How To Understand The Data Protection Act

Data Protection in Schools

Ian Gover

Education Technology Adviser Somerset LA

© All materials are copyright or licensed and cannot be used without permission

Day supported by

Slides: http://el.im/weictdp Links: http://eli.im/weictdplinks

WEict - Conference on 2nd July at UWE Twitter Feed #weict15

Angie Mason - Learning Exchange Val Hurley - e-safety consultant

Objectives

Delegates will:

• learn about the Data Protection Act and how it affects their school

• explore the challenges that face schools now and in the future especially in regard to cloud services and mobile devices

• learn how they can deal with Freedom of Information requests and Subject Access Requests

• explore the schools statutory obligations regarding the protection of data

• begin to develop policies and procedures to support Data Protection and Information Security throughout a school

• explore the training requirements needed for all staff

Timing of the day

9.10 Arrival and registration 9.30 Introduction

9.40 What is the Data Protection Act and how does it affect Schools?

10.40 Group Discussion – What do I understand? Where is my school?

11.00 Coffee

11.20 Freedom of Information and Subject Access requests – policy to practice

12.20 The trouble with tablets, cloud services and emails 1.00 Lunch

1.45 Scenarios - looking at some solutions

2.30 Training for all - what resources are there for schools 3.00 Policies and Procedures – a practical session

4.00 Plenary 4.20 Finish

Introducing myself...

Activity

Activity Answers

1. What does ICO stand for? Information Commissioner’s Office

2. How many data principles are there? Eight

3. What is encryption? Encryption means to scramble data in such a way that only someone with the secret code or key can read it.

4. How often should you change your password? Advice differs but every 60 -90 days is a general rule, more often for administrators of systems. More

importantly is having a strong password of at least 8 digits long with a mixture of upper/lower case, numbers and characters.

Activity Answers

5. What is FoI? Freedom of Information

6. What is a Privacy Notice? A Privacy Notice is a statement required by law that is issued to parents and staff about the way the school their your information.

7. What is personal data? Personal data means data which relate to a living individual that can be identified that if lost or mislaid could cause harm or distress.

8. What is sensitive personal data? Sensitive Personal Data consists of personal data that includes information of racial or ethnic origin political opinions, religious beliefs or similar, membership of Trade Unions, physical or mental health

condition, sexual life, commission or alleged commission of any offence, any proceedings or sentencing of an offence or alleged offence.

Dippy vs Elmer

Dippy the DP duck - representing effective and manageable security

practice in schools

Elmer Fud Duck - representing Fear, Uncertainty and Doubt

The Data Protection Act

The Data Protection Act 1998 (DPA) is an Act of Parliament of the United Kingdom of Great Britain and Northern Ireland which defines UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. Although the Act itself does not mention privacy, it was enacted to bring British law into line with the EU data protection directive of 1995 which required Member States to protect people's fundamental rights and freedoms and in particular their right to

privacy with respect to the processing of personal data. In practice it provides a way for individuals to control information about

themselves. Most of the Act does not apply to domestic use, for example keeping a personal address book. Anyone holding personal data for other purposes is legally obliged to comply with this Act, subject to some exemptions. The Act defines eight data protection principles. It also requires companies and individuals to keep personal information to themselves.

http://en.wikipedia.org/wiki/Data_Protection_Act_1998

The Data Protection Act

The Data Protection Act

The Data Protection Act

The Data Protection Act

The Data Protection Act

The Data Protection Act

The Data Protection Act

DP Point for schools

The act relates to data held about a living

identifiable individual (Data Subject) – no matter what age!

Schools act as ‘Data Controllers’

The DPA – 8 Principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless – (a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Principle 1 – Fairly and Lawfully

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be

processed unless –

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Schedule 2 - any

Personal data may be processed:

• with the consent of the data subject

• to establish or perform a contract with the data subject

• to comply with a legal obligation

• to protect the vital interests of the data subject

• for the exercise of certain functions of a public interest nature

• for the legitimate interests of the data controller unless outweighed by the interests of the data subject.

