CYPS Information Governance Training Agenda • introductions • questionnaire • Information Governance presentation • case studies • video Nigel McCosker Corporate Services
INFORMATION GOVERNANCE - WORKING WITH OPENNESS • current information access legislation • information security • impact on Board and risks • working with openness
INFORMATION ACCESS LEGISLATION Freedom of Information Act 2000 (FOI) • creates a statutory obligation on public authorities to consider releasing information in response to a written request • came fully into effect on 1 Jan 05 • requests for information must be in writing • there is no right to know why the information is being requested
INFORMATION ACCESS LEGISLATION Freedom of Information Act 2000 (FOI) • the requested information must be provided unless it falls into one of a number of exempt categories • two types of exemption exist: • Absolute (information cannot be released - clear cut) • Qualified (must apply a public interest test)
INFORMATION ACCESS LEGISLATION Freedom of Information Act 2000 (FOI) Examples of Absolute exemptions: Section 21 - Information accessible by other means Section 32 - Court records Section 40 - Personal information Section 41 - Information provided in confidence Section 44 - Prohibitions on disclosure
INFORMATION ACCESS LEGISLATION Freedom of Information Act 2000 (FOI) Examples of Qualified exemptions: Section 22 - Information intended for future publication Section 36 - Prejudice to effective conduct of public affairs Section 43 - Commercial Interests
INFORMATION ACCESS LEGISLATION Freedom of Information Act 2000 (FOI) • the Act is fully retrospective • anyone can apply for information • the Act has provisions for dealing with repeat or vexatious requests • criminal offence to tamper • any member of staff can receive a request
INFORMATION ACCESS LEGISLATION Freedom of Information Act 2000 (FOI) Who is using FOI? • the public – i.e. pupils and parents • the media • pressure groups • politicians
INFORMATION ACCESS LEGISLATION Data Protection Act 1998 (DPA) • a legal framework for the proper collection, usage, storage, sharing and disposal of personal data • underpinned by eight core Principles • permits Data Subjects access to their records
INFORMATION ACCESS LEGISLATION What is personal data? • “Personal data” means data which relate to a living individual who can be identified - • (a) from those data, or • (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
INFORMATION ACCESS LEGISLATION What is personal data? • This definition includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
INFORMATION ACCESS LEGISLATION What is personal data? • The mere mention of a data subject in a document does not amount to personal data. • In order to be considered personal data the information must be biographical in a significant sense
INFORMATION ACCESS LEGISLATION Main provisions of the Data Protection Act: • covers all personal data held on computer and manual records • covers ‘processing’ including obtaining, holding and disclosing data • permits Data Subjects access to their records • imposes considerable penalties on organisations that mishandle personal data
INFORMATION ACCESS LEGISLATION Data Protection Principles • personal data shall be processed fairly and lawfully (with consent) • processed for specified purposes • adequate, relevant and not excessive • kept accurate and up to date
INFORMATION ACCESS LEGISLATION Data Protection Principles • not be kept for longer than is necessary (record retention schedule) • processed in accordance with the rights of the individual • kept secure • not transferred to countries outside the European Economic Area unless adequately protected.
