Transcript Data Protection Training Presentation

Data Protection Act 1998
I am not stupid you know!
But …
• 1 in 3 people admit they throw away documents containing important
personal information without shredding them
• Lancashire County Council left social work records in a filing cabinet
that was sold at auction
• 62,000 Bank of Scotland mortgage customer details were put on a
CD and put in the post but it never turned up ...
People are aware of their rights!
• A senior academic at Lancaster University has received a written
warning for making "illicit disclosures" after he responded to a
mother's complaint about her son's tuition.
• The professor replied immediately, listing the student's modules,
contact time etc.
BUT
• When the student became aware of the exchange, he complained to
the university that it had released the information without his consent.
How does the law protect personal data?
The Data Protection Act (DPA) is designed to protect
personal data stored on computers or in an organised
paper filing system.
The DPA
A number of concerns needed addressing:
 Who could access this information?
 How accurate is it?
 Could it be copied?
 Is it possible to store information without the
individual’s knowledge or permission?
 Was a record kept of any changes?
Exercise 1
You are on your own in the office one lunchtime, the
phone rings…what do you do?
You answer the phone …
‘‘Hello I am a lawyer with Grabbit and Runne acting in a
criminal case. I need to know the address of one of your
members of staff as they are key witnesses in a trial, please
can you give me their contact details?
Without them the defence will collapse and you may be
prosecuted for obstruction…
Exercise 1
• Summary
How the DPA works
• The 1998 Data Protection Act was passed by
Parliament to control the way information is handled
and to give legal rights to people who have
information stored about them.
• Basically it works by:
• setting up rules that people have to follow
• having an Information Commissioner to
enforce the rules
It does not stop organisations storing and using
information about people.
It just makes them follow rules.
The 3 Main Roles

Information Commissioner

Data Controller

Data subject
Types of data
There are distinct types of personal data
1. Personal data
2. Sensitive personal data
If someone who is not entitled to see these details can obtain access
without permission it is unauthorised access.
Exercise 2
It’s late, you want to go home, you’re the last one in
the office, the phone rings (why you again?)…what do
you do?
You pick up the phone…
‘‘Hello is that the University? I am phoning
about my nephew, I want to know how well he
is doing, his mother is so worried about him. I
also want to know his address so I can send
his birthday present …’’
Exercise 2
• Summary
The Eight Principles
For the personal data that Data Controllers store and process:
1. It must be collected and used fairly and inside the law.
2. It must only be held and used for the reasons given to the Information
Commissioner.
3. It can only be used for those registered purposes and only be disclosed to those
people mentioned in the register entry.
4. The information held must be adequate, relevant and not excessive when compared
with the purpose stated in the register.
5. It must be accurate and be kept up to date.
6. It must not be kept longer than is necessary for the registered purpose.
7. The information must be kept safe and secure.
8. The files may not be transferred outside of the European Economic Area unless the
country that the data is being sent to has a suitable data protection law.
Data Subject’s rights
1.
A Right of Subject Access
2.
A Right of Correction
3.
A Right to Prevent Distress
4.
A Right to Prevent Direct Marketing
5.
A Right to Prevent Automatic Decisions
6.
A Right of Complaint to the Information Commissioner
7.
A Right to Compensation
Exemptions
Complete exemptions
1. Any personal data that is held for a national security reason is not covered.
2. Personal data held for domestic purposes only at home, e.g. a list of your friends'
names, birthdays and addresses does not have to keep to the rules.
Partial exemptions
e.g. HMRC, school pupils, company planning documents, health notes, statistics,
employer references
Yes OK Tim, but what does it all mean?
• You can be prosecuted for unlawful action under the
legislation if:
– you use or disclose information about other people without
consent or authorisation
– you give information to another employee or student who does
not need the details to carry out their legitimate duties, even if it
was accidental
Think!
– Who can hear your phone call?
– Who are you really talking to?
– Do they really need to know?
– Who can see your pc screen?
– Where does waste paper end up?
– What information is on your desk or in-tray?
You should remember these points:







Do not leave people's information out on your desk.
Lock filing cabinets.
Do not leave data displayed on screen, (use a screensaver?).
Do not leave your computer logged on and unattended.
Do not choose a password that's easy to guess.
Do not give your password to anyone, ever.
Never send anything by fax or e-mail that you wouldn't put on the
back of a postcard.
 Do not disclose any personal information without the data subject’s
consent or verifying the enquirer (e.g. phone the police officer back
via the station switch board).
Exercise 3
• Please see Case Study “Lost Laptop” in
your notes.
Exercise 3
• Summary
Social Networking
What social media tools are you
using?
•Are they for work or social
purposes?
•Or is the line a bit
Social Networking
• Social Media ‘posts’ are subject to Data
Protection legislation
•So, think before updating that Facebook
status!
The Internet Doesn’t Forget!
Email: [email protected] with any queries you may have.
Exercise 4
What did you get from this session?
Please write down 3 things that you are going to do
when you get back to the office regarding the
DPA issues raised here today.
Thank You!
Please email:
[email protected]
with any queries you may have.
www.bradford.ac.uk/data-protection