Schedule 3 - sensitive

Sensitive personal data may be processed:

• with the explicit consent of the data subject

• to perform any right or obligation under employment law

• to protect the vital interests of the data subject or another person

• for the legitimate activities of certain not-for-profit bodies

• when the data have been made public by the data subject

• in connection with legal proceedings

• for the exercise of certain functions of a public interest nature

• for medical purposes

• for equal opportunity ethnic monitoring.

Principle 1 – Fairly and Lawfully

This is the first data protection principle. In practice, it means that you must:

• have legitimate grounds for collecting and using the personal data;

• not use the data in ways that have unjustified adverse effects on the individuals concerned;

• be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;

• handle people’s personal data only in ways they would reasonably expect; and

• make sure you do not do anything unlawful with the data.

DP Point for schools

There are two types of personal data.

Can we think of ‘unjustified adverse effects’?

Privacy Notices for all – including workforce

Principle 2 - Purposes

2 Personal data shall be obtained only for one or more specified and lawful

purposes, and shall not be further

processed in any manner incompatible with that purpose or those purposes.

Principle 2 - Purpose

In practice, the second data protection principle means that you must:

• be clear from the outset about why you are collecting personal data and what you intend to do with it;

• comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;

• comply with what the Act says about notifying the Information Commissioner; and

• ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

DP Point for schools

You must state why you are collecting the data and what you intend to do with it

You must issue Privacy Notices to learners and staff You must inform ICO of Data breaches

Are new uses of data ‘fair’?

Principle 3 - adequacy

3 Personal data shall be adequate, relevant and not excessive in relation to the

purpose or purposes for which they are processed.

Principle 3 - adequacy

This is the third data protection principle. In practice, it means you should ensure that:

• you hold personal data about an individual that is sufficient for the purpose you are

holding it for in relation to that individual; and

• you do not hold more information than you need for that purpose.

DP Point for schools

You are allowed to hold personal data that is sufficient to be a school.

You must think of why you are asking for the data?

What is the minimum data you require?

Do you delete old and excessive data?

Principle 4 - accuracy

4 Personal data shall be accurate and, where necessary, kept up to date.

Principle 4 - accuracy

To comply with these provisions you should:

• take reasonable steps to ensure the accuracy of any personal data you obtain;

• ensure that the source of any personal data is clear;

• carefully consider any challenges to the accuracy of information; and

• consider whether it is necessary to update the information.

DP Point for schools

How do you chase those people that are late with returning forms?

Do you check staff details?

Principle 5 - retention

5 Personal data processed for any purpose or purposes shall not be kept for longer

than is necessary for that purpose or those purposes.

Principle 5 - retention

This is the fifth data protection principle. In practice, it means that you will need to:

• review the length of time you keep personal data;

• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;

• securely delete information that is no longer needed for this purpose or these purposes; and

• update, archive or securely delete information if it goes out of date.

DP Point for schools

The Act does not set minimum or maximum times for retention

IRMS guidance

What does securely delete mean in practice?

How does this apply to hard drives?

Principle 6 - rights

6 Personal data shall be processed in

accordance with the rights of data subjects under this Act.

Principle 6 - rights

This is the sixth data protection principle, and the rights of individuals that it refers to are:

• a right of access to a copy of the information comprised in their personal data;

• a right to object to processing that is likely to cause or is causing damage or distress;

• a right to prevent processing for direct marketing;

• a right to object to decisions being taken by automated means;

• a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and

• a right to claim compensation for damages caused by a breach of the Act.

DP Point for schools

Who has the right to see the data?

What is an individual entitled to?

• told whether any personal data is being processed;

• given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;

• given a copy of the information comprising the data;

and given details of the source of the data (where this is available).

DP Point for schools

Who owns the data?

What exemptions are there?

