
Data Protection


asasia

Presentation Transcript


    1. Data Protection

    2. Objective To increase understanding and awareness of the Data Protection Act and why it is important for The University to comply. The University clearly feels there is a need to change the way we deal with Data Protection.

    3. How We Are Going To Do This? Outlining the key elements of the act and how it applies to our day-to-day work.

    4. The Role of the Information Commissioner To enforce the Act by encouraging the promotion of good information handling coupled with providing codes of practice on how best to process personal data. The University has officially notified the Information Commissioner that it processes data for particular reasons.

    5. What is the Data Protection Act? The Data Protection Act (DPA) aims to provide individuals with protection and control over the way that information about them is collected, stored and used. The key word is individuals. It is not intended to obstruct the legitimate use of information, but strives to ensure that it is used fairly via the 8 principles.

    6. The Act Covers Paper Files - information held in manual form, i.e. staff appraisals & student records. Electronic Files, Databases, spreadsheets & email. Photographs - for example identity cards and departmental picture boards. CCTV - usually installed for security purposes and people must be aware that they may appear on CCTV.

    7. The Act Covers Publications - for example a prospectus with names and photos of all Heads of Depts - individuals would have to consent to this. Web Pages - The Freedom of Information Act [2000] aims to promote a culture of openness which includes publishing staff names, job titles and extension numbers. Such publication in telephone directories is also considered to be a normal business requirement.

    8. Key Definitions in the 1998 Act Data means information that: Is being processed by automatically operating equipment in response to instructions given for that purpose. Is recorded with the intention that it should be processed by means of such equipment, referred to as automatic processing. Examples of this are credit scoring and some ability tests.

    9. Data means Information that: Is part of a “relevant filing system”. A relevant filing system is any set of information that an individual can be identified from. An example of a relevant filing system is this year’s appraisal forms kept in a locked desk drawer, in whatever order; the key is that an individual can be easily identified from them. However, items left in a disorganised manner do not form a relevant filing system.

    10. Key Definitions in the 1998 Act Data means information that: Forms part of an accessible record. The definition of an accessible record is supplied by the Information Commissioner; details of this appear later. Very unlikely to apply in a University setting.

    11. Personal Data Personal Data is data which relates to a living individual who can be identified from that information. Examples of this are name, address and telephone number. We can create personal data as we go along. For example, you take a phone call about a student or member of staff; it is somebody asking your advice about some performance issues, which could be good or bad. On your desk you have a pad and are writing some details of the conversation to refer back to, including the individual's name. This is now personal data and the individual therefore has the right to see the notes you have made about them.

    12. Sensitive Personal Data Sensitive Personal Data refers specifically to racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal convictions. Under the Act the processing of such data is subject to much stricter conditions. Sensitive personal data are items such as enrolment and job application forms.

    13. Data Terms “Data Subject” A “data subject” is any living individual who is the subject of personal data. “Data Subject Access” This refers to the right of an individual to access personal data relating to him or her by any establishment. Subject access rights apply to both computer and manual personal files and include items such as absence and interview notes.

    14. Data Terms “Data Controller” The University as a corporate body is registered with the Information Commission as the “Data Controller”. “Data Protection Officer” The Data Protection Officer is a person who acts on behalf of the Data Controller and is responsible for updating policy.

    15. Data Processing Processing means Obtaining, recording, holding or disclosing data OR Carrying out any operations on the data. Processing is a very wide term and means anything you do with it including filing, posting, compiling a report, using it or even just handing it to someone else.

    16. File Assessment ~ Considerations Why have I got this file? Is it accurate? Do I have permission to access it? Is it still current? Arrangements for storage or destruction?

