1. Data Protection for Process S staff Matt Morrison, Information Rights Officer, Secretarys Office Matthew.Morrison@bristol.ac.uk Data-protection@bristol.ac.uk

2. What am I going to talk about? Relevant advice for student facing staff Some law, some good practice Where to go for guidance/advice Questions?

3. Background/definitions Data Protection Act 1998 – commenced in March 2000 and governs use of personal data. Guided by eight main principles. Personal data – data relating to a living, identifiable individual, includes letters, faxes, emails (held electronically or in hard copy), handwritten notes, photographs, CCTV footage, audio tapes Processing – anything done with personal data e.g. obtaining, holding, altering, analysing, disclosing, destroying.

4. Taking data security more seriously Information Commissioner increased powers to fine organisations for DPA breaches in April 2010 – up to £500,000 Largest fine so far £130,000 – sending of sensitive data in relation to child protection case to wrong person Reputational damage unquantifiable – drop in applications, loss of research funding etc. Message from Deputy Vice-Chancellor requiring completion of new data security module by all staff (existing and incoming)

5. The principles 1. Personal data shall be processed fairly and lawfully (consent, essentially) 2. Personal data shall be used only for the purposes for which it has been obtained 3. Personal data shall be adequate, relevant and not excessive (do not collect irrelevant personal data) 4. Personal data shall be accurate and up to date

6. The principles 5. Personal data shall not be kept for longer than is necessary 6. Personal data shall be processed in accordance with the rights of the data subject (access request, right to prevent processing etc.) 7. Appropriate technical and organisational measures taken to prevent against loss of or damage to personal data (physical and electronic security measures, training/awareness etc.) 8. Personal data not transferred outside European Economic Area without fulfilling certain conditions

7. Sensitive data Sensitive data as defined in DPA – afforded extra levels of security Racial/ethnic origin Political views Religious beliefs (or similar) Trade union membership Physical or mental health Sexual life Information relating to a criminal offence Be careful about sharing of this information even within the University. Should only be accessed by those who have a need to see it e.g. extenuating circumstances form including medical info Breach involving sensitive data = far more serious

8. University data classifications University internal data classifications: http://www.bris.ac.uk/infosec/uobdata/classifications/ http://www.bris.ac.uk/infosec/uobdata/classifications/ To guide how confidentially different types of information should be treated within the University Access to information based upon need to access that information to perform role

9. Choosing when to write Most likely to be dealing with written documents – emails, letters, minutes etc. Be aware that any document identifying an individual could be disclosed to that individual – think before you write! Requests often made in relation to an appeal/grievance Is an email always appropriate? Could you talk face to face or over the phone? May be able to discuss more openly All emails, even non-personal, could be subject to disclosure into the public domain under the Freedom of Information Act Guidance on access to emails: http://www.bris.ac.uk/secretary/dataprotection/emails http://www.bris.ac.uk/secretary/dataprotection/emails

10. Alternatives to email Quickfire nature of emails: Data breaches often occur when sending personal data via email – sending to wrong address, accidental Reply-all Can protect against human error by: Using shared file spaces to store personal data – no data needs to be sent Use of Staff Desktop when working remotely If personal data does need to be sent by email, ensure it is encrypted before sending (very easy in Office 2007 and 2010) Encryption advice can be found at: http://www.bris.ac.uk/infosec/uobdata/encrypt/ http://www.bris.ac.uk/infosec/uobdata/encrypt/

11. Right of access All students (and staff) have the right to access their personal data held by the University – can be student file or can specify documents Application can be made using subject access request form: http://www.bris.ac.uk/secretary/dataprotection/individ/subjectaccess. html http://www.bris.ac.uk/secretary/dataprotection/individ/subjectaccess. html Required to provide £10 fee plus proof of identity

12. Access to exam scripts Exemption under the Act in relation to exam scripts – not required to disclose Students are entitled to receive a breakdown of their marks and any comments made by examiners – can be made easier by using separate marking sheet

13. Third party enquiries Parent/family/guardian queries Relationship is between the student (as an adult) and the University Generally do not disclose student personal data without consent Explain that we require a students consent rather than because of data protection Can offer to pass message on from caller Certain provisions outside of consent if there are particular concerns about a student

14. Third party enquiries Can also come from police, local councils, fraud investigators, insurance companies, solicitors and others Happy for these to be referred on to Secretarys Office as they generally rely on a DPA provision outside of consent and require legal consideration A number of routine disclosures we make e.g. HESA, local councils – notified to students via Student Agreement

15. Offsite working Do not store any personal data on non-UoB owned computing equipment – PCs, laptops, memory sticks, portable devices. All UoB devices should have full disk encryption. Use Staff Desktop wherever possible: http://www.bristol.ac.uk/it- services/advice/homeusers/remote/staffdesktop/http://www.bristol.ac.uk/it- services/advice/homeusers/remote/staffdesktop/ Can access emails, work on documents without storing any data on non-UoB equipment. Shouldnt really need to carry personal data on portable devices. Hard copies of personal data – only when totally necessary and with appropriate security measures. Can the info be accessed via Staff Desktop?

16. Guidance / advice Data Protection website: http://www.bristol.ac.uk/secretary/dataprotection/ http://www.bristol.ac.uk/secretary/dataprotection/ Information Security website: http://www.bris.ac.uk/infosec/http://www.bris.ac.uk/infosec/ Mandatory data security training module: http://www.bris.ac.uk/infosec/training/ http://www.bris.ac.uk/infosec/training/ How to encrypt documents: http://www.bristol.ac.uk/it- services/learning/documentation/encrypt-1/encrypt-1il.pdfhttp://www.bristol.ac.uk/it- services/learning/documentation/encrypt-1/encrypt-1il.pdf Information Security Manager (Richard Hopkins): cert@bristol.ac.ukcert@bristol.ac.uk

17. Thanks for listening Any questions?