Slide 4 Law, ICT and Data Protection jiscleg.al/DataProtection
Slide 5 Have you heard of JISC Legal before? 1.Hello again, Jason 2.Yes, fairly often 3.Yes, used occasionally 4.Vague acquaintance 5.What’s that, then?
Slide 6 When it comes to data protection... 1.I’m confident 2.I’ve a fair idea 3.I dabble 4.I ask others 5.I hide in the toilet
Slide 7 7 www.ico.gov.uk Data Protection Act 1998
Slide 8 Why Comply? 1.It’s the law 2.Good business practice 3.Sets a good example 4.Confidence 5.Risk (id theft)
Slide 9 9 9 Data Protection Essentials “Data protection..regimes…do not seek to protect data itself, rather they seek to provide the individual with a degree of control over the use of their personal data” “data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion” Source: DP Code of Practice for FE and HE i.e. Data Protection law does not prevent using and sharing personal data but.. Criminal Justice and Immigration Act 2008 – gives ICO power to impose fines direct for serious security breaches
Slide 10 10 Understanding Your Duties Data Subject Data Controller Data Processor Processing
Slide 11 11 What is Personal Data? Any information which relates to an identified or identifiable person Living persons Must be significant biographical information which affects privacy Sensitive personal data
Slide 12 The Age of Data Protection 1.From birth 2.From age 5 3.From age 12 4.From age 16 5.From age 18 From what age does DP apply to protect someone?
Slide 13 1: fair and lawful 2: limited purposes 3: adequate, relevant and not excessive 4: accurate and current 5: no kept longer than necessary 6: respect the rights of the individual 7: appropriate security 8: transfer outside EEA needs adequate protection The Eight DP Principles
Slide 14 14 Fair and Lawful Processing Fair processing – A processing notice – transparency Weighing up interests v privacy Would you be happy?
Slide 15 15 Fair and Lawful Processing Lawful processing - To process, a Schedule 2 condition must be met: Consent Legitimate interest of the data controller Fulfilment of a contractual obligation More stringent conditions for ‘sensitive’ personal data
Slide 16 The Age of Data Protection 1.From birth 2.From age 5 3.From age 12 4.From age 16 5.From age 18 From what age can someone give DP consent?
Slide 17 Security Situations 1.At your desk 2.On your laptop 3.On your mobile phone 4.On the train 5.At home Where are the greatest security risks?
Slide 18 18 Appropriate Security Your PC Your laptop Your mobile phone Your IT infrastructure / VLE Your desk Your rubbish
Slide 19 When handling personal data in your role: 1.Purpose: why are you collecting personal data, 2.Fairness: is the reason fair to the data subject and 3.Transparency: does the data subject know about it 4.Security: at an appropriate level of security Important Points Important Points
Slide 20 Some Scenarios…….. Over to you Over to you
Slide 21 A parent asks for information on her son’s progress. Do you… 1.Supply it - nothing wrong in doing this 2.Supply it – he is under 18 3.Withhold it as she should never access it 4.Withhold it until you have consent of her son
Slide 22 The police ask for information on one of your students. Do you… 1.Supply it because it’s the police 2.Supply it only when you know what it’s for and think it is relevant information to the investigation 3.Never supply it
Slide 23 A student asks his tutor if he can see the reference the tutor wrote for him. Do you 1.Say no - he has no right to see it under DPA 2.Say yes – he is entitled under DPA to see it 3.Not sure so seek help before replying
Slide 24 The College decides to retain all emails for a period of 10 years. Is this in line with the DPA? 1.Yes 2.No 3.Maybe 4.Can I phone a friend?
Slide 25 A member of staff clicks the wrong email group and instead of sending to relevant tutors, sends info relating to student health issues to other students. 1.The College is liable for the breach 2.There is no liability, it was an accident, not deliberate 3.The member of staff is liable not the College
Slide 26 What security should be on mobile devices holding personal data? 1.Password protection and encryption 2.None as only used on College premises 3.It depends on the type of information
Slide 27 Where the DP policy is, how to access it and its contents Have awareness of DP and how it may affect students, staff etc. That what you’re doing is covered by the data protection notice to students, staff etc. How to store/share personal information on and off campus How to keep personal information secure (mobiles, social networking) Where to get help What should you know? What should you know?
Slide 28 Sources of help Your institution’s DP officer Your institutional policies and procedures firstname.lastname@example.org and www.jisclegal.ac.uk (code of practice) email@example.com
Slide 29 Next steps? 1.Go back and say well done! 2.Start a conversation with management 3.Re-write a few policies 4.Monitor what’s in place already 5.Get further support 6.Point at someone else and say ‘his problem!’ or ‘her problem!’
Slide 30 ? www.jisclegal.ac.uk firstname.lastname@example.org 0141 548 4939 Questions and Follow Up Questions and Follow Up http://jiscleg.al/sgm 3pm Friday