Information Governance

1 CONTROLLED Information Governance Caldicott Version - Workbook Non Caldicott Version - Workbook Version 12 January

2 Don't Get Bitten by the Data Demon

Using this Workbook

The objective of this workbook is to provide you with guidance covering:
- Information Governance
- SafeHaven Guidance
- Data Protection
- Confidentiality
- Freedom of Information
- Records Management

It also aims to ensure you are familiar with good working practice to reduce the risk of security and data breaches for anyone working for the Council. Don't get bitten by the Data Demon by, for example, being the cause of a data breach.

You will find a number of references to the Council's Information Management Policy, Guidelines and Procedures in this course. You should read these if you have not already done so.

3 Introduction by Judith Greenhalgh

Hi, I am Judith Greenhalgh, the Strategic Director of Corporate Resources. One of my responsibilities is to chair the Information Governance Group where representatives from all service areas across the Council meet to review and agree consistent policies and procedures relating to information management and ensure the Council adheres to these.

By law, we are all responsible for Information Security and it is our individual responsibility to comply with this. The Council continually reviews security breaches and the audits undertaken and seeks to raise awareness and standards of compliance.

It is essential that the Council maintains the trust and confidence of both the public and staff in handling their personal data. The same standards also apply to handling information relating to employees. I cannot overemphasise the importance of ensuring that personal data is always managed in a secure way and is governed by the highest standards.

We expect all our staff to follow the agreed policies and procedures in how to manage any type of information. Within the Council there is always advice at hand or someone to speak to for clarification. If you are unsure of any issue relating to Information Security, then the simple rule is not to disclose information until we are clear that you are acting appropriately.

The financial penalties for breaches of Information Security can be very serious. It is not uncommon to be fined hundreds of thousands of pounds for serious breaches. The Council has high standards of compliance and it is important to maintain public confidence and reputation.

4 Introduction by Judith Greenhalgh continued

It is important that where an information security breach arises that you report this immediately to your manager. Your early action can minimise risk. If you observe potential security breaches such as leaving a desk and not locking a computer screen, or speaking openly about confidential issues, you should point this out.

The Council takes its responsibility for Information Security very seriously. When I was appointed to my post, the expectation of my compliance was stated in my Appointment Letter and the Code of Conduct I was provided with. All newly appointed employees receive the same information. Similarly, Information Security is referred to in all procedures covering your conduct at work and forms an integral aspect of Induction for all employees and throughout your employment.

I highly recommend the short training course you are about to undertake. This has been designed to increase your knowledge and understanding. You may find that as part of your work you require more detailed information and training on Information Security. If so, please discuss this with your manager as more detailed information and training is available.

Similarly, if you need to report a security breach, contact your manager at the earliest opportunity who will assist you.

I hope that you enjoy this e-Learning course. Please take the time to complete the comments form at the end. Your feedback will be used to develop and improve this training.

Judith Greenhalgh
Strategic Director of Corporate Resources

*Resource

Reference documents continued:
- The Derbyshire Partnership Forum - Sets out the principles for Data sharing among Derbyshire's partners
- Records Retention Schedule
- Scanning and Disposal Policy
- Social Media Policy
- Subject Access Requests
- Departmental Data Protection Contacts
- Departmental Freedom of Information Contacts
- Information Commissioner's Office
- EDRM Departmental Contacts

5 *Resource

Because of the nature of your employment you may not have access to a computer and the Council's Dnet. The reference documents below may be obtained by speaking to your line manager.
- E-mail and Internet Acceptable Use Policy - Accidental Misuse of E-mail or Internet Form
- Data Demon Accidental Misuse of Email and Internet
- Document Classification and Handling Policy
- Derbyshire Safe Haven Guidance
- ICT Security Policy
- ICT Acceptable Use Policy
- Information Security Breach Reporting Tool
- Off-site Document Storage Guidance
- Derbyshire Children's Safeguarding Board

Information Governance

Information Governance is the framework which enables the organisation and you as an employee to comply with legal and statutory requirements. It includes best practice guidance when handling person identifiable information and organisational records.

Underpinning the Information Governance Framework, in regard to personal data, is the Data Protection Act.

6 Derbyshire County Council SafeHaven Guidance

As an employee you must be aware of your responsibility for secure personal and confidential information handling and management. It is the responsibility of managers, senior managers and strategic directors, to ensure all employees reporting to them have appropriate training in information security and confidentiality.

