Data protection-training

1. Data Protection and Freedom of Information in schools Keeping data secure, safe and legal

2. Why? Data Protection Act 1998 Freedom of Information (FoI) Act 2000

3. The Data Protection Act 1998 • The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection Act 1984. • The EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union designed to protect the privacy and protection of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data. • The Data Protection Act is how the UK implements the European Directive.

4. The aims of the Data Protection Act • Anyone who processes personal information must comply with the eight principles • It provides individuals with important rights, including the right to find out what personal information is held about them

5. The eight data protection principles Information must be: • Fairly and lawfully processed • Processed for specified purposes • Adequate, relevant and not excessive • Accurate and up-to-date • Not kept for longer than is necessary • Processed in line with individuals’ rights • Secure • Not transferred outline the European Economic Area without adequate protection

6. Individual rights • Right of access – individuals have a right to know what information organisations hold about them on a computer or in certain filing systems. • Individuals can submit a Subject Access Request to see or have a copy of this information.

7. Freedom of Information Act 2000 • An Act to make provision for the disclosure of information held by public authorities or by persons providing services for them and to amend the Data Protection Act 1998 and the Public Records Act 1958; and for connected purposes

8. Right of access •What? Anything •Who? Anybody •Where from? Anywhere •Why? None of your business •FoIA assumes information will be disclosed

9. Exemptions 7 Absolute Exemptions •S21 •S23 •S32 •S34 •S40 •S41 •S44 Information accessible by other means; National security; Court records; Parliamentary privilege; Personal information about the applicant; Information provided in confidence; Prohibition on disclosure

10. Exemptions 15 Qualified Exemptions • • • • • • • • • • • • • • • S22 S24 S26 S27 S28 S29 S30 S31 S36 S37 S38 S39 S40 S42 S43 Future publication; National security; Defence or armed forces; International relations; Relations within the UK The economy of the UK; Investigations/proceedings; Law enforcement; Effective conduct of public affairs; Communications with Her Majesty Health & safety; Environmental information; Personal information about third party; Legal professional privilege; Commercial interests

11. School specifics • Impact levels • Encryption • Questions and examples

12. Impact levels Example data types Impact Level IL4 Confidential IL3 Restricted or NHS Confidential IL2 Protect IL1/ IL0 eGIF requirements Aggregated reports Registration level Authentication requirements • • • • Level Three ID verification with vetting and 'need to know' measures Physical/ personal/ procedural protection with appropriate authorisation • School MIS • Teacher access to learning platform/ portals • Special educational needs (with no IL 4 data elements) • Pupil characteristic • Contact point • Health records • General student data • Learning platforms/ portals Level Two ID vetting and 'need to know' measures IAO approval Mandatory twofactor user ID, password and token Internet/virtual private network (VPN) and token Level One basic ID verification User ID and password • Google search • BBC News Anonymous Authentication not required National Pupil Database Looked-after children Witness protection SEN IL4 data elements Example networks External access Gov PC Internet to www café PDA Home Gov PC LAN Bootable USB Wi-fi 3G card Bluetooth Y1 N N Y2 N N N Y3 N3 GSI GCSx CJX Y N Y4 Y5 Encrypted internet VPN Y6 Y7 N Y8 Y1 N Y Y Y Y Y2 Y Y Y GSi CJX Internet Any

13. Data encryption Becta guidance states “Users may not copy or remove sensitive or personal data from the school or authorised premises unless the media is encrypted and is transported securely for storage in a secure location” What does that mean to us? •Change in the way USB sticks are used •Not just USB. Additional encryption when accessing information across the internet

Data protection-training

You are reading a preview.

Check these out next

Data protection-training

More Related Content

Slideshows for you (8)

Similar to Data protection-training (20)

Recently uploaded (20)