Data Protection Training Module Legal Department 2017

Transcription

1 Data Protection Training Module Legal Department

2 Welcome to the Data Protection Training Module INSTRUCTIONS This training module is in 2 parts: Part 1 is a slideshow which you can progress at your own pace. When you have read through the slideshow, you will be instructed to complete part 2 of the training, which is a short test. To progress through the training: click your mouse (anywhere on the page) or use the right arrow on your keyboard to view the next section. To leave the training module, click Esc on your keyboard, at any time. 2

3 Why do we need mandatory data protection training? Assets: Information is one of the University s most valuable assets. Personal data is a vital asset the University needs to collect and process in order to function effectively. Risks: However, dealing with personal data is also a responsibility and a risk. The law dictates that we must protect personal data (and tells us how we must do this); it restricts what we are allowed to do with the personal data when it is in our possession; and gives data subjects rights over their data while we hold it. Compliance: The University cannot comply with the Data Protection Act unless staff are trained; and are aware of, and adhere to, the relevant University policies and procedures. Compliance is dependent upon the day to day actions of every member of staff. Most data breaches reported to the ICO are triggered by individuals making mistakes. For example, sending a single to the wrong recipient may be a breach of the law, with serious consequences for both the individuals involved and for the University. Action: Completing this training module, and familiarising yourself with University guidance about data protection issues relevant to your work, will help you to comply with University policies and with the law; and will reduce the risks to our students and staff. It should help you to feel more assured when dealing with personal data in your day to day role. 3

4 What s new? Data protection laws are changing: On 25 th May 2018, the Data Protection Act 1998 will be replaced by the GDPR (the General Data Protection Regulation). This is the biggest change to data protection laws in 20 years. While the main principles of data protection remain largely the same, the GDPR is much stricter than the current Act; more prescribed in terms of how we must comply; and the penalties for non compliance are more severe. The University has commenced its preparations for GDPR compliance. The GDPR emphasises accountability and the need to demonstrate compliance. The impact to the University is significant it will affect all Departments and Services; and all systems and processes involving personal data across the University. This training module serves as a refresher of the data protection principles and as a brief introduction to the GDPR. Further guidance and information will be produced throughout The Legal Department will also be contacting Services across the University, to determine where changes and additional support are required, in the coming weeks. 4

5 Training Menu You will be directed through the following sections in turn. Continue to the next page to learn about Key Terms... Key terms Compliance The 8 Principles of Data Protection Requests for personal data Resources 5

6 Key terms: It is important for anyone who works with personal data to understand the following terms: Data protection Personal data Sensitive personal data ICO Data subject Processing data Data controller & data processor Data protection refers to the Data Protection Act This is the current law in the UK that tells us how we must deal with personal data. All organisations (and staff) processing personal data must comply with the Act. The Act protects an individual s rights regarding their personal data and their right to privacy. It balances the individual s right to privacy with the needs of organisations to legitimately process the personal data of the people they deal with. Failure to comply with the Act is an offence. The GDPR will replace the DPA on 25 th May

7 Key terms: Data protection Personal data Sensitive personal data ICO Data subject Processing data Data controller & data processor Personal data is information about or relating to a living, identifiable person. Anonymised data is not personal data, so it can be processed (eg, worked on outside the University, or published) without risk. However, anonymising data requires care: it is not fully anonymised and remains personal data under the Act, if it is possible to identify someone indirectly from it. Just removing someone s name is not always enough to anonymise the data. Guidance on anonymisation is available at the end of the training. Pseudonomised data is information which has been partially anonymised, eg, using a key/identifier instead of a name for each person. While this can help to protect information, pseudonomised data is still personal data protected by the Act. Examples of personal data are: name, address, student status, expressions of opinion regarding the person, exam results and feedback. Exam scripts and academic coursework are not personal data as they are not about the individual (unless the content of the work is biographical). Personal data is not restricted to paper and electronic documents and s. It also includes photographs; CCTV & video footage; data on mobile devices and websites; and handwritten notes. 7

