How To Understand The Data Protection Act

Transcription

1 Data Protection in Schools Ian Gover Education Technology Adviser Somerset LA All materials are copyright or licensed and cannot be used without permission

2 Day supported by Slides: Links: WEict - Conference on 2nd July at UWE Twitter Feed #weict15 Angie Mason - Learning Exchange Val Hurley - e-safety consultant

3 Objectives Delegates will: learn about the Data Protection Act and how it affects their school explore the challenges that face schools now and in the future especially in regard to cloud services and mobile devices learn how they can deal with Freedom of Information requests and Subject Access Requests explore the schools statutory obligations regarding the protection of data begin to develop policies and procedures to support Data Protection and Information Security throughout a school explore the training requirements needed for all staff

4 Timing of the day 9.10 Arrival and registration 9.30 Introduction 9.40 What is the Data Protection Act and how does it affect Schools? Group Discussion What do I understand? Where is my school? Coffee Freedom of Information and Subject Access requests policy to practice The trouble with tablets, cloud services and s 1.00 Lunch 1.45 Scenarios - looking at some solutions 2.30 Training for all - what resources are there for schools 3.00 Policies and Procedures a practical session 4.00 Plenary 4.20 Finish

5 Activity Introducing myself...

6 Activity Answers 1. What does ICO stand for? Information Commissioner s Office 2. How many data principles are there? Eight 3. What is encryption? Encryption means to scramble data in such a way that only someone with the secret code or key can read it. 4. How often should you change your password? Advice differs but every days is a general rule, more often for administrators of systems. More importantly is having a strong password of at least 8 digits long with a mixture of upper/lower case, numbers and characters.

7 Activity Answers 5. What is FoI? Freedom of Information 6. What is a Privacy Notice? A Privacy Notice is a statement required by law that is issued to parents and staff about the way the school their your information. 7. What is personal data? Personal data means data which relate to a living individual that can be identified that if lost or mislaid could cause harm or distress. 8. What is sensitive personal data? Sensitive Personal Data consists of personal data that includes information of racial or ethnic origin political opinions, religious beliefs or similar, membership of Trade Unions, physical or mental health condition, sexual life, commission or alleged commission of any offence, any proceedings or sentencing of an offence or alleged offence.

8 Dippy vs Elmer Dippy the DP duck - representing effective and manageable security practice in schools Elmer Fud Duck - representing Fear, Uncertainty and Doubt

9 The Data Protection Act The Data Protection Act 1998 (DPA) is an Act of Parliament of the United Kingdom of Great Britain and Northern Ireland which defines UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. Although the Act itself does not mention privacy, it was enacted to bring British law into line with the EU data protection directive of 1995 which required Member States to protect people's fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data. In practice it provides a way for individuals to control information about themselves. Most of the Act does not apply to domestic use, for example keeping a personal address book. Anyone holding personal data for other purposes is legally obliged to comply with this Act, subject to some exemptions. The Act defines eight data protection principles. It also requires companies and individuals to keep personal information to themselves.

10 The Data Protection Act

11 The Data Protection Act

12 The Data Protection Act

13 The Data Protection Act

14 The Data Protection Act

15 The Data Protection Act

16 The Data Protection Act

17 DP Point for schools The act relates to data held about a living identifiable individual (Data Subject) no matter what age! Schools act as Data Controllers

18 The DPA 8 Principles 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. 2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4. Personal data shall be accurate and, where necessary, kept up to date. 5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. 7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

19 Principle 1 Fairly and Lawfully 1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

20 Schedule 2 - any Personal data may be processed: with the consent of the data subject to establish or perform a contract with the data subject to comply with a legal obligation to protect the vital interests of the data subject for the exercise of certain functions of a public interest nature for the legitimate interests of the data controller unless outweighed by the interests of the data subject.

21 Schedule 3 - sensitive Sensitive personal data may be processed: with the explicit consent of the data subject to perform any right or obligation under employment law to protect the vital interests of the data subject or another person for the legitimate activities of certain not-for-profit bodies when the data have been made public by the data subject in connection with legal proceedings for the exercise of certain functions of a public interest nature for medical purposes for equal opportunity ethnic monitoring.

22 Principle 1 Fairly and Lawfully This is the first data protection principle. In practice, it means that you must: have legitimate grounds for collecting and using the personal data; not use the data in ways that have unjustified adverse effects on the individuals concerned; be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data; handle people s personal data only in ways they would reasonably expect; and make sure you do not do anything unlawful with the data.

