Data Protection Policy and Code of Practice


All our written information can be made available, on request, in a range of different formats and languages. If you would like this document in any other language or format, please contact Corporate Services.

Contents

Policy Statement
1. Introduction
2. Definitions
   Personal Data
   Sensitive Personal Data
   Record
   Vital Record
   Format
   Records Management
   Record Keeping System
   Processing
3. Roles and Responsibilities
   Chief Executive and Executive Directors
   Head of Legal Services
   Information Governance Officer
   Information Security Officer
   Archivist
   Information Liaison Officers
   Data Controller
   Joint Data Controllers
   Data Processor
4. The Data Protection Principles
5. Notifying the Information Commissioner
6. Processing Personal Information
7. Releasing Information
8. Risk to the Council
9. Training
10. Information Security
11. Working Away from the Office
12. E-mail
13. Complaints
14. Breaches of Security
   Containment and Recovery
   Assessing the Risks Associated with the Breach
   Informing the Appropriate People and Organisations that the Breach has Occurred
   Reviewing the Council's Response and Updating Information Security
15. Monitoring and Reporting
16. Legislation
17. Related Policies
18. Further Information and Guidance
Appendix A. Responsibilities
   Corporate Management Team
   Executive Director of Corporate Services
   Head of Legal Services
   Information Governance Officer
   Information Security Officer
   Archivist
   Information Liaison Officers
   Individual Members of Staff and Elected Members
Appendix B. Data Protection Authorities in the European Union and European Economic Area and Third Countries

Policy Statement

In order to operate efficiently, Orkney Islands Council has to collect and use information about people with whom it works. These may include members of the public; current, past and prospective employees; clients and customers; and suppliers. In addition, it may be required by law to collect and use information in order to comply with the requirements of central government.

Orkney Islands Council regards the lawful and careful treatment of personal information as very important to its successful operations and to maintaining confidence between the Council and those with whom it carries out business. The Council will ensure that it treats personal information lawfully and correctly. To this end, Orkney Islands Council is committed to protecting the rights and privacy of individuals in accordance with the Data Protection Act 1998 (the 1998 Act).

The Council's principal aim is to ensure that all personal data processing carried out by the Council, or on its behalf, complies with the eight data protection principles and key legislative requirements. This Policy and Code of Practice sets out how the Council ensures it complies with the 1998 Act, so that personal information about people is:
- Processed in accordance with the 1998 Act.
- Collected and used fairly.
- Stored safely and securely.
- Not disclosed to any third party unlawfully.

This Policy and Code of Practice applies to all employees and elected members, as well as consultants, volunteers, contractors, agents or any other individual performing a function on behalf of the Council.

1. Introduction

The Council increasingly depends on computer systems and paper records (paper files) to carry out much of its normal business. Under the 1998 Act, the Council must be open about how it uses personal information and follow proper practices known as the Data Protection Principles. The principles are set out on page 8 of this document.

The 1998 Act provides a single EU policy for sharing information between countries in the European Economic Area (EEA). It also prevents information from being shared with countries which do not have similar data protection policies.

If a person can be identified from the cover of a file or any of its contents, including in combination with any other information which may be in the public domain, the Council should take suitable action to keep those files secure.

The 1998 Act gives rights to the people the Council holds information about (known as data subjects). It entitles them to find out what information is held about them, to challenge that information, to have information changed or removed if appropriate, and to claim compensation in certain circumstances. However, the 1998 Act does not prevent the Council from holding information about a person without that person knowing it holds information about them.

The 1998 Act also protects personal information from being unlawfully released. In effect, it states that:
- Descriptions of all personal information must be given to the Information Commissioner (an independent officer who manages the 1998 Act and reports directly to Parliament).
- It is an offence to process information that has not been reported to the Information Commissioner, or to process personal information in a way other than as authorised by the Information Commissioner.
- The Council must follow the data protection principles.
- The Council must also report any losses of personal data to the Information Commissioner.

This Policy and Code of Practice has been developed to ensure the Council complies with the 1998 Act. It gives guidance on:
- Notifying the Information Commissioner (that is, giving them the details set out on page 8).
- Following the principles of good practice within the 1998 Act.
- Giving people access to information held about them (Subject Access Requests).

In order to comply with the 1998 Act, all employees, elected members, consultants, volunteers, contractors and other agents of the Council who use its computer facilities or paper files to hold and process personal information must comply with this Code of Practice. All staff (including supply/relief) currently have a confidentiality clause in their contract, which they sign. They also sign an Information Security User Acceptance for the Information Security User Guidance. Any contract which the Council enters into with another person or organisation will normally have a clause to explain how information will be shared in accordance with the 1998 Act.

This document has been designed to reduce the risk of the Council failing to comply with the 1998 Act. More importantly, it aims to make sure the Council follows good business practices when collecting and using personal information, much of which may be confidential.

