Information Compliance Presented by the Information Compliance Team
Topics for Discussion
• Data Protection and the applied General Data Protection Regulation (GDPR)
• Freedom of Information (FOI) & the Environmental Information Regulations (EIR)
• Information Security
• Records Management
Data Protection
Data Protection
• Applies to the processing of personal data about a living, identifiable individual
• Privacy: an individual (the data subject) has the right to privacy, which places responsibility on the data controller (UoN) when processing personal data
• Processing means doing anything with the data, e.g. storing, deleting or using it
• Two classes of data:
  • Personal information
  • Special category information
Personal Information (examples)
• Name
• Address
• Phone number
• Email
• Photo
• Gender
• Marital status
• Shoe size
• Exam results
• Passport number
• NI number
• Bank A/C no.
• Salary
• Online identifiers
Personal Data – Conditions for Processing
• Data subject has given consent
• Performance of a contract
• Compliance with a legal obligation
• To protect the vital interests of the data subject or of another natural person
• Performance of a task carried out in the public interest, or in the exercise of official authority
• Legitimate interests
Special Category Data
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data
• Health
• Sex life
• Sexual orientation
• Criminal convictions *
* Criminal convictions data is not Special Category Data, but must be treated differently from ordinary personal data.
Special Category Data
These have their own section in the GDPR and the DPA 2018. This means you must either:
• process the data in an official capacity; or
• meet a specific condition in Schedule 1 of the Data Protection Act 2018, and comply with the additional safeguards set out in that Act.
Even if you have a condition for processing criminal offence data, you can only keep a comprehensive register of criminal convictions if you are doing so in an official capacity.
Special Category Data – Additional Processing Conditions
• Explicit consent
• Employment
• Vital interests
• Made public by the data subject
• The establishment, exercise or defence of legal claims
• Substantial public interest
• Preventive or occupational medicine
• Public interest in the area of public health
• Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes
Data Subjects’ Rights
• The right to be informed
• The right of access (Subject Access Request)
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling
• The right to withdraw consent at any time (where relevant)
• The right to complain to the Information Commissioner
Principles of Processing, Art 5 GDPR
• Processed fairly, lawfully and transparently
• Processed for specified, explicit and legitimate purposes
• Adequate, relevant and not excessive for the purposes of processing
• Accurate and, where necessary, kept up to date
• Not kept for longer than necessary where data subjects are identifiable
• Processed to ensure adequate security using technical or organisational measures
Data Protection by Design
GDPR requires those who process personal data to protect the privacy of data subjects. In practice this means we have to consider the rights of the individual(s) whenever we process personal data. This means:
• We have to ensure privacy notices tell people what we are doing with their information and the lawful basis for doing so
• We must undertake Data Protection Impact Assessments (DPIAs) when starting new projects involving personal data, or making changes to technology which may affect personal data
• Any data breach which could have a serious impact must be reported within 72 hours to the regulator (the Information Commissioner’s Office, ICO)
FOI & EIR
FOI & EIR
• Gives people the right of access to information held by public authorities, subject to any legal exemptions/exceptions which would prevent disclosure
• Anyone can make a request for information as long as they give a name and an address to respond to (email or postal)
• They do not have to give a reason why they want the information
• They do not have to quote the relevant legislation; it is up to everyone to recognise a request
• Rule of thumb: if it is not business as usual (BAU), consider whether it may be an FOI or EIR request
Environmental Information Regulations – Definition
Environmental information means information on:
(a) the state of the elements of the environment, such as air and atmosphere, water, soil, landscape and natural sites including wetlands, coastal and marine areas, biological diversity and its components, including genetically modified organisms, and the interaction among these elements;
(b) factors, such as substances, energy, noise, radiation or waste, including radioactive waste, emissions, discharges and other releases into the environment, affecting or likely to affect the elements of the environment referred to in (a);
(c) measures (including administrative measures), such as policies, legislation, plans, programmes, environmental agreements, and activities affecting or likely to affect the elements and factors referred to in (a) and (b), as well as measures or activities designed to protect those elements;
(d) reports on the implementation of environmental legislation;
(e) cost-benefit and other economic analyses and assumptions used within the framework of the measures and activities referred to in (c); and
(f) the state of human health and safety, including the contamination of the food chain, where relevant, conditions of human life, cultural sites and built structures inasmuch as they are or may be affected by the state of the elements of the environment referred to in (a) or, through those elements, by any of the matters referred to in (b) and (c).