The key documents that YOU as an employee should read in relation to information security are in the Derbyshire SafeHaven Guidance.

Ways of Avoiding Security Breaches

Your responses on page 20 to "Ways of avoiding security breaches" could also include:
- One way you can reduce the risk of committing a data breach is to ensure that you have read, understood and comply with the Council's Data Security policies
- Save files to secure network drives
- Obtain written consent before sharing personal data
- Have a process in place to double check that correspondence by whatever media has been sent to correct recipient
- Non DCC devices such as personal mobile phones or tablets should not be used to share confidential data via text, email or social media other than in emergencies
- Never use unencrypted devices to store personal data
- Lock your printing requests
- When using social media e.g. SMS texts, Facebook, Twitter etc., ensure you comply with the Council's Social Media Policy
- Lock away any papers containing personal data when you leave your desk
- Avoid sending personal data by email unless through a secure network or in an encrypted state
- Verify recipient's identity and address before sharing data, particularly where telephone contact is involved
- Log out of IT systems when you leave your workstation

7 Information Governance: Your Responsibility

It is the responsibility of every employee of the Council to be aware of and adhere to the Information Governance policies of the organisation.

DCC SafeHaven Guidance

The DCC SafeHaven Guidance document gives you advice and guidance in key areas of information security covering:
- Paper record security
- Mail internal and external
- Verbal communication
- Electronic records
- Establishment security
- Taking work outside the workplace
- Information sharing
- Management of confidential information

For further information contact your departmental Data Protection or Freedom of Information contact.*

8 The Data Protection Act 1998

The Data Protection Act 1998 tells you how to deal with all aspects of people's Personal Data. We will now look at the key aspects of this.

Records Management / Classification

To support compliance with the Code of Practice the Council has introduced a new policy requiring the labelling of all electronic and paper documents into the following classifications:

CONTROLLED
This information is generally available to anyone within areas of the Council and contains business value to the organisation or requires protection due to personal data.

RESTRICTED
Unauthorised disclosure of this information (even within the organisation) would cause serious damage in terms of financial loss, legal action or loss of reputation.

PUBLIC
This is information that is freely available to anyone, e.g. information that is provided in flyers, leaflets, press releases, or the Council website and does not require any access restrictions.

9 The Data Protection Act 1998

The Data Protection Act 1998 is underpinned by a set of eight straightforward, common-sense principles and establishes a framework of rights and duties which are designed to safeguard personal data. The framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals for their personal data to be treated with respect and privacy.

If you make sure you handle personal data in line with the spirit of these principles, this will go a long way towards ensuring that you comply with the letter of the law.

Why do we need to adhere to the Code?

Freedom of information is only as good as the records/information it provides access to:
- Access rights are of limited value if the information cannot be found, or, when found, cannot be relied upon as being authoritative
- By adhering to the Code of Practice the Council will give some assurance that the information it holds is complete and reliable
- Failure to comply with the practice outlined in the Code can result in the Information Commissioner issuing a practice recommendation, or an information notice. Failure to act on both of these can result in the Council being found in contempt of court
- It can affect the Authority's reputation if we get it wrong.

10 The Data Protection Act 1998

What is Personal Data?

Personal data means data which relates to a living individual who can be identified from that information or other information in the possession of the organisation or likely to be in the future.

A Data Subject is the person to whom the data relates.

What does the Code of Practice say?

As a Local Authority we should:
- Ensure that records are stored securely and that access to them is controlled
- Define how long we need to keep particular records, dispose of them when they are no longer needed, and be able to explain why records are no longer held. Please refer to the Council's Retention and Disposal Policy for further information*
- Ensure that records shared with other bodies or held on their behalf by other bodies are managed in accordance with the code

The Council is rolling out an Electronic Document and Records Management system to improve our compliance with this requirement. Contact your EDRM representative for further details.*

11 What does the Code of Practice say?

The Code of Practice states:
- All staff have a legal and professional obligation in respect of any records which they create or use in the performance of their duties
- By records it means files, minutes, policies, procedures, e-mails, letters, videos, pictures, web content etc.
- Any record created as a consequence of providing Council services is an official record and subject to information requests (FOI, EIR and Subject Access)

Types of Personal Information

What types of Personal Information are there?
- Personal - Anything that focuses on or has the potential to impact on an individual, e.g., name, date of birth, home address.
- Sensitive - Ethnicity, medical history, sexual orientation, criminality, trade union membership, religion.

