Transcript of Data Protection Paul Smallcombe

Page 1

Data Protection

Paul Smallcombe

Page 2

Page 3

Today’s session

What you need to know:

• What personal and sensitive personal data are

• Overview of DP Act and some of the DP Principles

• Your responsibilities

• Some work-based examples to give context

Page 4

Data Protection Act 1998

• Came in to force March 2000

• Replaces 1984 Act

• Concerns data relating to living individuals

Page 5

What is personal data?

• Data which relate to a living individual who can be identified from such data, or from such data and other information which is or is likely to be in the possession of the data controller, and which are in electronic form or held manually in a relevant filing system

E.g. name, address, date of birth, marital status, for whom you work etc.

Page 6

What is sensitive personal data?

• Personal data consisting of information on:

– racial or ethnic origin

– political opinions

– religious or similar beliefs

– trade union details

– health data

– sexual life data

– offences or alleged offences

– court proceedings

Page 7

What is not included?

Data Protection Act does NOT cover:

• Information about the deceased

• Aggregated data

• Anonymised data

Page 8

Roles

• A “data controller” is a person or organisation that (alone or with others) determines the purposes for which and the manner in which personal data will be processed, i.e. QMUL…and you!

• A “data processor” is any person or organisation (other than an employee of the data controller) who processes personal data on behalf of the data controller

• A “data subject” is a person about whom the data is held

Page 9

The Principles

1. Data must be fairly and lawfully processed with the (express) consent of the individual

2. Data may only be obtained for specified lawful purposes, and may not be further processed in any manner incompatible with that purpose

3. Data must be adequate, relevant, and not excessive in relation to the purpose(s) for which it is collected

4. Data must be accurate and, where necessary, kept up to date

5. Data must not be kept longer than necessary

6. Data must be processed in accordance with rights of data subjects (right to inspect and correct data)

7. Security measures must be taken against unauthorised or unlawful processing, and against accidental loss, destruction, or damage of data

8. Data must not be transferred outside EEA unless recipient country provides adequate data protection

Page 10

The First Principle

“Personal data shall be processed fairly and lawfully”

• Consent

• Explicit consent - sensitive personal data

Higher incidence of student appeals nowadays – don’t give them more ammunition!

Page 11

The Second Principle

“personal data shall be obtained only for a specified and lawful purpose, and must not be processed in a manner incompatible with that purpose (i.e. must be no “further processing”)”

• We should only collect data for the reasons which are covered by our Notification with ICO

• We must not use the data later for an entirely different/new purpose unless permitted by the DPA

Page 12

The Sixth Principle

Individuals have a right to:

• have inaccurate information corrected

• stop the College using their information

• stop receiving direct marketing from the College

• obtain a copy of information the College holds about them

Page 13

Subject Access Requests

• Must be in writing

• Must verify the ID of the requester & ask them to pay £10 fee

• 40 calendar days to respond

Possible exemptions:

– prejudice crime prevention/detection

– endanger physical or mental health

– disclose other people’s personal data

– involve disproportionate effort

Page 14

The Seventh Principle

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

Consider:

• Remote access - firewalls

• Passwords/encryption

• Home working, taking files offsite

Page 15

Security Measures

Keep personal data safe and secure

Technical security
e.g. passwords, firewalls, virus protection, Information Security Policies

Organisational security
e.g. disposal of information as per the retention schedule, contracts with data processors, staff training and awareness

Page 16

Security breaches are receiving increased publicity

Page 17

The Eighth Principle - Transfers Abroad

“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”

Consider:

• Access rights

• Sensitivity of data

• 3rd parties

• Fair processing requirements

Page 18

For the Eighth Principle

To determine whether a transfer to a third country is permitted under European law, consider the following:

• Is the data “personal data”?

• Does the “third country” ensure an adequate level of protection by reason of its domestic laws, or its international commitments (e.g. the U.S. Safe Harbor)?

• Do one or more of the exceptions apply?

• Have the parties themselves ensured adequate protection by alternative means (e.g. by contract)?

Page 19

Notification with the Information Commissioner’s Office

• QMUL has registered with U.K. ICO

• This notification is viewable online

• Processing may only be carried out for the purposes stated in the notification

• If you process data, check the notification to see purpose is covered

Page 20

Data Breaches

• Data Subject is primarily responsible for notifying the ICO

• Currently the naming and shaming is by ICO

• ICO has just got more powers

• Personal liability

Page 21

Examinations and the DPA

• Comments on scripts but not scripts themselves can be accessed under DPA

• Exam Board minutes can be accessed under DPA

• Achievement/progression data can be accessed under DPA

• It is okay to put lists of those who have passed on the noticeboard, but by number is preferable and only if you have told students that this is how their results are published

• You should not pass on an individual student’s results to a third party

Page 22

Research and the DPA

• Personal data may be used for purposes beyond the originally stated purpose

• Can be retained indefinitely

• Exempt from SARs – as long as published research does not identify individuals

Page 23

Some scenarios (1)

1. Student wants to see the minutes from an exam board at which their case has been discussed

A. Yes, they can see these as long as any other individual’s details are redacted

Page 24

Some scenarios (2)

2. Policeman comes in to your dept. and asks to see a student’s file

A. Treat with caution! Their request should be specific as to why access is needed. Need to balance the rights of the student

Page 25

Some scenarios (3)

3. Someone rings up to ask:

a) for their exam results

b) to enquire if a student has been attending

A. Treat with caution! Don’t give out personal data over the phone unless sure it’s the Data Subject. Offer to call back or pass on a message

Page 26

Some scenarios (4)

4. Someone claims to be at work at a certain time (e.g. working shifts or flexitime), but you suspect they’re not and want to use CCTV to check

A. The CCTV system is not for this purpose

Page 27

Measures to Take

• Treat spoken communications e.g. with colleagues with as much care as written

• Be aware of who might overhear confidential conversations or see your screen

• Protect personal data with passwords and a clear desk policy; don’t take offsite

• Be aware of College Policy

Page 28

What are my responsibilities?

• Audit - who, what, when, where, why, how?

• Ask yourself the questions in the Staff Checklist

• Possibly re-engineer consent processes

• Implement internal policies & procedures

• Review data security

• Put in place security breach procedures

• Review contracts (third parties, international transfers)

• Know the purposes for which data you handle has been collected and only use it for these

• Ongoing training, audits and management

Page 29

Data Protection Policy & Guidelines

• On intranet at http://www.arcs.qmul.ac.uk/governance/information-governance/data-protection/index.html

• Appendix of guidelines – what to do in certain circumstances and additional information

Page 30

Contact Details

• Paul Smallcombe, Records & Information Compliance Manager

• E04 Queens’ Building

• E-mail: [email protected]