8 Key terms: Data protection Personal data Sensitive personal data ICO Data subject Processing data Data controller & data processor The Act recognises that certain categories of personal data require a higher degree of privacy than others; these categories are sensitive personal data, and are defined by the Act: Racial or ethnic origin Political opinions Religious (or similar) beliefs Trade union membership Physical or mental health/condition Sexual life The (alleged) commission of any offence by the data subject and associated proceedings or sentence of any court. The University s Data Classification Policy sets out procedures for processing data, according to its sensitivity. You will learn more about rules for processing personal and sensitive personal data in the section on the 8 Principles. Under GDPR, there will be some changes to the definitions for personal and sensitive personal data, eg, including genetic & biometric data. 8

9 Key terms: Data protection Personal data Sensitive personal data ICO Data subject Processing data Data controller & data processor The ICO is the Information Commissioner s Office the regulatory body which oversees compliance with the Data Protection Act in the UK. It: sets codes of practice for organisations. provides advice and guidance on how to comply. investigates complaints and data breaches. has the power to prosecute organisations and individuals, and impose monetary penalties of up to 500,000, for failure to comply with the Act. Guidance is available from the ICO website at: Under GDPR, fines will increase significantly: up to a maximum penalty of 2 million Euros or 4% of turnover 9

10 Key terms: Data protection Personal data Sensitive personal data ICO Data subject Processing data Data controller & data processor A data subject is the person who is the subject of the information the person the data relates to or is about. Staff and students are data subjects, because the University processes personal data about them. We also process personal data about other data subjects, including: next of kin/parents and relatives of students and staff non employed individuals, such as agency staff or those working under a contract for services applicants and enquirers referees research subjects business associates 10

11 Key terms: Data protection Personal data Sensitive personal data ICO Data subject Processing data Data controller & data processor Processing personal data means any action involving the data, from collecting the information for the first time, to the destruction of the data; and everything in between. Every time you view/read, amend, share or discuss, file, store or delete personal data, you are processing it. 11

12 Key terms: Data protection Personal data Sensitive personal data ICO Data subject Processing data Data controller & data processor Organisations that process personal data may be Data Controllers or Data Processors: The Data Controller is the organisation with authority to decide how and why personal data is processed. It is responsible for compliance with the Act. The University is a registered Data Controller. A Data Processor collects or processes personal data for a Data Controller, under the Data Controller s instructions. The University may use an external data processor for some activities; and it may also act as a data processor for another organisation. Arrangements involving sharing of personal data between Data Controllers, or with Data Processors, require a Data Sharing Agreement, which is a legal agreement, setting out the roles and responsibilities of each organisation. 12

13 Training Menu Key terms Compliance The 8 Principles of Data Protection Requests for personal data Resources 13

14 How the University complies with the Act: 1. Policies the Data Protection Policy applies to staff and students: Additional policies and procedures are also important for data protection compliance, these include Information Security, IT Services and Records Management policies. 2. Registration The University is a registered data controller. Our registration notice is published on the ICO s website. It sets out in detail how the University may process, and with whom it may share, personal data: New activities and data sharing arrangements should be checked against and recorded on our Registration. 3. Training, guidance and advice for staff is provided by the Legal Department. Contact legal@mmu.ac.uk 4. Subject Access Requests are managed by the Legal Department. Contact dataprotection@mmu.ac.uk 5. Staff the University s compliance is reliant upon the day to day actions of its staff when dealing with personal data. Training works only when staff complete it. Policies and guidance work only when staff read them, refer back to them when needed, and follow the instructions provided. Training materials, policies and guidance are tools provided by the University to enable staff to comply. 14

15 How you can comply: Training & awareness Manage Plan Report Respond promptly Training: Complete training when asked and refer back to it as a reference tool, when needed. Ensure that new staff in your team also receive training. Policies: Familiarise yourself with the Data Protection policy, and the other policies listed under Resources. The Data Classification Policy, Information Security Policy and several IT Services polices will be of particular practical use in enabling you to comply with the Data Protection Act. Awareness: Review your procedures and look for ways to reduce risks within your service. Look out for new guidance and instructions and ensure that you implement these within your Service. New guidance and instructions will be issued prior to May Look out for notices and s about Data Protection, Information Security and Records Management; check how these apply to your Service and implement any changes required. 15

16 How you can comply: Training & awareness Manage Plan Report Respond promptly Manage the personal data in your department: Establish procedures for dealing with personal data within your department/service. Check these against the 8 Principles (set out in this Module), and University policies & procedures, to identify ways of reducing risks. Setting practical procedures and protocols and dealing with personal data in a consistent way reduces the likelihood of individuals making mistakes. Ensure that Data Protection, Record Management and Information Security policies are fully implemented within your Service/Department. 16

