Data Protection Policy

Data Protection Policy
August 2017

This document will be put into corporate format but, in the interim, please see the updated unformatted version supplied in the following pages.

Document title: Data Protection Policy August 2017
Document author and department: Samantha Hill, Information Disclosure and Complaints Manager (and the University's Data Protection Officer), Office of the Director of Corporate Governance
Approving body: Director of Corporate Governance
Responsible person and department: Adrian Parry, Director of Corporate Governance
Date of approval: 22 August 2017
Review date: 1 June 2018 (to include amendments for GDPR)
Edition no.: 7
ID code: 22

EITHER For public access online (internet)? Tick as appropriate OR For staff access only (intranet)? Tick as appropriate Yes 3 Yes For public access on request copy to be mailed Tick as appropriate Password protected Tick as appropriate Yes 3 No Yes No 3

External queries relating to the document to be referred in the first instance to the Corporate Governance team: corporate-governance@port.ac.uk

If you need this document in an alternative format, please email corporate.communications@port.ac.uk

The latest version of this document is always to be found at:

Contents

Summary
Executive summary
Legislation update
Introduction
Definitions
Responsibilities and ownership
Related policies
Notification of data held and processed by the University
Right to access data
Responsibilities of staff
Research
Responsibilities of students
Publication of University data
Retention of data
Training
Conclusion
Annex A Data Classification Schema
Annex B Data Security Breach Policy

UNIVERSITY OF PORTSMOUTH DATA PROTECTION POLICY

Data Protection Policy

Summary

What is this Policy about?
This Policy document sets out the University's commitment to adhering to the data protection principles of the Data Protection Act 1998. The Policy sets out the responsibilities of everyone who handles personal and sensitive personal data within the University.

Who is this Policy for?
This Policy is for all students, staff and other individuals who process personal data within, or on behalf of, the University. It will also be of interest to the wider public in relation to how the University processes personal data generally.

How does the University check this Policy is followed?
Information Governance staff make information about data protection available on the University website and by training staff on the data protection principles. The University encourages staff to raise questions about data protection matters and to report any issues or data breaches they may come across in their work. From the knowledge shown by staff and the questions asked, the University believes the Policy is being followed.

Who can you contact if you have any queries about this Policy?
All enquirers may contact the University's Data Protection Officer, Samantha Hill, on or samantha.hill@port.ac.uk.

Executive summary

The Data Protection Policy sets out the University's obligations under the Data Protection Act 1998, the actions it will take to fulfil those obligations and the responsibilities of staff and students in relation to personal data. The Policy applies to all students, staff and other individuals about whom the University might hold personal data or who may process personal data held on behalf of the University. This policy will be updated in line with the General Data Protection Regulation as this legislation is implemented.

The main points of the Policy are:

1. It is necessary to collect personal data from students, staff and other individuals in order to be able to carry out the proper functions of an educational institution and an employer.
2. The University will adhere to the data protection principles as set out in the Data Protection Act 1998.
3. The University will notify the Information Commissioner's Office of all purposes for which personal and sensitive personal data is processed and will keep this notification up to date. The University's registration number with the Information Commissioner's Office is Z
4. All staff, students and other individuals are able to access details of their own personal and sensitive personal data processed by the University.
5. Students and staff must provide the personal data required by the University to administer their education or employment and must keep this data up to date using the student or staff self-service portals.
6. It is the responsibility of managers to ensure their staff are aware of the requirements of the Data Protection Act 1998 when processing personal data.
7. Training in information governance matters is available to all staff from the induction process onwards. Managers should ensure all staff have attended/completed the Information Governance training options within two years of joining the University/their new post.
8. Any deliberate breach of the requirements of the Data Protection Act 1998 (as amended by the Freedom of Information Act 2000) may result in disciplinary action being taken against the relevant member of staff or student.

Legislation update

The EU Directive 95/46/EC on which the Data Protection Act 1998 is based will be amended by the General Data Protection Regulation (GDPR) to be implemented on 28 May. Work to implement the changes in the legislation has commenced around the University and this policy will be updated once the full changes are known. This current policy should be followed until a new policy is published. Any questions about the forthcoming legislative changes should be directed to Samantha Hill [samantha.hill@port.ac.uk or on ].