For further guidance speak to your Departmental Data Protection contact.

12 The Data Protection Act 1998

The 8 Data Protection Principles are:
1. Personal data shall be processed fairly and lawfully. There are specific conditions in the Act that must be followed before personal data and sensitive personal data can be processed
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or those purposes
4. Personal data shall be accurate and where necessary, kept up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
6. Personal data shall be processed in accordance with the rights of data subjects under this Act
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to it
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Records Management

Records Management is important. It is a key piece of the Information Governance jigsaw!

Section 46: Records Management Code of Practice
- Freedom of Information allows public access to all recorded information held by public authorities
- As part of FOI the Lord Chancellor issued a code of practice on Records Management
- The Code of Practice outlines the practice that the Council should conform to so that it is able to respond to FOI requests

13 Freedom of Information

Key principles in answering requests for information:
- Make sure that everyone knows who is responsible for dealing with FOI requests and where to send them
- Don't leave FOI requests on your desk or on your PC, forward them on to your departmental contact without delay, 20 work days can pass very quickly
- Practise good records management to ensure information can be quickly identified and retrieved. Check your records retention schedule to establish whether we still hold the information at all
- Remember that an FOI request must be dealt with as soon as possible, but certainly within 20 days of receipt

Subject Access Requests

What is a subject access request?

A Subject Access Request under The Data Protection Act 1998 is a request to access personal data held by an organisation that relates to a person. The request can be made by the person themselves or someone with the authority to represent them.

You must respond to a Subject Access Request promptly and in any event within 40 calendar days of receiving it.

Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. An example would be data concerning an investigation of the data subject.

14 Safeguarding and the Data Protection Act 1998

Am I ok to share personal information relating to a Safeguarding issue?

If you are sharing personal information relating to a Safeguarding issue, the safety of the individuals concerned should be your first priority. As long as you can justify your decision to share information under these circumstances and record it, you will not be in breach of the Act.

Safeguarding means the protection from maltreatment, preventing impairment of health or development, providing an environment of safe and effective care and promoting the best outcomes for children and vulnerable adults.

If you are involved in Safeguarding of children or vulnerable adults please ensure you are aware of the Information Sharing Guidance from Derbyshire Children's Safeguarding Board.

Freedom of Information

Sometimes when applying an exemption it is necessary to consider the public interest in the information being requested. However, what the public are interested in and what is in the public interest are not necessarily the same thing. Newspapers for example can contain stories that the public may find interesting, however, not all the information that is disclosed is something the public need to know in the wider public interest.

Apart from exemptions a request can be refused if the cost exceeds the Fees Regulations limit (equivalent to 18 hours) or if the request is vexatious or repeated.

15 Freedom of Information

The FOI Act provides a right of access to information. Information should therefore be released wherever possible.

However, it would clearly not be appropriate for all information to be made public. There are recognised exemptions in the FOI Act, for example:
- Commercial interests
- Information intended for future publication
- Personal Data
- Information reasonably accessible to the applicant by other means (e.g. it is already published on the Derbyshire Website)

The Information Commissioner's Office

The Information Commissioner's Office (ICO) is the UK's independent authority set up to promote access to official information and to protect personal information. You will now learn how it achieves these aims.

16 The Information Commissioner's Office

The ICO's mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO can prosecute those who commit criminal offences under the Act. Offences include:
- Unlawfully obtaining or disclosing personal data or information
- Arranging the disclosure of personal data to someone else
- Selling personal data which was unlawfully obtained

Action that can be taken by the Information Commissioner's Office

The Information Commissioner's Office can:
- Issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act
- Prosecute those who commit criminal offences under the Act
- Report to Parliament on data protection issues of concern
- Provide information and advice for individuals and organisations. Much of this can be found on the Information Commissioner's Office website

Freedom of Information

A Freedom of Information request must be made in writing (an EIR request need not). The requester must supply a name and a postal or email address for the Authority to reply to.

FOI requests can be made by members of the public, the media (television, radio, newspapers), MPs, Charities etc. FOI requests can be made by anyone anywhere in the world.

The Council is required to reply to a request as soon as possible within 20 working days.

17 Freedom of Information

All recorded information held by, or on behalf of, a public authority is within the scope of the Act. However, disclosure of personal data is subject to the Data Protection Act.

The legislation applies to any recorded information held by the Council. It covers files, letters, databases, loose reports and letters, emails, office notebooks, videos, photographs, wall charts and maps etc. It extends to closed files and archived material as well as information in current use. It also extends to social media such as SMS texts, Facebook, Twitter etc. if it relates to DCC business.

