data security & freedom of information. information governance freedom of information act 2000...

Data Security &Freedom ofInformation

INFORMATION GOVERNANCE

• Freedom of Information Act 2000

• Data Protection Act 1998

• Information Security

• Record Management

FREEDOM OF INFORMATION ACT 2000

• Creates a statutory obligation on public authorities to formally consider written requests for information and respond within 20 days

• Two stage introduction– first stage of introduction - Publication Schemes (02-04)– second stage - full Rights of Access came into effect on

1 Jan 05

• Requests for information must be in writing (including fax / e-mail)

• There is no right to know why the information is being requested

Background

Publication Schemes

• Proactive publishing of information

• Similar structure for all public sector organisations

• Information split into broad categories known as ‘classes’:- info. published in the School Prospectus- info. on School Profile and other information relating to the governing body- policies that relate to Pupils & Curriculum- School Policies and other information related to the school

• All schools must adopt a scheme

Model schemes available at:http://www.ico.gov.uk/Home/what_we_cover/

freedom_of_information/publication_schemes/model_schemes.aspx


• Identify and acknowledge FOI requests:

Dear……currently dealing with your request ……will be in touch as soon as possible…

• Review material being requested - apply exemptions

• Provide a response, either:

- provide all requested information, or

- withhold all, or in part, explain which exemption is being applied and provide opportunity to appeal decision

Full Rights of Access - Dealing with Individual Requests


FREEDOM OF INFORMATION ACT 2000More about Exemptions

Exemptions exist to protect information that should not be released.Some exemptions that may apply in a school setting:

• Request for a teacher’s home address or career developmentinformation- Section 40 Personal data exemption

• Request by a parent for a copy of another parent’s written complaint

- Section 41 Information provided in confidence

• Request for copy of legal advice obtained by a school- Section 42 Legal professional privilege

No exemption for embarrassment Full list of exemptions available at http://www.foi.gov.uk/guidance/index.htm

FREEDOM OF INFORMATION ACT 2000Things to remember when responding

• Must respond within 20 working days

• Straightforward disclosures can be dealt with by the Principal

• Complex requests and decisions to withhold, must involve the BOGs

- consider the public interest test

• It may not always be appropriate, or required, to disclose the identity of the applicant to the BOGs

The decision which must be made is - can this information be made public?

As much of school information is now open to public scrutiny it’s important that we write for disclosure:

• Write objectively

• Ensure what you write is relevant and professional

• Document reasons for decisions generally

• Refer to policies in decision making

• Don’t forget about e-mails and diaries!



• Lodge an appeal with the school must be heard by the BOGs -

preferably those not involved in the original decision.

• If still dissatisfied the applicant can approach the Information Commissioner (IC) for an independent review.

• IC will approach school requesting copies of information and details around the handling of the request.

• IC will either uphold the school’s decision or overturn, and issue school with an enforcement notice to release the information.

What can the applicant do if dissatisfied?

• Ensure your school adopts a Publication Scheme.• See that requests are identified and dealt with promptly.• Labour intensive requests can be charged for or refused.

– duty to offer assistance• Don’t make decisions quickly. Acknowledge requests and

consider them carefully.• Just because someone asks, doesn’t mean they get!

(appropriate disclosure)• Where information is refused an adequate explanation must be

provided and details on how to appeal decision.• Ensure nothing is written which may embarrass ; consider

diaries, emails notebooks etc.

WHEN IN DOUBT - SEEK ADVICE

FREEDOM OF INFORMATION ACT 2000Key points

DATA PROTECTION ACT 1998 (DPA)

• The DPA is a legal framework for the proper collection, usage, storage, sharing and disposal of personal data.

• It permits Data Subjects access to their records.

• It can impose considerable penalties on organisations & individuals who fail to comply.

• Personal data it is any information that identifies and relates to a living individual such as name, address, date of birth, educational record, financial details and even expressions of opinions or intentions. The Act covers such information held on computer and paper file.

Eight DPA Principles are key to compliance

Personal data (PD) shall be processed fairly and lawfully PD must be collected and used only where there is valid

reason. It is good practice to advise subjects how their data may be used through forms, posters, annual reports etc.

Processed for specified purposesWhere any planned use of the information falls outside what has

been explained to the data subject, or what they might expect, consent must be obtained before proceeding

Adequate, relevant and not excessiveWe must be able to demonstrate that the level of personalinformation we collect is required for the effective delivery of services



PD shall be accurate and up to date Where we are making decisions based on such data, we have a responsibility to ensure it is accurate and kept up to date

Not be kept for longer than is necessaryPD should not be kept for longer than necessary. Some personal data needs to be retained for legal reasons. Schools must refer to the School Record Retention and Disposal Schedule before destroying records



Processed in accordance with the rights of the individualData subjects have rights under the Act. These include: right of access to their records, right to have any inaccurate information corrected and a right to prevent processing likely to cause damage or distress

Kept secure- One of the biggest obligations placed on a school.- Equally important for manual and electronic data- Applies throughout all stages of data processing, from obtaining and using to sharing and destruction


PD must not be transferred to countries outside the European Economic Area unless the information is adequately protected.

Personal data cannot be transferred to countries which do not have similar personal data legislation to our own.



When dealing with personal data we should always ask ourselves the question; if this was my personal data, how would I like it to be treated?

Examples of Sensitive Personal Data:

Data relating to:Racial or ethnic originPolitical opinionsReligious/similar beliefsTU membershipPhysical or mental healthSexual lifeCriminal allegationsCriminal proceedings/recordInformation relating to a child


Special care must be taken when processing Sensitive Personal Data, especially around collection, use and sharing.