1. Introduction

1.1 As a centre for knowledge, research, education and training, much of the University's work involves information and its use. For both educational and administrative purposes, much of this information will relate to living persons - it is their personal data. The University needs to collect and keep personal data about its employees, students and other individuals to allow it to operate effectively and efficiently, for example, to consider applications for students and staff, enrol students, monitor performance, to assure health and safety and to monitor equal opportunities. It is also necessary to process data so that staff can be recruited and paid, courses organised and legal obligations to funding bodies and government properly met.

1.2 To comply with the law, such personal data must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. The principles to ensure that personal data is processed properly, and which the University follows to ensure it complies with the legislation, are set out in the Data Protection Act 1998, available on the Government legislation website. Under the Data Protection Act 1998, personal data shall:
1.2.1 be processed fairly and lawfully;
1.2.2 be obtained for a stated purpose(s) and not processed for anything other than the stated purpose(s);

1.2.3 be adequate, relevant and not excessive for the purpose for which it was obtained;
1.2.4 be accurate and kept up to date;
1.2.5 not be kept for longer than is necessary for the purpose for which it was obtained;
1.2.6 be processed in accordance with the data subject's rights;
1.2.7 be kept safe from unauthorised access, accidental loss or destruction; and
1.2.8 not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data or has been granted adequacy status by the European Commission.

1.3 The University and its staff who process or use personal data must ensure that they follow these principles at all times.

2. Definitions

Many of the terms used in this Policy are taken from the Data Protection Act 1998 and are explained here:

personal data: information, including facts and opinions, that identifies a living individual

sensitive personal data: personal data relating to issues of:
- race or ethnic origin of the data subject
- political opinions
- religious beliefs or beliefs of a similar nature or no belief
- trade union membership
- physical and/or mental health
- sexual life
- commission or alleged commission of any offence
- proceedings for any offences committed or alleged to have been committed

processing: the collective term for any action taken relating to personal or sensitive personal data, including obtaining, recording, storing, using, disclosing and destroying data

data subject: the individual who is identified by the personal data collected

data controller: the organisation that determines the need to collect personal data and the uses to which it will be put. All Departments, Schools and sections of the University form part of the legal entity which is the University, which is a data controller

third party: any external person or organisation that is neither the data subject nor the data controller

3. Responsibilities and ownership

3.1 The University as a corporate body is the Data Controller under the Data Protection Act 1998, and the Board of Governors is therefore ultimately responsible for implementation of the Data Protection Act 1998, ensuring that the University complies with the legislation and maintains its notification with the Information Commissioner's Office (ICO). Responsibility for the overall management of the implementation of the legislation lies with the Director of Corporate Governance, who vests day-to-day responsibility for implementing the provisions of this Policy with the University's Data Protection Officer.

3.2 The responsibilities of staff and students under this Policy are outlined in sections 7 and 9 below. Failure to follow the Policy may result in disciplinary proceedings brought by the University, whilst deliberate breaches of the Data Protection Act 1998 may result in action being taken against the individual by the Information Commissioner's Office (ICO).

3.3 Any member of staff or student who considers that the Policy has not been followed in respect of personal data about him or herself should raise the matter initially with the University's Data Protection Officer (who can be contacted on data-protection@port.ac.uk or ). If the member of staff or student is unhappy with the steps taken by the University to resolve their issue, that individual retains the right to make a complaint to the ICO.

4. Related policies

This Policy should be read in conjunction with the following University documents, all of which can be found on the University webpages:
- ICT Acceptable Use Policy
- Various Information Security policies available in the Document Warehouse under 'I' in the index (policies.docstore.port.ac.uk/policy-193.pdf)
- Freedom of Information webpages

- Records Management webpages
- Guidelines for Dealing with and Post in Cases of Staff Absence (directorate/filetodownload,63476,en.pdf currently under review)
- Policy (Staff)
- Policy (Student)

5. Notification of data held and processed by the University

5.1 The University will maintain and use records of personal and sensitive personal data relating to staff and students such as is necessary for its effective operation as an educational organisation and employer. Those who are offered study places or posts of employment at the University will be notified of the standard data kept about them, and the uses to which it may be put, as declared in the University's notification with the Information Commissioner. (A copy of the University's notification is available at then enter the Registration Number Z ). All members of staff processing personal data as part of their work for the University are covered by this notification.

5.2 Acceptance of a place or post will be understood to signify acceptance of such standard processing of personal data. Students will be formally asked to check the accuracy of their personal data at enrolment each year and can update this data through the student portal. Staff are able to update their HR records at any time through the employee Self-Service online system but will also be formally asked to check the accuracy of the data held about them at least once every two years.