INFORMATION ACCESS LEGISLATION Subject access requests • right of access to personal data in computer or manual form • entitled to: • - be informed whether personal data is processed • - a description of the data held, the purposes for which it is processed and to whom the data may be disclosed; • - a copy of the data; Usually within 40 days • - information as to the source of the data • there are limited exemptions
INFORMATION ACCESS LEGISLATION Data Protection Act (Access to one’s own personal data) FOI Act (Access to everything else)
INFORMATION ACCESS LEGISLATION Dealing with information requests • FOI • WELB/SELB have handling procedures in place • contact the relevant officer immediately • Subject Access Request (DPA) • WELB/SELB Contact the relevant officer / section immediately
INFORMATION SECURITY Where does Information Security fit in? • Data Protection is the ‘what we have to do’ • Information Security is much of the ‘how we do it’ • Information Security is involved with the protection of all Board information, not just personal data
INFORMATION SECURITY Manual data • keep personal data in a locked filing cabinet or drawer • operate a clear desk policy; lock all personal data away when you are finished with it and at the end of the day • only remove files containing personal information from storage areas when necessary. Their location should be tracked at all times
INFORMATION SECURITY Manual data • pupil or client records transferred between Boards should be moved securely. Such files should be hand delivered • destroy personal data by shredding
INFORMATION SECURITY Electronic data • do not store personal data on desktops, laptops or portable media unless protected by encryption software • usernames and passwords provide legitimate users access to Board systems and should not be disclosed to anyone. Always renew passwords when prompted
INFORMATION SECURITY Electronic data • position monitors so others cannot see personal data. • when leaving your desk, lock your PC (by pressing ‘Ctrl, Alt and Del’ keys simultaneously). Log off when leaving for longer periods • emails sent to addresses outside the organisation will be transmitted across the internet. Never send personal data to such addresses • never leave personal data at printers. Collect print jobs promptly
INFORMATION SECURITY Electronic data • avoid sending personal information by fax. Where this is necessary do it over a secure protocol. • never leave laptops/portables/media unattended. When transporting any computer media always ensure it is out of sight, either in a glove compartment or boot of a car. • consider pupil databases
INFORMATION SECURITY General good practice • do not allow sensitive conversations to be overheard • guard against people seeking information by deception • if working from home treat that environment like your work environment. Do not allow friends/family access to any information.
IMPACT ON BOARD AND RISKS • most Board information is either publicly accessible or releasable to a data subject on request • public servant = public record. Staff do not own the records they create • requests for information can highlight a lack of information as well as scrutinise what is available
IMPACT ON BOARD AND RISKS • information which is unprofessional i.e. not based on sound policy/procedure can undermine public confidence if released • extra demands are placed on Information management / record keeping systems due to the need to locate information
IMPACT ON BOARD AND RISKS Records which have been released under FOI/DPA to date • minutes • reports • pupil files • internal memos • emails • diary extracts
WORKING WITH OPENNESS Writing for disclosure • does not mean record less • keep records factual and professional • write objectively • document reasons for decisions generally • record the context of file note / record • refer to policies in decision making
WORKING WITH OPENNESS Telephone conversations • record relevant detail • add necessary information to pupil file • avoid post-its. Record detail in a telephone record book or type it up • take control of the call where you need to • say what you mean. You might not be taking notes but the other person may
WORKING WITH OPENNESS Diary entries and notebooks • diary extracts are accessible under FOI and DPA - even if you have bought the diary yourself but use it for work • non-work related entries are exempt • make diary entries with the same care as if adding information directly into a pupil file • includes electronic diaries and PDAs
WORKING WITH OPENNESS Emails • formal method of Board communication • no control on where your email might end up • avoid forwarding discussion threads where this is unnecessary • accessible under FOI and DPA where related to a request topic or Data Subject • avoid ‘chat’ emails. Never mix informal discussion within a work related e-mail • make the subject line clear and concise
WORKING WITH OPENNESS Minutes Purpose of minutes: • providing accountability for decisions • identifying action owners and attributing time-scales • recording the consideration of alternatives and the reasons for their rejection • capturing policy development • change management tool
WORKING WITH OPENNESS Key points for staff • always write with disclosure in mind • does not mean write less, or write vaguely • write: • - concisely • - factually and • - in line with policy/procedure • consider how the record would read in court
WORKING WITH OPENNESS Record management [Diagram: the record lifecycle, with stages Creation, Active use, Retention and Final disposal]
WORKING WITH OPENNESS Record Management Know what information you hold and be able to access it... • Subject Access Requests • FOI requests • Inspections / audits
WORKING WITH OPENNESS File Disposal What can disposal mean? • destruction • offer records to the Public Record Office for Northern Ireland (PRONI) • refer to the Board’s record retention schedule before disposing of records
Help / Support • WELB ICT Manager ext 1247 - joe_mcquaid@welbni.org • WELB Corporate Information Manager ext 1553 - nigel_mccosker@welbni.org • WELB staff folder (X: Drive) - Policies / Procedures / Guidance for staff • Information Commissioner's website - www.ico.gov.uk
Thanks for listening Questions