Cost Codes

1
Data Security Freedom ofInformation
2
INFORMATION GOVERNANCE

• Freedom of Information Act 2000
• Data Protection Act 1998
• Information Security
• Record Management

3
FREEDOM OF INFORMATION ACT 2000
Background

• Creates a statutory obligation on public
  authorities to formally consider written
  requests for information and respond within 20
  days
• Two stage introduction
• first stage of introduction - Publication
  Schemes (02-04)
• second stage - full Rights of Access came into
  effect on 1 Jan 05
• Requests for information must be in writing
  (including fax / e- mail)
• There is no right to know why the information is
  being requested

4
FREEDOM OF INFORMATION ACT 2000
Publication Schemes

• Proactive publishing of information
• Similar structure for all public sector
  organisations
• Information split into broad categories known as
  classes
• info. published in the School Prospectus
• info. on School Profile and other information
  relating to the governing body
• policies that relate to Pupils Curriculum
• School Policies and other information related to
  the school
• All schools must adopt a scheme
• Model schemes available at
• http//www.ico.gov.uk/Home/what_we_cover/freedom_o
  f_information/publication_schemes/model_schemes.as
  px

5
FREEDOM OF INFORMATION ACT 2000
Full Rights of Access - Dealing with Individual
Requests

• Identify and acknowledge FOI requests
• Dearcurrently dealing with your request will
  be in touch as soon as possible
• Review material being requested - apply
  exemptions
• Provide a response, either
• - provide all requested information, or
• - withhold all, or in part, explain which
  exemption is being applied and provide
  opportunity to appeal decision

6
FREEDOM OF INFORMATION ACT 2000
More about Exemptions

• Exemptions exist to protect information that
  should not be released.
• Some exemptions that may apply in a school
  setting
• Request for a teachers home address or career
  development
• information
• - Section 40 Personal data exemption
• Request by a parent for a copy of another
  parents written
• complaint
• - Section 41 Information provided in confidence
• Request for copy of legal advice obtained by a
  school
• - Section 42 Legal professional privilege
• No exemption for embarrassment

Full list of exemptions available at
http//www.foi.gov.uk/guidance/index.htm
7
FREEDOM OF INFORMATION ACT 2000
Things to remember when responding

• Must respond within 20 working days
• Straightforward disclosures can be dealt with by
  the Principal
• Complex requests and decisions to withhold, must
  involve the BOGs
• - consider the public interest test
• It may not always be appropriate, or required,
  to disclose the identity of the applicant to the
  BOGs
• The decision which must be made is - can this
  information be made public?

8
FREEDOM OF INFORMATION ACT 2000

• As much of school information is now open to
  public scrutiny its important that we write for
  disclosure
• Write objectively
• Ensure what you write is relevant and
  professional
• Document reasons for decisions generally
• Refer to policies in decision making
• Dont forget about e-mails and diaries!

9
FREEDOM OF INFORMATION ACT 2000
What can the applicant do if dissatisfied?

• Lodge an appeal with the school must be heard by
  the BOGs -
• preferably those not involved in the original
  decision.
• If still dissatisfied the applicant can
  approach the Information
• Commissioner (IC) for an independent review.
• IC will approach school requesting copies of
  information and details around the handling of
  the request.
• IC will either uphold the schools decision or
  overturn, and issue school with an enforcement
  notice to release the information.

10
FREEDOM OF INFORMATION ACT 2000
Key points

• Ensure your school adopts a Publication Scheme.
• See that requests are identified and dealt with
  promptly.
• Labour intensive requests can be charged for or
  refused.
• duty to offer assistance
• Dont make decisions quickly. Acknowledge
  requests and consider them carefully.
• Just because someone asks, doesnt mean they get!
  (appropriate disclosure)
• Where information is refused an adequate
  explanation must be provided and details on how
  to appeal decision.
• Ensure nothing is written which may embarrass
  consider diaries, emails notebooks etc.
• WHEN IN DOUBT - SEEK ADVICE

11
DATA PROTECTION ACT 1998 (DPA)

• The DPA is a legal framework for the proper
  collection, usage, storage, sharing and disposal
  of personal data.
• It permits Data Subjects access to their
  records.
• It can impose considerable penalties on
  organisations individuals who fail to comply.
• Personal data it is any information that
  identifies and relates to a living individual
  such as name, address, date of birth,
  educational record, financial details and even
  expressions of opinions or intentions. The Act
  covers such information held on computer and
  paper file.

