
causewayportal.mmcsolutions.bizcausewayportal.mmcsolutions.biz/uploads/downloads/CCGC... · Web viewUpdated Draft 0.3 Linda R McKee 16 December 2015 0.4 Linda R McKee 04 April 2016


Data Protection Act 1998

Guidance for Staff and Members to assist with compliance

Policy Number:
Version Number: 1.0
Author: Linda R McKee

Date of Screening of Policy: 27 July 2016
EQIA Recommended? No
Date Adopted by Council: 27 September 2016
Date Policy Revised:


Version Control

Version / Author or Reviewer / Review Date / Amendments

0.1 Linda R McKee November 2015 Draft

0.2 Linda R McKee November 2015 Updated Draft

0.3 Linda R McKee 16 December 2015

0.4 Linda R McKee 04 April 2016 ICT input obtained. New Logo added. Title updated

0.5 Linda R McKee 15 April 2016 Amended: to reflect new GDPR guidance, re legislative basis for processing. All SARs requests to be recorded centrally.

0.6 Elaine Kirk, Solicitor 03 August 2016 Typo corrected in section 2.

1.0 27 September 2016 Adopted by Council (after input from JCNC and approval from CP&R)

Linkages

The following internal documents will provide additional information:

Freedom of Information Policy

Records Management Policy and Procedures

A guide to physical, ICT and security policy

ICT policies and procedures


Introduction

The Data Protection Act (1998) sets out rules on the processing / handling of personal data. Council has to be open about how it uses personal data and must follow the principles of good information handling. It is very important that all staff adhere to the principles of the Act and ensure the security of all personal information we hold. Council is required to tell the Information Commissioner and the data subjects about the types of personal information it holds and how it uses that information.

To assist you, the Council has prepared this guidance. The guidance is for all Council Members, employees and agency staff. It covers the key principles and the “do’s and don’ts” of data protection. The guidance relates to information held electronically on computers and manually on paper files.

Key principles

The definition of personal data in the Act is complex, so it is best to assume that all information about a living, identifiable individual is personal data. This means, for example, that data we hold on our staff, our Members and the individuals who use Council services and facilities is personal data, to include email addresses, personal phone numbers and addresses.

The Data Protection Act lists 8 principles which can be summarised as follows:

Confidentiality / Privacy - Respect the confidentiality of the people to whom the information relates - think of the personal data you hold about other individuals in the same way as if it were your personal data being held. The data subject (the person to whom the data relates) has rights and these must be respected.

Security - Ensure you take appropriate security measures to protect personal data from unauthorised processing, loss, distribution or damage. Exercise particular care when handling sensitive personal information.

Retention - Personal data should only be held when necessary, and for no longer than is necessary.

Fair Processing - Personal data must be processed fairly and legally. It should be collected for one or more specific purposes and should only be processed in line with that purpose. Advice should be sought before this information is shared or used for other purposes. The data collected should be adequate, relevant and not excessive.

Accuracy - Ensure, where relevant, that personal data held is accurate and up to date.

The Data Protection Act also refers to Sensitive Data, which must be held and treated to a higher standard than personal data. Sensitive personal data includes: race, ethnicity, political opinions, religious beliefs, trade union membership, health, sexual life, criminal offences or allegations of crime. See Government Classification guidance. If you have any queries or need more information contact: the Information Governance Office, your line manager or ICT (if the issue is IT related).

The Do’s and Don’ts of Data Protection

1. Collecting and processing personal data

Do
- only collect the personal information you need for one or more particular business purposes and be clear about why the information is being collected and held. Ensure there is a legislative basis for processing the data. See ICO’s guidance on privacy notices.
- if you intend to use the personal information for another purpose you should seek advice from Information Governance or your line manager.
- be aware that the Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications. Always tell the data subject how you will use their information and give the option to change their preferences, i.e. opt in to a mailing list, opt out, change address etc. The ICO has oversight and guidance on same.
- check information regularly for accuracy and update records promptly.
- if the database is obsolete, review and record deletion in accordance with the retention and disposal schedule.
- always check with your line manager before sharing / releasing any personal data. Use the check list template on the staff portal to record the request and decision.
- if personal data is going to be shared regularly with other agencies, a formal data sharing agreement should be in place. See ICO’s guidance on data sharing.