‘School records will not be disclosed if:

• the record would give information about another pupil

• the record holder believes that disclosure would cause serious harm to the pupil in question or to someone else

• the record holder believes the record is relevant to whether the pupil is at risk of child abuse or has been a victim of

child abuse.’

https://www.citizensadvice.org.uk/education/school-education/problems-at-school/#h-access-to-school-records

Principle 7 - security

7 Appropriate technical and organisational measures shall be taken against

unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Principle 7 - security

This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

• design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;

• be clear about who in your organisation is responsible for ensuring information security;

• make sure you have the right physical and technical

security, backed up by robust policies and procedures and reliable, well-trained staff; and

• be ready to respond to any breach of security swiftly and effectively.

DP Point for schools

Security refers to procedures as well as physical guards.

Who is responsible for Information Security at your school?

As Data Controllers you have the final say in the security of your data – not your tech support.

Have your tech support practised getting the system working again after a systems failure.

DP Point for schools

The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.

Are you laptops and memory sticks encrypted?

Principle 8 - international

8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or

territory ensures an adequate level of

protection for the rights and freedoms of data subjects in relation to the processing of personal data.

DP Point for schools

Where could the school personal data be stored outside of the EU?

What is ‘Cloud’ storage?

Why worry

https://ico.org.uk/action-weve-taken/data-breach-trends/

Why worry - ICO

https://ico.org.uk/action-weve-taken/data-breach-trends/

Number of breaches in Education in 2014

Q1 Q2 Q3 Q4

39 31 34 35 139

Why worry

https://ico.org.uk/action-weve-taken/data-breach-trends/

EU General Data

• New regulations end of this year

• 2 years to change

• More control

• Easier to access

• No matter where it is sent

• EU seal of approval five year certification

ICO Video (YouTube)

Group Discussion

What do I understand?

Where is my school?

Freedom of Information

"Openness is fundamental to the political health of a modern state. This White Paper marks a

watershed in the relationship between the

government and people of the United Kingdom.

At last there is a government ready to trust the people with a legal right to information.“

Published by 1997 to 2001 Labour Government

Freedom of Information

Tony Blair’s Views

https://www.youtube.com/watch?v=eGbiZeclJu0

Freedom of Information

"Freedom of Information Act. Three harmless

words. I look at those words as I write them, and feel like shaking my head 'til it drops off. You

idiot. You naive, foolish, irresponsible

nincompoop. There is really no description of stupidity, no matter how vivid, that is adequate.

I quake at the imbecility of it.“

Tony Blair

Freedom of Information

Covers all policies, procedures, decision making process - any recorded information

Environmental Information Regulations cover recycling, fuel use, car parking etc

Freedom of Information

Theory:

• Better decisions

• Strengthening democracy

• Better public services

• Openness and accountability Reality:

• Requests- not looking for the good we do

• Parents with a grievance

• Press looking for a story

ICO Tick Tock

FoI – Your Responsibilities

• To deal with requests - legal duty to assist

applicants and to inform on charging/how to appeal etc.

• To consider 'the public interest' when making information available.

• To explain why - information is not being released.

• Act gives a legal right to access information – we can’t insist on knowing why the applicant is

making the request!

Freedom of Information

What can be dealt with as 'normal course of business'?

Publish as much as you can

• make it easy

• why hide policies

• why hide results available on other sites Have a system to deal with enquiries

FoI v Subject Access Request

What are the differences?

FoI v Subject Access Request

FoI

Must be made in writing (email)

Environmental can be verbal

20 working days There can be a

charge for

photocopying or postage

SAR

Must be made in writing (email) 40 working days

£10 Maximum fee

Group discussion - Process

Depends on size of school

What is the process at your school?

What needs to be recorded?

Do you keep a log?

'What do they know' site

https://www.whatdotheyknow.com/

The trouble with progress

The trouble with progress…..

'Anything that gets invented after you’re thirty is against the natural order of things and the

beginning of the end of civilisation as we know it until it’s been around for about ten years when it gradually turns out to be alright really.'

