170 likes | 284 Views
Data Protection for ‘Process S’ staff. Matt Morrison, Information Rights Officer, Secretary’s Office Matthew.Morrison@bristol.ac.uk Data-protection@bristol.ac.uk. What am I going to talk about?. Relevant advice for student facing staff Some law, some good practice
E N D
Data Protection for ‘Process S’ staff Matt Morrison, Information Rights Officer, Secretary’s Office Matthew.Morrison@bristol.ac.uk Data-protection@bristol.ac.uk
What am I going to talk about? • Relevant advice for student facing staff • Some law, some good practice • Where to go for guidance/advice • Questions?
Background/definitions • Data Protection Act 1998 – commenced in March 2000 and governs use of personal data. Guided by eight main principles. • Personal data – “data relating to a living, identifiable individual”, includes letters, faxes, emails (held electronically or in hard copy), handwritten notes, photographs, CCTV footage, audio tapes • Processing – anything done with personal data e.g. obtaining, holding, altering, analysing, disclosing, destroying.
Taking data security more seriously • Information Commissioner increased powers to fine organisations for DPA breaches in April 2010 – up to £500,000 • Largest fine so far £130,000 – sending of sensitive data in relation to child protection case to wrong person • Reputational damage unquantifiable – drop in applications, loss of research funding etc. • Message from Deputy Vice-Chancellor requiring completion of new data security module by all staff (existing and incoming)
The principles • 1. Personal data shall be processed fairly and lawfully (consent, essentially) • 2. Personal data shall be used only for the purposes for which it has been obtained • 3. Personal data shall be adequate, relevant and not excessive (do not collect irrelevant personal data) • 4. Personal data shall be accurate and up to date
The principles • 5. Personal data shall not be kept for longer than is necessary • 6. Personal data shall be processed in accordance with the rights of the data subject (access request, right to prevent processing etc.) • 7. Appropriate technical and organisational measures taken to prevent against loss of or damage to personal data (physical and electronic security measures, training/awareness etc.) • 8. Personal data not transferred outside European Economic Area without fulfilling certain conditions
Sensitive data • Sensitive data as defined in DPA – afforded extra levels of security • Racial/ethnic origin • Political views • Religious beliefs (or similar) • Trade union membership • Physical or mental health • Sexual life • Information relating to a criminal offence • Be careful about sharing of this information even within the University. Should only be accessed by those who have a need to see it e.g. extenuating circumstances form including medical info • Breach involving sensitive data = far more serious
University data classifications • University internal data classifications: http://www.bris.ac.uk/infosec/uobdata/classifications/ • To guide how confidentially different types of information should be treated within the University • Access to information based upon need to access that information to perform role
Choosing when to write • Most likely to be dealing with written documents – emails, letters, minutes etc. • Be aware that any document identifying an individual could be disclosed to that individual – think before you write! Requests often made in relation to an appeal/grievance • Is an email always appropriate? Could you talk face to face or over the phone? May be able to discuss more openly • All emails, even non-personal, could be subject to disclosure into the public domain under the Freedom of Information Act • Guidance on access to emails: http://www.bris.ac.uk/secretary/dataprotection/emails
Alternatives to email • Quickfire nature of emails: Data breaches often occur when sending personal data via email – sending to wrong address, accidental ‘Reply-all’ • Can protect against human error by: • Using shared file spaces to store personal data – no data needs to be sent • Use of Staff Desktop when working remotely • If personal data does need to be sent by email, ensure it is encrypted before sending (very easy in Office 2007 and 2010) • Encryption advice can be found at: http://www.bris.ac.uk/infosec/uobdata/encrypt/
Right of access • All students (and staff) have the right to access their personal data held by the University – can be student file or can specify documents • Application can be made using subject access request form: http://www.bris.ac.uk/secretary/dataprotection/individ/subjectaccess.html • Required to provide £10 fee plus proof of identity
Access to exam scripts • Exemption under the Act in relation to exam scripts – not required to disclose • Students are entitled to receive a breakdown of their marks and any comments made by examiners – can be made easier by using separate marking sheet
Third party enquiries • Parent/family/guardian queries • Relationship is between the student (as an adult) and the University • Generally do not disclose student personal data without consent • Explain that we require a student’s consent rather than “because of data protection” • Can offer to pass message on from caller • Certain provisions outside of consent if there are particular concerns about a student
Third party enquiries • Can also come from police, local councils, fraud investigators, insurance companies, solicitors and others • Happy for these to be referred on to Secretary’s Office as they generally rely on a DPA provision outside of consent and require legal consideration • A number of routine disclosures we make e.g. HESA, local councils – notified to students via Student Agreement
Offsite working • Do not store any personal data on non-UoB owned computing equipment – PCs, laptops, memory sticks, portable devices. All UoB devices should have full disk encryption. • Use Staff Desktop wherever possible: http://www.bristol.ac.uk/it-services/advice/homeusers/remote/staffdesktop/ • Can access emails, work on documents without storing any data on non-UoB equipment. Shouldn’t really need to carry personal data on portable devices. • Hard copies of personal data – only when totally necessary and with appropriate security measures. Can the info be accessed via Staff Desktop?
Guidance / advice • Data Protection website: http://www.bristol.ac.uk/secretary/dataprotection/ • Information Security website: http://www.bris.ac.uk/infosec/ • Mandatory data security training module: http://www.bris.ac.uk/infosec/training/ • How to encrypt documents: http://www.bristol.ac.uk/it-services/learning/documentation/encrypt-1/encrypt-1il.pdf • Information Security Manager (Richard Hopkins): cert@bristol.ac.uk
Thanks for listening Any questions?