Transcript Slide 1

CYPS Information Governance Training
Agenda
• introductions
• questionnaire
• Information Governance presentation
• case studies
• video
Nigel McCosker
Corporate Services
INFORMATION GOVERNANCE WORKING WITH OPENNESS
• current information access legislation
• information security
• impact on Board and risks
• working with openness
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
• creates a statutory obligation on public
authorities to consider releasing information in
response to a written request
• came fully into effect on 1 Jan 05
• requests for information must be in writing
• there is no right to know why the information is being
requested
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
• the requested information must be provided unless it
falls into one of a number of exempt categories
• two types of exemption exist:
- Absolute (information cannot be released - clear cut)
- Qualified (must apply a public interest test)
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
Examples of Absolute exemptions:
Section 21 - Information accessible by other means
Section 32 - Court records
Section 40 - Personal information
Section 41 - Information provided in confidence
Section 44 - Prohibitions on disclosure
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
Examples of Qualified exemptions:
Section 22 - Information intended for future publication
Section 36 - Prejudice to effective conduct of public affairs
Section 43 - Commercial Interests
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
• the Act is fully retrospective
• anyone can apply for information
• the Act has provisions for dealing with repeat or
vexatious requests
• criminal offence to tamper
• any member of staff can receive a request
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
Who is using FOI?
• the public – i.e. pupils and parents
• the media
• pressure groups
• politicians
INFORMATION ACCESS LEGISLATION
Data Protection Act 1998 (DPA)
• a legal framework for the proper collection,
usage, storage, sharing and disposal of
personal data
• underpinned by eight core Principles
• permits Data Subjects access to their
records
INFORMATION ACCESS LEGISLATION
What is personal data?
“Personal data” means data which relate to a living
individual who can be identified (a) from those data, or
(b) from those data and other information which is in
the possession of, or is likely to come into the
possession of, the data controller
INFORMATION ACCESS LEGISLATION
What is personal data?
This definition includes any expression of opinion
about the individual and any indication of the
intentions of the data controller or any other person
in respect of the individual
INFORMATION ACCESS LEGISLATION
What is personal data?
The mere mention of a data subject in a document
does not amount to personal data.
In order to be considered personal data the
information must be biographical in a significant
sense
INFORMATION ACCESS LEGISLATION
Main provisions of the Data Protection Act:
• covers all personal data held on computer and manual
records
• covers ‘processing' including obtaining, holding and
disclosing data
• permits Data Subjects access to their records
• imposes considerable penalties on organisations that
mishandle personal data
INFORMATION ACCESS LEGISLATION
Data Protection Principles
• personal data shall be processed fairly and
lawfully (with consent)
• processed for specified purposes
• adequate, relevant and not excessive
• kept accurate and up to date
INFORMATION ACCESS LEGISLATION
Data Protection Principles
• not be kept for longer than is necessary
(record retention schedule)
• processed in accordance with the rights of the
individual
• kept secure
• not transferred to countries outside the
European Economic Area unless adequately
protected.
INFORMATION ACCESS LEGISLATION
Subject access requests
• right of access to personal data in computer
or manual form
• entitled to:
- be informed whether personal data is processed
- a description of the data held, the purposes for which
it is processed and to whom the data may be disclosed;
- a copy of the data; Usually within 40 days
- information as to the source of the data
• there are limited exemptions
INFORMATION ACCESS LEGISLATION
Data Protection Act (Access to one’s own personal data)
FOI Act (Access to everything else)
INFORMATION ACCESS LEGISLATION
Dealing with information requests
• FOI
WELB/SELB have handling procedures in place
contact the relevant officer immediately
• Subject Access Request (DPA)
WELB/SELB Contact the relevant officer / section
immediately
INFORMATION SECURITY
Where does Information Security fit in?
