Data Protection What You Need To Know New College Telford, 23 October 2013
Mar 31, 2015
Data ProtectionWhat You Need To Know
New College Telford, 23 October 2013
2
Hello!• Jason Miles-Campbell
JISC Legal Service Manager• jason.miles-campbell
@jisclegal.ac.uk• 0141 548 4939• www.jisclegal.ac.uk
3
About JISC Legal
• Role: to avoid legal issues becoming a
barrier to the use of technology in
tertiary education
• Information service: we cannot take
decisions for you when you are faced
with a risk
Slide 3 of 28
Law, ICT and Data ProtectionLaw, ICT and Data Protection
Common Scenarios• A parent requests information on son’s progress
• Police request information on one of your students
• A tutor asks to see a reference supplied by her supervisor
• An employer requests information on an employee’s attendance
• Personal details of a student disclosed in confidence appear on FB
• A staff mobile phone containing sensitive data is lost
• Internal sharing of data amongst staff
• External sharing of data
- ALL have DP compliance implications
Why Comply?
1. It’s the law
2. Good business practice
3. Sets a good example
4. Confidence
5. Risk (ID theft)
When it comes to data protection...
1. I’m confident
2. I’ve a fair idea
3. I dabble
4. I ask others
5. I hide in the toilet
Recent Headlines
Serious Data Protection
Risks for App Users
Unencrypted Devices Pose ‘Unnecessary Risk’ for Sensitive Data
Think Before You Tweet or Risk Arrest
Teacher in FB Meltdown
University Sends Personal Data to Wrong Recipient
University Breaches DPA by
Disclosing Personal Data on Website
Negligent Employees and Contractors Cause 36% of UK Data Breaches
Duplicate Password Use by School Leads to data breach
FB Comments Result in sacking
10
Data Protection Law• Data Protection Act 1998
• Information Commissioner (www.ico.gov.uk)
• Other relevant law:
Freedom of Information Act 2000
Privacy and Electronic Communications Regs 2003
Protection of Freedoms Act 2012
11
Data Protection Essentials
“Data protection ..regimes…do not seek to protect data itself, ... they seek to
provide the individual with a degree of control over the use of their
personal data”
“data privacy regimes do not seek to cut off the flow of data, merely to see
that it is collected and used in a responsible and, above all, accountable,
fashion”
Source: DP Code of Practice for FE and HE
i.e. Data Protection law does not prevent using and sharing personal data
but ..
ICO power to impose fines direct for serious security breaches
Understanding Your Duties
• Data Subject
• Data Controller
• Data Processor
• Processing
NCT contracts with Help4U to produce pay slips. Unfortunately, Help4U send the payslips to the
wrong recipients. Who is liable?
1. The college as data controller
2. The processor as they caused the error
3. Both the data controller and the processor
4. Neither
What is Personal Data?• Any information which relates to an identified or
identifiable person
• Living persons
• Must be significant biographical information
which affects privacy
• Sensitive personal data
Which of the following is likely to be covered by the DPA?
1. a deceased staff member’s email account
2. numerals to identify students in a VLE
3. documents relating to a disciplinary matter
4. ‘John Smith’ on a post it on a monitor
The 8 Data Protection Principles – key to compliance
1. fair and lawful2. limited purposes3. adequate, relevant and not excessive4. accurate and current5. not kept longer than necessary6. respect the rights of the individual7. appropriate security8. transfer outside EEA needs adequate protection
17
Fair Processing… and Lawful Processing
• A processing notice – transparency
• Weighing up interests v privacy
• Would you be happy?
Lawful Processing and Lawful Processing
To process, a Schedule 2 condition must be met:
• Consent
• Legitimate interest of the data controller
• Fulfilment of a contractual obligation
More stringent conditions for ‘sensitive’ personal data
18
One of these is fair and lawful. Which?
19
1. The college releases details on student attendance to a parent
2. The college collects name and contact details of all students
3. A tutor puts personal details of a student on his Facebook account
A college keeps all emails for 10 years. Is this in line with the DPA?
20
1. Yes
2. No
3. Might be
4. Not sure
New College Telford should give out information about students and staff to
other organisations
21
1. Never
2. Rarely
3. Freely upon request
4. Only when the person gives permission
5. Only when a seniormanager authorises it
Information can be shared freely internally (between staff) within your
organisation
1. True
2. False
3. Not sure
22
When handling personal data in your role consider:
1.Purpose: what data do you hold and why are you collecting
personal data?
2.Fairness: is the reason fair to the data subject?
3.Transparency: does the data subject know about it?
4.Security: is there an appropriate level of security?
Important Points…
Some Scenarios……..
Over to you
1. Supply it - nothing wrong in doing this2. Supply it – learner is under 183. Withhold it as he should never access
it4. Withhold it until you have consent
A father asks for information onhis son’s progress. Do you…
1. Supply it because it’s the police
2. Supply it only when you know what it’s for and think it is relevant information to the investigation
3. Never supply it
The police arrive at reception asking for a student’s address, his record of attendance and whether he is
currently in class. What should you do?
1. Password protection and encryption
2. None as kept on campus
3. It depends on the type of information
What security should be on devices holding
personal data?
1. Copy them on to a USB memory stick to take with you
2. Use your own laptop or tablet after consulting IT, checking policy and ensuring security
3. Email them to your webmail
4. Log into and save to the college network from home
You want to finish student profile reports at home. What do you do?
1. The College is liable for the breach
2. There is no liability, it was an accident, not deliberate
3. The member of staff is liable not the college
A member of staff clicks the wrong email group
and sends personal info about a student’s
health to other students instead of relevant
tutors. Who is liable?
• Where the DP policy is, how to access it and its contents
• Have awareness of DP and how it may affect students, staff etc.
• That what you’re doing is covered by the data protection notice
to students, staff etc.
• How to store/share personal information on and off campus
• How to keep personal information secure
(mobiles, social networking)
• Where to get help
What should you know?
Sources of Help
• Your institution’s DP officer
• Your institutional policies and procedures
• [email protected] and www.jisclegal.ac.uk (code of practice)