Don’t
× don’t transfer personal data, internally or externally, unless it is necessary to do so and for the purposes it was given for.

2. Storing and securing information

Do
- where possible, ensure that personal data which is held in electronic format is stored in secure departmental or corporate IT systems. Otherwise, ensure any personal information is stored only in secure network shared folders. If the file cannot be stored in a secure shared folder immediately, you should password protect the file and store it in a protected environment.
- access privileges for corporate systems and file shares should be regularly reviewed by nominated system administrators to ensure only appropriate staff have access.
- make sure that only authorised personnel have access to paper records.
- keep all computer passwords secure.
- always lock / log off your computer when away from your desk.
- prevent virus attacks by taking care when opening emails and attachments or visiting new websites. The Council’s virus protection software will, in most circumstances, do this for you but be aware of the risks. All laptops / PCs should be connected to the Council network at least once a month to ensure virus protection is up to date.
- only visit websites you know and trust.
- contact IT immediately if you think you have a virus / spyware on your computer.
- position computer screens away from windows and other people to prevent accidental disclosures of personal information.
- be aware of the risk of holding and / or transmitting personal information on your mobile devices, e.g. mobile phone.
- obtain the approval of your line manager before taking any laptop or papers containing personal information out of the office.
- ensure that any information taken out of the office in either paper or electronic form is kept secure at all times.
- securely store papers containing personal information when not being used or when you are away from your desk / office in lockable desks, filing cabinets or cupboards. Keys should be kept in a secure place.
- a clear desk policy should be in place. Keep items for dispatch out of sight of public work stations. This includes:
  o Names and addresses on letters waiting to be collected or dispatched by post
  o Names and addresses for event or performance ticket collection etc.
- refer to the Council’s ICT Policy for information held in electronic format – all Council staff are required to comply with the Policy.
- be aware that many areas within Council buildings are open to the public, e.g. meeting rooms, reception areas etc. All visitors must “sign-in” to the building which they are entering. You should report any strangers or unauthorised personnel seen in non-public areas to reception.
- ensure that new areas of work which involve holding personal data are designed to comply with the ICO’s privacy by design guidelines.
- if you use cloud based programmes or marketing tools like My Emma or Mailchimp, assess adequacy as per ICO guidance.
- be careful if you use social networking sites, e.g. Facebook, LinkedIn. Be wary of friend requests from people you don’t know and links directing you to websites.

Don’t
× don’t share your password.
× don’t hold personal data in unstructured formats, e.g. Word documents and Excel spreadsheets, where that information is readily available in a corporate system, unless there is a legitimate business reason for doing so.
× don’t copy personal data to removable media such as USB keys or iPads unless the media is encrypted and password protected (encrypted memory sticks are available from ICT) and kept secure at all times.
× don’t allow anyone else to access your computer.
× don’t leave printouts of personal data on printers / photocopiers.
× when attending meetings, don’t leave work related papers which hold personal data unattended.
× don’t leave work related papers in your car unattended between meetings / overnight.

3. Disclosing personal information over the phone

On occasions, it may be necessary to share personal information over the phone. In cases where this is necessary, please be aware of the following guidance:

Do
- always check with your line manager before disclosing any personal information. This includes staff movements, i.e. holidays, out of office, ill health etc.
- be aware that there are people who will try to trick you into giving out personal information. To prevent this, always carry out identity checks before giving out personal information.
- limit the amount of personal information you give out over the telephone and ask for written confirmation if necessary. This includes requests by companies / consultants who want to contact local organisations / community groups. Consider offering to include the request in the next mailing list for the organisation / community group to respond to if they feel it appropriate.
- if you are discussing personal information over the phone, be careful that other persons do not overhear your conversation.
- use the check list template on the staff portal to record the request and decision.

Don’t
× don’t be bullied into giving information. Ask your line manager or the Information Governance Office if you need help.
× don’t give out personal information relating to a staff member – if a staff member is out of the office due to illness or holiday, or has left for the afternoon, this is personal data. Offer to take a message “as the person is not available at present” or transfer the call to a colleague or line manager if the person requested is off work for a prolonged period.

