Transcript Slide 1
Handling Personal Data & Security of Information
Paula Trim, Information Officer, Children’s Strategic Services, 456108

Course Objectives
• In this session you will learn about:
- The spirit & intention of the legislation that protects the privacy of personal information
- The roles and responsibilities of school staff in respect of this legislation
- The important ‘rules’ that apply to the handling and processing of personal data
- The rights that people have to help them to protect the privacy of their personal information
- Security of data

Quick Quiz
• Please take 5 minutes to complete the quiz.
• We’ll come back to it at the end of the session to check how much we have learnt

Privacy Legislation
• Data Protection Act – covers all aspects of handling personal information
• Human Rights Act (Article 8) – mainly surveillance/intrusion & disclosure sharing
• Common law duty of confidentiality – disclosure/sharing

Data Protection Act (DPA)
• Came into force 1st March 2000
• Regulates the handling of personal information
• Sets the principles (rules) for how personal information must be processed
• Provides certain rights to ‘data subjects’

What is Personal Data?
• Information which relates to a living individual who can be identified from that information, or
• From that information and other information which is in the possession of, or likely to be in the possession of the data controller
• This includes any expression of opinion and any indication of the intentions in respect of the individual

Personal Information - What it includes
• All manually held personal information, i.e. paper records
• All electronically held personal information
• Email
• Word processed documents
• CCTV images
• Audio tapes
• Photographic film images
• Microfilm
• In short - everything!

What is Sensitive Data?
• Racial or Ethnic Origin
• Political Opinions
• Religious or Similar Beliefs
• Trade Union Membership
• Physical or Mental Health conditions
• Sexual life
• Offences (including alleged)

What is meant by processing of data?
In a nutshell, processing means everything that you can do with personal information, including:
• Collecting; Obtaining
• Recording;
• Holding; Storing; Retrieving;
• Using; Amending; Adapting;
• Organising;
• Disclosing; Sharing; Matching;
• Erasing; Destroying
• In short absolutely anything

“The Rules” The Principles of the Act
Data must be:
1. Lawfully and fairly processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate
5. Not kept longer than is necessary
6. Processed in line with an individual’s rights
7. Secure
8. Not transferred to countries without adequate protection

“The Rules” The First Principle
“Personal information shall be processed fairly and lawfully and shall not be processed unless certain conditions, which are specified in the Act, are met”
• Lawfully – We have a statutory framework, which provides us with powers to process personal information lawfully.

How do we process Personal Data lawfully?
Justification (at least one of these conditions must be met):
• Consent
• Contractual
• Legal obligation
• Protecting the vital interests of the data subject (life or death)
• Administration of justice
• Required by law (under any enactment)
• Function of a public nature exercised in the public interest

How do we process sensitive Personal Data lawfully?
Additional justification (at least one of these conditions must also be met):
• Explicit consent
• Necessary by law for employment purposes
• Required by law (under any enactment)
• Protection of vital interests (life or death)
• Legal proceedings
• Medical purposes
• Equal opportunities

“The Rules” The First Principle
• Fair – what does it mean:
• Tell people what we need their information for
• Who might we disclose/share the information with
• Get consent to process their data (if we need to)
• Make sure we have adequate ‘privacy notices’ on forms/leaflets/the website, which cover the above and provide enough detail to be transparent and open about what we are doing with people’s information.

“The Rules” The Second Principle
“Personal information shall be obtained only for one or more specified and lawful purposes and shall not be processed further in any manner incompatible with the purpose(s)”
• Only use the information supplied for the purpose that was made clear to the data subject
• Never use the information for any other purpose unless the data subject has given consent or there is a lawful basis to do so

“The Rules” The Third Principle
“Personal information shall be adequate, relevant and not excessive in relation to the purpose(s) for which it is processed”
• Enough information to identify and process
• Relevant to the purpose
• Not more than is necessary
• Also applies to disclosing information e.g. giving data to Crime partners

“The Rules” The Fourth Principle
“Personal data shall be accurate and, where necessary, kept up to date”
• Latest version of the data
• Check with data subjects if in doubt
• Check with other sources
• Responsibility of Systems Controllers
• Review individuals’ details

“The Rules” The Fifth Principle
“Personal Information shall not be kept for longer than is necessary for the purpose(s)”
• Retention and Disposal Schedules
- What are they?
- Where can I find them?
Biz/Law & Governance/Legal Services/Information Compliance/Records Management/

“The Rules” The Sixth Principle
“Personal data shall be processed in accordance with the rights of Data Subjects specified in the Act”
• Subject Access Requests
• To prevent processing for the purposes of direct marketing
• To seek compensation if they suffer damage and distress as a result of a breach of the Act
• To have incorrect information changed

“The Rules” The Seventh Principle
“Personal information shall be subject to appropriate technical and organisational measures which shall be taken against unauthorised or unlawful processing and against accidental loss or destruction of or damage to the information”

“The Rules” The Eighth Principle
“Personal information shall not be transferred to a country outside the European Economic Area unless that country ensures an adequate level of protection for the rights of data subjects in relation to the processing of personal data”

