Slide 1 Intro of myself: advisor for learning resources. Background: information architecture manager at SQA, with direct responsibility for managing the Data Protection Act process and for ensuring continued accreditation to the international standard ISO 27001, the standard for an effectively managed information security management system. Ask them to introduce one another and their backgrounds. Today's short workshop will look at some of the processes involved in ensuring that personal information is stored, managed, processed and secured in accordance with the Data Protection Act.
Slide 2 This workshop is by no stretch the magical silver bullet that will solve all of an organisation's data protection woes and challenges. It really is a very general introduction, with some ideas about how Angus College can ensure the integrity and confidentiality of personal data. We'll look at some of the key terms and principles within the Data Protection Act, at the two main levels of personal information, and at some of the tools and processes an organisation can deploy to ensure adherence to the Act.
Slide 3 The DPA was passed in 1998 but only came into force as legislation from March 2000. The Act sets out a framework for how organisations collect and use personal data, ensuring that the confidentiality and integrity of that data are maintained and that the person the data is about suffers no loss of privacy or other harm. The DPA does not approve of the "we'll store this data, just in case" attitude, and rightly so. Personal data means data relating to a living individual who can be identified from those data, or from those data together with other information in the possession of the data controller. It also includes any expression of opinion about the individual and any indication of the intentions of the data controller, or of any other person, in respect of the individual. So, for example, if you are marking a student's paper and you write feedback or any remark on it, then in the context of a subject access request that remark would have to be transcribed and sent to the individual.
Slide 4 The Act hinges on eight principles.
1st principle: have legitimate grounds for collecting and using the personal data; be transparent about how you are going to use the data; do not use the data in ways that have unjustified adverse effects on the individuals concerned.
2nd principle: be clear about the purpose or purposes for which you hold personal data, so that you can ensure you process it in a way that is compatible (or "not incompatible", as the Act says) with your original purpose or purposes. Specifying those purposes at the outset is likely to help you avoid "function creep". If you process personal data in accordance with the other data protection principles, and have notified the Information Commissioner where you need to, you are likely to comply with the requirement to "specify" without doing anything more.
3rd principle: do not hold excessive amounts of data; you should not hold personal data on the off-chance that it might be useful in the future.
4th principle: take reasonable steps to ensure the accuracy of any personal data you obtain; ensure that the source of any personal data is clear; carefully consider any challenges to the accuracy of information; and consider whether it is necessary to update the information.
5th principle, retention: weigh the current and future value of the information; the costs, risks and liabilities associated with retaining it; and the ease or difficulty of making sure it remains accurate and up to date.
6th principle: individuals have a right of access to what an organisation holds about them; a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and a right to claim compensation for damage caused by a breach of the Act.
7th principle: adequate security controls are in place to ensure the integrity and confidentiality of personal information. Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach; be clear about who in your organisation is responsible for ensuring information security; and be ready to respond to any breach of security swiftly and effectively.
8th principle: personal data must not be transferred outside the European Economic Area without adequate protection. Remember that all the data protection principles apply to overseas transfers of personal data, not just the eighth, so you must consider how you will comply with the other principles if you transfer.