2. Definitions

Personal Data
This is data which relates to a living individual who can be identified:
- from the data; or
- from the data together with other information which is in the possession of, or is likely to come into the possession of, the data controller.
This includes name, address, telephone number and national insurance number, as well as any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive Personal Data
This is personal data consisting of information as to any of the following:
- The racial or ethnic origin of the data subject;
- The data subject's political opinions;
- The data subject's religious beliefs or other beliefs of a similar nature;
- Whether the data subject is a member of a trade union, within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992;
- The data subject's physical or mental health or condition;
- The data subject's sexual life;
- The commission or alleged commission of an offence by the data subject; and
- Any proceedings for any offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
Sensitive personal data is subject to much stricter conditions of processing.

Record
A record is recorded information, in any form, including data in systems created, received and maintained by the Council and kept as evidence of such activity.

Vital Record
This is a record without which an organisation would be unable to function or to prove that a key activity had taken place.

Format
A record can be in any format including (but not limited to) paper files, e-mail, audio/visual, electronic documents, systems data, databases, digital images and photographs.

Records Management
The control of the Council's records during their lifetime, from creation to storage until archiving or destruction.

Record Keeping System
A system or procedure by which the records of the Council are created, captured, secured, maintained and disposed of.

Processing
The definition of processing covers everything from obtaining and gathering in information, to using the information and, eventually, destroying the information.

3. Roles and Responsibilities

All staff and elected members are responsible for protecting personal information held and processed on computer as well as in paper files.

Chief Executive and Executive Directors
Overall responsibility and accountability for ensuring that all staff and associated third parties comply with information legislation, this Policy and associated policies and procedures lies with the Chief Executive and Executive Directors.

Head of Legal Services
The Head of Legal Services will monitor compliance with information legislation and this Policy across the Council.

Information Governance Officer
The Information Governance Officer is responsible for developing, delivering and maintaining a comprehensive information governance and security framework for the Council. He/she will help ensure compliance with legislative frameworks governing the access to, retention, sharing and disposal of information. The Information Governance Officer is responsible for reporting all personal information held by the Council to the Information Commissioner.

Information Security Officer
The Information Security Officer is responsible for creating, implementing and maintaining the Council's security policy and procedures in order to reflect changing local and national requirements. This includes requirements arising from legislation, security standards and national guidance. The Information Security Officer will support service areas in achieving best practice and compliance with security requirements.

Archivist
The Archivist will ensure that policies and procedures are compatible with the 1998 Act, particularly in relation to the transfer of records to the archive and their subsequent storage and access.

Information Liaison Officers
Each Executive Director has nominated one or more Information Liaison Officer(s) to the Council's Information Governance Group. They are responsible for providing routine advice on data protection to their service.

Data Controller
A Data Controller is a person or organisation who decides how any personal information can be held and processed, and for what purposes. Orkney Islands Council is the Data Controller.

Joint Data Controllers
These are people or organisations (for example, Orkney Islands Council, NHS Orkney or Police Scotland) who jointly process and share information.

Data Processor
This role is carried out by any person other than a Council employee (for example, contractors and agents) who processes personal information on behalf of the Council.

Detailed descriptions of the responsibilities of individual members of staff, elected members, the Head of Legal Services, the Information Governance Officer, the Information Security Officer and the Information Liaison Officers are given in Appendix A.

4. The Data Protection Principles

The Data Protection Principles set out in the 1998 Act operate as a mandatory code for processing personal data. Under the 1998 Act, the personal information the Council holds must be:
1. Processed fairly and lawfully.
2. Collected for specified lawful purposes and not further processed in any way other than as is necessary for that purpose.
3. Adequate, relevant and necessary in relation to the purpose it was collected for.
4. Accurate and kept up to date.
5. Not kept for longer than is necessary for the purpose it was collected for.
6. Processed in line with the rights of the person the information is about.
7. Protected by appropriate measures against unauthorised or unlawful processing, or accidental loss or damage.
8. Transferred to a country outside the European Economic Area only if that country provides an adequate level of protection for the rights of the people the personal information is held about.

5. Notifying the Information Commissioner

The Council must let the Information Commissioner's Office know that it holds personal information about living people. At least every 12 months, the Information Governance Officer, with advice and support from Information Liaison Officers, will review how the Council reports, uses and holds personal information. This helps to make sure that personal information which has not been reported is not being processed, and that personal information is not unlawfully collected or released. The Information Governance Officer will keep a record of these reviews.

The following information must be provided when the Information Governance Officer reports to the Information Commissioner:
- The Council's name and address.
- A description of the personal information held.
- The purposes the personal information is held and used for.
- Details of where the information comes from.
- Details of the people or organisations the information may be given to.
- A general description of the measures the Council will take to keep to the seventh data protection principle.
- Any overseas countries personal information may be transferred to.

The Council's entry on the Information Commissioner's Data Protection Register is available online.