17 How you can comply: Training & awareness Manage Plan Report Respond promptly Check whether new activities/projects (or changes to existing University procedures or systems) are likely to involve or impact upon personal data. If so, the project or activity will need to be assessed; and practical ways of ensuring that the activity is compliant will need to be incorporated into the activity. This may be as simple as identifying the need for a data sharing agreement; documenting the way you will share the data (eg encrypted attachment), or identifying that the information can be fully anonymised. This is known as a Privacy Impact Assessment, or PIA. This process should take place at the design phase of any activity; and prior to any agreement with another organisation. New guidance on PIA s will be issued soon. PIAs will be mandatory under GDPR 17

18 How you can comply: Training & awareness Manage Plan Report Respond promptly Report the following to the Legal Department immediately: Breaches/incidents and risks likely to result in a breach involving personal data. The Legal team will provide instructions regarding how to deal with the incident and limit any damage. Legal staff will investigate the breach, determine whether it should be reported to the ICO and provide followup instructions and advice regarding breach prevention. What is a breach? A breach/incident includes any loss, or unauthorised disclosure involving personal or sensitive personal data. Complaints relating to personal data. Under GDPR, it will be mandatory to report all serious data breaches to the ICO within 72 hours 18

19 How you can comply: Training & awareness Manage Plan Report Respond promptly If you are contacted about any data protection related matter you must act quickly: Subject Access Requests are subject to strict timescales. If you receive a SAR, send it to the Legal Department immediately. If you are asked by the Legal Department for information, you must respond quickly. Complaints, incidents and breaches must all be reported and investigated quickly. The more quickly they are reported, the greater the chance of reducing any harm. Delays may result in missed deadlines and a further breach of the Act. Police requests are often urgent and may impact an individual s safety or welfare all police requests should be referred to Legal or to Security. Under GDPR, deadlines will be reduced, increasing the burden on the University. The risk of any delay will also increase, eg: we could be penalised twice a fine for the original incident leading to a breach/complaint and a second fine for the delay in reporting/responding. 19

20 Training Menu Key terms Compliance The 8 Principles of Data Protection Requests for personal data Preparing for GDPR: 2018 Resources 20

21 The 8 Data Protection Principles The 8 Principles are defined by the Data Protection Act. A breach of any one of the 8 Principles is a breach of the Act. They are important as they have practical implications for how you deal with personal data in your day to day role: A summary of the 8 Principles is provided below. You will learn more about each principle in the following slides. Personal data must be: 1. Obtained fairly & lawfully 2. Processed for specified & lawful purposes 3. Adequate, relevant and not excessive 4. Kept accurate and up to date 5. Kept no longer than necessary 6. Processed in accordance with the data subject s rights 7. Kept safe & secure 8. Not transferred outside the EEA 21

22 Principle 1 Personal data must be obtained and processed fairly and lawfully, and not processed unless certain conditions are met: Fairness means transparency: we must communicate to data subjects, in a privacy notice, what data we will collect and process, the purpose of the processing, who we will share it with and how long we will retain it. We can only process personal data if one of the Conditions under Schedule 2 of the Act applies. Sensitive data can only be processed if we can satisfy a condition under Schedule 2 and a condition under Schedule 3. Schedule 2 Conditions: Consent from the data subject, or Necessary for fulfilment of a contract Necessary for fulfilment of a legal obligation Necessary to protect the vital interests of a person Necessary for justice/public functions in the public interest Necessary for legitimate interests The Legal Dept will determine if a condition applies and if the processing meets the general principle of fair and lawful. Under GDPR, we will have to provide much more information in our privacy notices, such as the source of personal data held. We may need to create privacy notices for each University service. The conditions for processing will also change and it will be more difficult to rely on consent. Valid consent can only be by active opt in; as opt outs, silence, inaction or lack of response are no longer valid. The legitimate interests condition will no longer be available for public authorities. 22

