Slide 1 Wednesday, 3 July 2013 Sir George Monoux College Data Protection: Confident in Compliance.

Presentation transcript:

Slide 1 Wednesday, 3 July 2013 Sir George Monoux College Data Protection: Confident in Compliance

Slide 2 Hi! Jason Miles-Campbell JISC Legal Service Manager

Slide 3

Slide 4 Law, ICT and Data Protection jiscleg.al/DataProtection

Slide 5 Have you heard of JISC Legal before?
1. Hello again, Jason
2. Yes, fairly often
3. Yes, used occasionally
4. Vague acquaintance
5. What’s that, then?

Slide 6 When it comes to data protection...
1. I’m confident
2. I’ve a fair idea
3. I dabble
4. I ask others
5. I hide in the toilet

Slide 7 Relevant Law
- Data Protection Act 1998
- Freedom of Information Act 2000
- Privacy and Electronic Comms Regs 2003
- Protection of Freedoms Act

Slide 8 Why Comply?
1. It’s the law
2. Good business practice
3. Sets a good example
4. Confidence
5. Risk (id theft)

Slide 9 Common Scenarios
- A parent requests information on son’s progress
- Police request information on one of your students
- A tutor asks to see a reference supplied by her supervisor
- An employer requests information on an employee’s attendance
- Personal details of a student disclosed in confidence appear on FB
- A staff mobile phone containing sensitive data is lost
- Internal sharing of data amongst staff
- External sharing of data
ALL have DP compliance implications

Slide 10 Data Protection Essentials
“Data protection..regimes…do not seek to protect data itself, rather they seek to provide the individual with a degree of control over the use of their personal data”
“data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion”
Source: DP Code of Practice for FE and HE
Criminal Justice and Immigration Act 2008 – gives ICO power to impose fines direct for serious security breaches

Slide 11 Understanding Your Duties
- Data Subject
- Data Controller
- Data Processor
- Processing

Slide 12 Which one of the following is likely to be covered by the DPA?
1. a deceased staff member’s account
2. Student ID numbers in a VLE
3. documents relating to a disciplinary matter
4. ‘John Smith’ on a post-it on a monitor

Slide 13 The Age of Data Protection
From what age does DP apply to protect someone?
1. From birth
2. From age 5
3. From age 12
4. From age 16
5. From age 18

Slide 14 What is Personal Data?
- Any information which relates to an identified or identifiable person
- Living persons
- Must be significant biographical information which affects privacy
- Sensitive personal data

Slide 15 The Eight DP Principles
1: fair and lawful
2: limited purposes
3: adequate, relevant and not excessive
4: accurate and current
5: not kept longer than necessary
6: respect the rights of the individual
7: appropriate security
8: transfer outside EEA needs adequate protection

Slide 16 The 8 Data Protection Principles Data Protection Act 1998

Slide 17 1: Fair and Lawful
Requires:
- Information
- Consideration of competing interests (benefits of processing v privacy)
- Judgement as to whether a ‘Schedule 2 Condition’ has been met

Slide 18 Fair and Lawful Processing
Fair processing –
- A processing notice – transparency
- Weighing up interests v privacy
- Would you be happy?

Slide 19 Fair and Lawful Processing
Lawful processing - To process, a Schedule 2 condition must be met:
- Consent
- Legitimate interest of the data controller
- Fulfilment of a contractual obligation
More stringent conditions for ‘sensitive’ personal data

Slide 20 The Age of Data Protection
From what age can someone give DP consent?
1. From birth
2. From age 5
3. From age 12
4. From age 16
5. From age 18

Slide 21 One of these is fair and lawful. Which?
1. The college releases details on student attendance to a parent
2. The college collects name and contact details of all students
3. A tutor puts personal information about a student on Facebook

Slide 22 Sensitive Personal Data
- Explicit consent
- Fulfilment of employment law
- Protection of vital interests
- Needed for administration of justice / legal proceedings

Slide 23 2: Limited Purposes
- Consider all uses and future uses
- State the purposes when collecting the data
- Stick to using the data for those purposes
- If a further purpose arises, you need to seek further consent

Slide 24 Clarity of Purpose
1. Purpose is clear
2. Could be clearer
3. No clarity at all

Slide 25 A Sample Data Protection Statement
JISC Legal undertake to treat your personal data in accordance with the provisions of the Data Protection Act. The data given will only be used to register you for the JISC Legal Newsletter on the JISCmail system. You can read the details of our Privacy policy at

Slide 26 A college decides to retain all emails for a period of 10 years. Is this in line with the DPA?
1. Yes
2. No
3. Depends
4. Don’t know

Slide 27 Scenario
A college collects names and addresses of students. It outsources IT support. The students start to receive targeted emails.

Slide 28 3: Adequate, Relevant, Not Excessive
- Follows from purposes
- Good records management practice
- See Jisc infoNet
- No duties with respect to personal data you no longer hold!

