff are aware of their responsibilities.
36. North Glasgow College
Civil Service Learning / Protecting Information course
Level 1: provides useful information and advice to help you protect and share information safely and appropriately.
Approx. 45 minutes to complete
https://north-gla.blackboard.com/
Editor’s notes
Slide 1: Introduce myself: adviser for learning resources; background as information architecture manager at SQA, with direct responsibility for managing the Data Protection Act process and for ensuring continued accreditation to the international standard 27001, which covers the effective management of an information security system. Ask them to introduce one another and their backgrounds. Today’s short workshop will look at some of the processes involved in ensuring that personal information is stored, managed, processed and secured in accordance with the Data Protection Act.
Slide 2: This workshop is by no stretch the magical silver bullet that will solve all data protection woes and challenges for an organisation. It really is a very general introduction, and also aims to give some ideas about how Angus College can ensure the integrity and confidentiality of personal data. We’ll have a look at some of the key terms and principles within the Data Protection Act, at the two main levels of personal information, and at some of the tools and processes an organisation can deploy to ensure adherence to the Act.
Slide 3: So, the DPA: although it was established in 1998, it became an effective legislative tool from about March 2000. The Act outlines a framework for organisations for the collection and use of personal data, ensuring that the confidentiality and integrity of that data is maintained and that there is no loss of privacy or harm to the person the data is about. The DPA does not approve of the “we’ll store this data, just in case” attitude, and rightly so. When we talk of personal data, this covers data which relates to a living individual who can be identified from those data and/or from an amalgam of other data in the possession of the data controller. This also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. So, for example, if you are marking a student’s paper and you write feedback or any remark on it, within the context of a personal information request this information would have to be transcribed and sent to the individual.
Slide 4: The Act hinges on eight principles.
1st principle: have legitimate grounds for collecting and using the personal data; be transparent about how you are going to use the data; do not use the data in ways that have unjustified adverse effects on the individuals concerned.
2nd principle: be clear about the purpose or purposes for which you hold personal data, so that you can then ensure that you process the data in a way that is compatible with your original purpose or purposes (or “not incompatible”, as the Data Protection Act says). Specifying those purposes at the outset is likely to help you avoid the possibility of “function creep”. If you make sure that you process personal data in accordance with the other data protection principles, and that you have notified the Information Commissioner if you need to do so, you are likely to comply with the requirement to “specify” without doing anything more.
3rd, 4th and 5th principles: ensure you don’t hold excessive amounts of data; you should not hold personal data on the off-chance that it might be useful in the future.
4th principle: take reasonable steps to ensure the accuracy of any personal data you obtain; ensure that the source of any personal data is clear; carefully consider any challenges to the accuracy of information; and consider whether it is necessary to update the information.
5th principle (retention): consider the current and future value of the information; the costs, risks and liabilities associated with retaining the information; and the ease or difficulty of making sure it remains accurate and up to date.
6th principle: the right of access to what an organisation holds about them; a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and a right to claim compensation for damage caused by a breach of the Act.
7th principle: adequate security controls are in place to ensure the integrity and confidentiality of the personal information. Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach; be clear about who in your organisation is responsible for ensuring information security; be ready to respond to any breach of security swiftly and effectively.
8th principle: it is important to remember that all the data protection principles apply to overseas transfers of personal data, not just the eighth principle. So you must consider how you will comply with the other principles if you transfer.
Slide 5: The types of personal information an organisation may hold fall into two types. First, we have what is deemed personal…
Slide 6: And we also have sensitive/restricted information regarding a living individual. The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data. In particular, if you are processing sensitive personal data you must satisfy one or more of the conditions for processing which apply specifically to such data, as well as one of the general conditions which apply in every case. The nature of the data is also a factor in deciding what security is appropriate. The first data protection principle requires that you must be able to satisfy one or more “conditions for processing” in relation to your processing of personal data. Many (but not all) of these conditions relate to the purpose or purposes for which you intend to use the information. If you have a legitimate reason for processing personal data, the best approach is to focus on whether what you intend to do is fair. http://www.legislation.gov.uk/uksi/2000/417/contents/made
Slide 7: The ICO website holds information and guidance for educational establishments. The guidance covers information such as a student’s examination records, and in your packs I’ve included the specific guidance for access to pupils’ data in Scotland. FOI: this guidance gives examples of the kinds of information that we would expect colleges of further education to provide in order to meet their commitments under the model publication scheme. Any publication scheme you have that was created before 1 January 2009 is now out of date and you should replace it with the ICO model scheme. It sets out seven classes of information, how you should make the information available, what you can charge, and what you need to tell members of the public about the scheme. You are also required to tell the ICO that you have made these changes to your publication scheme.
