
Privacy and Security Basics Training

Privacy and Security Basics Training. April 2019. Who should take this training? This training sets out RNIB’s standards for handling any data that relates to living people, whether they are customers, patients, staff, volunteers or others.



Presentation Transcript


  1. Privacy and Security Basics Training April 2019

  2. Who should take this training? This training sets out RNIB’s standards for handling any data that relates to living people, whether they are customers, patients, staff, volunteers or others. This training should be taken by all RNIB staff and by all volunteers and contractors who access or use personal data, whether this is on paper or electronically.

  3. The law The Data Protection Act was replaced with the General Data Protection Regulation (GDPR) in May 2018. The new law introduces serious financial penalties for failure to handle people’s data properly – up to 4% of annual turnover. But this is not just about the risk of fines. RNIB is committed to treating all individuals with dignity and respect. This includes the ways in which we handle their information.

  4. What you must do It is the responsibility of everyone in RNIB to help make sure that people's data is treated responsibly, securely and respectfully. You must follow RNIB processes and policies. When accessing or working with data about people, users must comply with data protection legislation and RNIB’s policies about the ways in which people’s information may be used. If you are unsure about what to do, talk to your manager.

  5. Monitoring our network and systems RNIB provides you with access to data, systems and equipment in order for you to carry out your role. You must only use these in accordance with RNIB policies. Your use of our systems, network and equipment is monitored and reviewed by RNIB. Unauthorised or improper use of our systems may result in disciplinary action or even proceedings under the Computer Misuse Act 1990 and/or the Police and Justice Act 2006.

  6. How should we handle personal data? The simplest rule is to always treat people’s data the way you would like other organisations to treat yours or your family’s. We must keep people’s data secure. We must be transparent about what we do with people’s data, and be able to explain why we need it and what we will use it for. We must make sure we listen to people when they ask us what data we hold, or ask us to correct data.

  7. Subject Access Requests (SARs) People have a right to ask for a copy of the data we hold about them. We must respond in full within 30 days. They are entitled to all information we hold, across any department, including paper documents and emails. We must be careful never to release information that could identify another person. If you receive such a request, you must forward it to the dataprotectionofficer@rnib.org.uk mailbox for further advice.

  8. What might a SAR look like? “I’d like a copy of an assessment I did with RNIB in 2016” “I want all data RNIB holds about me” “I want to request my data under Data Protection or GDPR or Freedom of Information” This does not need to be a formal request to the IG Team. It may come up in correspondence with any staff member.

  9. Other rights People have a right to ask for their data to be:
  • Updated or corrected
  • No longer used to contact them
  • No longer used for other particular purposes
  • Deleted or destroyed
  If you receive such a request, you must forward it to the dataprotectionofficer@rnib.org.uk mailbox for further advice.

  10. What might these requests look like? “I moved house and you haven’t updated my address. This means I didn’t get the letter you said you’d send last month.” “My father recently passed away. Please cancel his subscription to your newsletter.” “I recently changed my surname, please update my records.” “I don’t want any more of these emails you keep sending!”

  11. Recording information professionally If your role involves writing or recording information about individuals, you must make sure that:
  • You record what is necessary
  • You record information accurately and professionally
  • You are brief, factual and professional in the way you record opinions about people
  Remember that people are entitled to copies of information RNIB holds about them, including written opinions.

  12. Contacting people – Direct Marketing You may have heard of direct marketing – this does not only mean contacting people in order to sell them something or ask for money! If your communication to people could begin ‘We thought you might be interested’ or ‘We thought you might like to know’ there is a good chance that this is direct marketing. If it is, there are a number of legal requirements we must follow. If you are intending to contact customers, you must contact the directmarketingreports@rnib.org.uk email and follow RNIB’s process.

  13. Email - general dos and don’ts If you are sending an email to a number of external email addresses, you must ALWAYS use BCC and not CC. Before sending an email, check the addresses you’re sending it to are correct. If sending an attachment, check carefully that you have attached the correct document. Before replying to or forwarding an email containing a long discussion, read it carefully and delete any unnecessary information before forwarding (including email addresses).