Slide 5 The personal information an organisation may hold falls into two types. First, we have what is deemed personal data…
Slide 6 And we also have sensitive (often marked "restricted") personal data about a living individual. The presumption is that, because information about these matters could be used in a discriminatory way and is likely to be of a private nature, it needs to be treated with greater care than other personal data. In particular, if you are processing sensitive personal data you must satisfy one or more of the conditions for processing that apply specifically to such data, as well as one of the general conditions that apply in every case. The nature of the data is also a factor in deciding what security is appropriate. The first data protection principle requires that you be able to satisfy one or more "conditions for processing" in relation to your processing of personal data. Many (but not all) of these conditions relate to the purpose or purposes for which you intend to use the information. If you have a legitimate reason for processing personal data, the best approach is to focus on whether what you intend to do is fair. The additional conditions for sensitive personal data are set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000: http://www.legislation.gov.uk/uksi/2000/417/contents/made
Slide 7 The ICO website holds information and guidance for educational establishments. It covers, for example, students' examination records, and in your packs I've included the specific guidance on access to pupils' data in Scotland. On FOI: the ICO guidance gives examples of the kinds of information it would expect colleges of further education to provide in order to meet their commitments under the model publication scheme. Any publication scheme created before 1 January 2009 is now out of date and should be replaced with the ICO model scheme, which sets out seven classes of information, how you should make the information available, what you can charge, and what you need to tell members of the public about the scheme. You are also required to tell the ICO that you have made these changes to your publication scheme. (Caveat: Scottish colleges are covered by the Freedom of Information (Scotland) Act, under which the Scottish Information Commissioner, not the ICO, publishes the model publication scheme.)
Slide 8 To give some structure and a common vocabulary, the Act defines the following roles: the data controller, usually an organisation, who determines how and for what purposes personal data will be processed; the data processor, who processes data on behalf of the controller; and the data subject, the individual the data is about. Within an organisation it is paramount that all staff are aware of their role and responsibilities under data protection and understand the consequences, including enforcement action, that can follow from mishandling personal information. Some organisations, for example, stipulate in their policy the procedure that follows if a member of staff breaches or does not comply with their responsibilities when processing personal data, and some develop specific contracts for staff who process personal data.
Slide 9 Within your organisation, North Glasgow College is the data controller. All organisations that process personal data must, unless exempt, notify and register with the Information Commissioner's Office. The register of data controllers is public information and available online. Click on the link, search the register and show Angus College's notification: it documents all the purposes for which the college processes personal data. Ultimate responsibility for adherence to the Data Protection Act lies with the data controller.
Slide 10 The Data Protection Act is enforced by the Information Commissioner's Office. The ICO is an independent body set up to uphold our information rights, promote openness and transparency within the public sector and ensure data privacy for individuals. Click on the link to show the information and guidance available to organisations on data protection. There is also a Scottish Information Commissioner, who has jurisdiction over the management and enforcement of the Freedom of Information (Scotland) Act, but the ICO has specific regulatory responsibility for data protection across the UK.
Slide 11 So how does the ICO act on breaches of the Data Protection Act by organisations? They hit them where it hurts most: money and reputation. The ICO has the power to impose a monetary penalty of up to £500,000 on an organisation for a serious breach involving personal information.
A couple of recent examples: Sony was fined £250,000.
Another one closer to home is that of Scottish Borders Council: read slide.
Slide 13 To determine the amount of a penalty the ICO uses a framework. They consider the seriousness of the breach, including the hurt or damage done to the people whose data was involved. They also consider mitigating factors (the policies and procedures you have in place, what your organisation does to ensure compliance) and aggravating factors (for example, if this is your second or subsequent offence). Click on link. And, as I mentioned, reputation: all monetary penalties and decisions on breaches are published on the ICO website. Finally, the financial impact on the organisation: the case working group takes into account any financial hardship on the organisation, but they want proof from the data controller, and what is submitted can be used as evidence in the case.
Slide 21 So how does an organisation ensure compliance with the Data Protection Act? I think it's a mixture of these five attributes. It's all very well having a policy that adheres to a certain level of information security and states how an organisation will ensure the confidentiality and integrity of personal data, but quite another thing to embed that policy as process in the organisational culture. Most organisations develop an information governance process and include all of these attributes in their implementation of good practice to ensure adherence to the Act. This can go further than just how to manage personal data: all of it can be embedded to ensure good information management practice for all information within an organisation. People, process and policy are the three key ingredients of good information management: ensuring your valued assets are aware of their responsibilities and understand the processes and policy your organisation works with. Time spent on training and awareness pays off in adherence to your policies and processes.