In certain circumstances, it is not necessary to report some personal information. For example, the Council may not need to report personal information which is used only for:
- Working out wages, keeping accounts, or keeping records of purchases and sales; or
- Distributing articles or information to people (for example, people on a mailing list).

For personal information used to distribute articles or information, the Council must ask the relevant people if they object to the Council using their personal details for these purposes. If anyone does object, the personal details of those objecting must be removed.

To help decide whether or not the use of personal information must be reported to the Information Commissioner, the following flow chart has been produced.

[Flow chart: Quick guide to notifying the Information Commissioner]


6. Processing Personal Information

The Council will hold and process personal information only to support those activities it is legally entitled to carry out (except where the Council is acting as a data processor by providing computer facilities to, or when dealing with paper records for, other organisations). The Council may on occasion share personal information with other organisations. In doing so, the Council will comply with the provisions of the Information Commissioner's Data Sharing Code of Practice.

The person the personal information is collected from must be advised of the purpose for which the information will be held or processed and who the information may be shared with. If possible, all Council forms will contain a statement about this. If this is not the case, a statement on a separate piece of paper should be sent with the form. On any forms where some of the information asked for does not have to be provided, or only needs to be provided in certain circumstances, this must be identified in some way and an explanation given, preferably on the form but otherwise on a separate piece of paper sent with the form.

The Information Governance Officer should be consulted when new forms asking for personal information are being designed. The Information Governance Officer must approve the design before it is finalised. The Information Governance Officer must hold copies of all forms used to collect personal information. This includes any forms to be published on the portal.

There must be a clearly written and up-to-date statement of working procedures for all the Council's computer systems that are used by several people for holding and processing personal information. The statement should contain:
- Rules about how the system can be used.
- Which people carry out which functions.
- Where information may be entered from.
- The type of information which may be entered in free text or comments fields.
- How people looking for information should be identified.
- Under what circumstances information can be released.
- The policy on holding information; and
- A procedure for giving people access to the information held about them.

The following two principles must be complied with:
- Forms or screens that provide for information to be entered must not allow more information than is necessary to be entered.
- The computer must be capable of producing a report showing all the information held on a specific person, together with the full text for any codes used, so that subject access requests can be dealt with efficiently.

There should be procedures in place to make sure all the personal information the Council holds is accurate, up to date and still required. All staff working on systems must have access to a copy of any relevant procedures. Systems should be reviewed each year by the Information Governance Officer, the Information Security Officer and the relevant Information Liaison Officer.

As part of normal working procedures, employees may have to use information taken from a computer (for example, reports, standard letters and so on). They should ensure that any personal information contained in it cannot be seen by unauthorised people (for example, visitors to the office).

All staff are expected to maintain a clear desk policy. Confidential information should not be left unattended on employees' desks. This includes personal information on post-it notes, committee reports which contain exempt information, and any other information which is not in the public domain.

When any paper file containing personal information has to be disposed of, it should be shredded first, or placed in the appropriate confidential-waste bags to be destroyed. Confidential waste bags must be kept locked away prior to the contents being destroyed.

Storage media must be securely erased before reuse or reallocation. Staff should contact IT Support for advice. When staff wish to dispose of computers they must contact IT Support.

7. Releasing Information

There are situations where the Council can release personal information. For example, under the 1998 Act, any person whose personal information the Council holds on computer or in paper files has the right to know what information the Council holds about them. If a person asks for this information, known as a Subject Access Request, the Council must provide the information requested within 40 days. This period begins when the Council:
- Is satisfied about the applicant's identity.
- Is satisfied with the validity of the request.
- Has received the £10 fee; and
- Has enough details to locate the information which the person is seeking.

Other situations where personal data may be released are as follows:
- Personal data may be given to other Council employees so they can perform their duties by processing that information, as long as it is not for a different purpose.
- Personal information may be released, if it is urgently needed, to prevent injury or other damage to a person's health.
- Personal information may be released for the purposes of preventing or detecting crime, arresting or prosecuting offenders, or assessing or collecting any tax or duty, if there is a good chance that not providing the information would prevent one or more of these purposes. However, information given for this purpose should only be about specific named people. Requests for such information may be made by phone (from a local police station or divisional headquarters) or in person. If the request is made in person, the police should provide the necessary information on the standard form the police produce. If the request is made by phone, the caller should be called back to check that they are the police. A few days later the police will confirm in writing that they asked for and received the information.

There are some types of personal information to which people do not have a right of access. Indeed, there may be occasions when the Council would breach the 1998 Act if it complied with the terms of a Subject Access Request.

All requests for access to personal information should be sent immediately to the Information Governance Officer. Applicants will be encouraged to fill out the Subject Access Request form. For more information, see our Subject Access Requests guidance leaflet, Personal Information - Your Right to Know.

8. Risk to the Council

The main risk to the Council is breaching the 1998 Act. This could result in the Information Commissioner imposing a civil monetary penalty of up to £500,000 on the Council. The Council may also be sued for damages by a third party that has suffered harm as a result of a breach.