Where information relates to the environment this is covered by the Environment Information Regulations 2004 (EIR) which has broadly similar provisions.

ICO Financial Penalties

Apart from offences by individuals, the ICO has issued penalties for a variety of data breaches by organisations:
- Scottish Borders Council - whose former employees' pension records were found in an over-filled paper recycle bank in a supermarket car park - fined £250,000 for the data breach.
- NHS Surrey - after leaving 3,000 patient records on a computer subsequently sold online - fined £200,000.
- Greater Manchester Police - after the theft of a memory stick containing sensitive personal data from an officer's home - fined £150,000 for the data breach.
- Aberdeen City Council - after publishing sensitive material online, including details relating to the care of vulnerable children - fined £100,000.
- London Borough of Lewisham - after a social worker left sensitive documents in a plastic shopping bag on a train taking them home to work on - fined £70,000 for the data breach.

Since 2010 the Information Commissioner has handed out penalties totalling over £3 million to over 28 public sector organisations for breaking one or more of the 8 Data Protection principles, in particular relating to Information Security.

18 Ways of Avoiding Security Breaches

How can I stop security breaches and keep this Data Demon away?

Think of ways you could stop security breaches and note them down here:

Freedom of Information

Since 1st January 2005 all requests for information received by a public authority have had to be answered in accordance with the Freedom of Information Act. You must be familiar with the basics of the act as any employee may receive a request.

The access legislation is primarily about a culture change from "need to know" to "right to know". For public authorities it represents a balance between:
- Greater openness and transparency of decision making
- The need to protect information where disclosure would cause harm or otherwise be contrary to the public interest

19 Confidentiality

Please be aware that if you access or disclose any confidential data, which includes all personal data, held by the Council without appropriate authorisation, you could face both internal disciplinary action and criminal proceedings under the Data Protection and Computer Misuse Acts.

Confidentiality is wider than just personal data.

Recent Security Breaches

Examples of recent security breaches include:
- Unshredded confidential waste left in corridors for collection
- Visitors not being signed in entering a building
- Personal data being sent to the wrong recipient either via post or email
- Personal data being lost e.g. from a stolen laptop, memory stick or briefcase (never leave items on display in a parked car)
- Personal data left on a shared printer
- Last few pages of confidential document left on printer after it had run out of paper

20 Information Security Breaches

You have a responsibility to ensure that personal data is held securely and that confidentiality is respected and safeguarded. If you discover or commit an information security breach you should report it immediately to your line manager and ensure it is recorded on the online incident report form. You will find the Information Security Breach Reporting Tool on DNET.*

Using the reporting tool will support the identification of any weaknesses in our systems and working practices. The more examples that are recorded, the more it will help us to plan and implement preventative measures.

Inappropriate Use of Internet and Email

You are required to abide by the Council's E-mail and Internet Acceptable Use Policy. The use of social media is also covered by the Council policy and all employees are required to abide by the policy.

However, if you do accidentally access inappropriate material on the web, inform your line manager and complete the report "Accidental Misuse of E-mail or Internet".


More information

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013

Data Protection and Information Security. Procedure for reporting a breach of data security. April 2013 Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY [Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body

More information

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015

Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 Hampstead Parochial CofE Primary School Data Protection Policy Spring 2015 1. Introduction and Scope 1.1 The Data Protection Act 1998 is the law that protects personal privacy and applies to any school

More information

Somerset County Council - Data Protection Policy - Final

Somerset County Council - Data Protection Policy - Final Organisation Title Author Owner Protective Marking Somerset County Council Data Protection Policy - Final Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council

More information

Data Protection Guidance

Data Protection Guidance 53 September 2010 Management Circular No. 53 Glasgow City Council Education Services Wheatley House 25 Cochrane Street Merchant City GLASGOW G1 1HL To Heads of all Educational Establishments Data Protection

More information

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data

Data Protection and Information Security. Data Security - Guidelines for the use of Personal Data Data Protection and Information Data - Guidelines for the use of Personal Data Page 1 of 10 Created on: 21/06/2013 Contents 1. Introduction... 3 2. Definitions... 3 4. Physical... 4 5 Electronic... 6 6

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

Human Resources and Data Protection

Human Resources and Data Protection Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Data Protection Policy

Data Protection Policy 1 Data Protection Policy Version 1: June 2014 1 2 Contents 1. Introduction 3 2. Policy Statement 3 3. Purpose of the Data Protection Act 1998 3 4. The principles of the Data Protection Act 1998 4 5 The

More information

Highland Council Information Security Policy

Highland Council Information Security Policy Highland Council Information Security Policy Document Owner: Vicki Nairn, Head of Digital Transformation Page 1 of 16 Contents 1. Document Control... 4 Version History... 4 Document Authors... 4 Distribution...

