Cost Codes - welbni.org


Data Security & Freedom of Information
INFORMATION GOVERNANCE
• Freedom of Information Act 2000
• Data Protection Act 1998
• Information Security
• Record Management
FREEDOM OF INFORMATION ACT 2000
Background
• Creates a statutory obligation on public authorities to formally consider written requests for information and respond within 20 days
• Two stage introduction
  – first stage of introduction - Publication Schemes (02-04)
  – second stage - full Rights of Access came into effect on 1 Jan 05
• Requests for information must be in writing (including fax / email)
• There is no right to know why the information is being requested
FREEDOM OF INFORMATION ACT 2000
Publication Schemes
• Proactive publishing of information
• Similar structure for all public sector organisations
• Information split into broad categories known as ‘classes’:
  - info. published in the School Prospectus
  - info. on School Profile and other information relating to the governing body
  - policies that relate to Pupils & Curriculum
  - School Policies and other information related to the school
• All schools must adopt a scheme
Model schemes available at:
http://www.ico.gov.uk/Home/what_we_cover/freedom_of_information/publication_schemes/model_schemes.aspx
FREEDOM OF INFORMATION ACT 2000
Full Rights of Access - Dealing with Individual Requests
• Identify and acknowledge FOI requests:
  Dear……currently dealing with your request ……will be in touch as soon as possible…
• Review material being requested - apply exemptions
• Provide a response, either:
  - provide all requested information, or
  - withhold all, or in part, explain which exemption is being applied and provide opportunity to appeal decision
FREEDOM OF INFORMATION ACT 2000
More about Exemptions
Exemptions exist to protect information that should not be released.
Some exemptions that may apply in a school setting:
• Request for a teacher’s home address or career development information
  - Section 40 Personal data exemption
• Request by a parent for a copy of another parent’s written complaint
  - Section 41 Information provided in confidence
• Request for copy of legal advice obtained by a school
  - Section 42 Legal professional privilege
No exemption for embarrassment
Full list of exemptions available at http://www.foi.gov.uk/guidance/index.htm
FREEDOM OF INFORMATION ACT 2000
Things to remember when responding
• Must respond within 20 working days
• Straightforward disclosures can be dealt with by the Principal
• Complex requests and decisions to withhold, must involve the BOGs
  - consider the public interest test
• It may not always be appropriate, or required, to disclose the identity of the applicant to the BOGs
The decision which must be made is - can this information be made public?
FREEDOM OF INFORMATION ACT 2000
As much of school information is now open to public scrutiny it’s important that we write for disclosure:
• Write objectively
• Ensure what you write is relevant and professional
• Document reasons for decisions generally
• Refer to policies in decision making
• Don’t forget about e-mails and diaries!
FREEDOM OF INFORMATION ACT 2000
What can the applicant do if dissatisfied?
• Lodge an appeal with the school; this must be heard by the BOGs, preferably those not involved in the original decision.
• If still dissatisfied the applicant can approach the Information Commissioner (IC) for an independent review.
• IC will approach school requesting copies of information and details around the handling of the request.
• IC will either uphold the school’s decision or overturn it, and issue the school with an enforcement notice to release the information.
FREEDOM OF INFORMATION ACT 2000
Key points
• Ensure your school adopts a Publication Scheme.
• See that requests are identified and dealt with promptly.
• Labour intensive requests can be charged for or refused.
  – duty to offer assistance
• Don’t make decisions quickly. Acknowledge requests and consider them carefully.
• Just because someone asks, doesn’t mean they get! (appropriate disclosure)
• Where information is refused an adequate explanation must be provided, with details on how to appeal the decision.
• Ensure nothing is written which may embarrass; consider diaries, emails, notebooks etc.
WHEN IN DOUBT - SEEK ADVICE
DATA PROTECTION ACT 1998 (DPA)
• The DPA is a legal framework for the proper collection, usage, storage, sharing and disposal of personal data.
• It permits Data Subjects access to their records.
• It can impose considerable penalties on organisations & individuals who fail to comply.
• Personal data is any information that identifies and relates to a living individual, such as name, address, date of birth, educational record, financial details and even expressions of opinions or intentions. The Act covers such information held on computer and on paper file.