23 Principle 2 Personal data must be obtained for specified and lawful purposes and not processed in any manner incompatible with those purposes: This means that, once we have collected and are holding personal data, we cannot then use the data for another activity or for any reason the data subject would not expect or did not originally agree to. Any use of personal data should be checked against what the data subject was originally told and the consent previously provided. Any additional or re use of the data collected for some other purpose will normally require obtaining new consent from the data subject. This principle is of particular relevance to staff involved in research or marketing activities. Just because the University holds data about lots of students, it does not mean we can then use that data to conduct research, or use/share that information for advertising purposes, without notifying or obtaining the data subject s consent. 23

24 Principle 3 3 Personal data must be adequate, relevant and not excessive for the purpose: We must collect sufficient information for the intended purpose; insufficient data may be a breach under Principle 3, for example, destroying a student s marks or feedback before an Exam Board or before the deadline for submitting an appeal. However, too much information may also be a breach anything that isn t required is an unnecessary invasion of privacy. Collect and retain the minimum data necessary for the stated purpose. Collecting or recording information in case it might be useful is not permitted. Beware of recording or sharing opinions or excessive details stick to factual information. This principle is also important when designing forms / questionnaires, stick to what is relevant and necessary. The GDPR emphasises data minimisation (collecting and using the minimum data necessary to fulfil the purpose) and privacy by design (determining at the outset the data required for the purpose). 24

25 Principle 4 Principle 4 Personal data must be accurate and kept up to date: Mistakes in this area are easy to make, but can have serious consequences: Failing to update an address quickly or accurately can result in a disclosure of data to the wrong person. Simple procedures and good practice can prevent a breach: Always use central sources of data (eg QLS) where possible these are most likely to be up to date and accurate. Avoid creating unnecessary copies of data (such as your own list of contacts) which will quickly become out of date and inaccurate. Act promptly to ensure that records are updated quickly when there is any change in staff/student circumstances or data. Ensure records are checked and updated regularly. Follow the University s record management policy and schedule. Regularly destroy out of date information and data which is no longer required. 25

26 Principle 5 Principle 5 Personal data must not be kept for longer than is necessary for the purpose: Effective records management is vital for data protection compliance: You should not store information indefinitely just in case keeping data for too long is a breach of Principle 5. Regularly review, archive and delete older data. Information no longer needed or out of date should be safely destroyed/deleted. Records management applies not just to paper files/documents but to electronic records and s. Ensure you are familiar with the University s Record Management policy and retention schedules applicable to your area. See: management/ Paper & electronic files and s should be tidy and well organised. You should know what data you are holding and where to find it, quickly, when required. Instructions on how to dispose of confidential waste (including items such as CDs/DVDs) are available on the University website, see: waste diposal guidance.pdf For instructions on how to dispose of IT equipment, contact IT Services. Under GDPR, we will have to include retention periods in our privacy notices 26

27 Principle 6 Personal data must be processed in accordance with the data subject s rights under the Act: These include the right to: know why their data is being collected, what it will be used for, how long it will be kept for; know who the University will share their data with; ask for access to the data that the University holds about them; give permission for their data to be held/processed; to opt out of unnecessary processing; object to data processing that causes damage or distress. More information about the data subject s right of access is provided in this module in the section on Requests for Personal Data. Under GDPR, data subjects will have more rights; and the timescales for the University to respond will be reduced. 27

28 Principle 7 Personal data must be kept safe from unauthorised access and processing, and from accidental loss, damage or destruction Breaches of Principle 7 are the most common cause of fines issued by the ICO, usually as a result of a simple error by an individual. Because of the potential for serious harm as a result of a breach in data security, the Information Commissioner has imposed fines on organisations even where a breach caused no unauthorised disclosure or actual harm to the data subject. Practical advice for staff on measures for keeping personal (and other types of confidential) data secure is provided in the next slide. 28

29 Principle 7: Data security measures for staff Identity checks Access controls Secure systems Physical security s Verify the identity of data subjects before you release any information to them, for example: check the ID badge, take and compare signatures, ask for verifying information that matches their student/staff record, such as their date of birth or national insurance number, request a copy of their driving licence/passport. The exact method of identity check will vary, depending upon whether the individual is current or former staff/student and the nature of the situation. Set a departmental protocol for identity checks, especially if you regularly disclose information to staff/students. 29

