Upload
jeffrey-herbison
View
214
Download
0
Tags:
Embed Size (px)
Citation preview
Slide 1
Wednesday, 3 July 2013Sir George Monoux College
Data Protection: Data Protection: What You Need to KnowWhat You Need to Know
Slide 2
Hi!• Jason Miles-Campbell
JISC Legal Service Manager• jason.miles-campbell
@jisclegal.ac.uk• 0141 548 4939• www.jisclegal.ac.uk
Slide 3
Slide 4
Law, ICT and Data ProtectionLaw, ICT and Data Protection
Slide 5
Have you heard of JISC Legal before?
1. 2. 3. 4. 5.
5%10%
62%
19%
5%
1. Hello again, Jason2. Yes, fairly often3. Yes, used occasionally4. Vague acquaintance5. What’s that, then?
Slide 6
When it comes to data protection...
1. 2. 3. 4. 5.
14%
62%
0%
10%14%
1. I’m confident2. I’ve a fair idea3. I dabble4. I ask others5. I hide in the toilet
Slide 7 7
www.ico.gov.uk
Data Protection Act 1998
Slide 8
Why Comply?
1. It’s the law2. Good business practice 3. Sets a good example 4. Confidence 5. Risk (id theft)
1. 2. 3. 4. 5.
84%
5% 5%5%0%
Slide 9 99
Data Protection Essentials
“Data protection ..regimes…do not seek to protect data itself, rather they seek to provide the individual with a degree of control over the use of their personal data”
“data privacy regimes do not seek to cut off the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable, fashion”
Source: DP Code of Practice for FE and HE
i.e. Data Protection law does not prevent using and sharing personal data but ..
Criminal Justice and Immigration Act 2008 – gives ICO power to impose fines direct for serious security breaches
Slide 10 10
Understanding Your Duties
• Data Subject
• Data Controller
• Data Processor
• Processing
Slide 11 11
What is Personal Data?
• Any information which relates to an
identified or identifiable person
• Living persons
• Must be significant biographical
information which affects privacy
• Sensitive personal data
Slide 12
The Age of Data Protection
1. From birth2. From age 53. From age 124. From age 165. From age 18
1. 2. 3. 4. 5.
86%
10%5%
0%0%
From what age does DP apply to protect someone?
Slide 13
1: fair and lawful2: limited purposes3: adequate, relevant and not excessive4: accurate and current5: no kept longer than necessary6: respect the rights of the individual7: appropriate security8: transfer outside EEA needs adequate protection
The Eight DP PrinciplesThe Eight DP Principles
Slide 14 14
Fair and Lawful Processing
Fair processing –
• A processing notice – transparency
• Weighing up interests v privacy
• Would you be happy?
Slide 15 15
Fair and Lawful Processing
Lawful processing -To process, a Schedule 2 condition must be met:• Consent• Legitimate interest of the data controller• Fulfilment of a contractual obligationMore stringent conditions for ‘sensitive’
personal data
Slide 16
The Age of Data Protection
1. From birth2. From age 53. From age 124. From age 165. From age 18
1. 2. 3. 4. 5.
8%
0%
25%
58%
8%
From what age can someone give DP consent?
Slide 17
Security Situations
1. At your desk2. On your laptop3. On your mobile phone4. On the train5. At home
1. 2. 3. 4. 5.
38%
31%
19%
0%
13%
Where are the greatest security risks?
Slide 18 18
Appropriate Security
Your PCYour laptop
Your mobile phoneYour IT infrastructure / VLE
Your deskYour rubbish
Slide 19
When handling personal data in your role:
1. Purpose: why are you collecting personal data,
2. Fairness: is the reason fair to the data subject and
3. Transparency: does the data subject know about it
4. Security: at an appropriate level of security
Important PointsImportant Points
Slide 20
Some Scenarios……..
Over to youOver to you
Slide 21
A parent asks for information on her son’s progress. Do you…
1. 2. 3. 4.
0%
100%
0%0%
1. Supply it - nothing wrong in doing this
2. Supply it – he is under 183. Withhold it as she should never
access it4. Withhold it until you have
consent of her son
Slide 22
The police ask for information on one of your students. Do you…
1. 2. 3.
0% 0%0%
1. Supply it because it’s the police2. Supply it only when you know
what it’s for and think it is relevant information to the investigation
3. Never supply it
Slide 23
A student asks his tutor if he can see the reference the tutor wrote for him. Do you
1. 2. 3.
0% 0%0%
1. Say no - he has no right to see it under DPA
2. Say yes – he is entitled under DPA to see it
3. Not sure so seek help before replying
Slide 24
The College decides to retain all emails for a period of 10 years. Is this in line with
the DPA?
1. 2. 3. 4.
0% 0%0%0%
1. Yes2. No3. Maybe4. Can I phone a friend?
Slide 25
A member of staff clicks the wrong email group and instead of sending to relevant tutors, sends info
relating to student health issues to other students.
1. 2. 3.
0% 0%0%
1. The College is liable for the breach2. There is no liability, it was an
accident, not deliberate3. The member of staff is liable
not the College
Slide 26
What security should be on mobile devices holding personal data?
1. 2. 3.
0% 0%0%
1. Password protection and encryption
2. None as only used on College premises
3. It depends on the type of information
Slide 27
• Where the DP policy is, how to access it and its contents
• Have awareness of DP and how it may affect students, staff etc.
• That what you’re doing is covered by the data protection notice to students, staff etc.
• How to store/share personal information on and off campus
• How to keep personal information secure(mobiles, social networking)
• Where to get help
What should you know?What should you know?
Slide 28
Sources of help Sources of help
• Your institution’s DP officer• Your institutional policies and procedures• [email protected] and www.jisclegal.ac.uk
(code of practice)
Slide 29
Next steps?
1. 2. 3. 4. 5. 6.
0% 0% 0%0%0%0%
1. Go back and say well done!2. Start a conversation with
management3. Re-write a few policies4. Monitor what’s in place already5. Get further support6. Point at someone else and say
‘his problem!’ or ‘her problem!’
Slide 30 [email protected]
0141 548 4939
Questions and Follow UpQuestions and Follow Up
http://jiscleg.al/sgm3pm Friday