When it all goes wrong
• From 6th April 2010, new enforcement action by the Information Commissioner’s Office
- Fines of up to £500,000
- Audits without consent
- Special Information Notices
- Enforcement Notices
• Criminal offences under the Data Protection Act include:
- knowingly or recklessly obtaining or disclosing personal data without consent

Remember
• Under the DPA you can be held personally liable
• Information Commissioner’s Office (ICO) can take you to Court
• Data subject can take you to Court

Information Security
• Where is your information going?
• Is it going off site? Who is having access to it?
• If you drop a USB stick with personal or sensitive data on, who picks it up? No-one? Police? Criminal? Is the information protected?
• What about manual records? Are they safe from unauthorised access?
• Emailing information is safe isn’t it? Or is it?!
• It will never happen to us……… ……that’s what others thought!
Children’s details on stolen laptop
CHILDREN DETAILS ON LOST USB STICK
Burglar targeted school’s laptops
Data protection was breached at local school
School sends kid home with memory stick
Details on thousands of Surrey children is in the hands of a criminal after laptop theft
Devon loses confidential children's data
USB stick containing children's details lost in Leicester
Stolen laptop contains pupils' data

Alarming Statistics
• In 2007, the ICO received reports of 94 security breaches
• Of these 94 cases, data in only 3 has been recovered
• 90% of firms (1000 surveyed) let staff leave offices with confidential data on USB Sticks
• 80% of firms that had reported a stolen computer had not encrypted data on the hard drive
• Two years ago 1% of large businesses reported a hacker penetration. This is compared to 13% in this latest survey

Risks to the School
• Negative press coverage
• Damage to reputation
• Lack of trust with parents, pupils and staff
• Legal action by those affected (Evidence of damage and distress)
• Potential for compensation payout
• Complaints to the Information Commissioner
• ‘Unauthorised access’

Clear Desk Policy
• Ensure when you leave your desk at night or at lunch that personal/confidential information is locked away
• Who else can get access to your room, your desk and YOUR INFORMATION every evening? THE CLEANERS
• Do members of the public or outside people ever visit your office?
• Do not leave sensitive files lying around for unauthorised people to look at. Lock them away in your desk or filing cabinet

Public Access Points
• Control unauthorised access to secure areas
• ‘Tailgating’
• Use of ID Cards
• If you are responsible for visitors around School premises please escort at all times

Eavesdropping
• Equipment should be sited to minimise unnecessary access to information
• Where are computer screens located? Move away from public gaze.
• Think about the use of privacy screens particularly in public areas
• Are members of the public able to get unauthorised access to computer screens and information?
• Use a password protected screensaver on your PC

Data Backup
• Save all information to your Network
• Try not to save to the C Drive (My Documents), particularly personal/confidential information – if the computer gets stolen so does the information

Removable Devices
Removable media devices include:
• Laptop or portable computer
• Handheld computers – PDAs, iPAQs
• USB Memory Sticks
• Recordable Discs (CDs, DVDs, Floppy disks)
• Memory Cards and SIM Cards
• Mobile and Smart Phones
• Digital cameras
• Voice recording devices
• Emails
• Paper based records (Physical files, photocopies)

Removable Devices risks
• The loss of personal and/or confidential information
• Theft of a removable device means the information goes as well
• Unauthorised access to pupils’ information
• Viruses being transferred between systems through the use of these devices
• Where is the information going? Who takes it off site?

Laptop Security
• Laptop encryption
• Never leave your laptop in an unattended public place
• Never leave your laptop in open view in an unattended vehicle
• When leaving a vehicle, either take your laptop with you or put it out of sight in the boot
• When at home, make sure it is stored safely and out of public view. Ensure family members can’t get access

Working at home
• Who else has access to information at home? Family members? Friends? It is still unauthorised access.
• What information is being taken home?
• Try to limit the amount of information being taken off site.
• Emails should not be sent from or to a personal email account. They are not secure

Computer/Email Viruses
• The School has systems in place to prevent virus attacks causing corruption and data loss to the network
• If you are working at home consider what systems you have in place to deter attacks, i.e. firewall, virus protection.
• The use of removable devices (CDs, USB Memory sticks and disks) increases the threat of a virus being introduced onto School systems.

Email Security
• Email security cannot be guaranteed when emailing outside of the Council
• Emailing between two organisations is like sending a holiday postcard
• Where personal or confidential information is required to be emailed ensure the email is encrypted
• For more information about encryption talk to Fred Baert in IT 451047
• How about password protecting the document?

