3. The Data Protection Act 1998
• The Data Protection Act 1998 came into force in March
2001, replacing the Data Protection Act 1984.
• The EU Data Protection Directive (also known as Directive
95/46/EC) is a directive adopted by the European Union
designed to protect the privacy and protection of all
personal data collected for or about citizens of the EU,
especially as it relates to processing, using, or exchanging
such data.
• The Data Protection Act is how the UK implements the
European Directive.
4. The aims of the Data Protection Act
• Anyone who processes personal information must comply
with the eight principles
• It provides individuals with important rights, including the
right to find out what personal information is held about
them
5. The eight data protection principles
Information must be:
• Fairly and lawfully processed
• Processed for specified purposes
• Adequate, relevant and not excessive
• Accurate and up-to-date
• Not kept for longer than is necessary
• Processed in line with individuals’ rights
• Secure
• Not transferred outline the European Economic Area without
adequate protection
6. Individual rights
• Right of access – individuals have a right to know what
information organisations hold about them on a computer or
in certain filing systems.
• Individuals can submit a Subject Access Request to see or
have a copy of this information.
7. Freedom of Information Act 2000
• An Act to make provision for the disclosure of information
held by public authorities or by persons providing services
for them and to amend the Data Protection Act 1998 and
the Public Records Act 1958; and for connected purposes
8. Right of access
•What? Anything
•Who? Anybody
•Where from? Anywhere
•Why? None of your business
•FoIA assumes information will be disclosed
12. Impact levels
Example data types
Impact Level
IL4 Confidential
IL3 Restricted
or
NHS
Confidential
IL2 Protect
IL1/ IL0
eGIF requirements
Aggregated reports
Registration
level
Authentication
requirements
•
•
•
•
Level Three ID
verification with
vetting and
'need to know'
measures
Physical/ personal/
procedural
protection with
appropriate
authorisation
• School MIS
• Teacher access to
learning platform/ portals
• Special educational
needs (with no IL 4 data
elements)
• Pupil characteristic
• Contact point
• Health records
• General student data
• Learning platforms/
portals
Level Two ID
vetting and
'need to know'
measures
IAO approval
Mandatory twofactor user ID,
password and
token
Internet/virtual
private network
(VPN) and token
Level One
basic ID
verification
User ID and
password
• Google search
• BBC News
Anonymous
Authentication not
required
National Pupil Database
Looked-after children
Witness protection
SEN IL4 data elements
Example
networks
External access
Gov PC
Internet
to www
café
PDA
Home Gov
PC LAN
Bootable
USB
Wi-fi
3G card
Bluetooth
Y1
N
N
Y2
N
N
N
Y3
N3
GSI
GCSx
CJX
Y
N
Y4
Y5
Encrypted
internet
VPN
Y6
Y7
N
Y8
Y1
N
Y
Y
Y
Y
Y2
Y
Y
Y
GSi
CJX
Internet
Any
13. Data encryption
Becta guidance states
“Users may not copy or remove sensitive or personal data
from the school or authorised premises unless the media is
encrypted and is transported securely for storage in a secure
location”
What does that mean to us?
•Change in the way USB sticks are used
•Not just USB. Additional encryption when accessing
information across the internet