Slide 8: To ensure some structure and generic reference within the Act, it uses roles defined as follows: data controller, usually an organisation, who determines how the personal data will be processed; data processors; data subject. Within an organisation it is paramount that all staff are aware of their role and responsibility for data protection and understand the consequences or enforcement of processing personal information. Some organisations, for example, will stipulate procedures within their policy if a member of staff breaches or does not comply with their responsibilities as a data processor; some organisations will develop specific contracts for staff who process personal data.
Slide 9: Within your organisation, North Glasgow College is the data controller. It is mandated that all organisations that process personal data must notify and register with the Information Commissioner’s Office. The register of data controllers is public information and available online. Click on the link, search the register and show Angus College’s notification; this documents all the purposes for which Angus College uses personal data and what they are processed for. The ultimate responsibility for adherence to the Data Protection Act lies with the data controller.
Slide 10: The Data Protection Act is enforced via the Information Commissioner’s Office. The ICO is an independent body set up to uphold our information rights, promote openness and transparency within the public sector and ensure data privacy for individuals. Click on the link to show the information and guidance available for organisations on data protection. There is also a Scottish Information Commissioner, who has jurisdiction over the management and enforcement of the Freedom of Information (Scotland) Act; the ICO has specific regulatory responsibility for data protection.
Slide 11: So how does the ICO act on breaches of the Data Protection Act by organisations? Well, they hit them where it hurts the most: money and reputation. The ICO has the power to fine an organisation up to a maximum penalty of £500,000 for the mismanagement of personal information.
A couple of recent examples: Sony were fined £250,000.
Another one closer to home is that of Borders Council… read slide. Slide 13: To determine the amount an organisation will be fined, the ICO uses a framework. They consider the seriousness of the breach, which would include the hurt or damage done to the persons whose data was involved. They also consider any mitigating or aggravating factors: your policies and procedures in place and what your organisation does to ensure compliance (mitigating); aggravating factors may be that this is your second or subsequent offence. Click on the link. And as I mentioned, the reputation of an organisation: all monetary fines and decisions pertaining to breaches are published on the website. The financial impact on the organisation: the case working group will take into account any financial hardship on the organisation; they want proof from the data controller, and this can be used as evidence for their case.
Slide 21: So how does an organisation ensure its compliance with the Data Protection Act? Well, I think it’s a mixture of these five attributes. It’s all very well having a policy that adheres to a certain level of information security and vocalises how an organisation will ensure the confidentiality and integrity of personal data, but quite another thing to embed that policy as process in an organisational culture. Most organisations will develop information governance processes and include all of these as part of the implementation of good practice to ensure adherence to the Data Protection Act. This can go further than just how to manage personal data: all of this can also be embedded to ensure good information management practice for all information within an organisation. People, process and policy are the three key ingredients of good information management: ensuring your valued assets are aware of their responsibilities, and that they understand the processes and policy your organisation works with. The more time spent on training and awareness, the better the adherence to your policies and processes.
Slide 22: Within an organisation, the ICO would view it as a mitigating factor in a breach if there is an effective management system in place for personal data. North Glasgow College has a data protection and IT security policy that documents exactly how staff must comply when working with personal data; it also includes measures to ensure the security of data, be it physical or electronic access. There are other areas that need organisations to have a policy or guidance in place for staff. With the onslaught of mobile devices, a lot of organisations need to consider what their policy is. A survey released in December last year: “Independent research commissioned by Cisco reveals that 73% of Local Government, Healthcare and Higher & Further Education organisations allow employees to use personal devices at work. But while the majority have begun to embrace BYOD, only 22% have put specific and enforceable policies in place for users. In addition, only 24% have installed security solutions on user devices.” Email is also an issue, and it must be specified within an organisation what can be shared or transferred over the internet via email. Ensuring staff are aware of these policies and what the implications are for them is how an organisation can develop a secure data culture. Know what you’ve got, where it is and what security controls must be applied. Most organisations work within a risk framework and apply levels of risk to their operational and production processes. Information is a valued asset in an organisation, and so it can be useful to measure risk to data and what the impact may be: a level of risk to an information asset, whether its loss means loss of revenue to the organisation or damage to reputation. Click on the link.
