Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Friday, 15 March 2013 Confident in Data Protection Compliance Ayrshire College.

Published bySalvador Brumfield Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Friday, 15 March 2013 Confident in Data Protection Compliance Ayrshire College."— Presentation transcript:

1 Slide 1 Friday, 15 March 2013 Confident in Data Protection Compliance Ayrshire College

2 Slide 2 Hi! Jason Miles-Campbell JISC Legal Service Manager jason.miles-campbell @jisclegal.ac.uk 0141 548 4939 www.jisclegal.ac.uk

3 Slide 3

4 Slide 4 Law, ICT and Data Protection jiscleg.al/DataProtection

5 Slide 5 Have you heard of Jisc Legal before? 1.Hello again, Jason 2.Yes, fairly often 3.Yes, used occasionally 4.Vague acquaintance 5.What’s that, then?

6 Slide 6 When it comes to data protection... 1.I’m confident 2.I’ve a fair idea 3.I dabble 4.I ask others 5.I hide in the toilet

7 Slide 7 Relevant Law Data Protection Act 1998 Freedom of Information Act 2000 Privacy and Electronic Comms Regs 2003 Protection of Freedoms Act 2012 www.ico.gov.uk

8 Slide 8 Why Comply? 1.It’s the law 2.Good business practice 3.Sets a good example 4.Confidence 5.Risk (ID theft) 6.All of the above

9 Slide 9 Some DP Terminology Data Subject Data Controller Data Processor A Relevant Filing System Processing

10 Slide 10 Which one of the following is likely to be covered by the DPA? 1.a deceased staff member’s email account 2.Student ID numbers in a VLE 3.documents relating to a disciplinary matter 4.‘John Smith’ on a post-it on a monitor

11 Slide 11 What is Personal Data? Any information which relates to an identified or identifiable person Living persons Must be significant biographical information which affects privacy Sensitive personal data

12 Slide 12 Common Scenarios A parent requests information on son’s progress Police request information on one of your students A tutor asks to see a reference supplied by her supervisor An employer requests information on an employee’s attendance Personal details of a student disclosed in confidence appear on FB A staff mobile phone containing sensitive data is lost Internal sharing of data amongst staff External sharing of data - ALL have DP compliance implications

13 Slide 13 Data Protection Essentials “Data protection..regimes…do not seek to protect data itself, rather they seek to provide the individual with a degree of control over the use of their personal data” “data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion” (Source: DP Code of Practice for FE and HE) i.e. Data Protection law does not prevent using and sharing personal data lawfully and fairly

14 Slide 14 Some Particular Issues Institutional mergers Institutional splits Retention periods - European Social Fund requirements

15 Slide 15 The 8 Data Protection Principles Data Protection Act 1998

16 Slide 16 1: Fair and Lawful Consent Legitimate interest of the data controller Fulfilment of a contractual obligation

17 Slide 17 One of these is fair and lawful. Which? 1.The college releases details on student attendance to a parent 2.The college collects name and contact details of all students 3.A tutor puts personal details of a student on his FB account

18 Slide 18 Sensitive Personal Data Explicit consent Fulfilment of employment law Protection of vital interests Needed for administration of justice / legal proceedings

19 Slide 19 A college collects names and addresses of students. It outsources IT support. The students start to receive targeted emails. Scenario Scenario

20 Slide 20 2: Limited Purposes Consider all uses and future uses State the purposes when collecting the data Stick to using the data for those purposes If a further purpose arises, you need to seek further consent

21 Slide 21 A Sample Data Protection Statement JISC Legal undertake to treat your personal data in accordance with the provisions of the Data Protection Act 1998. The data given will only be used to register you for the JISC Legal Newsletter on the JISCmail system. You can read the details of our Privacy policy at www.jisclegal.ac.uk/privacystate.htm

22 Slide 22 A college decides to retain all emails for a period of 10 years. Is this in line with the DPA? 1.Yes 2.No 3.Depends 4.Don’t know

23 Slide 23 3: Adequate, Relevant, Not Excessive Follows from purposes Good records management practice See Jisc infoNet No duties with respect to personal data you no longer hold!