Examples of a breach include:
- Staff recording personal information in a record keeping system and not realising that they may in fact need to notify the Information Commissioner through the Information Governance Officer.
- A printout containing personal information being put with normal waste rather than being shredded.
- Staff sharing personal information with someone who does not need to know that information or who does not have a right to that information (for example, sending an e-mail with personal information to the wrong person).
- Not responding to a subject access request within the 40-day timescale.
- Not keeping the Council's notification to the Information Commissioner up to date.
- Personal information being distributed through the internal mail system without being put in a sealed envelope.
- Information not being accurate and up to date.
- Keeping information for longer than required.
- Information being sent to a country outside the European Economic Area which does not have acceptable Data Protection laws (see Appendix B).
- Not reporting any losses or unlawful disclosure/sharing of personal information to the Information Commissioner.
- Not ensuring that any new data sharing projects have the consent of the data subjects and that appropriate data sharing agreements are in place.
- Failure to advise service users what we will do with their information when collecting it (e.g. on a form).
- Printing out personal information to a shared printer and not taking adequate precautions to ensure that the information is not accessed by other people.
- Sharing third-party information in the course of responding to a subject access request.

9. Training

All staff will be trained in the basics of data protection as soon as reasonably possible after starting to work for the Council. All staff (including supply/relief) have a confidentiality clause in their contract which they agree to. They also sign an Information Security User Acceptance for the Information Security User Guidance.

Staff who work on computer systems that hold or process personal information, or who use the information associated with those systems, will receive training. If written procedures for using such systems are not yet in place, staff will be trained in legitimate ways of finding and providing information and told which information must not be recorded.

Any new Information Liaison Officers will be trained in data protection relating to their responsibilities for their business area.

Managers may want to request in-depth training for their staff, particularly if they are dealing with sensitive data. In those circumstances they should contact the relevant Information Liaison Officer in the first instance, so that appropriate arrangements can be agreed. Local training modules can be put in place for service areas which routinely deal with more sensitive personal and/or confidential information.

The Information Governance Officer will make elected members familiar with the basics of data protection as soon as reasonably possible after they are elected.

10. Information Security

For a comprehensive description of the Council's approach to computer security, see the Orkney Islands Council Information Security Staff Guidance document, which is a guide to the Council's computer security policy. The elements of computer security relating to data protection are described below.

Maintenance and support staff must be supervised, especially those from outside the Council, while they are in Council facilities or establishments. If they need a password to get access to equipment, software or information, this should be arranged beforehand and the password deleted when they have finished. Staff and elected members should never give people their own password. Maintenance and support staff should not be allowed to take away computers, other hardware or printouts unless this has previously been agreed with the Information Security Officer.

Records containing personal information must not be provided for test, maintenance or development purposes without first being anonymised to remove or scramble any information that can identify an individual. The following assurances must be provided before sample data is provided to suppliers for test or maintenance purposes:
- Specification of the supplier in the Council's report to the Information Commissioner.
- Information will be used only for conducting one or more specific tests within a previously agreed scope of work.
- Information will not be given to any person not involved in the relevant test and will not be produced in any publication or manual.
- After carrying out the relevant test or tests, any printouts containing personal information must be destroyed and any disks or tapes returned securely.

Additionally, for information transfer, processing and storage within Orkney Islands Council:
- Records containing personal information that need to go from one Service or office to another should be delivered to a specific person or secure area, and not left lying about for collection.
- The Chief Executive and Executive Directors are responsible for making sure the requirements of the Data Protection laws have been considered and provided for when obtaining or developing equipment and software through IT Services.

Where there is a requirement for data to be processed by an external contractor or supplier on behalf of Orkney Islands Council, the following checks and controls must be undertaken and in place before any data is permitted to be transferred or processed:
- The external contractor's or supplier's Data Protection Registration status must be checked.
- A third party data processing agreement must be in place with the contractor or supplier, and this agreement must be approved by Legal Services.

11. Working Away from the Office

Staff may occasionally have to work away from their usual workplace and, in order to do so, they may need to use computers. If this happens, the Council's Information Security User Acceptance and Standards and this Policy and Code of Practice still apply to the work they do.

If staff and elected members take equipment off Council premises, they must ensure this equipment and any paper files are transported safely. Any computer or other hardware which may contain personal information must be protected from unauthorised access while it is being transported. The equipment should be locked in a car boot where possible, and should never be left unattended on any other form of transport. A line manager must agree to the equipment and information being taken off Council premises and must make sure that the employee or elected member knows their responsibilities and can meet them.

Any portable computing equipment must be Council owned, of an approved type and fully encrypted to the corporate standard. Information processed on a portable computing device should be transferred to the corporate network as soon as is practicable. Users of portable computing devices outwith Council premises must take all reasonable precautions to ensure that their screens are not overlooked by an unauthorised person. Screens must not be left live when unattended.