FOI Overview
• If a request does not fall under the EIR definition and is not a request for access to the applicant’s own personal data, then it is FOI
• In either case we have 20 working days to provide the information. This differs from Subject Access, which is one calendar month
• In some cases we can extend the timescale if we are considering the use of an exemption and have to consider the public interest test (PIT)
• All requests need to be logged centrally with the Information Compliance Team (ICT), but you may be asked to help provide information or to express any concerns about disclosure. The ICT will respond to the request and handle any subsequent internal review
Commonly-Used FOI Exemptions
In some cases we may not disclose information, for various reasons. There are two types of exemption: absolute and qualified. If an exemption is qualified, we have to consider the PIT. The most common exemptions used here are:
• Information not held: if we don’t hold the information we can’t give it. We are not obliged to create information in order to disclose it
• Section 21 – Information reasonably accessible by other means, e.g. it is already in the public domain and we can point to where it is
• Section 22 – Information intended for future publication: if we intend to publish the information at any point in the future we can refuse to disclose it, although we should consider whether we can disclose it before the publication date
• Section 40 – Personal data (of someone other than the applicant, where it is not reasonable to disclose). This could be someone’s name, ethnicity, salary, etc.
• Section 41 – Information provided in confidence: if the information was given to us in confidence (i.e. if we disclosed it we could be taken to court for a breach of confidence) then we can refuse it
• Section 43 – Commercial interests: often used for contract information where disclosure could put at risk either a company’s or the UoN’s commercial position in procuring or supplying goods
Information Security
Information Security
The security of the UoN’s information should be paramount to everyone. This doesn’t just mean the safety of hardware, but also how you use information. The majority of data breaches are down to human error. Whilst none of us are infallible, we must take responsibility for how we use information in our day-to-day roles.
Using Office 365 we can create, store and share information internally and externally; not sending emails with attachments, and limiting access to only those who need it, reduces the risk of a data breach. Further information on Office 365 can be found here: https://uniofnottm.sharepoint.com/sites/Office365
Good Practice
• Think before you send: are you sending it in the safest way? Have you restricted access to the recipients, or put a time limit on access?
• Is it going to the correct person(s)? Have you completed the Bcc field rather than the To field, or checked the postal address?
• Is it going internally or externally?
• Do you really need to send it? Could you speak in person or by telephone?
• Are you using a third party to process the data? There are rules and guidance on this, including due diligence checks
• Have you undertaken a DPIA?
Common Data Breaches
• Emails sent to the wrong recipient(s), or failing to Bcc recipients
• Forwarding emails without reviewing the content of the trail
• Agents uploading the wrong information to student records
• Loss of DBS forms through not having proper processes in place
• Sending personal data by post to the wrong recipient
• Email auto-complete: switch it off, or clear it on a regular basis
Breach Investigations
• Inform the Information Compliance Team ASAP
• Discover what happened
• Minimise the impact on affected parties
• Minimise the impact on the UoN
• Inform relevant parties
• Learn lessons; consider compensation
Penalties
• The ICO can issue a monetary fine; this could be the standard minimum (up to 2% of total worldwide turnover) or the higher maximum (up to 4%)
• An assessment can be ordered on processes and procedures
• An enforcement notice can be issued: this can restrict processing and enforce changes
• The ICO has powers to inspect and access without notification
• There is an appeals process
• Reputational damage
• Recent cases include British Airways and the Marriott Hotel Group
Records Management
Records Management
• The UoN retention schedule is currently being revised, but the existing one can be found on the website as a general guide
• There is often a standard retention period for certain types of information, e.g. finance = 6 years; asbestos information = 40 years
• In accordance with principle 5 of the DPA we should only store data for as long as it is needed. This means we should not keep it indefinitely, only for the business purpose plus any review period afterwards, or in accordance with the recommended timescales defined by legislation
• Emails should be retained only for specific timescales, e.g. 90 days for deleted items and 180 days for sent items. If you need to retain them for longer, save them as a record and file them in your OneDrive or team area
• JISC updated the model records retention guide for HE in 2019; useful for statutory guidance, but too granular overall. Speak to the team!
Benefits of Good Practice
• Being able to retrieve the information quickly
• By storing it in O365 and/or SharePoint, other people can access it if required
• Compliance with Data Protection
• Being able to provide the information if requested under EIR/FOI/Subject Access
• Being able to confirm that the information is not held, if it was disposed of in accordance with the retention schedule
What Can You Do?
• Seek advice from the ICT on specific projects or in general
• Visit our workspace for guidance and templates
• Ensure you and your colleagues are not retaining information for longer than is required. Introduce best practice now. Start managing your information
• Ensure that all data breaches are recorded on the breach reporting form
• ASK: if you are unsure about anything in respect of personal data, contact us for advice. Don’t leave it to somebody else
Contacts and Links
• General data protection advice – dataprotection@Nottingham.ac.uk
• FOI/EIR – freedom-ofinformation@Nottingham.ac.uk
• Subject Access Requests (SAR) – dataprotection@Nottingham.ac.uk
Info Compliance Team
• Sara Smith – Head of Information Compliance
• Chris Manise / Fraser Marshall – Senior Information Compliance Officers
• Catherine Allin – Information Compliance & Quality Officer
• Karen Page – Information Compliance Officer