24 Slide 24 4 & 5: Accuracy and Currency Kept up-to-date Kept no longer than necessary

25 Slide 25 6: The Individual’s Rights S.10 Substantial prejudice S.12 Right to stop automatic processing

26 Slide 26 6: The Individual’s Rights S.7 the Data Subject Access Request Allows access to personal data Exemptions: – request not in writing, or fee not paid; requester cannot verify identity; disclosure of third party personal data; disclosure of third party as source; certain health, education social work records

27 Slide 27 A tutor writes a reference for a student in the college. The student doesn’t get the job and makes a S.A.R. asking the college to see the reference. What should the college do? Scenario Scenario

28 Slide 28 7: Security Data must be secure (organisationally and technically)

29 Slide 29 Password and access, encryption for mobile devices Authority to transfer/share information with third parties – see section in Code of Practice Compliance with recognised standards – what the ICO expects? UCISA Information Security Toolkit may help Information Security Information Security

30 Slide 30 Ayr College contracts with Help4U to process staff personal data to produce pay slips. Unfortunately the names, addresses, bank details and account numbers are sent to the wrong recipient. Who is liable? Over to You Over to You

31 Slide 31 Who is liable? 1.The college as data controller 2.The processor as they caused the error 3.Both the data controller and the processor 4.Neither

32 Slide 32 A laptop is used on campus to create personal profiles of learners. A tutor wishes to work from home so he copied the files of 5 students onto a USB and takes it home. It is accidentally dropped in the car park of the train station...... Scenario Scenario

33 Slide 33 8: Transfer Out of EEA Data must not be transferred out of Europe without adequate security …..

34 Slide 34 In developing your data protection strategy, consider: 1.Purpose: why are you collecting personal data, 2.Fairness: is the reason fair to the data subject and 3.Transparency: does the data subject know about it 4.Security: at an appropriate level of security Important Points Important Points

35 Slide 35 Establish practices to protect individuals and allow the college to carry out operational business without compromising privacy. Address risks of data loss and invasion of privacy. Build DP safeguards into day to day practice. Ensure that this is embedded within the college (training). Forming a Strategy Forming a Strategy

36 Slide 36 “All operational emails will be accessible on the ___ drive” “We will protect privacy by…..” Forming a Strategy Forming a Strategy

37 Slide 37 Implement your strategy Share with all staff Training Records Future proof (technologies) Consistency Response Policy and Procedures Policy and Procedures

38 Slide 38 Should have a privacy statement which Complements full DP policy States what is done with information collected Cookie regulations – in force 26 May 2012 Website Website

39 Slide 39 DP policy in place and a regular review date New developments which may affect your DP policy: Mechanism for conducting a privacy impact assessment at planning stage of new project Guidance and training for staff/student use of social networking and web 2.0 tools laptops memory sticks and other ‘mobiles’ Information Security standards Website information on privacy and cookies What should be in place? What should be in place?

40 Slide 40 40 Police arrive at the front reception requesting to confirm the address of one of your students, his record of attendance at the college, and whether he is currently in class. What should you do? Scenario Scenario

41 Slide 41 41 A father calls saying that he understands his son needs to pay the year 2 course fees for the BTEC HND in Construction, and also has some library fines to pay – he’d like to make payment on his son’s behalf. What do you do? Scenario Scenario

42 Slide 42 42 A college carried out Disclosure Scotland checks for a new cleaner. A colleague asks her boss whether she should be concerned about the shoplifting and security of personal items in college. Scenario Scenario

43 Slide 43 43 Staff are encouraged to use their own mobile devices when processing information, including personal data. How should the college handle this?

44 Slide 44 44 Staff use FB to chat to students…. Scenario Scenario

45 Slide 45 45 An employer emails asking for the grades and attendance record of a student being sponsored by them through their college studies. What do you do? Scenario Scenario

46 Slide 46 A member of staff discloses to his line manager in confidence a health issue. The member of staff is upset when a colleague in another department says he’s sorry to hear he’s not well. Scenario Scenario

47 Slide 47 47 A college is finished with various hard drives so it contracts with a company who have a really persuasive website to dispose of them securely. Unfortunately, the drives then appear for sale on ebay. What is the college’s liability here?