30 Principle 7: Data security measures for staff Identity checks Access controls Secure systems Physical security Implement departmental controls to restrict access to systems/documents containing personal data, so that only those staff who are authorised and need to view the data for specific work purposes can do so. Personal data should not be available to all staff at all times, just in case it might be useful. Information should be available and shared on a need to know basis only. s 30

31 Principle 7: Data security measures for staff Identity checks Access controls Secure systems Physical security s Use the secure areas provided (or approved by) the University for working on and storing personal data such as encrypted devices and network drives. Software and cloud storage solutions which are not approved by the University are a risk as they may store information on servers outside the EEA, which may breach Principle 8 of the Act. Do not download or store any data on nonencrypted computers/devices. Refer to the Data Classification Policy for more details on how to store/send information according to its level of sensitivity. 31

32 Principle 7: Data security measures for staff Identity checks Access controls Secure systems Physical security s Keep documents and screens out of sight of others Position computer screens so that they cannot be viewed by an unauthorised person from a window or glass partition behind you Use screen locks when you move away from your desk Use secure passwords Lock doors and filing cabinets Clear your desk! Tidy confidential data away when it is not being used. Papers containing personal data should not be taken out of the University. Anonymising data makes it safe. Pseudonymising data also reduces risk. 32

33 Principle 7: Data security measures for staff Identity checks s require particular care: Once you click send, s cannot be retrieved. Remember: STOP CHECK SEND Access controls Secure systems Physical security s is not generally a secure method for transmitting personal data use these checks to avoid a breach: Does it contain personal data? Is it ok to ? Check the Data Classification Policy. Remove unnecessary content and attachments. Avoid forwarding entire s, trails, and attachments, unless you have checked it for personal data and it is necessary for recipients to see. Sensitive content can be sent in an encrypted attachment (password protected word or pdf document) with the password provided separately. Beware of the autocomplete function which can easily result in s being sent to the wrong recipient. Should you blind copy (bcc) the recipients? Do you have the sender s permission to forward or share their name/ address? 33

34 Principle 7: Data security measures for staff Identity checks Beware autocomplete! When you start to type the name of a recipient, Outlook will suggest addresses you have used before. It is very easy to accidentally select the wrong one without realising. Access controls Secure systems Physical security s Always double check the address you have selected before you hit Send. Regularly clear the autocomplete memory, so that out of date contacts or those you no longer need are removed from the suggestions box/list: Go to File, Option, Mail, and click on the Empty Auto Complete Listbutton (under the Send Messages header). Disable autocomplete this is recommended for all staff who regularly individual students, and those dealing with sensitive personal data. If you choose this option, instead of relying on autocomplete, you will need to type the name of the recipient / address, or select an address from the address book, by clicking the To, Cc, or Bcc button: In Outlook click the File tab. Select Options from the menu on the left, then Mail. Scroll down to Send messages and un check the Use Auto Complete List to suggest names when typing in the To, Cc, and Bcc lines box. Autocomplete can be re enabled again, at any time, by following the steps above and re checking the box. 34

35 Principle 7: Data security measures for staff Identity checks Access controls Secure systems Physical security When to use the bcc function: Multiple recipients There are two types of group 1. Where the recipients need to know who the other recipients are, to have an conversation with each other. In this case, you should insert the recipients into the to or cc fields. 2. Where the recipients do not need to know who the other recipients are. The is sent to multiple recipients for convenience, where sending one is preferable to lots of separate s (eg, as a mail shot). In this case, it is unlikely that the recipients have consented to having their contact details (or the contents of the mail as it relates to them), shared with the other recipients. In this situation, you should always use the bcc (blind copy) function so the recipients can t identify each other: s 35

36 Principle 8 Personal data must not be transferred to a country outside the EEA*, unless that country has equivalent levels of protection for personal data: As Data Controller, the University is responsibile for protecting personal data which is sent, transferred to, or stored in non EEA countries. Contractual clauses therefore need to be sufficient to ensure protection in countries where there is no Data Protection Act (or equivalent) in place. If your project is doing business with a company outside the EEA, you must ensure the Data Protection clauses in the contract are approved by the Legal Department. Many types of software and mobile app providers are not UK based and they store information outside the EEA, via the cloud. You should only use the University s approved methods of data sharing and storage. See the University s IT Services policies & guidance for more information. If in doubt, contact the Legal Department. *The UK s decision to leave the EU has not resulted in any change to this requirement. We still need to comply with these rules. 36