When using equipment in their home, staff must make sure no member of their household or visitor has access to the computer. Equipment must be positioned where any personal information which may be displayed on the screen or held in paper files cannot be seen by anyone else inside or outside the home. Any paper files or material printed off a computer which may contain personal information must be kept secure, such as in a locked bag. Members of a household and members of the public must not have access to the information, and it must be kept securely locked away when staff are not home.

Wherever possible, carrying hard copies of confidential documents should be avoided. Instead, documents should be scanned onto an encrypted laptop. Portable computing devices, including laptops and flash drives, must be of the approved type and be fully encrypted to the corporate standard. If a staff member or elected member keeps computer equipment at home, the equipment and anything printed off containing personal information must be locked away, either in a desk or cupboard, when they are not around.

12. E-mail

E-mails may contain personal information, and care should always be taken when sending personal information by e-mail (for example, one could be sent to everyone in the Council by mistake). Please see the Orkney Islands Council Information Security Staff Guidance document, which is a guide to the Council's computer security policy.

A check should be made that the information is in fact being sent to the appropriate person (for example, e-mails can accidentally be sent to someone with the same surname). If someone has to send sensitive personal information by e-mail, they should make sure it is only sent to appropriate staff. They could do this by putting the information into a Word document and protecting the document with a password.

If sensitive information is being sent to an external address, the sender should ensure that the recipient has a secure address, i.e. a Public Services Network (PSN) e-mail address. Secure mail transfer (SMURF) should always be used when sending personal information to non-PSN external addresses. Please note that when using SMURF, only the attachment is secure. When possible, secure mail transfer (SMURF) should be used when sending personal information to non-PSN external addresses. Where this is not possible, such as when sending e-mails to individuals, sensitive personal information should never be included in the body of the message and should always be included in attachments that are either encrypted or password protected.

Inappropriate use of e-mail can result in legal action.

Portable computing devices must always be used with the Council's Remote Working Solution. Users must not attempt to bypass or change the configuration. Further advice can be obtained from IT Support and the Council's Information Security Officer.

13. Complaints

Any complaints received by, or on behalf of, a member of the public containing allegations of inappropriate disclosure of information will be dealt with in the normal way through the Corporate Complaints Procedure in the first instance. If an individual does not feel that the Council is treating their data appropriately and has not answered their complaint, they can contact the Information Commissioner.

14. Breaches of Security

Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. Despite the security measures taken to protect personal data held by the Council, a breach can happen for a number of reasons:
- Loss or theft of data or equipment on which data is stored.
- Inappropriate access controls allowing unauthorised use.
- Equipment failure.
- Human error.
- Unforeseen circumstances such as a fire or flood.
- Hacking attack; and
- Blagging offences, where information is obtained by deceiving the organisation which holds it.

No matter how the breach occurs, it should be dealt with effectively and the Council must respond to and manage the incident appropriately. If a breach occurs, the Information Governance Officer must be informed immediately. IT security breaches should also be reported to the Information Security Officer. The Information Governance Officer will then put into place a breach management plan which will include the following four elements:

1. Containment and Recovery
The response to the incident should include a recovery plan and, where necessary, procedures for damage limitation.

2. Assessing the Risks Associated with the Breach
Any risks associated with the breach should be assessed, as they are likely to affect what should be done once the breach has been contained. In particular, it is important to assess:
- The potential adverse consequences for individuals.
- How serious or substantial these are; and
- How likely they are to happen.

3. Informing the Appropriate People and Organisations that the Breach has Occurred
Informing people about an information security breach can be an important part of managing the incident, but it is not an end in itself. It is necessary to be clear about who needs to be notified and why. For example, consider notifying:
- The individuals concerned.
- The Information Commissioner for Scotland.
- Other regulatory bodies.
- Other third parties such as the police and the banks; and/or
- The media.

4. Reviewing the Council's Response and Updating Information Security

It is important that the causes of the breach are investigated and that the effectiveness of the response to it is evaluated. If necessary, policies and procedures should then be updated accordingly. More information on breach management can be found in the Information Commissioner's Office Guidance on Data Security Breach Management.

15. Monitoring and Reporting

This policy will be reviewed annually by the Information Governance Officer. A review of the Council's compliance with relevant legislation and best practice will be reported to elected members on an annual basis. The Information Governance Officer will monitor the Council's compliance with relevant legislation and best practice. Proposed changes to information governance policies or procedures will be considered by the Information Governance Group in the first instance.

16. Legislation

The Council has a responsibility to protect the information that it holds from loss and from unauthorised access and modification. In addition, the Council is required to comply with relevant legislation including:

- Adults with Incapacity (Scotland) Act
- Age of Legal Capacity (Scotland) Act
- Computer Misuse Act
- Copyright, Designs and Patents Act
- Data Protection Act
- Environmental Information (Scotland) Regulations
- Freedom of Information (Scotland) Act
- Inspire (Scotland) Regulations
- Human Rights Act
- Local Government (Scotland) Act
- Public Records (Scotland) Act
- Regulation of Investigatory Powers (Scotland) Act
- Re-use of Public Sector Information Regulations

All staff are also subject to a common law duty of confidentiality and must abide by this.

