Access to Information: Data Protection and Freedom of Information



Records Management Section

Data protection: key concepts
- Personal data
- Sensitive personal data
- Data subjects
- Data protection principles

www.ed.ac.uk/records-management

Personal data
Day-to-day definition: Any information about an identifiable, living individual, regardless of the format, e.g.:
- CCTV footage
- Computer data
- Paper files
- Disorganised notes
Detailed definition: http://www.ed.ac.uk/schools-departments/records-management-section/data-protection/what-isit/definitions/personal-data

Sensitive personal data
- Racial or ethnic origins
- Political opinions
- Religious beliefs
- Trade union membership
- Physical or mental health
- Sex life
- Commission, or alleged commission, of any offence
- Proceedings for any offence and outcomes

Data subjects
An individual who is the subject of personal data. E.g.:
- Students
- Applicants
- Staff
- Research participants
- Customers

Data protection principles
1. Fair and lawful processing
2. No incompatible processing
3. Adequate, relevant and not excessive data
4. Accurate and up-to-date data
5. Data kept for no longer than necessary
6. Processed in accordance with the rights of the data subject
7. Security
8. No transfers outside the EEA

What happens if we get it wrong?
- Fraud, identity theft, distress
- Damage to relationships and research access
- Reputational damage
- Investigated by the Information Commissioner
- The University can be fined up to £500,000
- The University can be sued
- Personal criminal offences
  - Unauthorised disclosure
  - Destruction of information required for a request
  - Processing without notification

[News headline: "Optical Express slapped over spam text nuisance"]

When can we be fined? (1)
Serious contravention of the data protection principles by the University or someone acting for it
- Nature of the information
- Number of people involved
- Duration of the breach
- Extent of the breach
For example:
- Loss of medical records during office move
- Loss of CD in absence of encryption facilities, procedures, guidance etc.

When can we be fined? (2)
AND likely to cause substantial damage or substantial distress
For example:
- Inaccurate information in an employment reference
- Exposure to identity fraud
- Worry and anxiety

When can we be fined? (3)
AND either:
- The breach was deliberate
  - E.g. collecting information for one stated purpose and using it for another
- OR must have known or should have known of the risk and failed to take reasonable steps to prevent it
  - E.g. knowing that staff are using sensitive information on laptops and failing to encrypt them

What are reasonable steps?
- Risk assessment
- Relevant and appropriate policies, procedures, processes, advice and guidance in place and being followed
- Governance and audit arrangements in place to prevent contraventions
- Rectifying flaws as soon as they are identified

Data protection: what you must do
1. Respond to subject access requests within 40 calendar days
2. Tell individuals what you do with information about them
3. Keep personal data securely
4. If you pass data outwith the University, follow the policies and procedures, e.g.
   - Model contract clauses
   - Student information
   - Internet publishing
   - Staff information
5. Use University retention schedules and disposal guidance

Subject access requests
- 40 calendar days to respond
- £10 statutory fee
- Co-ordinated by practitioners and Records Management Section
- Ensure you are not the only person with access to any records
- Use shared drives
- Don't keep unnecessary records
- Be aware that people can ask to see any record
- Procedures at: http://www.ed.ac.uk/schools-departments/records-management-section/data-protection/subject-access-requests

Collecting personal data
- Tell data subjects what you do with personal data
  - Privacy notice
- Only use personal data for the purpose it was collected
- Meet the processing conditions, e.g.:
  - Consent
  - In pursuit of legitimate interests and does not cause unwarranted prejudice to the data subject
  - More stringent conditions for sensitive personal data
- Only keep relevant and accurate personal data
- Marketing

Marketing: privacy and electronic communications regulations (PECR)
Direct marketing: The communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. Marketing is not just the offer for sale of goods and services, but also the promotion of an organisation's aims and ideals.
Collecting contact details for direct marketing:
1. Obtain positive opt-in before sending any messages
   - Think about form design for collecting contact details and opt-ins
2. Provide privacy notice
   - Type of marketing materials you intend to send
   - How you intend to contact recipients
   - Clear opt-out opportunities

Sending direct marketing communications
- Clearly identify the sender
- Traditional letters and telephone calls
  - Screen against the MPS/TPS register
  - Screen against our suppression list
  - Provide a valid address or free phone number to opt-out of further letters and calls
- Email, SMS, voicemail / answer phone messages
  - Obtain opt-in before sending any messages (unless soft opt-in applies)
  - Provide an opt-out on each message

Patients' medical histories stored on stolen laptop
"A LAPTOP containing personal details of scores of NHS patients is one of nearly 200 computers either stolen or missing from public bodies in the Lothians. The computer held "extensive" data on the psychiatric and personal histories of participants in a medical study, as well as information on whether they had suffered physical or sexual abuse."
Edinburgh Evening News, 25 February 2008