Right of access to personal data in computer or manual form

Entitled to:

Be informed whether personal data is processed

A description of the data held, the purposes for which it is processed and to whom the data may be disclosed

A copy of the data; usually within 40 days

Information as to the source of the data

There are limited exemptions.

DATA PROTECTION ACT 1998 (DPA)Subject access rights:

Data Protection Act (Access to personal data by

data subject)

40 days

FOI Act(Access to everything else)

20 days


Information access summary

• Organisations which process personal information must notify the IC

• Costs £35 to register

• Bogus agencies

• Failure to notify – criminal offence

• Details on how to notify can be found below

http://www.ico.gov.uk/Home/what_we_cover/data_protection/notication.aspx


Duty to Notify

Summary of key points for staff

Duty to OBTAIN information fairly

Duty to PROTECT information

Duty to ensure information is SECURE

Duty to JUSTIFY use and storage of personal data

DON’T PASS on information unless on a need to know basis and you are sure of the recipient’s validity


Use and Management of Passwords

Use passwords to protect against unauthorised access.

It is a school’s responsibility to ensure that enabled usernames are available only for current staff and students.

Leavers’ usernames must be removed (ie deleted or disabled) promptly.

The usernames of anyone under investigation for inappropriate use must be disabled promptly.

Usernames must never be created for fictitious staff or students (this includes the creation of ‘generic’ or group usernames i.e. usernames that could be used by more than one person).

INFORMATION SECURITY

Use of E-Mail

Emails sent to addresses outside the C2K Network (ie. Hotmail.com) will be transmitted across the internet. Never send personal data to such addresses.

Never send Sensitive Personal Data by e-mail.

Do not transmit unsolicited advertising or attachments as these may conceal viruses.

Restrict messages to those who may have an interest in them.

Check E-Mail messages every day ( if practical ).

Do not subscribe to non work related services / alerts. Delete unwanted messages.


Securing Automated Data

Portables/Laptops

Never leave laptops/portables/media unattended. When transporting any computer media always ensure it is out of sight, either in a glove compartment or boot of a car.

Never disclose your username or password.

Do not hold confidential or pupil level data on laptops.

No additional devices may be connected to data points on the C2k network without the specific agreement of C2k; random checks will be carried out to identify such violations.



Portables/Laptops

Only software which is licensed and appropriate for school needs may be installed on laptops.

Laptop users may not install alternative versions of Internet Explorer, any other Internet browsers, Windows updates or any hacking tools and should not switch off Windows firewall.

Antivirus software is provided and automatically updated in school. This protection must be kept up to date if the laptop has not been connected to the school network for more than one week.



Portables/Laptops

The laptop should not be given, lent or used by anyone other than the nominated member of staff when outside school.

If the laptop is lost or stolen, the school should be notified immediately, or during school holidays, the C2k Helpdesk (0870 6011 666).

The laptop must be returned to school if the nominated member of staff ceases employment with the school.


C2k Networks

No additional devices may be connected to data points on the C2k network without the specific agreement of C2k; random checks will be carried out to identify such violations.

It is the school’s responsibility to ensure that software added to desktops on the C2k network is appropriately licensed.

The school’s C2k Manager/Administrator must ensure that software which represents a security threat is not installed on any desktop.

The school should make all users aware that attempts to bypass filtering, or to access inappropriate or illegal material will be reported to the school authority.


Legacy networks connected to Internet via C2k

All legacy network servers and desktops must have adequate, up to-date anti-virus protection with automatic updates.

Appropriate, up to date security patches and service packs must be in place on the school legacy network.

Other Internet or wireless connections must not be made available to equipment which is connected to the C2k network unless C2k has granted permission for such connections.


Keep personal data in a locked filing cabinet or drawer.

Operate a clear desk policy; Lock all personal data away when you are finished with it and at the end of the day.

Only remove files containing personal information from storage areas when necessary. Their location should be tracked at all times.

Destroy personal data by shredding.


Manual Records

General Good Practice

Personal information should only be passed on, on a need to know basis.

Do not allow sensitive conversations to be overheard.

Guard against people seeking information by deception.

Never leave personal data at printers. Collect print jobs promptly.

If working from home treat that environment like your work environment. Do not allow friends/family access to any information.

Avoid sending personal information by fax. Where this is necessary do it over a secure protocol.


RECORD MANAGEMENTThe Record Life Cycle

Creation

Active use

Retention

Final disposal

Information Access

Subject Access Requests

FOI requests

Inspections / audits

RECORD MANAGEMENT

Know what information you hold and be able to access it.

RECORD MANAGEMENT

What can disposal mean?

• Archive

• Offer records to the Public Record Office for Northern Ireland (PRONI)

• Destruction

Adopt and refer to the School Record Retention Schedule before disposing of recordsavailable at http://www.deni.gov.uk/index/85-schools/5-school-management/85-disposal-of-school-records.htm

File Disposal

RECORD MANAGEMENTDon’t forget about electronic records

Freedom of InformationWELB Corporate Information Manager 02882 411553www.foi.gov.uk/guidance/index.htmwww.ico.gov.uk/http://www.welbni.org/index.cfm/do/GuidSch

Data Protectionhttp://www.ico.gov.uk/for_organisations/data_protection_guide.aspxWELB Corporate Information Manager 02882 411553WELB Data Protection officer 02882 411247

Information SecurityC2k Helpdesk 0870 6011 666WELB Corporate Information Manager 02882 411553WELB Data Protection officer 02882 411247

Record ManagementWELB Corporate Information Manager 02882 411553www.proni.gov.ukwww.deni.gov.uk/index/85-schools/5-school-management/85-disposal-of-school-records.htm

CONTACTS / GUIDANCE

data security & freedom of information. information governance freedom of information act 2000...

Documents