37 Training Menu Key terms Compliance The 8 Principles of Data Protection Requests for personal data Resources 37

38 Requests for personal data Please send me all the info you have about me Data subjects Third parties All written information held for/on behalf the University may be released to the data subject, including items normally considered private or confidential. A data subject s request to see their personal data is called a Subject Access Request (SAR). 38 The University charges a fee of 10 for a SAR. The Data Protection Act says that SARs must be responded to promptly and within 40 calendar days. Failure to comply with a SAR is an offence. The Legal Department manages SARs, checking the request is valid, advising which information must be disclosed (or withheld) under the Act, and ensuring that no personal data relating to any other person is released. Staff are also responsible for complying with SARs Under GDPR, the SAR deadline will reduce from 40 days to 1 month; and we will no longer be able to charge a fee.

39 Requests for personal data Data subjects Third parties Staff are also responsible for Subject Access Requests: Promptly refer all Subject Access Requests received to A SAR is any written ( or paper) request for their own personal data. It doesn t have to say SAR, subject access or data protection. Promptly respond to the Legal Department providing copies of the data requested. Note: it is an offence to delete or destroy information to avoid disclosure via a SAR. Ensure your records and s, are well organised, so you can identify and retrieve information quickly, on request. Comply with record management policies and destroy / delete data at the end of its retention period. This will make it much easier to respond to requests within the legal time limits. Failure to provide data in time (because you have too much data or it is not sufficiently organised) is a breach of the Act. Never assume anything you write on University records or s will be private. 39

40 Requests for personal data Data subjects Third parties Not all requests from a data subject need to be formal SARs: The University s duty is to ensure that information is easily accessible to data subjects. A request will require a formal SAR if the data subject asks for: a high volume of data ( send me all data about me ), data which is not normally or routinely released, or documents containing personal data about more than one person. However, a student should not have to pay 10, submit a formal request and wait for up to 40 days for a simple document he/she has already seen previously, such as a copy of a council tax exemption certificate or a feedback sheet. Check with the Legal Department about any requests you regularly receive for personal data, for advice on establishing a protocol for dealing with them. Requests for transcripts of marks should be referred directly to awards@mmu.ac.uk 40

41 Requests for personal data Data subjects Third parties The default position is that information about staff and students should not be shared with any third party without the data subject s consent. However, there are some exceptions to this rule, such as part of a formal data sharing arrangement which has been approved by the Legal Department, or where an exemption under the Data Protection Act applies. Third parties are : All external organisations (eg, police, solicitors, Council Tax offices, business partners) All individuals other than the data subject him/herself (such as parents and relatives). What to do if a third party individual/organisation asks for personal data: Contact the Legal Department: legal@mmu.ac.uk For urgent/emergency situations outside of normal office hours, contact Security If you are regularly asked for particular types of personal data, eg Council Tax exemption requests, or employers/sponsors who fund students, contact the Legal Department for advice on setting a protocol for dealing with these. If you need to set up a data sharing arrangement with any third party organisation, contact the Legal Department for advice. Parents: The University is not permitted to release or discuss personal data relating to a student with parents/friends or relatives, without the student s consent. This is made clear in our data protection statement to students: For advice on dealing with queries from parents, contact the Legal Department. More detailed guidance on dealing with parents will soon be published on the Legal Department s website. 41

42 Training Menu Key terms Compliance The 8 Principles of Data Protection Requests for personal data Resources 42

43 Resources University Resources: Data Protection Policy: CCTV Policy: Information Security and IT Services policies: This includes Data Classification, Mobile Devices, Acceptable Use, etc. E Security Training is available for any staff who would like further training in information security. This can be completed at your own pace as a complete training module, or used as a reference tool, by viewing the particular section(s) of interest. See: Staff Resources Section in Moodle. Log in here: Records Management: management/ Student Reference Policy (writing references for students): This is available on the CELT website, under Supporting Student Success, then Personal Tutoring. See the following link (you will need to log in): Contact us: Legal Department: legal@mmu.ac.uk External Resources: Information Commissioner s Office: For more detailed guidance available online, such as the ICO Guide to Anonymisation 43

44 To complete your training, please go the Data Protection Test in Moodle. Good luck! 44