17. Related Policies

- Orkney Islands Council Records Management Policy.
- Orkney Islands Council Information Security Policy.
- Orkney Islands Council Records Retention Schedule.
- Orkney Islands Council Freedom of Information Policy.
- Orkney Islands Council Personal Information: Your Right to Know.

18. Further Information and Guidance

Post: Information Governance Officer, Corporate Services, Orkney Islands Council, Council Offices, Kirkwall, KW15 1NY
Tel: , extn

Further information is also available from the Information Commissioner's website, including:

- Subject Access Code of Practice.
- Data Sharing Code of Practice; and
- Conducting Privacy Impact Assessments Code of Practice.

Appendix A. Responsibilities

Corporate Management Team

Overall responsibility and accountability for ensuring that all staff and associated third parties comply with information legislation, this Policy and associated policies and procedures lies with the Council's Chief Executive, Executive Directors and Heads of Service.

Executive Director of Corporate Services

The Executive Director of Corporate Services will act as the Council's Senior Information Risk Owner. S/he has strategic responsibility for information governance.

Head of Legal Services

The Head of Legal Services will be responsible for:

- Monitoring compliance with information legislation and this Policy across the Council.
- Reviewing the registration of the Council, Councillors and other relevant organisations with the Information Commissioner's Office.
- Reviewing the breach management plan in the event of a data protection breach and ensuring that the Council's response is adequate.

Information Governance Officer

The Information Governance Officer is responsible for developing, delivering and maintaining a comprehensive information governance and security framework for the Council. They will ensure compliance with the legislative and regulatory frameworks governing the access to, retention, sharing and disposal of information. Their responsibilities include the following:

- With the relevant Information Liaison Officer(s), providing staff with day-to-day expert advice, guidance and support on all areas of information governance and security.
- Chairing and developing the Council's Information Governance Group to create a centre of best practice for the promotion of an information governance and security framework for the Council.
- Raising awareness of the Council's information governance policies and procedures, relevant legislation and best practice by developing and providing training for employees, elected members and other relevant stakeholders.
- Liaising with external bodies and acting as the Council's central contact point with the Information Commissioner's Office, the Office of the Scottish Information Commissioner and the Keeper of the Records of Scotland.
- Taking the lead on any audits relating to information governance and security conducted by the Information Commissioner's Office or any other regulatory agencies.
- Managing information requests, including requests for information made under the Freedom of Information legislation, environmental information regulations, the 1998 Act and the Access to Health Records Act.

- Implementing a risk based assessment of information breaches and risks, including investigation of breaches involving personal data.
- Maintaining, reviewing and updating the Council's information governance policies, procedures and forms.
- Registering the Council, Councillors and other relevant organisations with the Information Commissioner's Office.
- Working with the Information Security Officer and Information Liaison Officers to make sure that all personal information held on computer and in paper files is held, processed and registered with the Information Commissioner in line with the 1998 Act.

Information Security Officer

The Information Security Officer's responsibilities include the following:

- Ensuring that the Council's Information Security Policy and procedures are kept under review, in order to reflect changing local and national requirements.
- Raising awareness of the Information Security Policy and monitoring the effectiveness of service policies and procedures.
- Developing and managing the corporate Information Security Management System (ISMS), including operational policies, security standards and controls, outline procedures, security reporting mechanisms and checklists.
- Developing and maintaining the information security guidance document issued to Council staff: Orkney Islands Council Information Security Staff Guidance.
- Monitoring the IT security infrastructure to ensure compliance with legislation, standards and guidelines.
- Monitoring and investigating any breaches of information security within the Council.

Archivist

The Archivist is responsible for ensuring that policies and procedures relating to the storage of records and the provision of access within the Archive are compatible with the 1998 Act. Principle 5 of the 1998 Act states that personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. The Information Commissioner has, however, approved the following special purpose as a compatible further use of personal data: records selected for permanent preservation as archives, with a view to their use in historical or other research. The Archivist's responsibilities include the following:

- Appraising records containing personal data, taking into consideration whether their value for research purposes justifies their retention and is in the substantial public interest.
- Ensuring that the processing of personal data for the purpose of archival preservation is undertaken with regard to the exemptions set out in Section 33 of the 1998 Act (research, history and statistics), and that data is not processed in such a way that substantial damage or distress is, or is likely to be, caused to any data subject.
- Managing appropriate security and provision of access to personal data in their own administrative records, such as staff and reader records and correspondence with depositors, as well as personal data in the archives within the repository.
- Managing the acquisition and transfer of records from the Council and other organisations and individuals. This includes making reference to any agreements made with the depositor or donor, determining the role of the Archivist in relation to each collection of records and determining the responsibilities of each party in complying with data protection rules. Given the large number of individuals featuring in the archive collection, the Archivist is not always in a position to ascertain whether individuals are still alive and hence whether the information about them is protected by the 1998 Act. If it is not known whether a data subject is alive or dead, the Archivist will use working assumptions in line with national codes of practice to govern whether access to personal data for the purpose of research is granted or not.
- Advising the Council on records management matters, including retention, storage and disposal procedures.