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval

More information

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY CORPORATE POLICY Document Control Title Paper Records Secure Handling and Transit Policy Author Information Governance Manager ** Owner SIRO/CIARG Subject

More information

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk

Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk Rick Parsons Information Governance Officer County Hall 01865 323593 rick.parsons@oxfordshire.gov.uk 1 THE DATA PROTECTION ACT 1998 2 Requirements of the Act Roles & Responsibilities Best Practice 3 The

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format.

2. Scope 2.1 This policy covers all the activities and processes of the University that uses personal information in whatever format. University of Westminster Personal Data Protection Policy For Compliance with the Data Protection Act 1998 1. Background 1.1 The Data Protection Act 1998 (DPA) defines personal data as data and information

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK

INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK INFORMATION GOVERNANCE OPERATING POLICY & FRAMEWORK Log / Control Sheet Responsible Officer: Chief Finance Officer Clinical Lead: Dr J Parker, Caldicott Guardian Author: Associate IG Specialist, Yorkshire

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.

1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities. Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

Caedmon College Whitby

Caedmon College Whitby Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

Data Protection Procedures

Data Protection Procedures Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and

More information

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3

Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3 Paper 9 Non ASPH Trust Staff - DATA ACCESS REQUEST Page 1/3 Please ensure that all THREE pages of this contract are returned to: Information Governance Manager, Health Informatics, Chertsey House, St Peter

More information

Dublin City University

Dublin City University Dublin City University Data Protection Policy Data Protection Policy Contents Purpose... 1 Scope... 1 Data Protection Principles... 1 Disclosure of Personal Data... 2 Summary of Responsibilities... 3 Rights

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy REFERENCE NUMBER IG 010 / 0v3 February 2013 VERSION V1.0 APPROVING COMMITTEE & DATE Clinical Executive Committee 5.2.13 REVIEW DUE DATE February 2016 West Lancashire CCG is committed

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary

More information

INTERNATIONAL SOS. Data Protection Policy. Version 1.05

INTERNATIONAL SOS. Data Protection Policy. Version 1.05 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 Revised: 2015 All copyright in these materials are reserved to AEA

More information

Data and Information Security Policy

Data and Information Security Policy St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration

More information

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION The Data Protection Act 1998 (DPA) was passed in order to implement the EU Data Protection Directive (95/46/EC) and applies to all data relating to, and

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

A Mobile Phone and Camera Toolkit for Early Years Settings. Early Years Services April 2013 Version 1.0

A Mobile Phone and Camera Toolkit for Early Years Settings. Early Years Services April 2013 Version 1.0 A Mobile Phone and Camera Toolkit for Early Years Settings Early Years Services April 2013 Version 1.0 Contents 1.0 Introduction Who is the Toolkit for? 2.0 Mobile Phone Policy and Procedure 2.1 Aim 2.2

More information

Human Resources Policy No. HR46

Human Resources Policy No. HR46 Human Resources Policy No. HR46 Maintaining Personal Files and ESR Records Additionally refer to HR04 Verification of Professional Registration HR33 Recruitment and Selection HR34 Policy for Carrying Out

More information

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Version: 1.0 Date: October 2013 Table of Contents 1 Introduction The need for a Data Protection Policy... 3 2 Scope... 3 3 Principles... 3 4 Staff Roles & Responsibilities... 4 5

More information

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING Introduction and Policy Aim The Royal Borough of Windsor and Maidenhead (the Council) recognises the need to protect Council

More information

Guidance on data security breach management

Guidance on data security breach management ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...

