
Data Protection What You Need To Know

Data Protection What You Need To Know. Hello! Jason Miles-Campbell, JISC Legal Service Manager, jason.miles-campbell@jisclegal.ac.uk, 0141 548 4939, www.jisclegal.ac.uk. About JISC Legal. Role: to avoid legal issues becoming a barrier to the use of technology in tertiary education


Presentation Transcript


  1. Data Protection What You Need To Know

  2. Hello! • Jason Miles-Campbell JISC Legal Service Manager • jason.miles-campbell@jisclegal.ac.uk • 0141 548 4939 • www.jisclegal.ac.uk

  3. About JISC Legal • Role: to avoid legal issues becoming a barrier to the use of technology in tertiary education • Information service: we cannot take decisions for you when you are faced with a risk

  4. jiscleg.al/DataProtection Law, ICT and Data Protection

  5. Common Scenarios • A parent requests information on son’s progress • Police request information on one of your students • A tutor asks to see a reference supplied by her supervisor • An employer requests information on an employee’s attendance • Personal details of a student disclosed in confidence appear on FB • A staff mobile phone containing sensitive data is lost • Internal sharing of data amongst staff • External sharing of data - ALL have DP compliance implications

  6. Why Comply? • It’s the law • Good business practice • Sets a good example • Confidence • Risk (ID theft)

  7. When it comes to data protection... • I’m confident • I’ve a fair idea • I dabble • I ask others • I hide in the toilet

  8. Recent Headlines • FB Comments Result in sacking • Think Before You Tweet or Risk Arrest • Unencrypted Devices Pose ‘Unnecessary Risk’ for Sensitive Data • Serious Data Protection Risks for App Users • Duplicate Password Use by School Leads to data breach • University Sends Personal Data to Wrong Recipient • Teacher in FB Meltdown • Negligent Employees and Contractors Cause 36% of UK Data Breaches • University Breaches DPA by Disclosing Personal Data on Website

  9. Data Protection Law • Data Protection Act 1998 • Information Commissioner (www.ico.gov.uk) • Other relevant law: Freedom of Information Act 2000; Privacy and Electronic Communications Regs 2003; Protection of Freedoms Act 2012

  10. Data Protection Essentials • “Data protection ... regimes ... do not seek to protect data itself, ... they seek to provide the individual with a degree of control over the use of their personal data” • “data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion” (Source: DP Code of Practice for FE and HE) • i.e. Data Protection law does not prevent using and sharing personal data but .. • ICO power to impose fines direct for serious security breaches

  11. Understanding Your Duties • Data Subject • Data Controller • Data Processor • Processing

  12. NCT contracts with Help4U to produce pay slips. Unfortunately, Help4U send the payslips to the wrong recipients. Who is liable? • The college as data controller • The processor as they caused the error • Both the data controller and the processor • Neither

  13. What is Personal Data? • Any information which relates to an identified or identifiable person • Living persons • Must be significant biographical information which affects privacy • Sensitive personal data

  14. Which of the following is likely to be covered by the DPA? • a deceased staff member’s email account • numerals to identify students in a VLE • documents relating to a disciplinary matter • ‘John Smith’ on a post it on a monitor

  15. The 8 Data Protection Principles – key to compliance • fair and lawful • limited purposes • adequate, relevant and not excessive • accurate and current • not kept longer than necessary • respect the rights of the individual • appropriate security • transfer outside EEA needs adequate protection

  16. Fair Processing… and Lawful Processing • A processing notice – transparency • Weighing up interests v privacy • Would you be happy?

  17. Lawful Processing and Lawful Processing To process, a Schedule 2 condition must be met: • Consent • Legitimate interest of the data controller • Fulfilment of a contractual obligation More stringent conditions for ‘sensitive’ personal data

  18. One of these is fair and lawful. Which? • The college releases details on student attendance to a parent • The college collects name and contact details of all students • A tutor puts personal details of a student on his Facebook account

  19. A college keeps all emails for 10 years. Is this in line with the DPA? • Yes • No • Might be • Not sure

  20. New College Telford should give out information about students and staff to other organisations • Never • Rarely • Freely upon request • Only when the person gives permission • Only when a senior manager authorises it

  21. Information can be shared freely internally (between staff) within your organisation • True • False • Not sure

  22. Important Points… When handling personal data in your role consider: • Purpose: what data do you hold and why are you collecting personal data? • Fairness: is the reason fair to the data subject? • Transparency: does the data subject know about it? • Security: is there an appropriate level of security?

  23. Over to you Some Scenarios……..

  24. A father asks for information on his son’s progress. Do you… • Supply it - nothing wrong in doing this • Supply it – learner is under 18 • Withhold it as he should never access it • Withhold it until you have consent

  25. The police arrive at reception asking for a student’s address, his record of attendance and whether he is currently in class. What should you do? • Supply it because it’s the police • Supply it only when you know what it’s for and think it is relevant information to the investigation • Never supply it

  26. What security should be on devices holding personal data? • Password protection and encryption • None as kept on campus • It depends on the type of information

  27. You want to finish student profile reports at home. What do you do? • Copy them on to a USB memory stick to take with you • Use your own laptop or tablet after consulting IT, checking policy and ensuring security • Email them to your webmail • Log into and save to the college network from home

  28. A member of staff clicks the wrong email group and sends personal info about a student’s health to other students instead of relevant tutors. Who is liable? • The College is liable for the breach • There is no liability, it was an accident, not deliberate • The member of staff is liable not the college

  29. What should you know? • Where the DP policy is, how to access it and its contents • Have awareness of DP and how it may affect students, staff etc. • That what you’re doing is covered by the data protection notice to students, staff etc. • How to store/share personal information on and off campus • How to keep personal information secure (mobiles, social networking) • Where to get help

  30. Sources of Help • Your institution’s DP officer • Your institutional policies and procedures • info@jisclegal.ac.uk and www.jisclegal.ac.uk (code of practice)

  31. Questions? • www.jisclegal.ac.uk • info@jisclegal.ac.uk • 0141 548 4939
