Data Protection Act 1998 / GDPR / Data Protection Act 2018
Schools ICT
Slides: 28

GDPR: What's New?
General Data Protection Regulation, effective from 25th May 2018
• A complete overhaul of data protection regulation, with extensive updates to what can be considered identifiable information.
• Applies across all member states of the EU (including us after Brexit!).
• Applies to all organisations processing the data of EU data subjects, wherever the organisation is geographically based.
• Specific and significant rights for data subjects to seek compensation, and rights to erasure and accurate representation.
• Significant changes related to the processing and controlling of children's data.
• Public authorities must appoint a Data Protection Officer.
• Fines of up to €20 million or 4% of global annual turnover, whichever is higher.

A Reminder
• Data Controller: determines which personal data will be collected, from whom, why, how long it will be kept for and how it will be processed.
• Data Processor: processes data on behalf of the data controller, and may decide which systems to use to do so.
• The Information Commissioner is the person who has the powers to enforce the Data Protection Act.

A Reminder: Registration with the Information Commissioner's Office
• All organisations that process personal data are required to register with the ICO.
• Until the GDPR comes into effect the current fees apply. From 25 May 2018 there will be a tiered approach to charges:
• Tier 1, micro organisations: a maximum turnover of £632,000 for your financial year, or no more than 10 members of staff. The fee for tier 1 is £40.
• Tier 2, small and medium organisations: a maximum turnover of £36 million for your financial year, or no more than 250 members of staff. The fee for tier 2 is £60.
• Tier 3, large organisations: if you do not meet the criteria for tier 1 or tier 2, you have to pay the tier 3 fee of £2,900.

The Six Data Principles
Personal data must be:
• Processed lawfully
• For a specific purpose
• Kept to a minimum
• Accurate and up-to-date
• Retained only for as long as it is needed
• Kept securely

The Rights of Data Subjects
• Right to be informed
• Right of access
• Right of rectification
• Right of erasure
• Right to restrict processing
• Right to object
• Right to data portability
• Rights in relation to automated decision making

Lawful Basis for Data Processing
• Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
• Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary for you to comply with the law.
• Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.
• Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
• Vital interests: the processing is necessary to protect someone's life.

Compliance and Accountability
• You must be able to demonstrate compliance with the regulation; compliance alone is not enough.
• How can you do this?
• Raise awareness
• Establish what data is processed, why and for how long, and who that data is shared with and why
• Decide which legal grounds apply to each category of data collected
• Review privacy notices
• Data protection impact assessments
• Review contracts, handbooks and policies
• Training

Children & the GDPR
The GDPR contains new provisions intended to enhance the protection of children's personal data.
• For the purposes of consent to online services, the GDPR treats anyone under 16 as a child. Member states can lower this age, but not below 13. The UK has set it at 13.
• Where services are offered directly to a child, you must ensure that your privacy notice is written in a clear, plain way that a child will understand.
• An individual's right to erasure is particularly relevant if they gave their consent to processing when they were a child.
• If you make an information society service (ISS, i.e. an online service) available to children and wish to rely on consent to legitimise your processing, you need to verify that anyone providing their own consent is old enough to do so.
• If the service is available to under-13s, the data controller must also make reasonable efforts to verify that the person giving consent does, in fact, hold parental responsibility for the child.
• A code of practice for data controllers on age-appropriate website design is being introduced.

Children's understanding of data privacy
• "I have read and agree to the Terms" is the biggest lie told on the web: https://tosdr.org
Ofcom's 2016 media use and attitudes survey of 5- to 15-year-olds includes useful indicators about children's grasp of personal data privacy. These offer some worrying indications. For example, among 12-15 year olds:
• 17% agree "I will give details about myself to a website or app to be able to get something that I want."
• 13% of those with a social media profile agree "getting more followers is more important to me than keeping my information private."
• 58% think "I can easily delete information that I have posted about myself online if I don't want people to see it."
We need to develop data protection teaching and practice through the curriculum.

Action Plan
The Information Commissioner's Office (ICO) suggests a number of ways in which organisations can prepare for these changes and has published a 12-step checklist. In summary:
• Awareness: ensure decision makers and key individuals in your organisation are aware that the DPA is changing with the introduction of the GDPR. They need to appreciate the impact it will have and how the new legislation will affect your organisation.
• Information you hold: organise an information audit and document the personal staff and child data you currently hold, where it came from and who it is shared with.
• Communicating privacy information: review your current privacy notices and put a plan in place for making any necessary changes in good time.
• Legal basis for processing personal data: review the various types of data processing you carry out, and identify and document your legal basis for carrying it out.
• Consent: review how you are seeking, obtaining and recording consent, and whether any changes are required.
• Individuals' rights: check your current procedures to ensure they cover all rights of individuals, including how personal data is deleted.
• Children: start thinking about what systems you are going to put in place to gather parental or guardian consent for the data processing activity.
• Subject access requests: update your procedures, plan how you will handle requests within the new timescales and provide any additional information.
• Data breaches: ensure you have the right procedures in place to detect, report and investigate a personal data breach.
• Data protection by design and data protection impact assessments: consider when to begin implementing Privacy Impact Assessments at your school.
• Data Protection Officers: designate a data protection officer or an individual to take responsibility for data protection compliance.
• Training: for all new staff, plus regular and refresher training for existing staff.
• International considerations: consider the implications for those organisations with international operations.

Data in your setting
Data held or collected by the school: information assets

Pupil data (within MIS)
• Pupil records
• Safeguarding / Child Protection data
• SEN
• EAL
• Exclusion, behaviour
• Reports
• Examination results / Statutory Assessments
• Attendance registers
• Student photos

Staff data (within MIS)
• Staff Personal File
• Performance / CPD data
• Staff absence data
• Staff photos

Other Personnel Data
• Recruitment records for new headteacher
• Recruitment of new staff
• DBS / vetting checks
• Appraisal / CPD data
• Disciplinary and grievance records
• Allegation of a child protection matter
• Malicious allegation of a child protection matter
• Health and safety assessments
• Health and safety accident reports
• Admissions papers (successful or unsuccessful)
• Student medical records and reports
• Student social service records and reports

Financial matters
• Annual accounts
• Purchase Orders, Invoices, Payments
• Records around budget management
• Asset management
• School Fund
• FSM* (free school meals) registers
• School meals registers
• Records relating to school lettings
• Records relating to school maintenance

Access control / passwords* into systems
• Authorise data access / Nominated Contacts
• Password to DfE or LA systems
• Network administration / password lists
• USO password information
• Email management
• Web filtering management
• School website administration
• Social media platforms, e.g. Twitter
• Learning Platform password information

Communications
• Information added to website
• Information added to social media
• Learning Platform content
• Parental messaging system correspondence
• Student photos* (not required for pupil record)
• Staff photos* (not required for Personal record)

Other T&L potentially sensitive material
• Early Years assessments (not in core MIS)
• Student reports (not in core MIS)
• Student assessments (not in core MIS)
• Third Party comparative performance data

Governors' documents with sensitive content
• Governors' standard published meeting documents
• Reports presented to Governors meeting
• Annual governors reports
• Annual parents' meeting papers
• Policies and plans administered by Governing body

Other operational potentially sensitive material
• USO School Open Check
• Back-up media (where on site)
• Back-up media in Cloud
• Emergency mobile phone loaded with data
• CCTV saved footage
• Visitor signing-in book / management system
• Biometric system - registration
• Biometric system - other
• Newsletters and information with a short operational life

Data Audit log
Task: using the data log,
• identify the people responsible for data in your setting
• for the child records, identify who can access the information
• for the child records, identify where they are stored
• for the child records, identify any that are shared
• for communications data, identify which data you need consent for, and discuss how you will do this
• identify any other systems/apps that process your data
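The audit-log task above is easier to keep honest if the log is a register that can be checked rather than a spreadsheet that is filled in once. The following is an added example, not from the original slides or from Schools ICT: it models a row of the data audit log and runs the checks the task implies (responsible person, who can access, retention, sharing, consent for child data, and Article 28 contract terms for anything shared externally). Every asset, owner, system and retention period in it is constructed sample data, not a real setting's register.

```python
"""Data audit log as a checkable register (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# The six lawful bases listed on the "Lawful Basis for Data Processing" slide.
LAWFUL_BASES = {"consent", "contract", "legal obligation",
                "legitimate interests", "public task", "vital interests"}


@dataclass
class Asset:
    name: str
    owner: str                       # person responsible for this data
    stored_in: str                   # system or physical location
    access: List[str]                # roles or people who can read it
    lawful_basis: str                # one of LAWFUL_BASES, "" if undecided
    retention_years: Optional[int]   # documented retention, None if none
    oldest_record: date              # start of the retention clock
    shared_with: List[str] = field(default_factory=list)  # external recipients
    processor_contract: bool = False  # Article 28 terms agreed with recipients
    child_data: bool = False          # relates to pupils


def audit(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Return (asset name, finding) pairs; an empty list means no gaps found."""
    findings = []
    for a in assets:
        if not a.owner:
            findings.append((a.name, "no responsible person named"))
        if not a.access:
            findings.append((a.name, "access not documented"))
        if a.lawful_basis not in LAWFUL_BASES:
            findings.append((a.name, "lawful basis not decided"))
        if a.retention_years is None:
            findings.append((a.name, "no retention schedule"))
        elif today > a.oldest_record + timedelta(days=365 * a.retention_years):
            findings.append((a.name, "retention period exceeded, review for deletion"))
        if a.shared_with and not a.processor_contract:
            findings.append((a.name, "shared with " + ", ".join(a.shared_with)
                             + " without Article 28 contract"))
        if a.lawful_basis == "consent" and a.child_data:
            findings.append((a.name, "consent for child data: record who gave it "
                                     "and verify age / parental responsibility"))
    return findings


# Constructed sample rows; the systems, people and periods are hypothetical.
SAMPLE_ASSETS = [
    Asset("Pupil records", "Office manager", "MIS", ["office", "SLT"],
          "public task", 25, date(2000, 9, 1)),
    Asset("Student photos on website", "Headteacher", "school website",
          ["website admin"], "consent", 1, date(2017, 9, 1),
          shared_with=["website host"], child_data=True),
    Asset("Staff absence data", "", "MIS", ["HR"], "contract", None,
          date(2015, 1, 1)),
    Asset("CCTV saved footage", "Site manager", "DVR in office", [],
          "", None, date(2018, 2, 1)),
]


def run_sample(today_iso: str = "2018-05-25") -> List[Tuple[str, str]]:
    """Audit the sample register as of the given date (ISO format)."""
    return audit(SAMPLE_ASSETS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```

Running it as of 25 May 2018 reports nothing for the pupil records and seven gaps across the other three rows; re-running with a later date flags the photos once their one-year retention has lapsed, which is the check that a one-off spreadsheet never makes.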

Privacy Notices
• Should be provided at the point of collection of the data, explaining:
• Source of the data
• Who will receive it
• The intended purposes of the processing and the legal basis for the processing
• The period for which data will be stored
• The existence of the data subject rights
• The rights to object, withdraw and complain
• If relying on the legitimate interests basis, what the legitimate interests are
• Ensure the notice can be understood by the data subject, e.g. pupils (over 13)
• The DfE have updated their template privacy notice for children and we have incorporated some (but not all) of it into our template

Privacy Notices
Task: using the Privacy Notice template,
• review the examples of why the setting collects information
• review the section on who you share information with
• feed back on anything that should be widely included or omitted

Subject Access Requests
• No fee under the GDPR (currently £10 under the 1998 Act; some scope to charge for further copies*)
• One month to comply (some scope to extend)
• What will you do if you receive a request over the holidays?
• Watch out for an overlap with the Freedom of Information Act 2000
• Volume: where a large volume of data is held, you may ask the data subject to specify precisely what the request relates to
• * You may charge a fee or refuse to act if the request is "manifestly unfounded or excessive" (Article 12)

Contract Review
GDPR Article 28: "…the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject."
Only use processors that comply with GDPR and can prove it.

Findings from ICO advisory visits to nurseries, February 2018
• Bespoke data protection training was not in place for staff.
• Processes for reporting and investigating security incidents involving personal data were not documented.
• A process for dealing with subject access requests was not documented.
• A documented retention schedule for personal data was not always in place.
• USB sticks and laptops were not always encrypted, and in nurseries where USB sticks were not used, USB ports were not always locked down.
• Staff often shared login information and passwords, rather than having their own individual profile for electronic case management systems and other applications.
• It was unknown whether anti-virus and firewall protection was always kept up to date.
• Passwords on electronic devices tended to be weak and were not changed regularly enough.
• Where remote or home working was permitted, there was no documented policy or procedure to advise staff of their obligations for personal data.
• Where third party organisations were used for services such as record disposal, hardware disposal and IT services, contracts were not in place, or it was unclear whether these contracts included appropriate security clauses to protect the personal information that was accessed.
• Where a fingerprint entry system was used to allow access to the setting, it was not always clear whether appropriate storage and retention periods were applied to this information.

Data breaches
• Losing data
• Sending it to the wrong person
• Unauthorised people accessing it
• Emailing it over unencrypted email
• Applies to electronic and paper copies of data
• Serious breaches must be reported to the ICO within 72 hours of becoming aware of them
• Loss of properly encrypted data (e.g. an encrypted memory stick) where the key or password has not also been compromised is unlikely to result in a risk to individuals and may not need to be reported

Data breach notification
• Notification depends upon risk
• Three categories: no risk; risk; high risk
• High risk: "if unaddressed, such a breach is likely to have a significant detrimental effect on individuals"
• Notification must be sent to the ICO without undue delay and normally within 72 hours after discovery of the breach, where that is feasible
• Notify the data subjects if a breach is likely to result in a high risk to the rights and freedoms of individuals
• Data breach systems need to be robust, rehearsed and regularly reviewed
• Maintain an internal breach register
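To make the notification rules above rehearsable, here is an added example (not from the original deck or from Schools ICT) that encodes them as a triage step: every breach goes in the internal register; the ICO is told within 72 hours of becoming aware where the breach is likely to result in a risk; individuals are also told where the risk is high; and data that was encrypted, with the key or password not lost alongside it, is treated as no risk. Treating safeguarding, medical, social-services and SEN data as automatically high risk is this example's own assumption, not a rule the slides state, and all three breach records are constructed.

```python
"""Breach triage against the notification rules on the slides (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Set

ICO_DEADLINE = timedelta(hours=72)   # from becoming aware, not from the breach
# Assumption of this example: a breach involving these categories is high risk.
HIGH_RISK_CATEGORIES = {"safeguarding", "medical", "social services", "SEN"}


@dataclass
class Breach:
    ref: str
    aware_at: datetime             # when the setting became aware of the breach
    categories: Set[str]           # kinds of personal data involved
    encrypted: bool = False        # data was encrypted (device, file or email)
    key_compromised: bool = False  # key or password lost along with the data


def classify(b: Breach) -> str:
    """Return 'no risk', 'risk' or 'high risk'."""
    if b.encrypted and not b.key_compromised:
        return "no risk"           # unreadable to whoever now holds it
    if b.categories & HIGH_RISK_CATEGORIES:
        return "high risk"
    return "risk"


def triage(b: Breach, now: datetime) -> Dict[str, object]:
    """Decide who must be told, by when, and whether that deadline has passed."""
    level = classify(b)
    deadline = b.aware_at + ICO_DEADLINE
    return {
        "ref": b.ref,
        "level": level,
        "log_internally": True,                 # always, whatever the level
        "notify_ico": level != "no risk",
        "notify_subjects": level == "high risk",
        "ico_deadline": deadline.isoformat(),
        "hours_remaining": round((deadline - now) / timedelta(hours=1), 1),
        "overdue": level != "no risk" and now > deadline,
    }


# Constructed sample breaches (hypothetical incidents).
SAMPLE_BREACHES = [
    # encrypted USB stick lost; password was not written on it
    Breach("B1", datetime(2018, 5, 28, 9, 0), {"pupil records"}, encrypted=True),
    # encrypted laptop lost with its password on a sticky note in the bag
    Breach("B2", datetime(2018, 5, 28, 9, 0), {"pupil records"},
           encrypted=True, key_compromised=True),
    # safeguarding report emailed to the wrong parent, Friday before a bank holiday
    Breach("B3", datetime(2018, 5, 25, 17, 0), {"safeguarding"}),
]


def run_sample(now_iso: str = "2018-05-29T10:00") -> Dict[str, Dict[str, object]]:
    """Triage the sample breaches as of the given time (ISO format)."""
    now = datetime.fromisoformat(now_iso)
    return {b.ref: triage(b, now) for b in SAMPLE_BREACHES}


if __name__ == "__main__":
    for ref, result in run_sample().items():
        print(ref, result)
```

The third record is the "over the holidays" case the subject access slide raises: becoming aware at 17:00 on Friday 25 May 2018 puts the 72-hour deadline at 17:00 on the Monday bank holiday, so a setting that only looks at it on Tuesday morning is already overdue.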

The Data Protection Officer
• Public authorities (to be defined) must appoint a DPO
• This is a statutory position
• Can be shared across settings
• Must be impartial, report to the board/manager and have no conflicts of interest
• Takes an advisory and monitoring role
• Guides your setting to compliance
• Leads on any data breach process

Action Plan
Requirement: Activity
• Raise awareness & provide training: ensure all staff and governors are aware of the changes. Arrange training for staff to ensure their understanding of the requirements of the GDPR; this is an ongoing requirement.
• Know what data you use and how you use it: map your data fully using the data audit log.
• Privacy by Design: review your data and ensure that your privacy notices and other policies align (e.g. consent, PIA, AUPs).
• Data Security & Incident Management: have a robust policy and processes to keep your data secure, and a process for investigating, managing and reporting any security incidents.
• Roles & Responsibility: appoint a Data Protection Officer.

Further help & guidance
• GDPR full text: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• ICO data protection for the education sector: https://ico.org.uk/for-organisations/education/
• DfE GDPR guidance for schools: https://www.youtube.com/watch?v=y09IHXv6u6M
• Wandsworth Info for Schools: https://wandsworthpublic.sharepoint.com/info4schools/SitePages/Data%20Protection%20Act%20and%20Freedom%20of%20Information.aspx