4. Using email securely

Do
- take care when putting personal information in an email. Are you authorised to disclose the information?
- be careful when giving opinions about people. Only express opinions that are relevant and that you are competent to give.
- insert the recipient in the ‘To’ field only when the message has been completed. Check and recheck recipients before sending the e-mail.
- be careful when using a group email address. Check who is in the group and make sure you really want to send your message to everyone in the group.
- when sending to a group of external recipients, ensure you place the email addresses in the bcc line.
- refer to the relevant Council Policies on Using Computers and IT Security.
- if personal data is to be transmitted via e-mail, obtain approval from your line manager and record the decision.
- if you access work related emails on your mobile device, ensure that it is password protected.

Don’t
× don’t send offensive emails about other people, their private lives or anything else that could bring you or the Council into disrepute.
× don’t e-mail personal information where this can be avoided. There is no guarantee that electronic communications, either internally or outside the Council, are private / secure.
× don’t open or forward suspicious looking e-mails or e-mails from people you don’t know.
× don’t click on links in suspicious e-mails or spam.
× don’t respond to e-mails from third parties asking for your details – phone the requester back and clarify with them; this includes calls from your bank.
× don’t post your email address, personal or company information anywhere on the internet.

5. Sending Personal Data by Post or Fax

Use of fax machines is one of the most common causes of data breaches in the UK. As such, the use of these machines presents a significant risk.

Do
- a recorded assessment of the risk posed by sending personal information by internal mail, post, fax or courier should be carried out to decide whether it is appropriate to use these methods.
- when carrying out an assessment, consider:
  o the nature of the information, its sensitivity, confidentiality and value;
  o the damage or distress that could be caused to individuals if the information was lost or stolen;
  o the effect any loss would have on the Council.
- when sending personal data by post, either internally or externally, place the data in a sealed envelope and mark it “Personal” and “To be opened by addressee only”. Obtain a receipt where relevant. Consider a double envelope approach.
- consider whether sending the information by a means other than fax is more appropriate, such as encrypted e-mail, courier service or recorded delivery. Make sure you only send the information that is required.
- ensure you double check the fax number you are using and check that you are sending the fax to a recipient with adequate security measures; for example, your fax should not be left uncollected in an open plan office or on the machine after use.
- if the fax is sensitive, ask the recipient to confirm that they are at the fax machine, there is sufficient paper in the machine and they are ready to receive the document.
- ring up the recipient to ensure the whole document has been received.
- use a cover sheet. This will let anyone know who the document is for and whether it is sensitive or confidential without them having to look at the contents.

Don’t
× don’t issue personal information by post or fax if your recorded assessment of risk (see above) identifies that if the information was lost or stolen it would cause damage or distress to the individual concerned, or bring the Council’s reputation into question.

6. Disposing of information

Do
- refer to the Council retention and disposal schedule available on the staff portal prior to disposing of any information.
- record any records being destroyed in each Department’s Information Asset Register.
- dispose of personal data in confidential waste.
- when disposing of personal information held in electronic format, contact IT to arrange secure disposal. This applies equally to the disposal / decommissioning of any electronic equipment.
- dispose of confidential paper waste securely by shredding or using confidential waste bags. Confidential Waste Bags should not be left insecure.
- ask your line manager or the facilities manager if you are unsure of disposal arrangements.

Don’t
× don’t dispose of personal data unless the disposal is in accordance with the Council’s retention and disposal schedule.
× don’t reuse paper which contains personal data.

7. Responding to Subject Access Requests

Under the Data Protection Act, individuals whose personal information is held by the Council may make requests for access to this data. These are called subject access requests (SARs).

Do
- inform the Information Governance Office immediately if you receive a formal written SAR, as Council has a limited time (40 days) to deal with the request.

Don’t
× don’t accept or process a verbal or telephone subject access request – ask the data subject to formally submit their request in writing.
× don’t process any data access request unless you have been authorised to do so.


8. Breaches of data security

Do
- if you suspect there has been a breach of data security, contact your line manager immediately, recording the scale of the loss and the sensitivity of the data lost. Your line manager should inform the Head of Policy / Information Governance Office immediately.

Don’t
× don’t attempt to conceal any suspected or actual breach of data security. It is in the best interests of everyone that any breaches are reported to management immediately.