    17. The 8 Data Protection Principles One: That Data is processed fairly and lawfully and shall not be processed unless certain conditions are met. The conditions are that one condition from schedule 2 must be met for processing of personal data to be fair and lawful and one condition from schedule 2 and one condition from schedule 3 must be met for sensitive personal data. Schedules 2 and 3 are accessible via the notes page. http://www.hmso.gov.uk/acts/acts1998/80029--n.htm#sch2 http://www.hmso.gov.uk/acts/acts1998/80029--o.htm#sch3

    18. The 8 Data Protection Principles Two: Obtained for specified and lawful purposes and not further processed in a manner incompatible with that purpose. Data must only be used for what it was originally collected for. Example: If you collect student home addresses for emergency contact reasons, you should not use that information to send out induction questionnaires.

    19. The 8 Data Protection Principles Three: Adequate, relevant and not excessive. You should have just enough information for what you need; for example, if you collect emergency contact details, you only need the name, address and phone number, not the relationship to the individual.

    20. The 8 Data Protection Principles Four: Accurate and where necessary up to date. This means firstly advising people what data you hold about them, and then providing a mechanism for them to advise you of any changes. This can be as simple as sending a memo round once or twice a year reminding people to advise you of any changes.

    21. The 8 Data Protection Principles Five: Kept for no longer than necessary. When data is obsolete, confidentially destroy it. You should approach data retention from a risk assessment point of view, i.e. what will happen if I keep it and what will happen if I throw it away? The Information Commission explicitly says that information should not be kept just in case it might be needed one day. What use is a 10-year-old appraisal, for example?

    22. The 8 Data Protection Principles Six: Processed in accordance with data subjects’ rights. Individuals are entitled to access the information the University holds about them. They have the right to rectify, block, erase or destroy inaccurate or incomplete data, the right to prevent processing likely to cause them damage or distress or to be used for direct marketing, and rights in relation to automated decision making.

    23. The 8 Data Protection Principles Seven: Protected by appropriate security. Keep things locked away - if your desk or office locks, lock it! Restrict access as much as possible. Do not send faxes or email if there is a way to avoid doing so. Ensure staff and students are aware of their responsibilities. Address mail correctly and appropriately.

    24. The 8 Data Protection Principles Eight: Not transferred without adequate protection to a country outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedom of data subjects in relation to the processing of personal data.

    25. Staff Responsibilities All staff must ensure that: Personal data provided in connection with their employment is accurate and up-to-date. It is important to inform the University of any errors, corrections or changes, for example change of address, marital status, etc.

    26. Staff Responsibilities All staff must ensure that personal data relating to individuals that staff hold or process: Is kept securely and treated as confidential. Is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party.

    27. Staff Responsibilities Passing Information to external third parties: In such instances it is important that you ensure that the third party is aware that they must also comply with the Act and apply appropriate security measures to any information that we share with them. Unauthorised disclosure may be a disciplinary matter. Remember staff and students have a right to access all information held about them including any comments ~ so be careful what you write!

    28. Disclosure of Student Personal Data It is vital that all Student data is treated as confidential and not inadvertently disclosed to third parties. Please refer to the Good Work Practice guide for advice on how to deal with third party reference requests.

    29. Further Information The Complete Data Protection Act can be viewed at: www.legislation.hmso.gov.uk/acts/acts1998/9980029.htm. Information Commission: www.dataprotection.gov.uk and www.dataprotection.gov.uk/dpaudit/index.htm. Data Protection Code of Practice: www.jisc.ac.uk/pub00/dp_code.html#708. Records and Compliance Officer (Re: Student & Other Records): x 3053. Data Protection Officer (Re: HR Records): x 3573. John McParland, University Secretary, on 020 7739 2004.

    30. Additional Legislation to consider: Human Rights Act 1998; The Regulation of Investigatory Powers Act 2000; The Freedom of Information Act (not in force until 29.02.04); The Computer Misuse Act 1990; The Public Interest Disclosure Act 1998; Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

    31. Important Thought Just remember when dealing with your daily duties ~ Data Protection is Government Legislation and compliance is non-negotiable. It is becoming increasingly important to think carefully about the information you have about individuals and what you do with it. Failure to comply with Legislation can lead to legal and disciplinary action. Liability can be personal as well as organisational, with fines of up to £5000.