Slide 22 The ICO would regard it as a mitigating factor in a breach if an organisation has an effective management system in place for personal data. North Glasgow College has a data protection and IT security policy that documents exactly how staff must comply when working with personal data; it also includes measures to ensure the security of data, whether access is physical or electronic. There are other areas where organisations need a policy or guidance in place for staff. With the onslaught of mobile devices, a lot of organisations need to consider what their policy is. A survey released in December last year reported: "Independent research commissioned by Cisco reveals that 73% of Local Government, Healthcare and Higher & Further Education organisations allow employees to use personal devices at work. But while the majority have begun to embrace BYOD, only 22% have put specific and enforceable policies in place for users. In addition, only 24% have installed security solutions on user devices." Email is also an issue, and an organisation must specify what can be shared or transferred over the internet via email. Ensuring staff are aware of these policies and what they mean for them is how an organisation develops a secure data culture. Know what you've got, where it is and what security controls must be applied. Most organisations work within a risk framework and apply levels of risk to their operational and production processes. Information is a valued asset, so it is useful to measure the risk to data and what the impact may be, assigning a level of risk to an information asset according to whether its loss would cost the organisation revenue or damage its reputation. Click on link.
Slide 23 In creating an information asset register, or including information as an asset within your corporate risk register, you need to identify the risk to the information and then decide how to treat it: by avoiding, reducing, transferring or accepting it. So you look at what drives the risk and what measures you can apply to mitigate it. An organisation should then actively monitor and review risk to ensure its treatments remain effective. There are other tools worth considering: privacy impact assessments are useful, for example, if you are using third-party data processors, since a PIA can check that the external supplier adheres to the rigours of data protection and information security. Know what you've got, where it is and what security controls must be applied to ensure the continued integrity and confidentiality of that information.
We all have the right as individuals to ask organisations about the personal information they hold about us. These requests are referred to as subject access requests (SARs). A lot of organisations specify on their website how they deal with a subject access request and what kind of information they hold. Click on the link to the SQA webpage, then on the link for the SAR form. It is vital that an organisation specifies who is responsible for dealing with SARs and that this is monitored and reviewed.
Slide 25 In dealing with SARs it is imperative that an organisation has ownership and responsibility in place: who deals with them and who is involved in the procedure. Requests must be logged and recorded properly and kept for the period set by your retention schedule. If the information being sent out involves other persons, you must make sure that their information has been redacted. Example: SQA exam logs from invigilators; all other persons recorded in them must be redacted before the information is sent out. Click on link. There are specific exemptions within the DPA; in the main they concern criminal proceedings, financial processes or management information within an organisation. Example of an exemption: the senior management of an organisation are planning a reorganisation. This is likely to involve making certain employees redundant, and this possibility is included in management plans. Before the plans are revealed to the workforce, an employee makes a subject access request. In responding to that request, the organisation does not have to reveal its plans to make him redundant if doing so would be likely to prejudice the conduct of the business (perhaps by causing staff unrest in advance of an announcement of management's plans). Example from SQA: "Your examination script is exempt from release under the Data Protection Act. SQA markers are instructed not to add their comments to examination scripts, but occasionally this does happen. You are entitled to receive a copy of any marks or comments markers add to your script. We will provide these, if available, in response to your subject access request."
Also covered: examination marks and personal data contained in examination scripts. Mention the handout on access to pupils' information. Another consideration for personal data requests is when an organisation shares data with other organisations for a specific purpose. Data sharing agreements are extremely important to ensure data subjects are aware of how their personal information will be processed and what the external organisation is legitimately allowed to do with the data (mention the data sharing checklist and the ICO code of practice on data sharing).
Slide 26 Training and awareness are fundamental to creating good information governance. Click on link: the ICO has created a useful toolkit for organisations to download and use to raise awareness of protecting personal data. Coming along this morning should also help in building up your ideas for moving forward with protecting personal information.
