Confident in Data Protection Compliance
Ayrshire College, Friday, 15 March 2013


TRANSCRIPT

Slide 1

Friday, 15 March 2013

Confident in Data Protection Compliance

Ayrshire College

Slide 2

Hi!

• Jason Miles-Campbell

• JISC Legal Service Manager

• jason.miles-campbell@jisclegal.ac.uk

• 0141 548 4939

• www.jisclegal.ac.uk


Slide 3

Slide 4

Law, ICT and Data Protection

Slide 5

Have you heard of Jisc Legal before?

1. Hello again, Jason

2. Yes, fairly often

3. Yes, used occasionally

4. Vague acquaintance

5. What’s that, then?

(Audience poll; results as extracted from the chart: 20%, 20%, 45%, 5%, 10%)

Slide 6

When it comes to data protection...

1. I’m confident

2. I’ve a fair idea

3. I dabble

4. I ask others

5. I hide in the toilet

(Audience poll; results as extracted from the chart: 0%, 30%, 10%, 40%, 20%)

Slide 7

Relevant Law

• Data Protection Act 1998

• Freedom of Information Act 2000

• Privacy and Electronic Comms Regs 2003

• Protection of Freedoms Act 2012

• www.ico.gov.uk

Slide 8

Why Comply?

1. It’s the law

2. Good business practice

3. Sets a good example

4. Confidence

5. Risk (ID theft)

6. All of the above

(Audience poll; each option shown at 17%)

Slide 9

Some DP Terminology

• Data Subject

• Data Controller

• Data Processor

• A Relevant Filing System

• Processing

Slide 10

Which one of the following is likely to be covered by the DPA?

1. A deceased staff member’s email account

2. Student ID numbers in a VLE

3. Documents relating to a disciplinary matter

4. ‘John Smith’ on a post-it on a monitor

(Audience poll; each option shown at 25%)

Slide 11

What is Personal Data?

• Any information which relates to an identified or identifiable person

• Living persons

• Must be significant biographical information which affects privacy

• Sensitive personal data

Slide 12

Common Scenarios

• A parent requests information on son’s progress

• Police request information on one of your students

• A tutor asks to see a reference supplied by her supervisor

• An employer requests information on an employee’s attendance

• Personal details of a student disclosed in confidence appear on FB

• A staff mobile phone containing sensitive data is lost

• Internal sharing of data amongst staff

• External sharing of data

- ALL have DP compliance implications

Slide 13

Data Protection Essentials

“Data protection … regimes … do not seek to protect data itself, rather they seek to provide the individual with a degree of control over the use of their personal data”

“data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion” (Source: DP Code of Practice for FE and HE)

i.e. Data Protection law does not prevent using and sharing personal data lawfully and fairly

Slide 14

Some Particular Issues

• Institutional mergers

• Institutional splits

• Retention periods: European Social Fund requirements

Slide 15

The 8 Data Protection Principles

Data Protection Act 1998

Slide 16

1: Fair and Lawful

• Consent

• Legitimate interest of the data controller

• Fulfilment of a contractual obligation

Slide 17

One of these is fair and lawful. Which?

1. The college releases details on student attendance to a parent

2. The college collects name and contact details of all students

3. A tutor puts personal details of a student on his FB account

(Audience poll; each option shown at 0%)

Slide 18

Sensitive Personal Data

• Explicit consent

• Fulfilment of employment law

• Protection of vital interests

• Needed for administration of justice / legal proceedings

Slide 19

Scenario

• A college collects names and addresses of students. It outsources IT support. The students start to receive targeted emails.


Slide 20

2: Limited Purposes

• Consider all uses and future uses

• State the purposes when collecting the data

• Stick to using the data for those purposes

• If a further purpose arises, you need to seek further consent

Slide 21

A Sample Data Protection Statement

JISC Legal undertake to treat your personal data in accordance with the provisions of the Data Protection Act 1998. The data given will only be used to register you for the JISC Legal Newsletter on the JISCmail system. You can read the details of our Privacy policy at www.jisclegal.ac.uk/privacystate.htm

Slide 22

A college decides to retain all emails for a period of 10 years. Is this in line with the DPA?

1. Yes

2. No

3. Depends

4. Don’t know

(Audience poll; each option shown at 25%)


Slide 23

3: Adequate, Relevant, Not Excessive

• Follows from purposes

• Good records management practice

• See Jisc infoNet

• No duties with respect to personal data you no longer hold!


Slide 24

4 & 5: Accuracy and Currency

• Kept up-to-date

• Kept no longer than necessary


Slide 25

6: The Individual’s Rights

• S.10 Substantial prejudice

• S.12 Right to stop automatic processing

Slide 26

6: The Individual’s Rights

• S.7 the Data Subject Access Request

• Allows access to personal data

• Exemptions: request not in writing, or fee not paid; requester cannot verify identity; disclosure of third party personal data; disclosure of third party as source; certain health, education and social work records

Slide 27

Scenario

A tutor writes a reference for a student in the college. The student doesn’t get the job and makes a S.A.R. asking the college to see the reference. What should the college do?