Fax equipment
• Make sure fax equipment is sited where unauthorised people cannot access it
• Do not include personal details when sending information unless absolutely necessary
• Programme numbers into fax machines’ memories to avoid misdialling
• If it’s sensitive or confidential information check that someone is going to be there to receive it
• Always use an official fax header with a confidentiality statement on it

Telephone/Spoken communication
• Check whether confidential conversations can be heard and take steps to ensure that they are not
• When discussing personal information over the phone be confident the person on the other end should be receiving the information, i.e. check their identity
• Avoid sharing confidential information in public places i.e. reception counters
• Ensure that personal information is not left on a telephone answering machine service

Safe disposal of media
• If manual records contain personal or confidential information NEVER EVER dispose of these in the normal waste bins.
• Always use a shredder to dispose of personal and confidential material
• Ensure that when disposing of IT equipment all data is destroyed including the hard drive and discs. What about home computers?
• It is not enough to simply hit the delete button. The information is still held on the computer

When a computer ends up on the Council Tip!!
• To avoid paying £20 to delete data off a computer, a Council worker dumped the machine on a local dump
• The machine was sold as second hand because it was still working
• The buyer found social care information about thousands of members of the public
• The buyer offered to sell the data back to the Council
• When the Council rejected the offer, the buyer called a national paper

Questions to ask yourself about passwords
• Do you write your password down?
• If yes, who else has access to your password?
• Can you encrypt a post it note?
• What damage can be done if someone logs on as you?
• Damage to electronic information
• Downloading personal/sensitive information
• Access to the internet under your name
• It’s your name on the audit trail

Top 10 Passwords
1. 123
2. Password
3. Liverpool
4. Letmein
5. 123456
6. qwerty
7. Charlie
8. Monkey
9. Arsenal
10. Thomas

Good Password Guide
• Passwords should be a minimum of 8 characters
• Use mixed case and try and include some form of punctuation
• Always use different passwords for different systems
• Do not use a keyboard pattern i.e. qwerty
• Update your passwords regularly and try not to use the same one again
• NEVER share your passwords with ANYONE

What should I do if there is a breach of security?
• As soon as you become aware that you have lost or irretrievably damaged information you must inform your Data Controller
• If incident involves IT hardware or electronic data the Council’s IT Security Officer
• If information relates to social care the Council’s Caldicott Guardian.

What can I do to help?
• Consider the eight principles when handling personal data
• Look at your work area and think about the security issues. If there are issues, report them
• Carry out risk assessments, particularly in high risk areas – eg data sharing, processing sensitive personal data. What could go wrong, what is the probability, what is the impact?

What’s in store for 2012?
• Transparency Programme:
- Publication of School info
- Staff qualifications, pay etc
• Reform of Data Protection Directive:
- Custodial sentences

Quick Quiz Answers
• Personal data:
- Has to be more than just a name and address
- Is only personal information that is sensitive or confidential
- Is any information that identifies a living individual
• ‘Processing’ information means:
- Obtaining and using it
- Collecting, amending, updating and adding to it
- Storing, filing and disposing of it
- All of the above

Quiz results cont…
• What is NOT personal data from this list?
- Information held in an unstructured file that is not referenced to the individual in any way
- A CCTV recording
- A tape-recording of a meeting about a child at risk
- A photograph of an individual employed as a model by an agency
- A recorded message left on a telephone answering service
• When we collect information from an individual we:
- Need their consent
- Don’t have to do anything, because we have to have personal information to run our services
- Should make sure that we tell them what it will be used for
- Need their consent, but only if it is sensitive data
- Might need their consent
- Should make sure we tell them who it may be shared with

Quiz results cont…
• Sensitive information under the DPA includes:
- Any financial information about the individual
- Religious beliefs
- Gender
- Sexuality
- Trade Union membership
- Criminal offences
- Hobbies and pastimes
• We can disclose personal information about an individual:
- If it is a routine disclosure in association with the business of the Academy
- Only with their consent
- Provided they are aware that we will be sharing their information and it is for the purpose or purposes that we have told them we will use their information for
- Provided I have told them that I am intending to do so

Quiz results cont…
• We don’t have to tell an individual about disclosure of their personal information:
- If a solicitor has written asking for the information and they are acting on behalf of the individual
- If we believe the person, or any other people, to be at serious risk of harm
- If we think that the person who is asking for it has a very valid reason for wanting it
- If the courts issue an order to disclose
- If we believe that it will be helping us or another public sector agency to prevent fraud
- If we are required by law to disclose the information
- If Police have asked for it and they have told us it is a very serious matter
• If there is material about other people in personal information that a data subject has asked to see:
- We can disclose 3rd party information if it is reasonable in all the circumstances to do so
- We should delete it all from the record, before the applicant sees the information
- We only disclose information with the consent of the third party
- We seek consent from 3rd parties where necessary and disclose as much information as we can, only editing 3rd party material to conceal identity

Quiz results cont…
• We can direct market customers of the Council if:
- They have given their express, written consent
- We have made them aware that we are intending to do this
- They have not told us that they do not want to be direct marketed
- They have given their verbal consent
• People have the following absolute rights under the Act:
- Compensation if they have been caused damage & distress
- To see all of their information on request
- To tell us what personal information they are prepared to provide
- Not to be direct marketed unless they have given explicit consent
- To tell us to dispose of information they do not want us to keep

Quiz results cont…
• How many principles are there in the DPA?
- 5
- 12
- 8
- 7
• You can be personally liable under the Act and this means:
- The Council can be taken to Court by the regulating body
- Damages can be awarded to the data subject, which the Council will pay
- The regulating body can ask the Council to improve its processes and procedures, to avoid further breaches in the Act
- If you recklessly, knowingly or negligently misuse personal information the regulating body can take you to Court
- The data subject can take you to Court and sue for damages

Any Questions