12
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
Personal data (PD) shall be processed
fairly and lawfully PD must be collected and
used only where there is valid reason. It is
good practice to advise subjects how their data
may be used through forms, posters, annual
reports etc. Processed for specified
purposes Where any planned use of the
information falls outside what has been
explained to the data subject, or what they might
expect, consent must be obtained before
proceeding Adequate, relevant and not
excessive We must be able to demonstrate that the
level of personal information we collect is
required for the effective delivery of services
13
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
PD shall be accurate and up to date Where
we are making decisions based on such data, we
have a responsibility to ensure it is
accurate and kept up to date Not be kept for
longer than is necessary PD should not be kept
for longer than necessary. Some personal data
needs to be retained for legal reasons. Schools
must refer to the School Record Retention and
Disposal Schedule before destroying records
14
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
Processed in accordance with the rights of the
individual Data subjects have rights under the
Act. These include right of access to their
records, right to have any inaccurate information
corrected and a right to prevent processing
likely to cause damage or distress Kept secure -
One of the biggest obligations placed on a
school. - Equally important for manual and
electronic data - Applies throughout all stages
of data processing, from obtaining and using
to sharing and destruction
15
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
PD must not be transferred to countries outside
the European Economic Area unless the information
is adequately protected. Personal data cannot be
transferred to countries which do not have
similar personal data legislation to our own.
When dealing with personal data we should always
ask ourselves the question if this was my
personal data, how would I like it to be treated?
16
DATA PROTECTION ACT 1998 (DPA)
Examples of Sensitive Personal Data
Data relating to Racial or ethnic
origin Political opinions Religious/similar
beliefs TU membership Physical or mental
health Sexual life Criminal allegations Criminal
proceedings/record Information relating to a child
Special care must be taken when processing
Sensitive Personal Data, especially around
collection, use and sharing.
17
DATA PROTECTION ACT 1998 (DPA)
Subject access rights
Right of access to personal data in computer or
manual form Entitled to Be informed whether
personal data is processed A description of the
data held, the purposes for which it is processed
and to whom the data may be disclosed A copy of
the data usually within 40 days Information as
to the source of the data There are limited
exemptions.
18
DATA PROTECTION ACT 1998 (DPA)
Information access summary
Data Protection Act (Access to personal data by
data subject) 40 days
FOI Act (Access to everything else) 20 days
19
DATA PROTECTION ACT 1998 (DPA)
Duty to Notify

• Organisations which process personal information
  must notify the IC
• Costs 35 to register
• Bogus agencies
• Failure to notify criminal offence
• Details on how to notify can be found below
• http//www.ico.gov.uk/Home/what_we_cover/data_prot
  ection/noti
• cation.aspx

