Data Protection for ‘Process S’ staff

Matt Morrison, Information Rights Officer, Secretary’s Office
Matthew.Morrison@bristol.ac.uk
Data-protection@bristol.ac.uk

What am I going to talk about?

• Relevant advice for student facing staff

• Some law, some good practice

• Where to go for guidance/advice

• Questions?

Background/definitions

• Data Protection Act 1998 – commenced in March 2000 and governs use of personal data. Guided by eight main principles.

• Personal data – “data relating to a living, identifiable individual”, includes letters, faxes, emails (held electronically or in hard copy), handwritten notes, photographs, CCTV footage, audio tapes

• Processing – anything done with personal data e.g. obtaining, holding, altering, analysing, disclosing, destroying.

Taking data security more seriously

• The Information Commissioner’s powers to fine organisations for DPA breaches were increased in April 2010 – fines of up to £500,000

• Largest fine so far £130,000 – sensitive data relating to a child protection case was sent to the wrong person

• Reputational damage unquantifiable – drop in applications, loss of research funding etc.

• Message from Deputy Vice-Chancellor requiring completion of new data security module by all staff (existing and incoming)

The principles

• 1. Personal data shall be processed fairly and lawfully (consent, essentially)

• 2. Personal data shall be used only for the purposes for which it has been obtained

• 3. Personal data shall be adequate, relevant and not excessive (do not collect irrelevant personal data)

• 4. Personal data shall be accurate and up to date

The principles

• 5. Personal data shall not be kept for longer than is necessary

• 6. Personal data shall be processed in accordance with the rights of the data subject (access request, right to prevent processing etc.)

• 7. Appropriate technical and organisational measures shall be taken to protect against loss of or damage to personal data (physical and electronic security measures, training/awareness etc.)

• 8. Personal data shall not be transferred outside the European Economic Area without certain conditions being fulfilled

Sensitive data

• Sensitive data as defined in the DPA – afforded extra levels of security:
  • Racial/ethnic origin
  • Political views
  • Religious beliefs (or similar)
  • Trade union membership
  • Physical or mental health
  • Sexual life
  • Information relating to a criminal offence

• Be careful about sharing this information even within the University. It should only be accessed by those who need to see it, e.g. an extenuating circumstances form including medical information

• Breach involving sensitive data = far more serious

University data classifications

• University internal data classifications: http://www.bris.ac.uk/infosec/uobdata/classifications/

• These guide how confidentially different types of information should be treated within the University

• Access to information is based upon the need to access that information to perform your role

Choosing when to write

• Most likely to be dealing with written documents – emails, letters, minutes etc.

• Be aware that any document identifying an individual could be disclosed to that individual – think before you write! Requests are often made in relation to an appeal/grievance

• Is an email always appropriate? Could you talk face to face or over the phone? May be able to discuss more openly

• All emails, even non-personal, could be subject to disclosure into the public domain under the Freedom of Information Act

• Guidance on access to emails: http://www.bris.ac.uk/secretary/dataprotection/emails

Alternatives to email

• Quickfire nature of emails: data breaches often occur when sending personal data via email – sending to the wrong address, accidental ‘Reply all’

• Can protect against human error by:
  • Using shared file spaces to store personal data – no data needs to be sent
  • Using Staff Desktop when working remotely

• If personal data does need to be sent by email, ensure it is encrypted before sending (very easy in Office 2007 and 2010)

• Encryption advice can be found at: http://www.bris.ac.uk/infosec/uobdata/encrypt/

Right of access

• All students (and staff) have the right to access their personal data held by the University – can be student file or can specify documents

• Application can be made using subject access request form: http://www.bris.ac.uk/secretary/dataprotection/individ/subjectaccess.html

• Required to provide a £10 fee plus proof of identity

Access to exam scripts

• There is an exemption under the Act in relation to exam scripts – the University is not required to disclose them

• Students are entitled to receive a breakdown of their marks and any comments made by examiners – can be made easier by using separate marking sheet

Third party enquiries

• Parent/family/guardian queries

• The relationship is between the student (as an adult) and the University

• Generally do not disclose student personal data without consent
  • Explain that we require the student’s consent rather than saying “because of data protection”
  • Can offer to pass a message on from the caller
  • Certain provisions outside of consent apply if there are particular concerns about a student

Third party enquiries

• Can also come from police, local councils, fraud investigators, insurance companies, solicitors and others

• Happy for these to be referred on to the Secretary’s Office, as they generally rely on a DPA provision outside of consent and require legal consideration

• A number of routine disclosures are made, e.g. to HESA and local councils – students are notified of these via the Student Agreement

Offsite working

• Do not store any personal data on non-UoB owned computing equipment – PCs, laptops, memory sticks, portable devices. All UoB devices should have full disk encryption.

• Use Staff Desktop wherever possible: http://www.bristol.ac.uk/it-services/advice/homeusers/remote/staffdesktop/

• You can access emails and work on documents without storing any data on non-UoB equipment. You shouldn’t really need to carry personal data on portable devices.

• Hard copies of personal data – only when totally necessary and with appropriate security measures. Can the information be accessed via Staff Desktop instead?

Guidance / advice

• Data Protection website: http://www.bristol.ac.uk/secretary/dataprotection/

• Information Security website: http://www.bris.ac.uk/infosec/

• Mandatory data security training module: http://www.bris.ac.uk/infosec/training/

• How to encrypt documents: http://www.bristol.ac.uk/it-services/learning/documentation/encrypt-1/encrypt-1il.pdf

• Information Security Manager (Richard Hopkins): [email protected]

Thanks for listening

Any questions?