The Data Protection Act 1998 Clare Hall Data Protection Policy

Transcription

1 The Data Protection Act 1998 Clare Hall Data Protection Policy Introduction This document is a guide to the main requirements of the new Data Protection Act (DPA) that came into force on 24th October Full details can be found on College Staff with access to personal data need to act in accordance with the terms of the Act, and must sign the certificate of compliance at Appendix 1. The Act has wide-reaching implications and the purpose of the document is to introduce its the key elements and, most importantly, to outline the ways in which each Staff member either in possession of, or collecting so-called open data (see below) should act, in order to be DPA compliant. The main requirements of the Act are that data should be: Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate Not kept longer than necessary Processed in accordance with the data subject's rights Secure Not transferred to approved countries without adequate protection Data Protection Responsibilities within Clare Hall Data protection within the College is the responsibility of the Bursar (Data Protection Officer - DPO), with the Senior Tutor as his or her Deputy. Both posts are ex officio. Staff Responsibilities All staff will, through appropriate training and responsible management: Observe all forms of guidance, codes of practice and procedures about the collection and use of personal information. Understand fully the purposes for which the College uses personal information. Collect and process appropriate information only in accordance with the purposes for which it is to be used by the College to meet its needs and legal requirements. Only access personal data that they require to carry out their jobs properly. Ensure the information is recorded accurately and correctly in the College s systems by following its standard format (as attached). Ensure the information is destroyed when it is no longer required

2 On receipt of a request (Subject Access Request) from an individual for information held about them by or on behalf of the College, immediately notify the Data Protection Officer, deal with all personal information in accordance with the College s security procedures. Any breach of the 1998 Act and the College s data protection policy shall be viewed as gross misconduct and may lead to dismissal. Such training will be fully documented for all staff. Types of Data The only data that has the potential to fall within the terms of the Act is personal data; that is, data pertaining to a living person. Personal data can be divided into four categories: Open Data. That is data by which individuals can be readily identified. This data does not have to have individuals names attached to it. It could be that the constellation of data is such that it could only refer to a small group of people (in practice 50 or less), thus making individual identification a significant risk. Coded Data. That is data where the main data set has a code that identifies an individual and the code decryption that links to the individual s name is kept separate from the data set within the same institution. To all intents and purposes this data should be treated the same way as open data under the terms of the Act. Linked Anonymised Data. This is a particular form of coded data, where the code is kept by another data controller, such as the University. Unlinked Anonymised Data. This data has no individual reference within it and does not link to any code elsewhere. Such data has no implications for data protection and falls outside of the remit of the Act. Since the vast majority of any data handled by the College will be open data, the rest of the document will deal only with its treatment. Essentially, if data can be linked to any individual in any way it should be treated as open data and follow the guidelines in this document. Further advice may be obtained from one of the Data Protection Officers. Basic protection of open data The following rules apply to all open data: All open electronic data should be stored on code-word protected disk space. This also applies to portable computers, and home computers. All open paper data should be stored in a locked storage facility (e.g. filing cabinet) in a locked room/building. This might require some pruning of paper data

3 Open data taken off-site must be secure. This involves code-word protection of off-site disk space, the use of locked storage space, and the prevention of casual viewing by others. In particular steps must be taken to prevent access to the data during transportation. Open data must not be discussed in a way that can be overheard, such that individuals can be identified. It must not be left around for others to read on desks or on printers. All electronic mail that discusses identifiable individuals must be treated as open data, codeword protected and sent only to known addressees. Data should not be sent to countries that are not recognised by the Act (see the Act web site). The acquisition of data When acquiring open data it is imperative that informed consent is obtained for all of the possible future uses of the data. If staff work involves additional disposal of the data, separate consent should be obtained. It is important to be clear that the principles of Data Protection do not mean that staff cannot do things with personal data such as publish it in College publications, talk about it at conferences and meetings (even with reference to named individuals). It just means that before doing these things the written informed consent of the individuals involved must be obtained. The registration of data Under the terms of the act all of the open data acquired and kept by the College needs to be registered. In practical term this means that it is stored in College secure files and College Members personal files and afforded the appropriate degree of security. Requests to Access Open Data Under the terms of the Act individuals on whom data is kept have the right to access that data. For this reason the above guidelines on the security of data must be adhered to. In the event of a request for access to data, the member of staff concerned should: Be aware that deception may be used to obtain information. Note that telephone requests for information should rarely if ever be complied with. Establish the identity of a person requiring disclosure before responding. Confirm that they do indeed possess data on that individual. Consult with one of the data protection officers if in doubt before making any disclosure

4 Ensure that the request is made in writing. Keep a record of any routine and non-routine disclosures. Record the person who made the disclosure and authorised it and the person requesting the data and the reasons for making the disclosure in the appropriate Personal File. The date and time must also be recorded. Loss of data Guidelines for the loss of data are at Appendix 1. April

5 Appendix 1 NOTIFICATION OF COMPLIANCE WITH 2001 DATA PROTECTION ACT Name: Position: This is to confirm that the terms of 2001 Data Protection Act have been communicated to me and that I am, and will continue to be, compliant with the Act in the normal conduct of my duties I am aware of, and will implement, the appropriate procedures regarding access to data and loss of data should the circumstances arise. I confirm that if, for any reason, I am unable to continue complying with the Act, I will inform the College DPO immediately. Signed Date - 5 -

6 Appendix 2 Action in the Event of Lost or Stolen Data The first action should be for the DPO or his/her deputy to be informed about the loss. He/she will immediately take charge of the situation and establish as far as is possible what data has been lost or stolen and the associated circumstances. Risk Assessment A preliminary assessment of the risks to individuals and organisations should be undertaken to scope necessary action: Does the data contain information about people? On the personnel front data may contain information about College staff and permanent members, visiting fellows and non-college employees, third parties, contacts and mailing lists, visitors (possibly high profile) and referees. Has business data been lost? Data may contain information about organisational issues and structures, contractual arrangements, strategic planning activities, security procedures, research issues, including progress and intellectual property rights, accommodation plans and financial matters. The key issues to be determined are: If data has been stolen, what damage could be caused by its illegal use? If information about identifiable people has been lost should the individuals be informed? If data about external organisations has been lost is there a risk to their business? In this event, what embarrassment and impact on relationships might be caused? Can the data be reconstructed from back-ups etc. Notifications Consideration needs to be given to contacting the individuals or agencies concerned. Data subjects should only be contacted once a full investigation and impact assessment has been completed. College members may need to be informed if personnel data is lost. Third parties may also need to be informed

7 Recovery Recovery from a loss will be high priority. Sound backup, and effective backup storage security will of course ensure that this can be done effectively and quickly. Review of Security A review of both physical and IT security arrangements may be necessary not only to ensure that further problems will not arise, but also to establish lessons that might be productively passed on to other Colleges