20
DATA PROTECTION ACT 1998 (DPA)
Summary of key points for staff
Duty to OBTAIN information fairly Duty to
PROTECT information Duty to ensure information
is SECURE Duty to JUSTIFY use and storage of
personal data DONT PASS on information unless
on a need to know basis and you are sure of the
recipients validity
21
INFORMATION SECURITY
Use and Management of Passwords
Use passwords to protect against unauthorised
access. It is a schools responsibility to
ensure that enabled usernames are available only
for current staff and students. Leavers
usernames must be removed (ie deleted or
disabled) promptly. The usernames of anyone
under investigation for inappropriate use must be
disabled promptly. Usernames must never be
created for fictitious staff or students (this
includes the creation of generic or group
usernames i.e. usernames that could be used by
more than one person).
22
INFORMATION SECURITY
Use of E-Mail
Emails sent to addresses outside the C2K Network
(ie. Hotmail.com) will be transmitted across the
internet. Never send personal data to such
addresses. Never send Sensitive Personal Data by
e-mail. Do not transmit unsolicited advertising
or attachments as these may conceal
viruses. Restrict messages to those who may have
an interest in them. Check E-Mail messages
every day ( if practical ). Do not subscribe to
non work related services / alerts. Delete
unwanted messages.
23
INFORMATION SECURITY
Securing Automated Data
Portables/Laptops Never leave laptops/portables/m
edia unattended. When transporting any computer
media always ensure it is out of sight, either in
a glove compartment or boot of a car. Never
disclose your username or password. Do not hold
confidential or pupil level data on laptops. No
additional devices may be connected to data
points on the C2k network without the specific
agreement of C2k random checks will be carried
out to identify such violations.
24
INFORMATION SECURITY
Securing Automated Data
Portables/Laptops Only software which is
licensed and appropriate for school needs may be
installed on laptops. Laptop users may not
install alternative versions of Internet
Explorer, any other Internet browsers, Windows
updates or any hacking tools and should not
switch off Windows firewall. Antivirus software
is provided and automatically updated in school.
This protection must be kept up to date if the
laptop has not been connected to the school
network for more than one week.
25
INFORMATION SECURITY
Securing Automated Data
Portables/Laptops The laptop should not be
given, lent or used by anyone other than the
nominated member of staff when outside
school. If the laptop is lost or stolen, the
school should be notified immediately, or during
school holidays, the C2k Helpdesk (0870 6011
666). The laptop must be returned to school if
the nominated member of staff ceases employment
with the school.
26
INFORMATION SECURITY
C2k Networks
No additional devices may be connected to data
points on the C2k network without the specific
agreement of C2k random checks will be carried
out to identify such violations. It is the
schools responsibility to ensure that software
added to desktops on the C2k network is
appropriately licensed. The schools C2k
Manager/Administrator must ensure that software
which represents a security threat is not
installed on any desktop. The school should make
all users aware that attempts to bypass
filtering, or to access inappropriate or illegal
material will be reported to the school authority.
27
INFORMATION SECURITY
Legacy networks connected to Internet via C2k
All legacy network servers and desktops must have
adequate, up to-date anti-virus protection with
automatic updates. Appropriate, up to date
security patches and service packs must be in
place on the school legacy network. Other
Internet or wireless connections must not be made
available to equipment which is connected to the
C2k network unless C2k has granted permission for
such connections.
28
INFORMATION SECURITY
Manual Records

• Keep personal data in a locked filing cabinet or
  drawer.
• Operate a clear desk policy Lock all personal
  data away when you are finished with it and at
  the end of the day.
• Only remove files containing personal information
  from storage areas when necessary. Their location
  should be tracked at all times.
• Destroy personal data by shredding.

29
INFORMATION SECURITY
General Good Practice

• Personal information should only be passed on, on
  a need to know basis.
• Do not allow sensitive conversations to be
  overheard.
• Guard against people seeking information by
  deception.
• Never leave personal data at printers. Collect
  print jobs promptly.
• If working from home treat that environment like
  your work environment. Do not allow
  friends/family access to any information.
• Avoid sending personal information by fax. Where
  this is necessary do it over a secure protocol.

30
RECORD MANAGEMENT
The Record Life Cycle
Creation
Final disposal

Active use
Retention
31
RECORD MANAGEMENT
Information Access
Know what information you hold and be able to
access it.

• Subject Access Requests
• FOI requests
• Inspections / audits

32
RECORD MANAGEMENT
File Disposal
What can disposal mean?

• Archive
• Offer records to the Public Record
• Office for Northern Ireland (PRONI)
• Destruction
• Adopt and refer to the School Record Retention
  Schedule before disposing of records
• available at http//www.deni.gov.uk/index/85-schoo
  ls/5-school-management/85-disposal-of-school-recor
  ds.htm

33
RECORD MANAGEMENT
Dont forget about electronic records

34
CONTACTS / GUIDANCE

• Freedom of Information
• WELB Corporate Information Manager 02882 411553
• www.foi.gov.uk/guidance/index.htm
• www.ico.gov.uk/
• http//www.welbni.org/index.cfm/do/GuidSch
• Data Protection
• http//www.ico.gov.uk/for_organisations/data_prote
  ction_guide.aspx
• WELB Corporate Information Manager 02882 411553
• WELB Data Protection officer 02882 411247
• Information Security
• C2k Helpdesk 0870 6011 666
• WELB Corporate Information Manager 02882 411553
• WELB Data Protection officer 02882 411247
• Record Management
• WELB Corporate Information Manager 02882 411553
• www.proni.gov.uk