A brief introduction to Data Protection Act and keeping personal information secure. North Glasgow College, 18 June 2013

1. Protecting personal
information

2. Overview
• To understand key terms and principles
of the Data Protection Act (DPA)
• Understand types of information
personal/sensitive
• How an organisation can comply with
the DPA

3. Intro to Data Protection Act
• Established 1998 to safe guard
personal data
• Framework for how organisations can
collect and use personal data
• Personal data means data which relates
to a living individual who can be
identified:
– From those data
– From those data and other information in
the possession of the data controller

4. Eight Principles of DPA
1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate and up to date
5. kept for no longer than is necessary
6. processed in line with the date subjects’
rights
7. secure
8. not transferred to other countries without
adequate protection
Anyone who processes personal information must comply
with eight principles, which make sure that personal
information is:

5. Types of information I
– Names,
addresses,
– Birth details,
– Contact details,
– Age, gender
– NI number,
– Marital history,
partnerships
– Travel details,
leisure activities,
membership of
organisations,
– Employment
details
– Finance details

6. Types of information II
• Sensitive
– Mental or physical health
– Racial or ethnic origin
– Political opinions
– Religious or related beliefs
– Trade union membership
– Sexual life
– Criminal convictions
– Offences, including alleged
http://www.ico.gov.uk/for_organisations/data_pro

7. Data Protection and FE
• Data protection is important to FE and HE
institutions
– collect, process and use the data of
individuals such as students, staff,
alumni and enquirers for various
purposes.
Specific guidance for education sector:
http://www.ico.gov.uk/for_organisations/sector_guides/
examination records
expected requirements under FOI(S)A

8. Roles within the DPA
• Data controller: determines the
purposes for which and the manner in
which personal data are to be
processed
• Data Processor: person who processes
the data on behalf of the data controller
• Data Subject: an individual who is the
subject of personal data

9. Who’s responsible!
• North Glasgow College is the data
controller
• Data controllers must register with the
Information Commissioner’s Office
(ICO)
http://www.ico.gov.uk/what_we_cover/registe
• S.4 (4) of the DPA: ultimate
responsibility for adhering to the Act
lies with the ‘Data Controller’.

10. Information Commissioner’s Office
(ICO)
• independent public body set up to
uphold information rights in the public
interest, promoting openness by public
bodies and data privacy for individuals
http://www.ico.gov.uk/for_organisations/da
• Also a Scottish Information Commission
but ICO has specific regulatory
responsibility for DPA

11. £500,000

12. £150,000
7 June 2013
Issued to Glasgow City Council the
loss of two unencrypted laptops,
one of which contained the personal
information of 20,143 people.

13. 24 January 2013
Sony PlayStation Network Platform was
hacked in April 2011, compromising the
personal information of millions of
customers, including their names,
addresses, email addresses, dates of
birth and account passwords. Customers’
payment card details were also at risk.
£250,000

14. £250,000
11 September 2012
Issued to Scottish Borders Council after
former employees’ pension records were
found in an over-filled paper recycle bank
in a supermarket car park.
All monetary penalties and decisions by
the ICO can be viewed at:
http://www.ico.gov.uk/enforcement/fines.aspx

15. Data Day Hygiene
http://www.youtube.com/watch?v=CdYW

16. Scenario one
A new admin assistant was asked to fax a child protection report to
a solicitors. The report contained extensive sensitive personal
data about the child, and a number of her family relations.
The law firm was a regular contact, but had recently changed its fax
number. The admin assistant used the contact list to find the
number. The new number had been handwritten over the previous
number.
The following day the law firm called to say it had not received the
faxed report. On checking what had happened, the admin
assistant had misread a number on the new fax contact number.
Identify and discuss any data
protection issues in this incident

17. Scenario two
An HR worker asked an administrator to send some documents to her
work email address so that she could work on them at home.
The documents included a spread sheet listing a number of her clients,
their names and addresses and contact time. Additional information
included descriptors of their physical and mental health problems. The
spread sheet also contained notes relating to family members.
The administrator attempted to email the social worker but there were
problems with the organisations email system. The social worker asked
the administrator to email her personal email instead, and she would
then transfer the documents from her home computer.
The administrator emailed the documents to the social worker’s personal
email. Later in the evening, the social worker checked her email but the
documents had not been received. On checking with the administrator, it
transpired that the email address had been taken down incorrectly.
• Identify and discuss any data protection
issues in this incident

18. Scenario three
• The organisation operates a number of services in conjunction with a range of
voluntary agencies. One of the services is an outreach centre for young
people. The outreach workers and social workers will routinely share
information about the users of the service. The people who use the centre will
typically only frequent it for 3 to 6 months before moving on.
• The outreach centre has three desktop computers. One of these is used to
send and store the reports for the council. That computer, and the relevant
folders are password protected. The password is XYZ123 and has never been
updated. It is pinned on the inside of a drawer in the office.
• The centre also keeps information for its own purposes, which might include
details of disruptive attendees and notes about their external associates. This
information is kept on all three computers.
•
• The centre is broken into and the three desktop computers are stolen. During
the council’s investigation, the centre informs the investigating officer that
reports had not been deleted from their computers for at least the past five
years.
• Identify and discuss any data protection
issues in this incident

19. Scenario one - issues• Fax breach – security of sensitive personal data sent by fax:
• No phone ahead fax policy; No checking policy to make sure faxes are
received by the intended recipients; pre-programmed fax numbers, no
evidence of an appointed person responsible for checking or updating fax
numbers;
• No fax cover sheet mentioned;
• The data controller should have been aware of the risks associated with
faxing sensitive personal data, as the risks have been previously well
publicised by the ICO;
• No evidence that other methods had been considered for transmitting
sensitive personal data;
• Higher risk of error with hand written fax contact list of numbers;
• Had the administration assistant involved with this breach received data
protection training?
• Should a relatively new member of staff have been entrusted with faxing
sensitive personal data, is it reasonable to assume this task requires a
certain level of experience and responsibility?