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
1. Personal data (PD) shall be processed fairly and lawfully
PD must be collected and used only where there is valid reason. It is good practice to advise subjects how their data may be used through forms, posters, annual reports etc.
2. Processed for specified purposes
Where any planned use of the information falls outside what has been explained to the data subject, or what they might expect, consent must be obtained before proceeding
3. Adequate, relevant and not excessive
We must be able to demonstrate that the level of personal information we collect is required for the effective delivery of services
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
4. PD shall be accurate and up to date
Where we are making decisions based on such data, we have a responsibility to ensure it is accurate and kept up to date
5. Not be kept for longer than is necessary
PD should not be kept for longer than necessary. Some personal data needs to be retained for legal reasons. Schools must refer to the School Record Retention and Disposal Schedule before destroying records
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
6. Processed in accordance with the rights of the individual
Data subjects have rights under the Act. These include: right of access to their records, right to have any inaccurate information corrected and a right to prevent processing likely to cause damage or distress
7. Kept secure
  - One of the biggest obligations placed on a school.
  - Equally important for manual and electronic data
  - Applies throughout all stages of data processing, from obtaining and using to sharing and destruction
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
8. PD must not be transferred to countries outside the European Economic Area unless the information is adequately protected.
Personal data cannot be transferred to countries which do not have similar personal data legislation to our own.
When dealing with personal data we should always ask ourselves the question; if this was my personal data, how would I like it to be treated?
DATA PROTECTION ACT 1998 (DPA)
Examples of Sensitive Personal Data:
Data relating to:
• Racial or ethnic origin
• Political opinions
• Religious/similar beliefs
• TU membership
• Physical or mental health
• Sexual life
• Criminal allegations
• Criminal proceedings/record
• Information relating to a child
Special care must be taken when processing Sensitive Personal Data, especially around collection, use and sharing.
DATA PROTECTION ACT 1998 (DPA)
Subject access rights:
Right of access to personal data in computer or manual form
Entitled to:
• Be informed whether personal data is processed
• A description of the data held, the purposes for which it is processed and to whom the data may be disclosed
• A copy of the data; usually within 40 days
• Information as to the source of the data
There are limited exemptions.
DATA PROTECTION ACT 1998 (DPA)
Information access summary
Legislation                                                       Response deadline
Data Protection Act (access to personal data by data subject)     40 days
FOI Act (access to everything else)                               20 days
DATA PROTECTION ACT 1998 (DPA)
Duty to Notify
• Organisations which process personal information must notify the IC
• Costs £35 to register
• Bogus agencies
• Failure to notify – criminal offence
• Details on how to notify can be found below
http://www.ico.gov.uk/Home/what_we_cover/data_protection/notification.aspx
DATA PROTECTION ACT 1998 (DPA)
Summary of key points for staff
Duty to OBTAIN information fairly
Duty to PROTECT information
Duty to ensure information is SECURE
Duty to JUSTIFY use and storage of personal data
DON’T PASS on information unless on a need to know basis and
you are sure of the recipient’s validity
INFORMATION SECURITY
Use and Management of Passwords
Use passwords to protect against unauthorised access.
It is a school’s responsibility to ensure that enabled usernames are
available only for current staff and students.
Leavers’ usernames must be removed (ie deleted or disabled)
promptly.
The usernames of anyone under investigation for inappropriate use
must be disabled promptly.
Usernames must never be created for fictitious staff or students
(this includes the creation of ‘generic’ or group usernames i.e.
usernames that could be used by more than one person).
INFORMATION SECURITY
Use of E-Mail
Emails sent to addresses outside the C2K Network (e.g. hotmail.com) will be transmitted across the internet. Never send personal data to such addresses.
Never send Sensitive Personal Data by e-mail.
Do not transmit unsolicited advertising or attachments as these may conceal viruses.
Restrict messages to those who may have an interest in them.
Check E-Mail messages every day (if practical).
Do not subscribe to non work related services / alerts.
Delete unwanted messages.