Slide 28

7: Security

Data must be secure (organisationally and technically)

Slide 29

Information Security

• Password and access, encryption for mobile devices

• Authority to transfer/share information with third parties – see section in Code of Practice

• Compliance with recognised standards – what the ICO expects?

• UCISA Information Security Toolkit may help

Slide 30

Over to You

• Ayr College contracts with Help4U to process staff personal data to produce pay slips. Unfortunately the names, addresses, bank details and account numbers are sent to the wrong recipient. Who is liable?

Slide 31

Who is liable?

1. The college as data controller

2. The processor as they caused the error

3. Both the data controller and the processor

4. Neither

(Audience poll; each option shown at 0%)

Slide 32

Scenario

A laptop is used on campus to create personal profiles of learners. A tutor wishes to work from home, so he copies the files of 5 students onto a USB stick and takes it home. It is accidentally dropped in the car park of the train station...

Slide 33

8: Transfer Out of EEA

• Data must not be transferred out of Europe without adequate security…

Slide 34

Important Points

In developing your data protection strategy, consider:

1. Purpose: why are you collecting personal data?

2. Fairness: is the reason fair to the data subject?

3. Transparency: does the data subject know about it?

4. Security: is the data held at an appropriate level of security?

Slide 35

Forming a Strategy

• Establish practices to protect individuals and allow the college to carry out operational business without compromising privacy.

• Address risks of data loss and invasion of privacy.

• Build DP safeguards into day-to-day practice.

• Ensure that this is embedded within the college (training).

Slide 36

Forming a Strategy

“All operational emails will be accessible on the ___ drive”

“We will protect privacy by…”

Slide 37

Policy and Procedures

• Implement your strategy

• Share with all staff

• Training

• Records

• Future proof (technologies)

• Consistency

• Response

Slide 38

Website

Should have a privacy statement which:

• Complements full DP policy

• States what is done with information collected

• Cookie regulations – in force 26 May 2012

Slide 39

What should be in place?

• DP policy in place and a regular review date

New developments which may affect your DP policy:

• Mechanism for conducting a privacy impact assessment at planning stage of new project

• Guidance and training for staff/student use of social networking and web 2.0 tools, laptops, memory sticks and other ‘mobiles’

• Information Security standards

• Website information on privacy and cookies

Slide 40

Scenario

• Police arrive at the front reception requesting to confirm the address of one of your students, his record of attendance at the college, and whether he is currently in class.

• What should you do?

Slide 41

Scenario

• A father calls saying that he understands his son needs to pay the year 2 course fees for the BTEC HND in Construction, and also has some library fines to pay – he’d like to make payment on his son’s behalf.

• What do you do?

Slide 42

Scenario

• A college carried out Disclosure Scotland checks for a new cleaner. A colleague asks her boss whether she should be concerned about the shoplifting and security of personal items in college.

Slide 43

• Staff are encouraged to use their own mobile devices when processing information, including personal data.

• How should the college handle this?

Slide 44

Scenario

• Staff use FB to chat to students…

Slide 45

Scenario

• An employer emails asking for the grades and attendance record of a student being sponsored by them through their college studies.

• What do you do?

Slide 46

Scenario

• A member of staff discloses to his line manager in confidence a health issue. The member of staff is upset when a colleague in another department says he’s sorry to hear he’s not well.

Slide 47

• A college is finished with various hard drives, so it contracts with a company who have a really persuasive website to dispose of them securely. Unfortunately, the drives then appear for sale on eBay.

• What is the college’s liability here?

Slide 48

Scenario

• A tutor receives a request from a JISC project asking for details of a student who has done well in a technology-based course, for the purposes of making a case study. They only want first name and email address.

• What do you do?

Slide 49

Sources of help

• [email protected] and www.jisclegal.ac.uk (code of practice)

• www.ico.gov.uk (checklists)

• University of Edinburgh: http://www.recordsmanagement.ed.ac.uk/InfoStaff/DPstaff/DataProtection.htm

• UCISA Information Security Toolkit and others: http://www.ucisa.ac.uk/publications.asp

• ICO – privacy impact assessments / general guidance

• JISC InfoNet on records management and data retention

Slide 50

Summary

• Make all staff aware of data protection

• Consider what personal data you hold

• Ensure you’ve stated the purposes for which the data will be used

• Observe the data protection principles

• Periodically review what personal data you hold

• Ensure the college’s notification allows this

Slide 51

Common Scenarios

• A parent requests information on son’s progress

• Police request information on one of your students

• A tutor asks to see a reference supplied by her supervisor

• An employer requests information on an employee’s attendance

• Personal details of a student disclosed in confidence appear on FB

• A staff mobile phone containing sensitive data is lost

• Internal sharing of data amongst staff

• External sharing of data

- ALL have DP compliance implications

Slide 52

Next Steps?

1. Go back and say well done!

2. Start a conversation with management

3. Re-write a few policies

4. Monitor what’s in place already

5. Get further support

6. Point at the guy over there and say ‘his problem!’

(Audience poll; results as extracted from the chart: 0%, 19%, 13%, 38%, 25%, 6%)

Slide 53

Questions and Follow Up

[email protected]

0141 548 4939