Data Security & Freedom of Information
INFORMATION GOVERNANCE
• Freedom of Information Act 2000
• Data Protection Act 1998
• Information Security
• Record Management
FREEDOM OF INFORMATION ACT 2000
Background
• Creates a statutory obligation on public authorities to formally consider written requests for information and respond within 20 days
• Two-stage introduction:
  - first stage: Publication Schemes (02-04)
  - second stage: full Rights of Access came into effect on 1 Jan 05
• Requests for information must be in writing (including fax / e-mail)
• There is no right to know why the information is being requested
FREEDOM OF INFORMATION ACT 2000
Publication Schemes
• Proactive publishing of information
• Similar structure for all public sector organisations
• Information split into broad categories known as ‘classes’:
  - information published in the School Prospectus
  - information on the School Profile and other information relating to the governing body
  - policies that relate to Pupils & Curriculum
  - School Policies and other information related to the school
• All schools must adopt a scheme
• Model schemes available at: http://www.ico.gov.uk/Home/what_we_cover/freedom_of_information/publication_schemes/model_schemes.aspx
FREEDOM OF INFORMATION ACT 2000
Full Rights of Access - Dealing with Individual Requests
• Identify and acknowledge FOI requests:
  - Dear……currently dealing with your request ……will be in touch as soon as possible…
• Review the material being requested and apply exemptions
• Provide a response, either:
  - provide all requested information, or
  - withhold all, or in part; explain which exemption is being applied and provide an opportunity to appeal the decision
FREEDOM OF INFORMATION ACT 2000
More about Exemptions
• Exemptions exist to protect information that should not be released.
• Some exemptions that may apply in a school setting:
  - Request for a teacher’s home address or career development information: Section 40, Personal data exemption
  - Request by a parent for a copy of another parent’s written complaint: Section 41, Information provided in confidence
  - Request for a copy of legal advice obtained by a school: Section 42, Legal professional privilege
• There is no exemption for embarrassment
• Full list of exemptions available at http://www.foi.gov.uk/guidance/index.htm
FREEDOM OF INFORMATION ACT 2000
Things to remember when responding
• Must respond within 20 working days
• Straightforward disclosures can be dealt with by the Principal
• Complex requests and decisions to withhold must involve the Board of Governors (BOGs)
  - consider the public interest test
• It may not always be appropriate, or required, to disclose the identity of the applicant to the BOGs
• The decision which must be made is: can this information be made public?
FREEDOM OF INFORMATION ACT 2000
• As so much school information is now open to public scrutiny, it’s important that we write for disclosure:
  - Write objectively
  - Ensure what you write is relevant and professional
  - Document reasons for decisions generally
  - Refer to policies in decision making
  - Don’t forget about e-mails and diaries!
FREEDOM OF INFORMATION ACT 2000
What can the applicant do if dissatisfied?
• Lodge an appeal with the school; it must be heard by the BOGs, preferably those not involved in the original decision.
• If still dissatisfied, the applicant can approach the Information Commissioner (IC) for an independent review.
• The IC will approach the school requesting copies of the information and details of how the request was handled.
• The IC will either uphold the school’s decision or overturn it and issue the school with an enforcement notice to release the information.
FREEDOM OF INFORMATION ACT 2000
Key points
• Ensure your school adopts a Publication Scheme.
• See that requests are identified and dealt with promptly.
• Labour-intensive requests can be charged for or refused.
  - duty to offer assistance
• Don’t make decisions quickly. Acknowledge requests and consider them carefully.
• Just because someone asks doesn’t mean they get! (appropriate disclosure)
• Where information is refused, an adequate explanation must be provided, with details of how to appeal the decision.
• Ensure nothing is written which may embarrass; consider diaries, e-mails, notebooks etc.
• WHEN IN DOUBT - SEEK ADVICE
DATA PROTECTION ACT 1998 (DPA)
• The DPA is a legal framework for the proper collection, usage, storage, sharing and disposal of personal data.
• It permits Data Subjects access to their records.
• It can impose considerable penalties on organisations and individuals who fail to comply.
• Personal data is any information that identifies and relates to a living individual, such as name, address, date of birth, educational record, financial details and even expressions of opinion or intention. The Act covers such information held on computer and in paper files.
