Slide 1 Wednesday, 3 July 2013 Sir George Monoux College Data Protection: What You Need to Know.


Slide 1

Wednesday, 3 July 2013
Sir George Monoux College

Data Protection: What You Need to Know


Slide 2

Hi!

• Jason Miles-Campbell
  JISC Legal Service Manager
• jason.miles-campbell@jisclegal.ac.uk
• 0141 548 4939
• www.jisclegal.ac.uk


Slide 3


Slide 4

Law, ICT and Data Protection


Slide 5

Have you heard of JISC Legal before?

1. Hello again, Jason
2. Yes, fairly often
3. Yes, used occasionally
4. Vague acquaintance
5. What’s that, then?

[Poll chart; percentages shown: 5%, 10%, 62%, 19%, 5%]


Slide 6

When it comes to data protection...

1. I’m confident
2. I’ve a fair idea
3. I dabble
4. I ask others
5. I hide in the toilet

[Poll chart; percentages shown: 14%, 62%, 0%, 10%, 14%]

Slide 7

www.ico.gov.uk

Data Protection Act 1998


Slide 8

Why Comply?

1. It’s the law
2. Good business practice
3. Sets a good example
4. Confidence
5. Risk (id theft)

[Poll chart; percentages shown: 84%, 5%, 5%, 5%, 0%]

Slide 9

Data Protection Essentials

“Data protection … regimes … do not seek to protect data itself, rather they seek to provide the individual with a degree of control over the use of their personal data”

“data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion”

Source: DP Code of Practice for FE and HE

i.e. Data Protection law does not prevent using and sharing personal data, but …

Criminal Justice and Immigration Act 2008 – gives the ICO power to impose fines directly for serious security breaches

Slide 10

Understanding Your Duties

• Data Subject

• Data Controller

• Data Processor

• Processing

Slide 11

What is Personal Data?

• Any information which relates to an identified or identifiable person

• Living persons

• Must be significant biographical information which affects privacy

• Sensitive personal data


Slide 12

The Age of Data Protection

From what age does DP apply to protect someone?

1. From birth
2. From age 5
3. From age 12
4. From age 16
5. From age 18

[Poll chart; percentages shown: 86%, 10%, 5%, 0%, 0%]


Slide 13

The Eight DP Principles

1: fair and lawful
2: limited purposes
3: adequate, relevant and not excessive
4: accurate and current
5: not kept longer than necessary
6: respect the rights of the individual
7: appropriate security
8: transfer outside EEA needs adequate protection

Slide 14

Fair and Lawful Processing

Fair processing –

• A processing notice – transparency

• Weighing up interests v privacy

• Would you be happy?

Slide 15

Fair and Lawful Processing

Lawful processing –

To process, a Schedule 2 condition must be met:

• Consent
• Legitimate interest of the data controller
• Fulfilment of a contractual obligation

More stringent conditions for ‘sensitive’ personal data


Slide 16

The Age of Data Protection

From what age can someone give DP consent?

1. From birth
2. From age 5
3. From age 12
4. From age 16
5. From age 18

[Poll chart; percentages shown: 8%, 0%, 25%, 58%, 8%]


Slide 17

Security Situations

Where are the greatest security risks?

1. At your desk
2. On your laptop
3. On your mobile phone
4. On the train
5. At home

[Poll chart; percentages shown: 38%, 31%, 19%, 0%, 13%]

Slide 18

Appropriate Security

• Your PC
• Your laptop
• Your mobile phone
• Your IT infrastructure / VLE
• Your desk
• Your rubbish


Slide 19

Important Points

When handling personal data in your role:

1. Purpose: why are you collecting personal data,
2. Fairness: is the reason fair to the data subject and
3. Transparency: does the data subject know about it
4. Security: at an appropriate level of security


Slide 20

Over to you

Some Scenarios…


Slide 21

A parent asks for information on her son’s progress. Do you…

1. Supply it - nothing wrong in doing this
2. Supply it – he is under 18
3. Withhold it as she should never access it
4. Withhold it until you have consent of her son

[Poll chart; percentages shown: 0%, 100%, 0%, 0%]


Slide 22

The police ask for information on one of your students. Do you…

1. Supply it because it’s the police
2. Supply it only when you know what it’s for and think it is relevant information to the investigation
3. Never supply it

[Poll chart; percentages shown: 0%, 0%, 0%]


Slide 23

A student asks his tutor if he can see the reference the tutor wrote for him. Do you

1. Say no - he has no right to see it under DPA
2. Say yes – he is entitled under DPA to see it
3. Not sure so seek help before replying

[Poll chart; percentages shown: 0%, 0%, 0%]


Slide 24

The College decides to retain all emails for a period of 10 years. Is this in line with the DPA?

1. Yes
2. No
3. Maybe
4. Can I phone a friend?

[Poll chart; percentages shown: 0%, 0%, 0%, 0%]


Slide 25

A member of staff clicks the wrong email group and instead of sending to relevant tutors, sends info relating to student health issues to other students.

1. The College is liable for the breach
2. There is no liability, it was an accident, not deliberate
3. The member of staff is liable not the College

[Poll chart; percentages shown: 0%, 0%, 0%]


Slide 26

What security should be on mobile devices holding personal data?

1. Password protection and encryption
2. None as only used on College premises
3. It depends on the type of information

[Poll chart; percentages shown: 0%, 0%, 0%]


Slide 27

What should you know?

• Where the DP policy is, how to access it and its contents

• Have awareness of DP and how it may affect students, staff etc.

• That what you’re doing is covered by the data protection notice to students, staff etc.

• How to store/share personal information on and off campus

• How to keep personal information secure (mobiles, social networking)

• Where to get help


Slide 28

Sources of help

• Your institution’s DP officer
• Your institutional policies and procedures
• [email protected] and www.jisclegal.ac.uk (code of practice)


Slide 29

Next steps?

1. Go back and say well done!
2. Start a conversation with management
3. Re-write a few policies
4. Monitor what’s in place already
5. Get further support
6. Point at someone else and say ‘his problem!’ or ‘her problem!’

[Poll chart; percentages shown: 0%, 0%, 0%, 0%, 0%, 0%]


Slide 30

Questions and Follow Up

[email protected]

0141 548 4939

http://jiscleg.al/sgm3pm Friday