
Data Protection for ‘Process S’ staff


Presentation Transcript


  1. Data Protection for ‘Process S’ staff Matt Morrison, Information Rights Officer, Secretary’s Office Matthew.Morrison@bristol.ac.uk Data-protection@bristol.ac.uk

  2. What am I going to talk about?
  • Relevant advice for student-facing staff
  • Some law, some good practice
  • Where to go for guidance/advice
  • Questions?

  3. Background/definitions
  • Data Protection Act 1998 – commenced in March 2000 and governs use of personal data. Guided by eight main principles.
  • Personal data – “data relating to a living, identifiable individual”; includes letters, faxes, emails (held electronically or in hard copy), handwritten notes, photographs, CCTV footage, audio tapes
  • Processing – anything done with personal data, e.g. obtaining, holding, altering, analysing, disclosing, destroying

  4. Taking data security more seriously
  • Information Commissioner gained increased powers to fine organisations for DPA breaches in April 2010 – up to £500,000
  • Largest fine so far £130,000 – sending of sensitive data relating to a child protection case to the wrong person
  • Reputational damage unquantifiable – drop in applications, loss of research funding etc.
  • Message from Deputy Vice-Chancellor requiring completion of new data security module by all staff (existing and incoming)

  5. The principles
  • 1. Personal data shall be processed fairly and lawfully (consent, essentially)
  • 2. Personal data shall be used only for the purposes for which it has been obtained
  • 3. Personal data shall be adequate, relevant and not excessive (do not collect irrelevant personal data)
  • 4. Personal data shall be accurate and up to date

  6. The principles
  • 5. Personal data shall not be kept for longer than is necessary
  • 6. Personal data shall be processed in accordance with the rights of the data subject (access request, right to prevent processing etc.)
  • 7. Appropriate technical and organisational measures shall be taken to protect against loss of or damage to personal data (physical and electronic security measures, training/awareness etc.)
  • 8. Personal data shall not be transferred outside the European Economic Area without fulfilling certain conditions

  7. Sensitive data
  • Sensitive data as defined in the DPA – afforded extra levels of security:
  • Racial/ethnic origin
  • Political views
  • Religious beliefs (or similar)
  • Trade union membership
  • Physical or mental health
  • Sexual life
  • Information relating to a criminal offence
  • Be careful about sharing this information even within the University. It should only be accessed by those who have a need to see it, e.g. an extenuating circumstances form including medical info
  • Breach involving sensitive data = far more serious

  8. University data classifications
  • University internal data classifications: http://www.bris.ac.uk/infosec/uobdata/classifications/
  • To guide how confidentially different types of information should be treated within the University
  • Access to information is based upon the need to access that information to perform your role

  9. Choosing when to write
  • Most likely to be dealing with written documents – emails, letters, minutes etc.
  • Be aware that any document identifying an individual could be disclosed to that individual – think before you write! Requests are often made in relation to an appeal/grievance
  • Is an email always appropriate? Could you talk face to face or over the phone? You may be able to discuss more openly
  • All emails, even non-personal, could be subject to disclosure into the public domain under the Freedom of Information Act
  • Guidance on access to emails: http://www.bris.ac.uk/secretary/dataprotection/emails

  10. Alternatives to email
  • Quickfire nature of emails: data breaches often occur when sending personal data via email – sending to the wrong address, accidental ‘Reply-all’
  • Can protect against human error by:
  • Using shared file spaces to store personal data – no data needs to be sent
  • Using Staff Desktop when working remotely
  • If personal data does need to be sent by email, ensure it is encrypted before sending (very easy in Office 2007 and 2010)
  • Encryption advice can be found at: http://www.bris.ac.uk/infosec/uobdata/encrypt/

  11. Right of access
  • All students (and staff) have the right to access their personal data held by the University – can be the student file or can specify documents
  • Application can be made using the subject access request form: http://www.bris.ac.uk/secretary/dataprotection/individ/subjectaccess.html
  • Required to provide a £10 fee plus proof of identity

  12. Access to exam scripts
  • Exemption under the Act in relation to exam scripts – not required to disclose
  • Students are entitled to receive a breakdown of their marks and any comments made by examiners – can be made easier by using a separate marking sheet

  13. Third party enquiries
  • Parent/family/guardian queries
  • Relationship is between the student (as an adult) and the University
  • Generally do not disclose student personal data without consent
  • Explain that we require the student’s consent rather than saying “because of data protection”
  • Can offer to pass a message on from the caller
  • Certain provisions outside of consent apply if there are particular concerns about a student

  14. Third party enquiries
  • Can also come from police, local councils, fraud investigators, insurance companies, solicitors and others
  • Happy for these to be referred on to the Secretary’s Office, as they generally rely on a DPA provision outside of consent and require legal consideration
  • A number of routine disclosures we make, e.g. HESA, local councils – notified to students via the Student Agreement

  15. Offsite working
  • Do not store any personal data on non-UoB-owned computing equipment – PCs, laptops, memory sticks, portable devices. All UoB devices should have full disk encryption.
  • Use Staff Desktop wherever possible: http://www.bristol.ac.uk/it-services/advice/homeusers/remote/staffdesktop/
  • You can access emails and work on documents without storing any data on non-UoB equipment. You shouldn’t really need to carry personal data on portable devices.
  • Hard copies of personal data – only when totally necessary and with appropriate security measures. Can the info be accessed via Staff Desktop instead?

  16. Guidance / advice
  • Data Protection website: http://www.bristol.ac.uk/secretary/dataprotection/
  • Information Security website: http://www.bris.ac.uk/infosec/
  • Mandatory data security training module: http://www.bris.ac.uk/infosec/training/
  • How to encrypt documents: http://www.bristol.ac.uk/it-services/learning/documentation/encrypt-1/encrypt-1il.pdf
  • Information Security Manager (Richard Hopkins): cert@bristol.ac.uk

  17. Thanks for listening
  • Any questions?