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
• Personal data (PD) shall be processed fairly and lawfully
  - PD must be collected and used only where there is a valid reason.
  - It is good practice to advise subjects how their data may be used, through forms, posters, annual reports etc.
• Processed for specified purposes
  - Where any planned use of the information falls outside what has been explained to the data subject, or what they might expect, consent must be obtained before proceeding
• Adequate, relevant and not excessive
  - We must be able to demonstrate that the level of personal information we collect is required for the effective delivery of services
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
• PD shall be accurate and up to date
  - Where we are making decisions based on such data, we have a responsibility to ensure it is accurate and kept up to date
• Not kept for longer than is necessary
  - PD should not be kept for longer than necessary. Some personal data needs to be retained for legal reasons. Schools must refer to the School Record Retention and Disposal Schedule before destroying records
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
• Processed in accordance with the rights of the individual
  - Data subjects have rights under the Act. These include: the right of access to their records, the right to have any inaccurate information corrected and the right to prevent processing likely to cause damage or distress
• Kept secure
  - One of the biggest obligations placed on a school.
  - Equally important for manual and electronic data
  - Applies throughout all stages of data processing, from obtaining and using to sharing and destruction
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
• PD must not be transferred to countries outside the European Economic Area unless the information is adequately protected.
  - Personal data cannot be transferred to countries which do not have personal data legislation similar to our own.
• When dealing with personal data we should always ask ourselves the question: if this was my personal data, how would I like it to be treated?
DATA PROTECTION ACT 1998 (DPA)
Examples of Sensitive Personal Data
Data relating to:
• Racial or ethnic origin
• Political opinions
• Religious or similar beliefs
• Trade union (TU) membership
• Physical or mental health
• Sexual life
• Criminal allegations
• Criminal proceedings/record
• Information relating to a child
Special care must be taken when processing Sensitive Personal Data, especially around collection, use and sharing.
DATA PROTECTION ACT 1998 (DPA)
Subject access rights
• Right of access to personal data in computer or manual form
• Entitled to:
  - Be informed whether personal data is processed
  - A description of the data held, the purposes for which it is processed and to whom the data may be disclosed
  - A copy of the data, usually within 40 days
  - Information as to the source of the data
• There are limited exemptions.
DATA PROTECTION ACT 1998 (DPA)
Information access summary
• Data Protection Act (access to personal data by the data subject): 40 days
• FOI Act (access to everything else): 20 days
DATA PROTECTION ACT 1998 (DPA)
Duty to Notify
• Organisations which process personal information must notify the IC
• Costs £35 to register
• Beware of bogus agencies
• Failure to notify is a criminal offence
• Details on how to notify can be found at http://www.ico.gov.uk/Home/what_we_cover/data_protection/notification.aspx
DATA PROTECTION ACT 1998 (DPA)
Summary of key points for staff
• Duty to OBTAIN information fairly
• Duty to PROTECT information
• Duty to ensure information is SECURE
• Duty to JUSTIFY use and storage of personal data
• DON’T PASS on information unless on a need-to-know basis and you are sure of the recipient’s validity
INFORMATION SECURITY
Use and Management of Passwords
• Use passwords to protect against unauthorised access.
• It is a school’s responsibility to ensure that enabled usernames are available only to current staff and students.
• Leavers’ usernames must be removed (i.e. deleted or disabled) promptly.
• The usernames of anyone under investigation for inappropriate use must be disabled promptly.
• Usernames must never be created for fictitious staff or students (this includes the creation of ‘generic’ or group usernames, i.e. usernames that could be used by more than one person).
INFORMATION SECURITY
Use of E-Mail
• E-mails sent to addresses outside the C2k Network (e.g. Hotmail.com) will be transmitted across the internet. Never send personal data to such addresses.
• Never send Sensitive Personal Data by e-mail.
• Do not transmit unsolicited advertising or attachments, as these may conceal viruses.
• Restrict messages to those who may have an interest in them.
• Check e-mail messages every day (if practical).
• Do not subscribe to non-work-related services / alerts.
• Delete unwanted messages.