• Data Protection is the ‘what we have to do’
• Information Security is much of the ‘how we do it’
• Information Security is involved with the protection of
all Board information, not just personal data
INFORMATION SECURITY
Manual data
• keep personal data in a locked filing cabinet or
drawer
• operate a clear desk policy; lock all personal data
away when you are finished with it and at the end
of the day
• only remove files containing personal information
from storage areas when necessary. Their location
should be tracked at all times
INFORMATION SECURITY
Manual data
• pupil or client records transferred between
Boards should be moved securely. Such files
should be hand delivered
• destroy personal data by shredding
INFORMATION SECURITY
Electronic data
• do not store personal data on desktops, laptops or
portable media unless protected by encryption
software
• usernames and passwords provide legitimate users
access to Board systems and should not be
disclosed to anyone. Always renew passwords
when prompted
INFORMATION SECURITY
Electronic data
• position monitors so others cannot see personal data.
• when leaving your desk, lock your PC (by pressing
‘Ctrl, Alt and Del’ keys simultaneously). Log off when
leaving for longer periods
• emails sent to addresses outside the organisation will
be transmitted across the internet. Never send
personal data to such addresses
• never leave personal data at printers. Collect print jobs
promptly
INFORMATION SECURITY
Electronic data
• avoid sending personal information by fax. Where this
is necessary do it over a secure protocol.
• never leave laptops/portables/media unattended.
When transporting any computer media always ensure
it is out of sight, either in a glove compartment or boot
of a car.
• consider pupil databases
INFORMATION SECURITY
General good practice
• do not allow sensitive conversations to be overheard
• guard against people seeking information by deception
• if working from home treat that environment like your
work environment. Do not allow friends/family access
to any information.
IMPACT ON BOARD AND RISKS
• most Board information is either publicly accessible or
releasable to a data subject on request
• public servant = public record. Staff do not own the
records they create
• requests for information can highlight a lack of
information as well as scrutinise what is available
IMPACT ON BOARD AND RISKS
• information which is unprofessional i.e. not based on
sound policy/procedure can undermine public
confidence if released
• extra demands are placed on Information management
/ record keeping systems due to the need to locate
information
IMPACT ON BOARD AND RISKS
Records which have been released under FOI/DPA to date
• minutes
• reports
• pupil files
• internal memos
• emails
• diary extracts
WORKING WITH OPENNESS
Writing for disclosure
• does not mean record less
• keep records factual and professional
• write objectively
• document reasons for decisions generally
• record the context of file note / record
• refer to policies in decision making
WORKING WITH OPENNESS
Telephone conversations
• record relevant detail
• add necessary information to pupil file
• avoid post-its. Record detail in a telephone record book
or type it up
• take control of the call where you need to
• say what you mean. You might not be taking notes but
the other person may
WORKING WITH OPENNESS
Diary entries and notebooks
• diary extracts are accessible under FOI and DPA
- even if you have bought the diary yourself
but use it for work
• non-work related entries are exempt
• make diary entries with the same care as if
adding information directly into a pupil file
• includes electronic diaries and PDAs
WORKING WITH OPENNESS
Emails
• formal method of Board communication
• no control on where your email might end up
• avoid forwarding discussion threads where this is unnecessary
• accessible under FOI and DPA where related to a request topic
or Data Subject
• avoid ‘chat’ emails. Never mix informal discussion within a work
related e-mail
• make the subject line clear and concise
WORKING WITH OPENNESS
Minutes
Purpose of minutes:
• providing accountability for decisions
• identifying action owners and attributing time-scales
• recording the consideration of alternatives and the reasons
for their rejection
• capturing policy development
• change management tool
WORKING WITH OPENNESS
Key points for staff
Always write with disclosure in mind
• does not mean write less, or write vaguely
• write:
- concisely
- factually and
- in line with policy/procedure
• consider how the record would read in court
WORKING WITH OPENNESS
Record management
Creation
The record lifecycle
Final disposal
Active use
Retention
WORKING WITH OPENNESS
Record Management
Know what information you hold
and be able to access it...
• Subject Access Requests
• FOI requests
• Inspections / audits
WORKING WITH OPENNESS
File Disposal
What can disposal mean?
• destruction
• offer records to the Public Record
Office for Northern Ireland (PRONI)
refer to the Board’s record retention
schedule before disposing of records
Help / Support
• WELB ICT Manager ext 1247
• WELB Corporate Information Manager ext 1553
• WELB staff folder (X: Drive) - Policies / Procedures /
Guidance for staff
• Information Commissioner's website
www.ico.gov.uk
Thanks for listening
Questions