Data Protection STFC Presentation to PPD Senior Staff 26/11/2009 FoI/DP team


Upload: charles-shaw

Post on 01-Jan-2016


Page 1

Data Protection

STFC Presentation to PPD Senior Staff

26/11/2009 FoI/DP team

Page 2

Background to the present FoI/DP function

• CCLRC used Data Protection co-ordinators and received few Freedom of Information requests

• PPARC received few requests, dealt with by the FoI officer in HR – Data Protection requests not formally recorded

• STFC moved the FoI/DP function to sit with Records Management under Information Management Group - CICT

Page 3

STFC FoI/DP team responsibilities

Information Management

• Freedom of Information

• Records Management

• Data Protection

Page 4

Approach to Data Protection Enquiries

• The approach to Data Protection enquiries is low key compared with the high profile FoI enquiries

• FoI/DP team members have attended PDP conferences and workshops including one on Exemption 40 – the link between the two Acts

• No formal DP enquiry process has been mapped for STFC

• Legal advice is available - also advice on Information Security

• HR and Finance staff receive separate training

Page 5

Present Situation - 2009

• FoI requests still dominate but DP issues cause most internal enquiries

• Internal requests dealt with by a single contact - ongoing training required to increase throughput

• No set process for requests

• Limited experience and resources within team to train all staff

• General but no specific DP awareness training for Co-ordinators

• No formal means of checking staff awareness. Induction training and assistance on request is provided

• There is recognition that this should be addressed

Page 6

The Information Commissioner

• The Information Commissioner is Christopher Graham and his powers are increasing!

• STFC Registration is online: Z9833636 postcode SN2 1SZ

• http://www.ico.gov.uk/ESDWebPages/Search.asp?EC=1

• Online viewing available and online updates to register

• Online advice and assistance as well as phone advice

• http://www.ico.gov.uk/what_we_cover/data_protection.aspx

• Rights and responsibilities

Page 7

Basics of the Data Protection Act – ICO

• Individuals’ right to know what information is held about them.

• Framework to ensure that personal information is handled properly.

• Anyone who processes personal information must comply with 8 principles:

• 1. Fairly and lawfully processed

• 2. Processed for limited purposes

• 3. Adequate, relevant and not excessive

• 4. Accurate and up to date

• 5. Not kept for longer than is necessary

• 6. Processed in line with your rights

• 7. Secure

• 8. Not transferred to other countries without adequate protection

Page 8

Data Protection Act 1998 - continued

• The Act (in force from 1st March 2000) provides individuals with important rights, including:

• The right to find out what personal information is held on computer and most paper records.

• The right to complain to the ICO if they feel that their information has not been handled according to the principles.

It is what is held on databases that causes most concern!

Page 9

New Powers to Punish – April 2010

• Press Release

• Date: 09 May 2008

• ICO welcomes new powers to fine organisations for data breaches

• The Criminal Justice and Immigration Act has received Royal Assent creating tough new sanctions for the privacy watchdog, the Information Commissioner’s Office (ICO). This new legislation gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act.

• David Smith, Deputy Information Commissioner said: “This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people’s personal information. The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously.

• “This new power will enable some of the worst breaches of the Data Protection Act to be punished. By demonstrating that the law is being taken seriously, tougher sanctions will help to reassure individuals that data protection matters and give them confidence that organisations have no choice but to handle personal information properly.”

Page 10

Internal Requests to STFC

• Requests for advice and assistance internally have increased, possibly due to increased awareness that Data Protection poses serious questions for STFC database owners

Examples:

• Storing data collected by surveys or from conference attendance

• Service Level Agreement requirements concerning 3rd party providers of services

• Third party awareness where STFC is host for 3rd party information

Page 11

Cross Council Liaison

• To address common issues STFC liaises with other Research Councils and RCUK by means of the Information Compliance Group (ICG)

• ICG reports to OSG

• Councils share information and advice

• Councils consider alignment of approach to both DP and FoI

• However, each council makes its own decisions on FoI disclosure

Page 12

Sensitive Personal Information

http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1

In this Act “sensitive personal data” means personal data consisting of information as to—

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Page 13

How to answer your own questions

• Work through the 8 Data Protection Principles

• Check whether any Sensitive personal information is being requested

• Check whether we really need to hold the information – why?

• Ensure that the Individual is aware of their rights – survey wording etc.

• Gain the individual’s permission to hold the information

• Ensure there is a means to update/delete it

• If in doubt, ask.

Page 14

The FoI/DP/Records team service to users

• STFC staff intranet

• Email: STFC_internal_foi_dp_enquiries

• Telephone – 01793 442184

• Request training, checking of policies, etc.

• We are here to help and advise you

Page 15

End

Any Questions?