48 Slide 48 48 A tutor receives a request from a JISC project asking for details of a student who has done well in a technology-based course, for the purposes of making a case study. They only want first name and email address. What do you do? Scenario Scenario

49 Slide 49 Sources of help info@jisclegal.ac.uk and www.jisclegal.ac.uk (code of practice) www.ico.gov.uk (checklists) info@jisclegal.ac.ukwww.jisclegal.ac.uk www.ico.gov.uk University of Edinburgh - http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/D ataProtection.htm http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/D ataProtection.htm UCISA Information Security Toolkit and others http://www.ucisa.ac.uk/publications.asp http://www.ucisa.ac.uk/publications.asp ICO – privacy impact assessments / general guidance JISC InfoNet on records management and data retention

50 Slide 50 Summary Make all staff aware of data protection Consider what personal data you hold Ensure you’ve stated the purposes for which the data will be used Observe the data protection principles Periodically review what personal data you hold Ensure the college’s notification allows this

51 Slide 51 Common Scenarios A parent requests information on son’s progress Police request information on one of your students A tutor asks to see a reference supplied by her supervisor An employer requests information on an employee’s attendance Personal details of a student disclosed in confidence appear on FB A staff mobile phone containing sensitive data is lost Internal sharing of data amongst staff External sharing of data - ALL have DP compliance implications

52 Slide 52 Next Steps? 1.Go back and say well done! 2.Start a conversation with management 3.Re-write a few policies 4.Monitor what’s in place already 5.Get further support 6.Point at the guy over there and say ‘his problem!’

53 Slide 53 ? www.jisclegal.ac.uk info@jisclegal.ac.uk 0141 548 4939 Questions and Follow Up Questions and Follow Up

Download ppt "Slide 1 Friday, 15 March 2013 Confident in Data Protection Compliance Ayrshire College."

Similar presentations

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.

Numbers Treasure Hunt Following each question, click on the answer. If correct, the next page will load with a graphic first – these can be used to check.
Scenario: EOT/EOT-R/COT Resident admitted March 10th Admitted for PT and OT following knee replacement for patient with CHF, COPD, shortness of breath.

Scenario: EOT/EOT-R/COT Resident admitted March 10th Admitted for PT and OT following knee replacement for patient with CHF, COPD, shortness of breath.
AP STUDY SESSION 2.

AP STUDY SESSION 2.
1

1
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 4 Computing Platforms.
RXQ.11.4.1 Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment (11.3.2.1)

RXQ Customer Enrollment Using a Registration Agent (RA) Process Flow Diagram (Move-In) Customer Supplier Customer authorizes Enrollment ( )
Instructions for Filling out the Reintegration Opportunity Report Savable PDF Training.

Instructions for Filling out the Reintegration Opportunity Report Savable PDF Training.
David Burdett May 11, 2004 Package Binding for WS CDL.

David Burdett May 11, 2004 Package Binding for WS CDL.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination. Introduction to the Business.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination. Introduction to the Business.
The Managing Authority –Keystone of the Control System

The Managing Authority –Keystone of the Control System
Prepared by: Workforce Enterprise Services For: The Illinois Department of Commerce and Economic Opportunity Bureau of Workforce Development ENTRY OF EMPLOYER.

Prepared by: Workforce Enterprise Services For: The Illinois Department of Commerce and Economic Opportunity Bureau of Workforce Development ENTRY OF EMPLOYER.
Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.

Local Customization Chapter 2. Local Customization 2-2 Objectives Customization Considerations Types of Data Elements Location for Locally Defined Data.
Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.

Process a Customer Chapter 2. Process a Customer 2-2 Objectives Understand what defines a Customer Learn how to check for an existing Customer Learn how.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.

Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
Custom Services and Training Provider Details Chapter 4.

Custom Services and Training Provider Details Chapter 4.
CALENDAR.

CALENDAR.
1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.

1 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt 10 pt 15 pt 20 pt 25 pt 5 pt BlendsDigraphsShort.
Applicable for Persons Registered under Article 10

Applicable for Persons Registered under Article 10
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.

1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.

Similar presentations

Ads by Google