University Policy on taking sensitive information and personal data outside the secure computing environment
All medium and high risk personal data or sensitive business information must be encrypted if it leaves the University environment
http://www.ed.ac.uk/schools-departments/records-management-section/data-protection/guidance-policies/encrypting-sensitivedata

Classification of risk

                              5-9          10-50        50-1000      > 1000
                              Individuals  Individuals  Individuals  Individuals
Sensitive personal data       Medium       High         High         High
Fraud or identity theft data  Low          Medium       Medium       High
Identifiable individual       Low          Low          Medium       High

High risk personal data and business information
- Any set of data relating to 1000+ individuals
- Information about 50+ individuals that could be used for fraud or identity theft
- Information about personal/family lives of 50+ individuals
- Proposals having a significant impact on 50+ individuals
- Sensitive personal data relating to 10+ individuals
- Health records of any identifiable person
- Security arrangements (whilst still relevant)
- Changes to high profile strategies, policies and procedures

Medium risk personal data and business information
- Information relating to identifiable research participants
- Sensitive personal data relating to 1-9 individuals
- Information about personal/family lives of 10-49 individuals
- Information about 10-49 individuals that could be used for fraud or identity theft
- Any set of data relating to 50-999 individuals
- Information provided in confidence
- Information that could disadvantage the University's negotiations
- Proposals having a significant impact on 10-49 individuals

Key Principles
1. Avoid using personal data wherever possible
2. Anonymise
3. Use secure shared drive
4. Use remote access facilities
5. If cannot avoid using a mobile device, encrypt
6. Do not use personal equipment or third party hosting services
7. Avoid email
   - Encrypt
   - Indicate content in title
8. Do not use in public places
9. Take physical security measures
10. Implement University retention and disposal policies

What do you need to do?
- Comply with policy
- Follow guidance
- Use recommended USB stick
- Encrypt laptops
- Take sensible precautions
- Passwords, autolocking
- Log out
- Destroy, don't recycle
- Know your software
- Get to know the IT Security website: http://www.ed.ac.uk/is/security

Model contract clauses
Why?
- It is a legal requirement
- We are responsible for our contractors' / suppliers' use of personal data
- If things go wrong, the buck stops with the University
How?
- Cover data protection requirements in the contract
- Use the appropriate model clauses
- Procedures at: http://www.ed.ac.uk/schools-departments/records-management-section/data-protection/guidance-policies/transferring-data/overview

Disclosing student information
- Information about students is confidential
- Disclose only in line with policy/procedures or on decision of relevant head of department
- Decision is the responsibility of the owner of the data/function
- Immigration Service
- Embassies and high commissions
- Parents have no entitlement to information
- Do not confirm or deny that someone is a student
- Tell the student
- Procedures at: http://www.ed.ac.uk/schools-departments/records-management-section/data-protection/guidance-policies/student-information

When can I disclose?
- To the student or their representative
- With student's consent
- To University staff for declared purposes
- Disclosure is required by law e.g. immigration
- Confirm identity of enquirer
- Check the law
- For the prevention or detection of crime
- Usually Registry
- Not a fishing exercise
- Serious offence
- Get the relevant paperwork
- Fraud
- Forward the case to Registry

Internet publishing
- Before publishing get consent
- Written or verbal consent?
- Appropriate to the risk
- Allow individuals to manage publication themselves?
- Ensure information can be quickly removed
- Procedures at: http://www.ed.ac.uk/schools-departments/records-management-section/data-protection/guidance-policies/publish-personal-data

Disclosing staff information
- Information about staff is confidential
- Enquiries for information should be handled in line with policy/procedures or on decision of relevant head of section
- Do not confirm or deny that someone is a member of staff unless the information is publicly available
- If in doubt do not disclose the information and seek advice from the Records Management Section
- Model letters are available
- Procedures at: http://www.ed.ac.uk/schools-departments/records-management-section/data-protection/guidance-policies/staff-information

When can I disclose?
- With the staff member's consent
- Disclosure required by law e.g. HESA, UKBA
- For the prevention and detection of crime
- Non-disclosure would prejudice interests
- Necessary to protect from fraud or misrepresentation
- To University staff for declared purposes
- Media enquiries
- Freedom of information requests

Implications for research
- If promising confidentiality, be specific
- If using personal data, two options:
  - Completely anonymise the data, or
  - Comply with the Data Protection Act
- Collect only what you need
- Inform data subjects what you intend to do with the data
- Keep and dispose of data securely
- Identify and implement retention policy for research data

Implications for teaching
- Do not collect unnecessary student information
- Don't share student info outwith the University
- Use remote access facilities, don't store student information at home or elsewhere
- Take care where you access and use student info

Freedom of information: principal requirements
[Chart: Ten years of FOI requests, by year]
- Individual requests
  - Received 440 requests in 2014
  - Popular topics: expenses, salaries, finance/investments, student population and conduct
- Publication scheme
  - Must keep up-to-date
  - Must publish in line with obligations
  - www.pubs.recordsmanagement.ed.ac.uk
- Records management
  - Helps to find information