Information Liaison Officers

Each Service has one or more Information Liaison Officers. Information Liaison Officers are responsible for meeting the requirements of the 1998 Act within their Service and service areas. Their duties include:

- Preparing details for all new or altered computer systems managed by someone in the Service.
- Making sure that all personal information held or processed on computers in their Service/service area is processed in line with the details reported to the Information Commissioner.
- Making sure staff understand and accept their responsibilities and agreed procedures.
- Giving the Information Governance Officer information on all proposed new systems which involve processing personal information, to make sure the use will be in line with the details reported to the Information Commissioner. This must be done before the information is collected or the system is introduced.
- If changes to existing systems mean the details reported to the Information Commissioner need to change, informing the Information Governance Officer before the change is introduced.
- Together with the Information Governance Officer, making sure that the Service only uses information in line with the details reported to the Information Commissioner.
- Arranging for staff in their Service/service area to receive training in relation to data protection.

- Making sure procedures are in place to search for, find and collect all personal information held within the Service that is needed to reply to a request someone has made for access to information about them.
- Telling the Information Governance Officer about any request a person makes for access to personal information about them.
- Keeping in touch with the Information Governance Officer and other Information Liaison Officers.
- Implementing and managing local file plans.
- Supporting the roll out of records management procedures and providing local records management support to their Service.

Individual Members of Staff and Elected Members

Individual members of staff and elected members are responsible for protecting personal information held or processed on computer, or held in paper records, within their care. They do this in the following ways:

- Making sure personal information is processed only in line with the details reported to the Information Commissioner, and telling their Information Liaison Officer about any exceptions.
- Reporting all proposed new systems or changes to existing systems to their Information Liaison Officer before the new system or change is introduced.
- Following agreed procedures for holding or processing personal information.
- Taking reasonable steps to check the identity of an enquirer who is asking for personal information, especially those calling in person or phoning.
- Making sure personal information is adequately protected at all times, by following the guidance given in this document and associated policies and procedures.
- Advising the relevant Information Liaison Officer of any potential data protection breaches and/or information security concerns.
- Implementing a clear desk policy to make sure that no personal information, or other information not publicly available, is left unattended.
- Controlling access to Council offices and records storage centres in accordance with Council procedures.
- Ensuring adequate security measures are in place when allowing contractors or other visitors onto Council premises.

Appendix B. Data Protection Authorities in the European Union and European Economic Area and Third Countries

The following countries have the same data protection principles as the UK, and so it is appropriate to transfer information to them in keeping with the eighth data protection principle.

1. Andorra.
2. Argentina.
3. Australia.
4. Austria.
5. Belgium.
6. Bulgaria.
7. Canada.
8. Croatia.
9. Cyprus.
10. Czech Republic.
11. Denmark.
12. Estonia.
13. Faroe Islands.
14. Finland.
15. Former Yugoslav Republic of Macedonia.
16. France.
17. Germany.
18. Greece.
19. Guernsey.
20. Hawaii.
21. Hong Kong.
22. Hungary.
23. Iceland.
24. Ireland.
25. Isle of Man.
26. Israel.
27. Italy.
28. Japan.
29. Jersey.
30. Korea.
31. Latvia.
32. Liechtenstein.
33. Lithuania.
34. Luxembourg.
35. Malta.
36. Monaco.
37. New Zealand.
38. Norway.
39. The Netherlands.
40. Poland.
41. Portugal.
42. Romania.
43. Slovakia.
44. Slovenia.
45. Spain.
46. Sweden.
47. Switzerland.
48. Taiwan.
49. Thailand.
50. United Kingdom.
51. Uruguay.
52. USA.

Document Control Sheet

Review/Approval History

Date             Name         Position                Version  Approved
9 December 2014  Fraser Bell  Head of Legal Services           Council, 9 December 2014

Change Record Table

Date  Author  Version  Status  Reason

Status Description

Final: The document is complete and is not expected to change significantly. All changes will be listed in the change record table.


More information

for people coming to Scotland to work

for people coming to Scotland to work for people coming to Scotland to work In Scotland, most health care is provided by the National Health Service (NHS). If you are coming from overseas to work in Scotland, and you live here legally, this

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities. Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

Data Protection and Community Councils Briefing Note

Data Protection and Community Councils Briefing Note Data Protection and Community Councils Briefing Note This briefing note has been prepared in response to specific queries raised by Community Councils in Marr in relation to their Data Protection requirements.

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

(Only available if you have applied for a Decreasing Mortgage Cover Plan or a Level Protection Plan).

