Data Protection What You Need To Know New College Telford, 23 October 2013

Data ProtectionWhat You Need To Know

New College Telford, 23 October 2013

2

Hello!• Jason Miles-Campbell

JISC Legal Service Manager• jason.miles-campbell

@jisclegal.ac.uk• 0141 548 4939• www.jisclegal.ac.uk

3

About JISC Legal

• Role: to avoid legal issues becoming a

barrier to the use of technology in

tertiary education

• Information service: we cannot take

decisions for you when you are faced

with a risk

Slide 3 of 28

Law, ICT and Data ProtectionLaw, ICT and Data Protection

Common Scenarios• A parent requests information on son’s progress

• Police request information on one of your students

• A tutor asks to see a reference supplied by her supervisor

• An employer requests information on an employee’s attendance

• Personal details of a student disclosed in confidence appear on FB

• A staff mobile phone containing sensitive data is lost

• Internal sharing of data amongst staff

• External sharing of data

- ALL have DP compliance implications

Why Comply?

1. It’s the law

2. Good business practice

3. Sets a good example

4. Confidence

5. Risk (ID theft)

When it comes to data protection...

1. I’m confident

2. I’ve a fair idea

3. I dabble

4. I ask others

5. I hide in the toilet

Recent Headlines

Serious Data Protection

Risks for App Users

Unencrypted Devices Pose ‘Unnecessary Risk’ for Sensitive Data

Think Before You Tweet or Risk Arrest

Teacher in FB Meltdown

University Sends Personal Data to Wrong Recipient

University Breaches DPA by

Disclosing Personal Data on Website

Negligent Employees and Contractors Cause 36% of UK Data Breaches

Duplicate Password Use by School Leads to data breach

FB Comments Result in sacking

10

Data Protection Law• Data Protection Act 1998

• Information Commissioner (www.ico.gov.uk)

• Other relevant law:

Freedom of Information Act 2000

Privacy and Electronic Communications Regs 2003

Protection of Freedoms Act 2012

11

Data Protection Essentials

“Data protection ..regimes…do not seek to protect data itself, ... they seek to

provide the individual with a degree of control over the use of their

personal data”

“data privacy regimes do not seek to cut off the flow of data, merely to see

that it is collected and used in a responsible and, above all, accountable,

fashion”

Source: DP Code of Practice for FE and HE

i.e. Data Protection law does not prevent using and sharing personal data

but ..

ICO power to impose fines direct for serious security breaches

Understanding Your Duties

• Data Subject

• Data Controller

• Data Processor

• Processing

NCT contracts with Help4U to produce pay slips. Unfortunately, Help4U send the payslips to the

wrong recipients. Who is liable?

1. The college as data controller

2. The processor as they caused the error

3. Both the data controller and the processor

4. Neither

What is Personal Data?• Any information which relates to an identified or

identifiable person

• Living persons

• Must be significant biographical information

which affects privacy

• Sensitive personal data

Which of the following is likely to be covered by the DPA?

1. a deceased staff member’s email account

2. numerals to identify students in a VLE

3. documents relating to a disciplinary matter

4. ‘John Smith’ on a post it on a monitor

The 8 Data Protection Principles – key to compliance

1. fair and lawful2. limited purposes3. adequate, relevant and not excessive4. accurate and current5. not kept longer than necessary6. respect the rights of the individual7. appropriate security8. transfer outside EEA needs adequate protection

17

Fair Processing… and Lawful Processing

• A processing notice – transparency

• Weighing up interests v privacy

• Would you be happy?

Lawful Processing and Lawful Processing

To process, a Schedule 2 condition must be met:

• Consent

• Legitimate interest of the data controller

• Fulfilment of a contractual obligation

More stringent conditions for ‘sensitive’ personal data

18

One of these is fair and lawful. Which?

19

1. The college releases details on student attendance to a parent

2. The college collects name and contact details of all students

3. A tutor puts personal details of a student on his Facebook account

A college keeps all emails for 10 years. Is this in line with the DPA?

20

1. Yes

2. No

3. Might be

4. Not sure

New College Telford should give out information about students and staff to

other organisations

21

1. Never

2. Rarely

3. Freely upon request

4. Only when the person gives permission

5. Only when a seniormanager authorises it

Information can be shared freely internally (between staff) within your

organisation

1. True

2. False

3. Not sure

22

When handling personal data in your role consider:

1.Purpose: what data do you hold and why are you collecting

personal data?

2.Fairness: is the reason fair to the data subject?

3.Transparency: does the data subject know about it?

4.Security: is there an appropriate level of security?

Important Points…

Some Scenarios……..

Over to you

1. Supply it - nothing wrong in doing this2. Supply it – learner is under 183. Withhold it as he should never access

it4. Withhold it until you have consent

A father asks for information onhis son’s progress. Do you…

1. Supply it because it’s the police

2. Supply it only when you know what it’s for and think it is relevant information to the investigation

3. Never supply it

The police arrive at reception asking for a student’s address, his record of attendance and whether he is

currently in class. What should you do?

1. Password protection and encryption

2. None as kept on campus

3. It depends on the type of information

What security should be on devices holding

personal data?

1. Copy them on to a USB memory stick to take with you

2. Use your own laptop or tablet after consulting IT, checking policy and ensuring security

3. Email them to your webmail

4. Log into and save to the college network from home

You want to finish student profile reports at home. What do you do?

1. The College is liable for the breach

2. There is no liability, it was an accident, not deliberate

3. The member of staff is liable not the college

A member of staff clicks the wrong email group

and sends personal info about a student’s

health to other students instead of relevant

tutors. Who is liable?

• Where the DP policy is, how to access it and its contents

• Have awareness of DP and how it may affect students, staff etc.

• That what you’re doing is covered by the data protection notice

to students, staff etc.

• How to store/share personal information on and off campus

• How to keep personal information secure

(mobiles, social networking)

• Where to get help

What should you know?

Sources of Help

• Your institution’s DP officer

• Your institutional policies and procedures

• info@jisclegal.ac.uk and www.jisclegal.ac.uk (code of practice)

Questions?

??www.jisclegal.ac.ukinfo@jisclegal.ac.uk

0141 548 4939