data protection-training
Data Protection and Freedom of Information in schools
Keeping data secure, safe and legal
Why?
Data Protection Act 1998
Freedom of Information (FoI) Act 2000
The Data Protection Act 1998
• The Data Protection Act 1998 came into force in March 2001, replacing the Data Protection Act 1984.
• The EU Data Protection Directive (also known as Directive 95/46/EC) is a directive adopted by the European Union to protect the privacy of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data.
• The Data Protection Act is how the UK implements the European Directive.
The aims of the Data Protection Act
• Anyone who processes personal information must comply with the eight principles
• It provides individuals with important rights, including the right to find out what personal information is held about them
The eight data protection principles
Information must be:
• Fairly and lawfully processed
• Processed for specified purposes
• Adequate, relevant and not excessive
• Accurate and up-to-date
• Not kept for longer than is necessary
• Processed in line with individuals’ rights
• Secure
• Not transferred outside the European Economic Area without adequate protection
Individual rights
• Right of access – individuals have a right to know what information organisations hold about them on a computer or in certain filing systems.
• Individuals can submit a Subject Access Request to see or have a copy of this information.
Freedom of Information Act 2000
• An Act to make provision for the disclosure of information held by public authorities or by persons providing services for them and to amend the Data Protection Act 1998 and the Public Records Act 1958; and for connected purposes
Right of access
• What? Anything
• Who? Anybody
• Where from? Anywhere
• Why? None of your business
• FoIA assumes information will be disclosed
Exemptions
7 Absolute Exemptions
• S21 Information accessible by other means;
• S23 National security;
• S32 Court records;
• S34 Parliamentary privilege;
• S40 Personal information about the applicant;
• S41 Information provided in confidence;
• S44 Prohibition on disclosure
Exemptions
15 Qualified Exemptions
• S22 Future publication;
• S24 National security;
• S26 Defence or armed forces;
• S27 International relations;
• S28 Relations within the UK
• S29 The economy of the UK;
• S30 Investigations/proceedings;
• S31 Law enforcement;
• S36 Effective conduct of public affairs;
• S37 Communications with Her Majesty
• S38 Health & safety;
• S39 Environmental information;
• S40 Personal information about third party;
• S42 Legal professional privilege;
• S43 Commercial interests
School specifics
• Impact levels
• Encryption
• Questions and examples
Impact levels
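Impact Level
Example data types
eGIF requirements
Example networks
External access
Aggregated reports
Registration level
Authentication requirements
Gov PC to www
Internet café PDA Home Gov PC LAN
Wi-fi 3G card Bluetooth Bootable USB

IL4 Confidential
• Example data types: National Pupil Database; Looked-after children; Witness protection; SEN IL4 data elements
• Registration level: Level Three ID verification with vetting and 'need to know' measures
• Authentication requirements: Physical/personal/procedural protection with appropriate authorisation
• Example networks: GSi, CJX
• External access: Y1 N N Y2
• External access: N N N Y3

IL3 Restricted or NHS Confidential
• Example data types: School MIS; Teacher access to learning platform/portals; Special educational needs (with no IL4 data elements); Pupil characteristic; Contact point; Health records
• Registration level: Level Two ID vetting and 'need to know' measures; IAO approval
• Authentication requirements: Mandatory two-factor user ID, password and token; Internet/virtual private network (VPN) and token
• Example networks: N3, GSI, GCSx, CJX
• External access: Y N Y4 Y5
• Example networks: Encrypted internet VPN
• External access: Y6 Y7 N Y8

IL2 Protect
• Example data types: General student data; Learning platforms/portals
• Registration level: Level One basic ID verification
• Authentication requirements: User ID and password
• Example networks: Internet
• External access: Y1 N Y Y
• External access: Y Y Y2 Y

IL1/IL0
• Example data types: Google search; BBC News
• Registration level: Anonymous
• Authentication requirements: Authentication not required
• Example networks: Any
• External access: Y Y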
Data encryption
Becta guidance states: “Users may not copy or remove sensitive or personal data from the school or authorised premises unless the media is encrypted and is transported securely for storage in a secure location”
What does that mean to us?
• Change in the way USB sticks are used
• Not just USB. Additional encryption when accessing information across the internet