23 DP Point for schools There are two types of personal data. Can we think of unjustified adverse effects? Privacy Notices for all including workforce

24 Principle 2 - Purposes 2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

25 Principle 2 - Purpose In practice, the second data protection principle means that you must: be clear from the outset about why you are collecting personal data and what you intend to do with it; comply with the Act s fair processing requirements including the duty to give privacy notices to individuals when collecting their personal data; comply with what the Act says about notifying the Information Commissioner; and ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

26 DP Point for schools You must state why you are collecting the data and what you intend to do with it You must issue Privacy Notices to learners and staff You must inform ICO of Data breaches Are new uses of data fair?

27 Principle 3 - adequacy 3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

28 Principle 3 - adequacy This is the third data protection principle. In practice, it means you should ensure that: you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and you do not hold more information than you need for that purpose.

29 DP Point for schools You are allowed to hold personal data that is sufficient to be a school. You must think of why you are asking for the data? What is the minimum data you require? Do you delete old and excessive data?

30 Principle 4 - accuracy 4 Personal data shall be accurate and, where necessary, kept up to date.

31 Principle 4 - accuracy To comply with these provisions you should: take reasonable steps to ensure the accuracy of any personal data you obtain; ensure that the source of any personal data is clear; carefully consider any challenges to the accuracy of information; and consider whether it is necessary to update the information.

32 DP Point for schools How do you chase those people that are late with returning forms? Do you check staff details?

33 Principle 5 - retention 5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

34 Principle 5 - retention This is the fifth data protection principle. In practice, it means that you will need to: review the length of time you keep personal data; consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it; securely delete information that is no longer needed for this purpose or these purposes; and update, archive or securely delete information if it goes out of date.

35 DP Point for schools The Act does not set minimum or maximum times for retention IRMS guidance What does securely delete mean in practice? How does this apply to hard drives?

36 Principle 6 - rights 6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

37 Principle 6 - rights This is the sixth data protection principle, and the rights of individuals that it refers to are: a right of access to a copy of the information comprised in their personal data; a right to object to processing that is likely to cause or is causing damage or distress; a right to prevent processing for direct marketing; a right to object to decisions being taken by automated means; a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and a right to claim compensation for damages caused by a breach of the Act.

38 DP Point for schools Who has the right to see the data? What is an individual entitled to? told whether any personal data is being processed; given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; given a copy of the information comprising the data; and given details of the source of the data (where this is available).

39 DP Point for schools Who owns the data? What exemptions are there? School records will not be disclosed if: the record would give information about another pupil the record holder believes that disclosure would cause serious harm to the pupil in question or to someone else the record holder believes the record is relevant to whether the pupil is at risk of child abuse or has been a victim of child abuse.

40 Principle 7 - security 7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

41 Principle 7 - security This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to: design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach; be clear about who in your organisation is responsible for ensuring information security; make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and be ready to respond to any breach of security swiftly and effectively.

42 DP Point for schools Security refers to procedures as well as physical guards. Who is responsible for Information Security at your school? As Data Controllers you have the final say in the security of your data not your tech support. Have your tech support practised getting the system working again after a systems failure.

43 DP Point for schools The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information. Are you laptops and memory sticks encrypted?

44 Principle 8 - international 8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

45 DP Point for schools Where could the school personal data be stored outside of the EU? What is Cloud storage?

46 Why worry

47 Why worry - ICO Number of breaches in Education in 2014 Q1 Q2 Q3 Q4 Overall

48 Why worry

49 EU General Data New regulations end of this year 2 years to change More control Easier to access No matter where it is sent EU seal of approval five year certification

50 ICO Video (YouTube)

51 Group Discussion What do I understand? Where is my school?

52 Freedom of Information "Openness is fundamental to the political health of a modern state. This White Paper marks a watershed in the relationship between the government and people of the United Kingdom. At last there is a government ready to trust the people with a legal right to information. Published by 1997 to 2001 Labour Government

53 Freedom of Information Tony Blair s Views

54 Freedom of Information "Freedom of Information Act. Three harmless words. I look at those words as I write them, and feel like shaking my head 'til it drops off. You idiot. You naive, foolish, irresponsible nincompoop. There is really no description of stupidity, no matter how vivid, that is adequate. I quake at the imbecility of it. Tony Blair

55 Freedom of Information Covers all policies, procedures, decision making process - any recorded information Environmental Information Regulations cover recycling, fuel use, car parking etc

56 Freedom of Information Theory: Better decisions Strengthening democracy Better public services Openness and accountability Reality: Requests- not looking for the good we do Parents with a grievance Press looking for a story

57 ICO Tick Tock

58 FoI Your Responsibilities To deal with requests - legal duty to assist applicants and to inform on charging/how to appeal etc. To consider 'the public interest' when making information available. To explain why - information is not being released. Act gives a legal right to access information we can t insist on knowing why the applicant is making the request!