(Only available if you have applied for a Decreasing Mortgage Cover Plan or a Level Protection Plan). Mortgage protection Free cover (Only available if you have applied for a Decreasing Mortgage Cover Plan or a Level Protection Plan). At Zurich, we understand the importance of financial protection when

More information

Policy Document Control Page

Policy Document Control Page Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Data Security Breach Management - A Guide

Data Security Breach Management - A Guide DATA PROTECTION (JERSEY) LAW 2005 GUIDANCE ON DATA SECURITY BREACH MANAGEMENT GD21 2 DATA PROTECTION (JERSEY) LAW 2005: GUIDANCE ON DATA SECURITY BREACH MANAGEMENT Introduction Organisations which process

More information

Data Protection and Information Security Policy and Procedure

Data Protection and Information Security Policy and Procedure Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May

More information

Data Security and Extranet

Data Security and Extranet Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

DATA PROTECTION AND DATA STORAGE POLICY

DATA PROTECTION AND DATA STORAGE POLICY DATA PROTECTION AND DATA STORAGE POLICY 1. Purpose and Scope 1.1 This Data Protection and Data Storage Policy (the Policy ) applies to all personal data collected and dealt with by Centre 404, whether

More information

Information Governance Framework. June 2015

Information Governance Framework. June 2015 Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review

More information

Data Compliance. And. Your Obligations

Data Compliance. And. Your Obligations Information Booklet Data Compliance And Your Obligations What is Data Protection? It is the safeguarding of the privacy rights of individuals in relation to the processing of personal data. The Data Protection

More information

EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents

EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998. Contents EMMANUEL COLLEGE THE APPLICATION OF THE DATA PROTECTION ACT 1998 Contents 1. Introduction Page 2 2. The Data Protection Act 1998 Page 2 3. Review of data used in College departments Page 3 4. Security

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

About us. As our customer you will be able to take advantage of the following benefits: One Provider. Flexible Billing. Our Portal.

About us. As our customer you will be able to take advantage of the following benefits: One Provider. Flexible Billing. Our Portal. About us At RoamingExpert we specialise in mobile roaming tariffs which are tailored to the specific needs of the yachting industry. Our unique offering generates significant savings when compared to standard

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

How To Understand The Data Protection Act

How To Understand The Data Protection Act DATA PROTECTION ACT 2002 The Basics Purpose of the Act Balance the rights of an individual with an organisation s legitimate need to process personal data Promote openness and transparency Establish and

More information

Evidence additional element appendix 47. Records Management Guidance for the management of emails

Evidence additional element appendix 47. Records Management Guidance for the management of emails Records Management Guidance for the management of emails 2010 1 Document Control Sheet Name of Document: Guidelines for the Management of Emails as Records 2010 Author: Consultees Description of Content:

More information

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information.

1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information. MANCHESTER METROPOLITAN UNIVERSITY DATA PROTECTION POLICY This policy should be read in conjunction with the Data Protection Guidance, which is attached as: Appendix A Dealing with Personal Data Appendix

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy

More information

How To Protect Your Personal Information At A College

How To Protect Your Personal Information At A College Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Labour Force Survey 2014 Almost 10 million part-time workers in the EU would have preferred to work more Two-thirds were women

Labour Force Survey 2014 Almost 10 million part-time workers in the EU would have preferred to work more Two-thirds were women 75/2015-27 April 2015 Labour Force Survey 2014 Almost 10 million part-time workers in the EU would have preferred to work more Two-thirds were women Among the 44.1 million persons in the European Union

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

How To Ensure Network Security

How To Ensure Network Security NETWORK SECURITY POLICY Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Page 1 of 12 Review and Amendment Log/Control Sheet Responsible Officer:

More information

Enterprise Information Security Procedures

Enterprise Information Security Procedures GHL Network Services Ltd Enterprise Information Security Procedures Prepared By Nigel Gardner Date 16/11/09 1 Contents 1. Openwork s Information Security Policy...3 2. Enterprise Information Security Procedures...3

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

in Scotland for holidaymakers from overseas

in Scotland for holidaymakers from overseas in Scotland for holidaymakers from overseas In Scotland, most health care is provided by the National Health Service (NHS). If you are coming to Scotland on holiday or to visit friends or relatives, you

More information

Driving in Great Britain (GB) as a visitor or a new resident

Driving in Great Britain (GB) as a visitor or a new resident INF38 Driving in Great Britain (GB) as a visitor or a new resident For more information go to www.direct.gov.uk/driving 11/08 Contents 1 European Community/European Economic Area (EC/EEA licences) 3 2

More information

Employee eligibility to work in the UK

Employee eligibility to work in the UK Employee eligibility to work in the UK This document details legal requirements that apply to ALL new members of staff All employers in the UK are legally bound to comply with the Asylum and Immigration

More information

Data protection policy

Data protection policy Data protection policy Introduction The College is required to keep certain information about employees, students and other users to allow it to monitor performance, achievements, health and safety, recruitment

More information