20. Scenario two - issues
• Email breach – security of sensitive personal data sent by email, also third
data protection principle
• No clear email security policy;
• No mention of a contractual agreement between the council and the
outsourced third party finance provider;
• Potential contravention of the third data protection principle, excessive and
irrelevant amount of information going to finance department;
• Potential contravention of the third and seventh data protection principles,
irrelevant personal data being sent by insecure email to a third party
finance provider;
• Administrator should not have emailed spreadsheets to a personal email
address, without first checking data security protocols, or using encryption;
• No cross checking of personal email address to ensure accuracy;
• The council’s home working policy is vague about the security and storage
of personal data when working from home.

21. Scenario three - issues
• Theft of data – organisational and technical security of personal data, also fifth
data protection principle, retention of personal data
• No evidence that a data sharing agreement was in place between the council and
the outreach centre
• Potential contravention of the fifth data protection principle, reports kept for 5
years, when people who use the centre generally only attend for 3-6 months;
• Password to computer storing reports shouldn’t have been kept in a drawer and
should have demonstrated a higher degree of complexity (alphanumerical, upper
and lower case, symbols etc), the password should also have been changed on a
regular basis;
• Lack of technical security x2 desktop computers storing personal data not
password protected, (there is generally no obligation to encrypt desktop
computers);
• What physical security measures were in place at the outreach centre?
• What DPA training would voluntary outreach workers have undertaken and were
such volunteers vetted by the council – how did the council satisfy themselves
about this?
• This breach could involve sensitive personal data as defined by section 2 of the

22. Ensure your compliant
• Governance
• Policy and guidance, risk register, impact levels,
protective marking
• Training
• protecting information course, knowing where to get
help and advice on DPA
• Records management
• retention schedules, disposal records, information asset
register
• Security of personal data
• mobile devices, physical security of manual records,
owner/responsibility, incident reporting/third party
contracts
• Dealing with requests
• Owner/responsibility, log of incidents,
monitoring/redaction, data sharing agreements, SAR
log

23. Governance
• Policies and procedures ( data
protection, information security, email
policies, portable devices)
• Measure and impact, risk register
– http://www.nationalarchives.gov.uk/documents

24. Assessing the risk to personal
information
• Identify the risk
• Treat the risk
• Monitor and review
• review what personal data is held
(privacy impact assessment)
• Apply security measures for physical or
electronic assets
• Create an information asset register

25. The right of access to
personal data
• individual can send you a subject
access request (SAR) requiring you to
tell them about the personal information
you hold about them, and to provide
them with a copy of that information.
• In most cases you must respond to a
valid subject access request within 40
calendar days of receiving it.
• Example of a SAR form

26. Requests for personal data
• owner / procedure
• record and log requests
• redaction
• Exemptions
http://www.ico.gov.uk/for_organisations/data
• data sharing agreements

27. Training and awareness
http://www.ico.gov.uk/Global/think_privacy_t
x
Protecting Personal Information course

28. Records Management
• roles and responsibilities
• retention schedules
• indexing/tracking records
• destruction/disposition

29. Retention for SARs
Record of subject
access request
Initial request,
response, related
correspondence
and other
supporting
documentation
Completion of
request + 3 years
Statutory Destroy
Record of subject
access request
where appeal
made to UK
Information
Commissioner
Initial request,
response, appeal
records, related
correspondence
and other
supporting
documentation
Outcome of
appeal + 6 years
Statutory Destroy
General
compliance
records
Files re DP audit,
general
compliance, data
breaches, security
training etc
Current year + 3 Business req Destroy
Notification and
changes
Current year + 3 Statutory Destroy

30. Security Measures
http://www.ico.gov.uk/for_organisations/data_
https://www.getsafeonline.org/video/
https://www.getsafeonline.org/businesses/

31. Security measures
• owner/responsibility (North Glasgow
College Data Protection policy)
• physical security of manual records
• network security and access permissions
• mobile devices
• security incident log
• remote working risk assessment
http://www.reading.ac.uk/internal/imps/D
ataProtection/DataProtectionGuidelines/i
mps-d-p-encryption-remote-working.aspx

32. How the ICO can help
http://www.ico.gov.uk/what_we_cover/au
dits_advisory_visits_and_self_assessmen
ts.aspx
http://www.ico.gov.uk/~/media/document
s/library/data_protection/detailed_specia
list_guides/personal_information_online_
cop.pdf

33. Ensure that…
• only collect information that you need
for a specific purpose;
• keep it secure;
• ensure it is relevant and up to date;
• only hold as much as you need, and
only for as long as you need it; and
• allow the subject of the information to
see it on request.
• ensure all staff are aware of their
responsibility

34. Keep Safe!
http://www.bbc.co.uk/learningzone/clips/
5594.html

35. Thank you
Penny Robertson
twitter.com/@PennyRobertson
penny.robertson@rsc-scotland.ac.uk
Jisc RSC Scotland
http://jiscrsc.ac.uk/scotland

36. North Glasgow College
Civil Service Learning / Protecting
Information course
Level 1: provides useful information and
advice to help you protect and share
information safely and appropriately.
Approx.: 45 minutes to complete
https://north-gla.blackboard.com/