Individual requests
- Anyone, anywhere can ask for anything held by the University
- Any question to any member of staff counts
- They do not have to cite freedom of information
- Includes information created by other organisations
- Cannot ask why they want to know
- Duty to provide advice and assistance
- Maximum of 20 working days to respond
- Must provide information or claim an exemption
- Exemptions are narrowly drawn

Relevant exemptions
- Information otherwise accessible
- Research information
- Commercial interests
- Trade secret
- Actionable breach of confidence
- Breach of the data protection principles
- Effective conduct of public affairs
BUT: Exemptions are narrow and subject to the public interest test

*Not* exemptions
- I don't like / don't trust the applicant
- I'm too busy
- I don't know
- I can't find the information easily
- It's embarrassing
- It looks bad
- It is bad

Good records management
1. Helps you to do your job better
2. Protects you and the University
3. Saves you time
4. Reduces costs
5. Gives you records you can rely on

- Creating records
- Organising records
- Retention and disposal
- Managing email
- Dos and don'ts

Creating records
- Consider the purpose of the record
- Ensure that the record fulfils its purpose
- Do not create records unnecessarily
- Document the University's activities
- Be sure of the facts
- Provide evidence
- Is it about an identifiable, living individual?
- Ensure that the information is relevant, accurate and not excessive
- Guidance at: http://www.ed.ac.uk/schools-departments/records-management-section/freedom-of-information/guidance-policies/creating-records

Organising records
- Create files
  - Containing information on the same issues/ responsibility/ transaction
  - Designate a single, lead file or golden copy
- Storage of records
  - Accessible to all relevant staff
- Format: paper, electronic, microfilm, etc.
  - Irrespective of the format, use the same records management principles

Filing Scheme
[Diagram: An example of an electronic filing scheme]
4 level hierarchy:
- Level 1 = broad categories
- Levels 2-3 = more refined categories
- Level 4 = folders to file your records
Only file records at level 4

How long should we keep records?
- Ask your practitioner about your unit's local retention schedule
- See Records Management Section advice:
  - University retention schedules: http://www.ed.ac.uk/schools-departments/records-management-section/records-management/staff-guidance/retention-schedules/overview
- Disposal: destruction or transfer to archive
  - Risk assessment
  - Procedures: http://www.ed.ac.uk/schools-departments/records-management-section/records-management/staff-guidance/general/disposing-records

Creating a retention schedule
- Duplicate records vs. golden copies
- Legal or regulatory requirements?
- Current business processes
- Document business processes/ decisions taken/ actions carried out for future reference
- Accountability purposes?
- Long-term research value?
- http://www.ed.ac.uk/schools-departments/records-management-section/records-management/staff-guidance/university-archives

Managing email
Issues to consider:
- Work emails are University documents
- Work emails may be open to scrutiny
- Email is not secure
Recommended management techniques:
- File important emails so that they are accessible to others
- Delete unwanted emails
- When replying, keep the original text as part of your response
- Set up a separate folder for personal emails
Guidance at: http://www.ed.ac.uk/schools-departments/records-management-section/records-management/staff-guidance/general/managing-youremail

Records Management Best Practice
Do:
- Organise your records into files
- Store records in such a way that any other user can readily find relevant information
- Ensure that work done at home is added into your unit's records systems
- Mark personal material clearly as such
- Remember every email is a University record
- Store important email information with the relevant file(s)

Records Management Best Practice
Don't:
- Keep records for any longer than they are needed
- Keep files that duplicate information held elsewhere in your unit (except to meet short-term operational requirements)
- Keep University records on personal drives, unless it is highly confidential
- Keep sensitive University information on your home computer
- Store information on your c: drive
- Name folders on shared drives after yourself

What does freedom of information mean for you?
- Use the procedures available to answer requests

What does freedom of information mean for you? (1)
- Any request for information must be answered in 20 working days
- Follow the procedures to avoid complications: http://www.ed.ac.uk/records-management/handling-foi-requests
- Keep a record of what you did
- Contact your local practitioner:
  - If in doubt
  - To refuse a request
  - When it is not in your remit to release this information

What does freedom of information mean for you? (2)
- All documents & e-mails may be open to scrutiny
- Create clear and professional information
- Encourage use of Internet
- Make sure someone can find your information in your absence
- Preserve & share key information
- Delete unnecessary information

Enforcement
- Complain to the Scottish Information Commissioner
- Personal criminal offence
  - Destruction of information required for a request
- Contempt of court

Advice and assistance
- Your local practitioner: http://www.ed.ac.uk/records-management/foipractitioners
- The Records Management Section
  - recordsmanagement@ed.ac.uk
  - http://www.ed.ac.uk/records-management
  - 0131 651 4099

Questions?