INFORMATION SECURITY
Securing Automated Data - Portables/Laptops
• Never leave laptops/portables/media unattended.
• When transporting any computer media, always ensure it is out of sight, either in the glove compartment or the boot of a car.
• Never disclose your username or password.
• Do not hold confidential or pupil-level data on laptops.
• No additional devices may be connected to data points on the C2k network without the specific agreement of C2k; random checks will be carried out to identify such violations.
INFORMATION SECURITY
Securing Automated Data - Portables/Laptops
• Only software which is licensed and appropriate for school needs may be installed on laptops.
• Laptop users may not install alternative versions of Internet Explorer, any other Internet browsers, Windows updates or any hacking tools, and should not switch off the Windows firewall.
• Antivirus software is provided and automatically updated in school. This protection must be kept up to date if the laptop has not been connected to the school network for more than one week.
INFORMATION SECURITY
Securing Automated Data - Portables/Laptops
• The laptop should not be given to, lent to or used by anyone other than the nominated member of staff when outside school.
• If the laptop is lost or stolen, the school should be notified immediately or, during school holidays, the C2k Helpdesk (0870 6011 666).
• The laptop must be returned to school if the nominated member of staff ceases employment with the school.
INFORMATION SECURITY
C2k Networks
• It is the school’s responsibility to ensure that software added to desktops on the C2k network is appropriately licensed.
• The school’s C2k Manager/Administrator must ensure that software which represents a security threat is not installed on any desktop.
• The school should make all users aware that attempts to bypass filtering, or to access inappropriate or illegal material, will be reported to the school authority.
INFORMATION SECURITY
Legacy networks connected to the Internet via C2k
• All legacy network servers and desktops must have adequate, up-to-date anti-virus protection with automatic updates.
• Appropriate, up-to-date security patches and service packs must be in place on the school legacy network.
• Other Internet or wireless connections must not be made available to equipment which is connected to the C2k network unless C2k has granted permission for such connections.
INFORMATION SECURITY
Manual Records
• Keep personal data in a locked filing cabinet or drawer.
• Operate a clear desk policy: lock all personal data away when you are finished with it and at the end of the day.
• Only remove files containing personal information from storage areas when necessary. Their location should be tracked at all times.
• Destroy personal data by shredding.
INFORMATION SECURITY
General Good Practice
• Personal information should only be passed on on a need-to-know basis.
• Do not allow sensitive conversations to be overheard.
• Guard against people seeking information by deception.
• Never leave personal data at printers. Collect print jobs promptly.
• If working from home, treat that environment like your work environment. Do not allow friends/family access to any information.
• Avoid sending personal information by fax. Where this is necessary, do it over a secure protocol.
RECORD MANAGEMENT
The Record Life Cycle
Creation → Active use → Retention → Final disposal
RECORD MANAGEMENT
Information Access
• Know what information you hold and be able to access it:
  - Subject Access Requests
  - FOI requests
  - Inspections / audits
RECORD MANAGEMENT
File Disposal
What can disposal mean?
• Archive
  - Offer records to the Public Record Office for Northern Ireland (PRONI)
• Destruction
  - Adopt and refer to the School Record Retention Schedule before disposing of records
  - available at http://www.deni.gov.uk/index/85-schools/5-school-management/85-disposal-of-school-records.htm
RECORD MANAGEMENT
• Don’t forget about electronic records
CONTACTS / GUIDANCE
Freedom of Information
• WELB Corporate Information Manager 02882 411553
• www.foi.gov.uk/guidance/index.htm
• www.ico.gov.uk/
• http://www.welbni.org/index.cfm/do/GuidSch
Data Protection
• http://www.ico.gov.uk/for_organisations/data_protection_guide.aspx
• WELB Corporate Information Manager 02882 411553
• WELB Data Protection Officer 02882 411247
Information Security
• C2k Helpdesk 0870 6011 666
• WELB Corporate Information Manager 02882 411553
• WELB Data Protection Officer 02882 411247
Record Management
• WELB Corporate Information Manager 02882 411553
• www.proni.gov.uk
• www.deni.gov.uk/index/85-schools/5-school-management/85-disposal-of-school-records.htm