  14. Working securely on the move Don’t carry paper documents unless absolutely necessary – it is more secure to scan and access electronically. If you must carry paper documents, make sure you do not carry more personal data than required. Only record what’s necessary. Dispose of paper as soon as possible. Dispose of paper with confidential information securely – in a confidential waste bin or by shredding.

  15. Working securely with paper If you are carrying confidential work documents, keep them separate from your laptop (where practical). If you use a notebook, remember how easy it is for this to be lost. Minimise the amount of personally identifiable data you keep in it. Destroy pages once records have been transferred to an RNIB system.

  16. Working securely in the office
  • Use a confidential waste bin for paper with information about customers or staff.
  • Make sure all customer and staff data is locked away at the end of the day or when desks are not being used.
  • Pick up printing as soon as you have printed it.
  • Lock your laptop screen when stepping away from your desk (Windows key + L is the quickest way).
  • Never share or write down passwords.

  17. Storing and using data securely It is very important that personal data is only stored on systems and equipment provided to you directly by RNIB. Use of this equipment and these systems is monitored. Never store a copy of personal data on your personal PC, laptop, tablet, mobile or USB stick. Never use your personal email account (Hotmail, Gmail, Yahoo, etc.) to carry out RNIB work. Always report lost or stolen equipment.

  18. Be cautious! Be very careful of any email you receive with a link or attachment. If you don’t recognise the source, it may be an attempt to find out your login details. Never click on an email link or open an attachment unless you’re sure where it came from. Never supply your password or credentials to anyone, either in a form or by phone. Never install any programs without approval.

  19. Be discreet! You should only reveal information of a confidential nature over the phone to someone if you are sure they are entitled to it. Never discuss confidential work matters with friends or family. Be aware of your surroundings when discussing confidential work matters, both in the office and in public.

  20. Using data for the purpose provided People provide us with their information for specific reasons – for us to provide them with services that we have explained. We must never re-use their data for any other business reason without discussion with the Head of Service and the Data Protection Officer, unless you are following an existing RNIB process, such as Safeguarding.

  21. What sort of things can go wrong?
  • Loss or theft of paperwork (including personal bags with notebooks)
  • Loss or theft of an unencrypted device (laptop, personal device, USB stick)
  • Emails containing confidential information sent to the wrong person
  • Data posted or faxed to the wrong person
  • Failure to use Bcc where required to protect people's privacy
  • Failure to redact data properly
  • Verbal disclosure of data
  • Cyber security incidents – malware and ransomware

  22. What should you do if something goes wrong? Keeping RNIB data secure is everyone’s responsibility. If you make a mistake or see something that could put data at risk, never ignore it. You may be able to help – for example, by picking up confidential documents that have been left in a public space and locking them away safely. You must always report the incident to dataprotectionofficer@rnib.org.uk.

  23. What should you do if something goes wrong? A common cause of a breach is sending an email to the wrong person, or sending the wrong email to someone. If this happens, people often hit ‘recall’. This has no effect if you have sent the email to someone with a non-RNIB email address! If an email has left our network you will need to contact the recipient and ask them to delete it. If you have sent something highly confidential within RNIB, you must ask IT to assist with this, so we can make sure the email is deleted completely. You must also report the breach to the IG Team and send the IT reference number by emailing dataprotectionofficer@rnib.org.uk.

  24. Never use RNIB data for your own purposes We provide access to RNIB data in order to deliver our services and to support customers. It must NEVER be accessed, copied or removed for personal reasons. It is a criminal offence to access customer or staff data for your own personal reasons, and something that RNIB takes very seriously. You must not access data or systems unless you have permission and a business reason to do so. You must not share data with any party that is not entitled to see it, for example, a friend of yours.

  25. Further questions about Data Protection? If you have any questions about Data Protection or the content of this training, please contact your volunteer manager. You can also contact the Information Governance team by emailing: dataprotectionofficer@rnib.org.uk

  26. Now that you've finished Please contact your volunteer manager to let them know you have read through this training. Thank you for taking the time to complete the Privacy and Security Basics training.
