Law, ICT and Data Protection jiscleg.al/DataProtection
Common Scenarios A parent requests information on son’s progress Police request information on one of your students A tutor asks to see a reference supplied by her supervisor An employer requests information on an employee’s attendance Personal details of a student disclosed in confidence appear on FB A staff mobile phone containing sensitive data is lost Internal sharing of data amongst staff External sharing of data - ALL have DP compliance implications
Why Comply? 1.It’s the law 2.Good business practice 3.Sets a good example 4.Confidence 5.Risk (ID theft)
When it comes to data protection... 1.I’m confident 2.I’ve a fair idea 3.I dabble 4.I ask others 5.I hide in the toilet
Recent Headlines Serious Data Protection Risks for App Users Unencrypted Devices Pose ‘Unnecessary Risk’ for Sensitive Data Think Before You Tweet or Risk Arrest Teacher in FB Meltdown University Sends Personal Data to Wrong Recipient University Breaches DPA by Disclosing Personal Data on Website Negligent Employees and Contractors Cause 36% of UK Data Breaches Duplicate Password Use by School Leads to data breach FB Comments Result in sacking
10 Data Protection Law Data Protection Act 1998 Information Commissioner (www.ico.gov.uk)www.ico.gov.uk Other relevant law: Freedom of Information Act 2000 Privacy and Electronic Communications Regs 2003 Protection of Freedoms Act 2012
11 Data Protection Essentials “Data protection..regimes…do not seek to protect data itself,... they seek to provide the individual with a degree of control over the use of their personal data” “data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion” Source: DP Code of Practice for FE and HE i.e. Data Protection law does not prevent using and sharing personal data but.. ICO power to impose fines direct for serious security breaches
Understanding Your Duties Data Subject Data Controller Data Processor Processing
NCT contracts with Help4U to produce pay slips. Unfortunately, Help4U send the payslips to the wrong recipients. Who is liable? 1.The college as data controller 2.The processor as they caused the error 3.Both the data controller and the processor 4.Neither
What is Personal Data? Any information which relates to an identified or identifiable person Living persons Must be significant biographical information which affects privacy Sensitive personal data
Which of the following is likely to be covered by the DPA? 1.a deceased staff member’s email account 2.numerals to identify students in a VLE 3.documents relating to a disciplinary matter 4.‘John Smith’ on a post it on a monitor
The 8 Data Protection Principles – key to compliance 1.fair and lawful 2.limited purposes 3.adequate, relevant and not excessive 4.accurate and current 5.not kept longer than necessary 6.respect the rights of the individual 7.appropriate security 8.transfer outside EEA needs adequate protection
17 Fair Processing… and Lawful Processing A processing notice – transparency Weighing up interests v privacy Would you be happy?
Lawful Processing and Lawful Processing To process, a Schedule 2 condition must be met: Consent Legitimate interest of the data controller Fulfilment of a contractual obligation More stringent conditions for ‘sensitive’ personal data 18
One of these is fair and lawful. Which? 19 1.The college releases details on student attendance to a parent 2.The college collects name and contact details of all students 3.A tutor puts personal details of a student on his Facebook account
A college keeps all emails for 10 years. Is this in line with the DPA? 20 1.Yes 2.No 3.Might be 4.Not sure
New College Telford should give out information about students and staff to other organisations 21 1.Never 2.Rarely 3.Freely upon request 4.Only when the person gives permission 5.Only when a senior manager authorises it
Information can be shared freely internally (between staff) within your organisation 1.True 2.False 3.Not sure 22
When handling personal data in your role consider: 1.Purpose: what data do you hold and why are you collecting personal data? 2.Fairness: is the reason fair to the data subject? 3.Transparency: does the data subject know about it? 4.Security: is there an appropriate level of security? Important Points…
1.Supply it - nothing wrong in doing this 2.Supply it – learner is under 18 3.Withhold it as he should never access it 4.Withhold it until you have consent A father asks for information on his son’s progress. Do you…
1.Supply it because it’s the police 2.Supply it only when you know what it’s for and think it is relevant information to the investigation 3.Never supply it The police arrive at reception asking for a student’s address, his record of attendance and whether he is currently in class. What should you do?
1.Password protection and encryption 2.None as kept on campus 3.It depends on the type of information What security should be on devices holding personal data?
1.Copy them on to a USB memory stick to take with you 2.Use your own laptop or tablet after consulting IT, checking policy and ensuring security 3.Email them to your webmail 4.Log into and save to the college network from home You want to finish student profile reports at home. What do you do?
1.The College is liable for the breach 2.There is no liability, it was an accident, not deliberate 3.The member of staff is liable not the college A member of staff clicks the wrong email group and sends personal info about a student’s health to other students instead of relevant tutors. Who is liable?
Where the DP policy is, how to access it and its contents Have awareness of DP and how it may affect students, staff etc. That what you’re doing is covered by the data protection notice to students, staff etc. How to store/share personal information on and off campus How to keep personal information secure (mobiles, social networking) Where to get help What should you know?
Sources of Help Your institution’s DP officer Your institutional policies and procedures email@example.com and www.jisclegal.ac.uk (code of practice)firstname.lastname@example.org www.jisclegal.ac.uk