Data Protection
Course Tutors: Ian Gover, Michele Weaver

Objectives
• The course is designed for all schools or educational settings and will explore areas around Data Protection.
• The course will answer these questions:
  • What is Personal Data?
  • What does the law say?
  • What policies should a school have?
  • What is the current situation in schools?
  • How can I audit a school?
  • What does the ICO/LA recommend?
  • What should my school do? Making an action plan.
  • What support is there for my school?

Agenda
1.30 Data Protection Quiz MW
1.45 What is Personal Data? MW What does the law say?
2.15 What is the current situation in schools? IG What policies should a school have?
2.45 Break
2.50 ICO Video IG
3.05 How can I audit? IG
3.25 Case Studies What does the ICO/LA recommend? MW
3.55 Document Retention IG
4.10 The future MW
4.20 Where can I go for help? IG What support is there? Action Planning

Data Protection Act Principles
• processed lawfully
• obtained and processed for specified purposes
• adequate, relevant and not excessive
• accurate and up to date
• kept for no longer than is necessary
• processed in accordance with the rights of data subjects
• kept securely
• transferred outside the EU only in very limited circumstances

Data Protection Act: What is covered?
• Information processed, or intended to be processed, wholly or partly by automatic means (that is, information in electronic form); and
• Information processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, manual information in a filing system).

‘Policed’ by ICO
The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Data Controllers can be fined £500,000 for serious data breaches.
Breaches have to be notified.

All schools are…
• their own Data Controllers
• Who is your nominated Data Controller?
• required to fill in a notification form every year
• What happens if the Data Controller leaves?
• Is the renewal date in your school diary?
• charged £35 (fewer than 250 staff) or £500 (more than 250 staff)

Data Security in Schools Audit
• Report from South West Audit Partnership commissioned by LA
• Completed during March/April 2012
• 10 schools
  • 9 primary
  • 1 middle
• Half a day visit with confidential report to school

Audit Findings: Data Protection Policies
• 4 schools did not have Personal Data Handling/Data Protection Policies
• 1 school had not reviewed the policy since 2003
• 2 schools had policies that were not complete
• Only 3 schools met the statutory requirements

Audit Findings: Freedom of Information Publication Scheme
• All schools have a FoI Publication Scheme
• No evidence of review and approval by governors at 5 schools
• 1 had not been approved since 2007
• 1 was not based on model publication scheme

Audit Findings: e-Safety Policy
• 4 schools did not have an e-safety policy
• 1 school policy was not comprehensive
• 1 school had not taken policy to governors

Audit Findings: Acceptable User Policies (Pupils)
• 2 schools did not have an AUP for pupils
• At one of these schools this was for KS1 pupils only (parents' signature issue)
• 2 schools did not send these out on an annual basis
• Some evidence that not all forms had been returned

Audit Findings: Acceptable User Policies (Staff)
• 1 school did not have a staff AUP
• 1 school did not update it on a yearly basis

Audit Findings: Policies in General
Confusion as to:
• which policies were statutory
• how often they should be reviewed
• how often they should be presented to governors

Audit Findings: Security of data held on portable and mobile devices
• At 2 schools, full use of the Somerset Learning Platform (SLP) meant this was not an issue
• 2 schools were about to increase use of SLP
• 1 school had encrypted laptops and memory sticks
• 5 schools questioned the need for encryption on some machines

Audit Findings: Locking of computer screens
• At 3 schools instances were seen of computer screens being left unattended
• 5 minute rule and

Audit Findings: Backups
• At 1 school the back-up report was not reviewed on a regular basis

Audit Findings: Internet Audit Logs
• 6 schools were not monitoring and reviewing audit logs
• 1 school had purchased new audit software but no monitoring was yet in place

Audit Findings: Sending personal data by email
No guidance in place for sending personal data by e-mail

ICO Report http://bit.ly/ICOreport
• 95% had provided some information to pupils and parents
• Nearly all schools used a computer based management system
• Fewer than 10% use biometric data
• Not all schools had password protection to confidential parts of the management system
• 75% monitored access to the system

ICO Report http://bit.ly/ICOreport
• A few schools had no policies and only a few indicated having the full range.
• Fewer than a third had received subject access requests. 10% of these had some difficulty answering these
• Procedures for the safe storage of paper files varied considerably
• 98% had passwords on their computer systems but these were not necessarily strong or changed frequently

ICO Report http://bit.ly/ICOreport
• 80% used secure email
• Schools were less sure about the storage of portable devices than paper files
• Not all schools were sure about the safe disposal of devices
• Half the schools thought that staff and governors were using personal devices

ICO Report http://bit.ly/ICOreport
• Most schools knew they shared data, but some reported that they did not know their responsibilities
• Most schools had their own website – fewer than half had secure areas and 15% of these schools did not check to see if people should have access – most schools knew about permission for photos etc
• Half the schools had CCTV – procedures for storing and staff access varied considerably

What policies should a school have?
http://bit.ly/elimsafepolicies
Also consider:
• Privacy Notices
• Data Handling
• Document Retrieval
• Record Retention
• Data Exchange Policy

How can I audit?
• Use the School Data Processing Survey form?
• Complete various surveys
• Get eLIM in to complete survey

Document Retention
Advice and toolkit from IRMS
http://www.irms.org.uk/resources/information-guides/199-rm-toolkit-for-school

Where can I go for help?
Michele Weaver Information Governance
eLIM - Ian Gover igover@somerset.gov.uk

What support is there?
• Advice
• Training Courses
• Data Protection Survey
• Various LA groups
• Website
• http://bit.ly/somersetesafedp

Action Planning
Use the grid to record what you are going to do