Douglas Adams

Make a list of….

The technology that you had in your house in 2005

This is the year that the first videoto YouTube was posted

Best selling mobile phone was Nokia 1110 – it made phone calls

Make a list of….

The technology that you have in your house today?

What are the differences?

What could the problems if teachers use...

Think of a possible Data Protection breech.

Think of a safeguarding issue.

How could they be prevented?

What could the problems if teachers use...

• Mobile phones/tablets to access school email

• Their own personal computers/tablets

• Smart watches

• Wearable cameras

• Drones

• Tablets to video class behaviour

• Apps on tablets such as Class Dojo

• Cloud services such as Edmodo

• Twitter, Facebook, Blogs on school trips

The schools' responsibility

As Data Controllers the school has the rights and responsibility to inform staff and others how

they can use personal data that belongs to the school.

You can make demands!

You can create procedures!

You should must training!

Lunch

Data Protection and Freedom of

Information Scenarios

Scenario 1

Child Moving School

You are the head of a small primary school.

A child who attended your school has just moved into another school.

The parents thought that their child had special educational needs and had made extensive efforts to get her classed as such. The reason for the move is that the parents feel that they had exhausted the possibilities at your school.

The child’s personal folder includes many reports from outside experts and also comments about her behavior from many of your staff. There are also some comments about the parents

themselves and their forceful nature. In fact during the discussions the parents did mention that they were prepared to take the school to court if they did not get the support they thought was necessary.

The new school has asked for the pupils record.

What are your next steps?

Scenario 2

Home tuition asking for information.

You are the head of a small secondary school.

A 12 year old boy has just left your school to be tutored at home by their grandparent.

The grandparent has phoned the school quoting the

Freedom of Information law requesting to see the child’s educational record.

What are your next steps?

Scenario 3

Teachers leaving personal data out on desks

You are the head of a large community primary school.

You have come into school early for a governors meeting. As always there are people from the community using the classrooms and today it is weightwatchers. Normally they occupy the hall but this is having its floor polished so they are using a classroom.

You notice that one of the people attending weightwatchers is a ‘difficult’ parent and he is going to the classroom that his daughter studies.

As you go to the room where your meeting is held you notice that the teacher has left her mark book behind on her desk. You also notice that her lesson plan folders with Schemes of Work are on the shelves around the room.

What do you do next?

Scenario 4

Teacher personal equipment

You are the head of a large secondary school.

A parent has contacted the school stating that they have just purchased a secondhand phone from a teacher.

They are contacting you because the phone was not wiped of contacts, downloads and pictures.

What are your next steps?

Scenario 5

Teachers salaries

You are the head of a large federation of 5 schools.

Ofsted has just inspected a couple of the schools in your federation, with one being placed in special measures and another requiring improvement. In both inspections there were some negative comments about Leadership and Management.

You receive an email, which you think has come from a local reporter, asking for a list of the salaries of all your staff. The email does not mention Freedom of Information and you are sure that it is for an article that will put the federation in poor light.

What are your next steps?

Training

Where can I find training materials?

Who should I train?

ICO Data Day Hygiene

Staff Training

• Who should I train?

• Who should lead the training?

• When should I train?

• How should I train?

Policies and Procedures

Use the checklist

What does your school do well? Celebrate Where are the gaps in the provision?

Look at the SWGfL sample policy

What does your school policy cover? Celebrate Where are the gaps?

Plenary

Be a swan - glide don't drown

Your interest in coming today is the first step List the things that you think you must do.

Use the Evaluation sheet to guide you.

Prioritise the activities

Plenary - The end

Whatever you have been doing has been okay

Identify someone to take a lead Make improvements one flipper movement at a time

Contacts

In case of data breach where do you go for support and advice?

In the case of policies or procedures where do you go for advice?

Thanks

igover@somerset.gov.uk

blog www.mostlysecure.wordpress.com Twitter @mostlysecure