More information

HAZELDENE LOWER SCHOOL

HAZELDENE LOWER SCHOOL HAZELDENE LOWER SCHOOL POLICY AND PROCEDURES FOR MONITORING EQUIPMENT AND APPROPRIATE ICT USE WRITTEN MARCH 2015 SIGNED HEADTEACHER SIGNED CHAIR OF GOVERNORS DATE.. DATE. TO BE REVIEWED SEPTEMBER 2016

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1 Protection of Personal Data RPC001147_EN_WB_L_1 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Responsibility of Employees

More information

CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH

CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH CORE SKILLS FRAMEWORK INFORMATION GOVERNANCE LESSON NOTES AND TIPS FOR A SUGGESTED APPROACH These notes are designed to be used in conjunction with the core training PowerPoint slides. The purpose of the

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

Information Management Handbook for Schools. Information Management Handbook for Schools London Borough of Barnet

Information Management Handbook for Schools. Information Management Handbook for Schools London Borough of Barnet Information Management Handbook for Schools London Borough of Barnet Document Name Document Description Information Management Handbook for Schools This document is intended for use by Barnet Borough Schools.

More information

Lord Chancellor s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000

Lord Chancellor s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 Lord Chancellor s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 Lord Chancellor s Code of Practice on the management of records issued under

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Primary Intranet Location Information Management & Governance Version Number Next Review Year Next Review Month 7.0 2018 January Current Author Phil Cottis Author s Job Title

More information

Photography and filming in schools Code of Practice

Photography and filming in schools Code of Practice Photography and filming in schools Code of Practice Data Protection compliance September 2010 Photography and filming in schools September 2010 1 Contents 1. About this code 3 2. Complying with the Data

More information

Summary Electronic Information Security Policy

Summary Electronic Information Security Policy University of Chichester Summary Electronic Information Security Policy 2015 Summary Electronic Information Security Policy Date of Issue 24 December 2015 Policy Owner Head of ICT, Strategy and Architecture

More information

Communications with the Public by Text and Social Media Policy London Borough of Barnet

Communications with the Public by Text and Social Media Policy London Borough of Barnet Communications with the Public by Text and Social Media Policy London Borough of Barnet POLICY NAME Document Description Communications with the public by text and social media policy. Policy which provides

More information

Good Practice in Records Management and Information Security

Good Practice in Records Management and Information Security Good Practice in Records Management and Information Security BELB LJ Schools 2013 How Valuable are Records & Documents? Valuable only because of the information they contain. Usable if they can be accessed

More information

How To Protect School Data From Harm

How To Protect School Data From Harm 43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:

More information

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19 Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility

More information

Islington Data Protection Policy. A council-wide information policy Version 1.1 June 2014

Islington Data Protection Policy. A council-wide information policy Version 1.1 June 2014 A council-wide information policy Version 1.1 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document is distributed under the Creative Commons Attribution 2.5 license.

More information

John Leggott College. Data Protection Policy. Introduction

John Leggott College. Data Protection Policy. Introduction John Leggott College Data Protection Policy Introduction The College needs to keep certain information about its employees, students and other users to allow it to monitor performance, achievements, and

More information

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK

INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic

More information

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers

IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy. Notification of Policy Release: Distribution by Communication Managers IM&T POLICY & PROCEDURE (IM&TPP 01) Anti-Virus Policy DOCUMENT INFORMATION Author: Vince Weldon Associate Director of IM&T Approval: Executive This document replaces: IM&T Policy No. 1 Anti Virus Version

More information

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014

Data Protection Avoiding Information Commissioner Fines. Caroline Egan 5 June 2014 Data Protection Avoiding Information Commissioner Fines Caroline Egan 5 June 2014 Why is data protection a hot topic in pensions? Pension schemes hold large amounts of personal data Individuals more aware

More information

Data Protection Policy

Data Protection Policy Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's

More information

Email Policy. Version: 1.1. Date ratified: February 2014 Name of originator /author (s): Responsible Committee / individual:

Email Policy. Version: 1.1. Date ratified: February 2014 Name of originator /author (s): Responsible Committee / individual: Version: 1.1 Ratified by: NHS Bury CCG IM&T Steering Group Date ratified: February 2014 Name of originator /author (s): Responsible Committee / individual: Greater Manchester CSU - IT Department NHS Bury

More information

Data protection. Report on the data protection guidance we gave schools in 2012

Data protection. Report on the data protection guidance we gave schools in 2012 Data protection Report on the data protection guidance we gave schools in 2012 Contents 1. Background 2. Summary of recommendations 3. tification 4. Personal data 5. Fair processing 6. Information security

More information

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity

Career Connection, Inc. Data Privacy. Bringing Talent Together With Opportunity Career Connection, Inc. Data Privacy Objectives This course is intended for CCI employees. The course gives guidance on data privacy concepts and describes how data privacy is relevant when delivering

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information