Slide 27 Another of the attributes I mentioned earlier that can help an organisation develop and embed good data protection process is records management: ensuring you have documented the items listed on the slide. Read slide.
Slide 28 Example of SQA's retention schedule for dealing with subject access requests. It documents exactly what each record comprises, how long it must be kept, whether that is a statutory or a business requirement, and what action completes the record's lifecycle.
Slide 29 Technology is an integral part of ensuring security procedures are in place for the management of personal data. Most of this is very practical and straightforward, but it is amazing to see staff in organisations doing things like working with sensitive information, leaving their desk and not locking their PC: a security breach just waiting to happen. An incident management team can be an effective way to govern both physical and electronic incidents, comprising a board and a working group with responsibility for ensuring compliance and awareness among staff.
Angus College has specified in its policy who owns and is responsible for security measures. This must also cover the security of physical records and access to IT: those who manage the organisation's network must ensure access controls and permissions are in place so that only the right people gain access to the data they are allowed to view. Some organisations introduce a security breach log to ensure any data breaches are reported, handled and resolved. And given the flexibility of working practice these days, some institutions create guidance and policy for staff working away from the office. Click on link: show the remote working assessments used to ensure the security of data when working at home.
Slide 31 Don't despair! The ICO may be the ones that dole out the monetary penalties, but they also have an excellent information dissemination policy and are there to help organisations embed and develop good information management practice. Click on link: advisory visits and self-assessment. Data protection is ever evolving and a developing piece of legislation, and with so much of our lives now lived online the ICO has created a code of practice on how organisations should process personal information online.
Slide 33 We share our information everywhere now, and it is increasingly difficult to keep up to speed with who has your information and what they may be doing with it. With that in mind, click on link.
Introduction to Data Protection and Information Security
Overview
• To understand key terms and principles of the Data Protection Act (DPA)
• Understand types of information: personal/sensitive
• How an organisation can comply with the DPA
Intro to Data Protection Act
• Established 1998 to safeguard personal data
• Framework for how organisations can collect and use personal data
• Personal data means data which relates to a living individual who can be identified:
– From those data
– From those data and other information in the possession of the data controller
Eight Principles of DPA
Anyone who processes personal information must comply with eight principles, which make sure that personal information is:
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than is necessary
6. processed in line with the data subjects' rights
7. secure
8. not transferred to other countries without adequate protection
Types of information I
– Names, addresses
– Birth details
– Contact details
– Age, gender
– NI number
– Marital history, partnerships
– Travel details, leisure activities, membership of organisations
– Employment details
– Finance details
Types of information II
• Sensitive
– Mental or physical health
– Racial or ethnic origin
– Political opinions
– Religious or related beliefs
– Trade union membership
– Sexual life
– Criminal convictions
– Offences, including alleged
http://www.ico.gov.uk/for_organisations/data_pro
Data Protection and FE
• Data protection is important to FE and HE institutions
– they collect, process and use the data of individuals such as students, staff, alumni and enquirers for various purposes.
Specific guidance for the education sector: http://www.ico.gov.uk/for_organisations/sector_guides/
– examination records
– expected requirements under FOI(S)A
Roles within the DPA
• Data controller: determines the purposes for which and the manner in which personal data are to be processed
• Data processor: person who processes the data on behalf of the data controller
• Data subject: an individual who is the subject of personal data
Who's responsible!
• North Glasgow College is the data controller
• Data controllers must register with the Information Commissioner's Office (ICO)
http://www.ico.gov.uk/what_we_cover/registe
• S.4(4) of the DPA: ultimate responsibility for adhering to the Act lies with the 'Data Controller'.
Information Commissioner's Office (ICO)
• independent public body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
http://www.ico.gov.uk/for_organisations/da
• There is also a Scottish Information Commissioner, but the ICO has specific regulatory responsibility for the DPA
£150,000, 7 June 2013
Issued to Glasgow City Council for the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.