Slide 29 4 & 5: Accuracy and Currency
- Kept up-to-date
- Kept no longer than necessary

Slide 30 6: The Individual’s Rights
- S.10 Substantial prejudice
- S.12 Right to stop automatic processing

Slide 31 6: The Individual’s Rights
S.7 the Data Subject Access Request
- Allows access to personal data
- Exemptions: request not in writing, or fee not paid; requester cannot verify identity; disclosure of third party personal data; disclosure of third party as source; certain health, education, social work records

Slide 32 Scenario
A tutor writes a reference for a student in the college. The student doesn’t get the job and makes a S.A.R. asking the college to see the reference. What should the college do?

Slide 33 7: Security Data must be secure (organisationally and technically)

Slide 34 Information Security
- Password and access, encryption for mobile devices
- Authority to transfer/share information with third parties – see section in Code of Practice
- Compliance with recognised standards – what the ICO expects?
- UCISA Information Security Toolkit may help

Slide 35 Over to You
A college contracts with Help4U to process staff personal data to produce pay slips. Unfortunately the names, addresses, bank details and account numbers are sent to the wrong recipient. Who is liable?

Slide 36 Who is liable?
1. The college as data controller
2. The processor as they caused the error
3. Both the data controller and the processor
4. Neither

Slide 37 Scenario
A laptop is used on site to record learner progress. A tutor wishes to work from home so he copies the files of five students onto a USB and takes it home. It is accidentally dropped in the car park of the train station.

Slide 38 Security Situations
Where are the greatest security risks?
1. At your desk
2. On your laptop
3. On your mobile phone
4. On the train
5. At home

Slide 39 Appropriate Security
- Your PC
- Your laptop
- Your mobile phone
- Your IT infrastructure / VLE
- Your desk
- Your rubbish

Slide 40 8: Transfer Out of EEA Data must not be transferred out of Europe without adequate security …..

Slide 41 Important Points
When handling personal data in your role:
1. Purpose: why are you collecting personal data,
2. Fairness: is the reason fair to the data subject and
3. Transparency: does the data subject know about it
4. Security: at an appropriate level of security

Slide 42 Over to you
Some Scenarios……..

Slide 43 A parent asks for information on her son’s progress. Do you…
1. Supply it - nothing wrong in doing this
2. Supply it – he is under 18
3. Withhold it as she should never access it
4. Withhold it until you have consent of her son

Slide 44 A student asks his tutor if he can see the reference the tutor wrote for him. Do you
1. Say no - he has no right to see it under DPA
2. Say yes – he is entitled under DPA to see it
3. Not sure so seek help before replying

Slide 45 The police ask for information on one of your students. Do you…
1. Supply it because it’s the police
2. Supply it only when you know what it’s for and think it is relevant information to the investigation
3. Never supply it

Slide 46 The College decides to retain all emails for a period of 10 years. Is this in line with the DPA?
1. Yes
2. No
3. Maybe
4. Can I phone a friend?

Slide 47 A member of staff clicks the wrong group and instead of sending to relevant tutors, sends info relating to student health issues to other students.
1. The College is liable for the breach
2. There is no liability, it was an accident, not deliberate
3. The member of staff is liable not the College

Slide 48 What security should be on mobile devices holding personal data?
1. Password protection and encryption
2. None as only used on College premises
3. It depends on the type of information

Slide 49 Forming a Strategy
- Establish practices to protect individuals and allow the college to carry out operational business without compromising privacy.
- Address risks of data loss and invasion of privacy.
- Build DP safeguards into day to day practice.
- Ensure that this is embedded within the college (training).

Slide 50 Policy and Procedures
Implement your strategy Share with all staff Training Records Future proof (technologies) Consistency Response

Slide 51 What proportion of your teaching staff know about your DP policy?
1. Nearly all
2. A majority
3. Half
4. A minority
5. Hardly any

Slide 52 Website
Should have a privacy statement which
- Complements full DP policy
- States what is done with information collected
Cookie regulations – in force 26 May 2012

Slide 53 What should be in place?
- DP policy in place and a regular review date
- New developments which may affect your DP policy:
- Mechanism for conducting a privacy impact assessment at planning stage of new project
- Guidance and training for staff/student use of social networking and web 2.0 tools, laptops, memory sticks and other ‘mobiles’
- Information Security standards
- Website information on privacy and cookies

Slide 54 What should you know?
- Where the DP policy is, how to access it and its contents
- Have awareness of DP and how it may affect students, staff etc.
- That what you’re doing is covered by the data protection notice to students, staff etc.
- How to store/share personal information on and off campus
- How to keep personal information secure (mobiles, social networking)
- Where to get help

Slide 55 Sources of help Your institution’s DP officer Your institutional policies and procedures and (code of practice)

Slide 56 Next steps?
1. Go back and say well done!
2. Start a conversation with management
3. Re-write a few policies
4. Monitor what’s in place already
5. Get further support
6. Point at someone else and say ‘his problem!’ or ‘her problem!’

Slide 57 ? Questions and Follow Up Today!