Slide 23: In creating an information asset register, or including information as an asset within your corporate risk register, you need to look at information and identify the risk to the information, then look at how to treat the risk by avoiding, reducing, transferring or accepting it. So it looks at what impacts the risk and how you can apply measures to mitigate the risk. An organisation should then actively monitor and review risk to ensure stability in their treatments. There are other tools that are worth considering: privacy impact assessments are useful if you are using third-party data processors, for example; PIAs can ensure that the external supplier adheres to the rigours of data protection and information security. Know what you’ve got, where it is and what security controls must be applied to ensure the continued integrity and confidentiality of that information.
Slide 24: We all have the right as individuals to ask organisations about the personal information they hold about us. These requests are referred to as subject access requests. A lot of organisations will specify on their website how they deal with a subject access request and what kind of information they hold. Click on the link to the SQA webpage and click on the link for the SAR form. It is vital that an organisation specifies who is responsible for dealing with SARs, and that this information is monitored and reviewed.
Slide 25: In dealing with SARs, it is imperative that an organisation has ownership/responsibility in place: who deals with them and who is involved in the procedure. Using good retention, it is important that these requests are logged and recorded properly and are kept for a specific amount of time. If the information being sent out involves other persons, you must make sure that those persons’ information has been redacted. Example: SQA exam logs from invigilators; all other persons who have been recorded must be redacted before sending out this information. Click on the link: there are specific exemptions within the DPA, which in the main are concerned with criminal proceedings, financial processes or management information within an organisation. Example of an exemption: the senior management of an organisation are planning a re-organisation. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the plans are revealed to the workforce, an employee makes a subject access request. In responding to that request, the organisation does not have to reveal its plans to make him redundant if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest in advance of an announcement of the management’s plans). Example: your examination script is exempt from release under the Data Protection Act. SQA markers are instructed not to add their comments to examination scripts, but occasionally this does happen. You are entitled to receive a copy of any marks or comments markers add to your script. We will provide these, if available, in response to your subject access request.
Examination marks and personal data contained in examination scripts; mention the handout on access to pupils’ information. Another consideration for personal data requests is when an organisation shares data with other organisations for a specific purpose. Data sharing agreements are extremely important to ensure data subjects are aware of how their personal information will be processed and what the external organisation is legitimately allowed to do with the data (mention the data sharing checklist and the code of practice for data sharing agreements).
Slide 26: Training and awareness are fundamental to creating good information governance. Click on the link: the ICO has created a useful toolkit for companies to download and use to raise awareness of protecting personal data. Coming along this morning is also useful in building up your ideas for moving forward with protecting personal information.
Slide 27: Another of the attributes I mentioned earlier that can help an organisation develop and embed good data protection process is records management, ensuring you have documented the… Read slide.
Slide 28: Example of a retention schedule dealing with subject access requests, from SQA. It documents exactly what the information comprises, how long it must be stored, whether it is a statutory or business requirement, and what treatment is used to complete the document’s lifecycle.
Slide 29: Technology is an integral part of ensuring security procedures are in place for the management of personal data. Most of this is very practical in nature and straightforward, but it is amazing to see staff in organisations doing things like working with sensitive information, leaving their desk and not locking their PC: a security breach just waiting to happen. An incident management team can be an effective way to govern both physical and electronic incidents, comprising a board and working group with responsibility to ensure compliance and awareness amongst staff.
Angus College has specified in their policy who owns and has responsibility for security measures. This also must be taken into consideration for the security of physical records and access to IT. Those who manage the network of the organisation must ensure access controls and permissions are in place so that only the right people gain access to the data they are allowed to view. Some organisations will introduce a security breach log to ensure any data breaches are reported, handled and resolved. And due to the flexibility these days of working practice, some institutions will create guidance and policy for staff. Click on the link to show remote working assessments to ensure security of data when working at home.
Slide 31: Don’t despair! The ICO may be the ones that dole out the financial fines, but they also have an excellent information dissemination policy and are there to help organisations embed and develop good information management practice. Click on the link: advisory visits; self-assessment. Data protection is ever evolving and is a developing piece of legislation; with our society being enslaved to an online environment, the ICO have created a code of practice on how organisations can process personal information online.
In summary:
Slide 33: We share our information everywhere now, and it is increasingly difficult to keep up to speed with who has your information and what they may be doing with it. With that in mind, click on the link.