£250,000, 24 January 2013
Issued to Sony: the PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers' payment card details were also at risk.
£250,000, 11 September 2012
Issued to Scottish Borders Council after former employees' pension records were found in an over-filled paper recycle bank in a supermarket car park.
All monetary penalties and decisions by the ICO can be viewed at: http://www.ico.gov.uk/enforcement/fines.aspx
Data Day Hygiene
http://www.youtube.com/watch?v=CdYW
Scenario one
A new admin assistant was asked to fax a child protection report to a solicitors. The report contained extensive sensitive personal data about the child and a number of her family relations.
The law firm was a regular contact, but had recently changed its fax number. The admin assistant used the contact list to find the number. The new number had been handwritten over the previous number.
The following day the law firm called to say it had not received the faxed report. On checking what had happened, the admin assistant had misread a digit in the new fax number.
Identify and discuss any data protection issues in this incident
Scenario two
A social worker asked an administrator to send some documents to her work email address so that she could work on them at home.
The documents included a spreadsheet listing a number of her clients, their names and addresses and contact time. Additional information included descriptors of their physical and mental health problems. The spreadsheet also contained notes relating to family members.
The administrator attempted to email the social worker but there were problems with the organisation's email system. The social worker asked the administrator to email her personal email instead, and she would then transfer the documents from her home computer.
The administrator emailed the documents to the social worker's personal email. Later in the evening, the social worker checked her email but the documents had not been received. On checking with the administrator, it transpired that the email address had been taken down incorrectly.
• Identify and discuss any data protection issues in this incident
Scenario three
• The organisation operates a number of services in conjunction with a range of voluntary agencies. One of the services is an outreach centre for young people. The outreach workers and social workers routinely share information about the users of the service. The people who use the centre will typically only frequent it for 3 to 6 months before moving on.
• The outreach centre has three desktop computers. One of these is used to send and store the reports for the council. That computer, and the relevant folders, are password protected. The password is XYZ123 and has never been updated. It is pinned on the inside of a drawer in the office.
• The centre also keeps information for its own purposes, which might include details of disruptive attendees and notes about their external associates. This information is kept on all three computers.
• The centre is broken into and the three desktop computers are stolen. During the council's investigation, the centre informs the investigating officer that reports had not been deleted from their computers for at least the past five years.
• Identify and discuss any data protection issues in this incident
Scenario one - issues
• Fax breach: security of sensitive personal data sent by fax.
• No phone-ahead fax policy; no checking policy to make sure faxes are received by the intended recipients; no pre-programmed fax numbers; no evidence of an appointed person responsible for checking or updating fax numbers;
• No fax cover sheet mentioned;
• The data controller should have been aware of the risks associated with faxing sensitive personal data, as the risks have previously been well publicised by the ICO;
• No evidence that other methods had been considered for transmitting sensitive personal data;
• Higher risk of error with a handwritten fax contact list;
• Had the administration assistant involved with this breach received data protection training?
• Should a relatively new member of staff have been entrusted with faxing sensitive personal data? Is it reasonable to assume this task requires a certain level of experience and responsibility?
Scenario two - issues
• Email breach: security of sensitive personal data sent by email; also the third data protection principle.
• No clear email security policy;
• No mention of a contractual agreement between the council and the outsourced third-party finance provider;
• Potential contravention of the third data protection principle: an excessive and irrelevant amount of information going to the finance department;
• Potential contravention of the third and seventh data protection principles: irrelevant personal data being sent by insecure email to a third-party finance provider;
• The administrator should not have emailed spreadsheets to a personal email address without first checking the data security protocols, and without using encryption;
• No cross-checking of the personal email address to ensure accuracy;
• The council's home working policy is vague about the security and storage of personal data when working from home.
Scenario three - issues
• Theft of data: organisational and technical security of personal data; also the fifth data protection principle, retention of personal data.