59 Freedom of Information What can be dealt with as 'normal course of business'? Publish as much as you can make it easy why hide policies why hide results available on other sites Have a system to deal with enquiries

60 FoI v Subject Access Request What are the differences?

61 FoI v Subject Access Request FoI Must be made in writing ( ) Environmental can be verbal 20 working days There can be a charge for photocopying or postage SAR Must be made in writing ( ) 40 working days 10 Maximum fee

62 Group discussion - Process Depends on size of school What is the process at your school? What needs to be recorded? Do you keep a log?

63 'What do they know' site

64 The trouble with progress

65 The trouble with progress.. 'Anything that gets invented after you re thirty is against the natural order of things and the beginning of the end of civilisation as we know it until it s been around for about ten years when it gradually turns out to be alright really.' Douglas Adams

66 Make a list of. The technology that you had in your house in 2005 This is the year that the first videoto YouTube was posted Best selling mobile phone was Nokia 1110 it made phone calls

67 Make a list of. The technology that you have in your house today? What are the differences?

68 What could the problems if teachers use... Think of a possible Data Protection breech. Think of a safeguarding issue. How could they be prevented?

69 What could the problems if teachers use... Mobile phones/tablets to access school Their own personal computers/tablets Smart watches Wearable cameras Drones Tablets to video class behaviour Apps on tablets such as Class Dojo Cloud services such as Edmodo Twitter, Facebook, Blogs on school trips

70 The schools' responsibility As Data Controllers the school has the rights and responsibility to inform staff and others how they can use personal data that belongs to the school. You can make demands! You can create procedures! You should must training!

71 Lunch

72 Data Protection and Freedom of Information Scenarios

73 Scenario 1 Child Moving School You are the head of a small primary school. A child who attended your school has just moved into another school. The parents thought that their child had special educational needs and had made extensive efforts to get her classed as such. The reason for the move is that the parents feel that they had exhausted the possibilities at your school. The child s personal folder includes many reports from outside experts and also comments about her behavior from many of your staff. There are also some comments about the parents themselves and their forceful nature. In fact during the discussions the parents did mention that they were prepared to take the school to court if they did not get the support they thought was necessary. The new school has asked for the pupils record. What are your next steps?

74 Scenario 2 Home tuition asking for information. You are the head of a small secondary school. A 12 year old boy has just left your school to be tutored at home by their grandparent. The grandparent has phoned the school quoting the Freedom of Information law requesting to see the child s educational record. What are your next steps?

75 Scenario 3 Teachers leaving personal data out on desks You are the head of a large community primary school. You have come into school early for a governors meeting. As always there are people from the community using the classrooms and today it is weightwatchers. Normally they occupy the hall but this is having its floor polished so they are using a classroom. You notice that one of the people attending weightwatchers is a difficult parent and he is going to the classroom that his daughter studies. As you go to the room where your meeting is held you notice that the teacher has left her mark book behind on her desk. You also notice that her lesson plan folders with Schemes of Work are on the shelves around the room. What do you do next?

76 Scenario 4 Teacher personal equipment You are the head of a large secondary school. A parent has contacted the school stating that they have just purchased a secondhand phone from a teacher. They are contacting you because the phone was not wiped of contacts, downloads and pictures. What are your next steps?

77 Scenario 5 Teachers salaries You are the head of a large federation of 5 schools. Ofsted has just inspected a couple of the schools in your federation, with one being placed in special measures and another requiring improvement. In both inspections there were some negative comments about Leadership and Management. You receive an , which you think has come from a local reporter, asking for a list of the salaries of all your staff. The does not mention Freedom of Information and you are sure that it is for an article that will put the federation in poor light. What are your next steps?

78 Training Where can I find training materials? Who should I train?

79 ICO Data Day Hygiene

80 Staff Training Who should I train? Who should lead the training? When should I train? How should I train?

81 Policies and Procedures Use the checklist What does your school do well? Celebrate Where are the gaps in the provision? Look at the SWGfL sample policy What does your school policy cover? Celebrate Where are the gaps?

82 Plenary Be a swan - glide don't drown Your interest in coming today is the first step List the things that you think you must do. Use the Evaluation sheet to guide you. Prioritise the activities

83 Plenary - The end Whatever you have been doing has been okay Identify someone to take a lead Make improvements one flipper movement at a time

84 Contacts In case of data breach where do you go for support and advice? In the case of policies or procedures where do you go for advice?

85 Thanks blog