INFORMATION SECURITY
Securing Automated Data
Portables/Laptops
Never leave laptops/portables/media unattended. When
transporting any computer media always ensure it is out of sight,
either in a glove compartment or boot of a car.
Never disclose your username or password.
Do not hold confidential or pupil level data on laptops.
No additional devices may be connected to data points on the C2k
network without the specific agreement of C2k; random checks will
be carried out to identify such violations.
INFORMATION SECURITY
Securing Automated Data
Portables/Laptops
Only software which is licensed and appropriate for school needs
may be installed on laptops.
Laptop users may not install alternative versions of Internet
Explorer, any other Internet browsers, Windows updates or any
hacking tools and should not switch off Windows firewall.
Antivirus software is provided and automatically updated in
school. This protection must be kept up to date if the laptop has
not been connected to the school network for more than one
week.
INFORMATION SECURITY
Securing Automated Data
Portables/Laptops
The laptop should not be given, lent or used by anyone other than
the nominated member of staff when outside school.
If the laptop is lost or stolen, the school should be notified
immediately, or during school holidays, the C2k Helpdesk (0870
6011 666).
The laptop must be returned to school if the nominated member of
staff ceases employment with the school.
INFORMATION SECURITY
C2k Networks
No additional devices may be connected to data points on the C2k
network without the specific agreement of C2k; random checks will
be carried out to identify such violations.
It is the school’s responsibility to ensure that software added to
desktops on the C2k network is appropriately licensed.
The school’s C2k Manager/Administrator must ensure that software
which represents a security threat is not installed on any desktop.
The school should make all users aware that attempts to bypass
filtering, or to access inappropriate or illegal material will be
reported to the school authority.
INFORMATION SECURITY
Legacy networks connected to Internet via C2k
All legacy network servers and desktops must have adequate, up-to-date anti-virus protection with automatic updates.
Appropriate, up to date security patches and service packs must be in place on the school legacy network.
Other Internet or wireless connections must not be made available
to equipment which is connected to the C2k network unless C2k
has granted permission for such connections.
INFORMATION SECURITY
Manual Records
Keep personal data in a locked filing cabinet or drawer.
Operate a clear desk policy; Lock all personal data away when
you are finished with it and at the end of the day.
Only remove files containing personal information from storage
areas when necessary. Their location should be tracked at all
times.
Destroy personal data by shredding.
INFORMATION SECURITY
General Good Practice
Personal information should only be passed on, on a need to know basis.
Do not allow sensitive conversations to be overheard.
Guard against people seeking information by deception.
Never leave personal data at printers. Collect print jobs promptly.
If working from home treat that environment like your work environment.
Do not allow friends/family access to any information.
Avoid sending personal information by fax. Where this is necessary do it
over a secure protocol.
RECORD MANAGEMENT
The Record Life Cycle
Creation → Active use → Retention → Final disposal
RECORD MANAGEMENT
Information Access
Know what information you hold
and be able to access it.
Subject Access Requests
FOI requests
Inspections / audits
RECORD MANAGEMENT
File Disposal
What can disposal mean?
• Archive
• Offer records to the Public Record Office for Northern Ireland (PRONI)
• Destruction
Adopt and refer to the School Record Retention Schedule before disposing of records,
available at http://www.deni.gov.uk/index/85-schools/5-schoolmanagement/85-disposal-of-school-records.htm
RECORD MANAGEMENT
Don’t forget about electronic records
CONTACTS / GUIDANCE
Freedom of Information
WELB Corporate Information Manager 02882 411553
www.foi.gov.uk/guidance/index.htm
www.ico.gov.uk/
http://www.welbni.org/index.cfm/do/GuidSch
Data Protection
http://www.ico.gov.uk/for_organisations/data_protection_guide.aspx
WELB Corporate Information Manager 02882 411553
WELB Data Protection officer 02882 411247
Information Security
C2k Helpdesk 0870 6011 666
WELB Corporate Information Manager 02882 411553
WELB Data Protection officer 02882 411247
Record Management
WELB Corporate Information Manager 02882 411553
www.proni.gov.uk
www.deni.gov.uk/index/85-schools/5-school-management/85-disposal-ofschool-records.htm