• No evidence that a data sharing agreement was in place between the council and the outreach centre;
• Potential contravention of the fifth data protection principle: reports kept for 5 years, when people who use the centre generally only attend for 3-6 months;
• The password to the computer storing reports shouldn't have been kept in a drawer, should have had a higher degree of complexity (alphanumeric, upper and lower case, symbols etc.) and should have been changed on a regular basis;
• Lack of technical security: two desktop computers storing personal data not password protected (there is generally no obligation to encrypt desktop computers, but note that once a machine is stolen a login password alone does not protect the data on its disk; disk encryption is the control that would have limited the impact of this theft);
• What physical security measures were in place at the outreach centre?
• What DPA training would voluntary outreach workers have undertaken, and were such volunteers vetted by the council? How did the council satisfy themselves about this?
• This breach could involve sensitive personal data as defined by section 2 of the
Ensure you're compliant
• Governance: policy and guidance, risk register, impact levels, protective marking
• Training: protecting information course, knowing where to get help and advice on the DPA
• Records management: retention schedules, disposal records, information asset register
• Security of personal data: mobile devices, physical security of manual records, owner/responsibility, incident reporting, third-party contracts
• Dealing with requests: owner/responsibility, log of requests, monitoring/redaction, data sharing agreements, SAR log
Governance
• Policies and procedures (data protection, information security, email policies, portable devices)
• Measure and impact, risk register
– http://www.nationalarchives.gov.uk/documents
Assessing the risk to personal information
• Identify the risk
• Treat the risk
• Monitor and review
• Review what personal data is held (privacy impact assessment)
• Apply security measures for physical or electronic assets
• Create an information asset register
The right of access to personal data
• An individual can send you a subject access request (SAR) requiring you to tell them about the personal information you hold about them, and to provide them with a copy of that information.
• In most cases you must respond to a valid subject access request within 40 calendar days of receiving it.
• Example of a SAR form
Requests for personal data
• owner / procedure
• record and log requests
• redaction
• exemptions: http://www.ico.gov.uk/for_organisations/data
• data sharing agreements
Training and awareness
http://www.ico.gov.uk/Global/think_privacy_tx
Protecting Personal Information course
Records Management
• roles and responsibilities
• retention schedules
• indexing/tracking records
• destruction/disposition
Retention for SARs
Record | Contents | Retention period | Requirement | Action
Record of subject access request | Initial request, response, related correspondence and other supporting documentation | Completion of request + 3 years | Statutory | Destroy
Record of subject access request where appeal made to UK Information Commissioner | Initial request, response, appeal records, related correspondence and other supporting documentation | Outcome of appeal + 6 years | Statutory | Destroy
General compliance records | Files re DP audit, general compliance, data breaches, security training etc. | Current year + 3 | Business requirement | Destroy
Notification and changes | | Current year + 3 | Statutory | Destroy
Security measures
• owner/responsibility (North Glasgow College Data Protection policy)
• physical security of manual records
• network security and access permissions
• mobile devices
• security incident log
• remote working risk assessment
http://www.reading.ac.uk/internal/imps/DataProtection/DataProtectionGuidelines/imps-d-p-encryption-remote-working.aspx
How the ICO can help
http://www.ico.gov.uk/what_we_cover/audits_advisory_visits_and_self_assessments.aspx
http://www.ico.gov.uk/~/media/documents/library/data_protection/detailed_specialist_guides/personal_information_online_cop.pdf
Ensure that you…
• only collect information that you need for a specific purpose;
• keep it secure;
• ensure it is relevant and up to date;
• only hold as much as you need, and only for as long as you need it;
• allow the subject of the information to see it on request; and
• ensure all staff are aware of their responsibility.
North Glasgow College
Civil Service Learning / Protecting Information course
Level 1: provides useful information and advice to help you protect and share information safely and appropriately.
Approx. 45 minutes to complete
https://north-gla.blackboard.com/