5.3 It may be necessary to process sensitive personal data to operate or monitor University policies (e.g. sick pay, equality and diversity, to make the appropriate relevant adjustments for staff or students) to ensure the University is a safe place to work or study, or to enable the institution to comply with the law. It is recognised that in some circumstances the processing of such data may be a matter of particular concern to individuals. Accordingly, in respect of sensitive data, staff and students will be made aware of the sensitive nature of the information they are being asked for and may also be asked to give separate consent for the use of this data. The one exception to this would be if a situation occurred where there were concerns for the safety of the individual. In such a situation the Data Protection Act 1998 allows sensitive personal data to be processed without referral to the individual in advance.

5.4 All staff, students and other persons about whom personal data is held, are entitled to:
- know what data the University holds and processes about them, why it is necessary to process the information and the third parties to whom that data might be given;
- know how to gain access to such data, through a Subject Access Request;
- know that it is up to date;
- know what the University is doing to comply with its obligations under the Data Protection Act 1998.

The University will therefore provide its staff, students and other relevant users with a standard statement via the University web pages at the following urls:
Staff:
Students:
These statements outline the types of personal data that the University holds and processes as part of its standard procedures, and the reasons for which it is processed. Where, in addition, specific types of data are held on particular groups of students or staff for specific purposes, this will be separately notified on a group or individual basis by the department processing that data.

6. Right to access data

6.1 Staff, students and other users of the University have the right under the Data Protection Act 1998 to access any personal data that is being kept about them either in electronic or manual files. Any person who wishes to exercise this right should complete the University Subject Access Request form available from the University's Data Protection Officer, or from the University webpages at departments/services/universitysecretary/dataprotection/subjectaccessrequestform/.

6.2 The University will comply with requests for access to personal data as quickly as possible, but will ensure that it is provided within the statutory 40 days time limit.

7. Responsibilities of staff

7.1 All staff have the following responsibilities:
- To check, when requested, that any data they provide to the University in connection with their employment is accurate and up to date.
- To inform the University of any changes to, or errors in, the data held.
- To comply with the guidelines for staff below, if and when as part of their responsibilities, they collect or disclose data about other persons.

7.2 Managers have an additional responsibility to ensure that their staff are aware of the data protection principles and know how to correctly process personal and sensitive personal data as part of their work. Managers should also ensure that their staff have taken the IG Information Governance elearning module on the University's elearning site (Moodle) - this is mandatory for all staff and forms part of the core training.

7.3 Staff whose work involves the use of personal data are responsible for ensuring that:
- any personal data which they hold whether electronically or in hard copy is kept securely, in locked cabinets or through password protection or encryption of electronic files where necessary;
- personal data is not disclosed by them either orally or in writing, to any unauthorised third party;
- the personal data is accurate and kept up to date, held for the appropriate length of time and destroyed confidentially when/if no longer needed, in line with the University retention schedules at corporategovernance/recordsmanagement/uop_retention/; and
- they do not access any personal data which is not necessary for carrying out their work.

7.4 Any deliberate breach of these responsibilities or of the statutory obligations in the Data Protection Act 1998 may result in disciplinary action being taken against the relevant member of staff.

8. Research

8.1 Personal data can be processed for research purposes, even if that was not the original purpose for which the data was collected and can be kept indefinitely (contrary to usual practice) so long as the relevant conditions are met.

8.2 The relevant conditions are that the data will not be used to make or support decisions relating to particular individuals nor will it be processed in such a way as to cause damage or distress to the data subject.

8.3 Once personal data has been anonymised to the point where a living individual can no longer be identified by it, it ceases to be personal data and therefore the constraints of the Data Protection Act 1998 no longer apply.

8.4 It is important when recruiting participants for research projects, to reassure them that their personal data will be processed in accordance with the Data Protection Act 1998 and that they have a right to see the data that is held about them, unless it has been anonymised so that they can no longer be identified by the data. This information should be given to participants in a durable format so they may refer to it after their participation in the research activity is complete.

8.5 Research and Innovation

You should only provide personal data to third parties if this has previously been agreed by the data subjects. You must have a written agreement in place to govern the deployment, ethical use, integrity and security of the data. This written agreement must also stipulate the third party's obligations to retain the data for a defined period of time and to destroy the data when it is no longer needed. You must also have procedures in place to ensure that the transfer of all personal data is secure.

If you are using personal data that has been provided by another organisation then you must ensure that your research is compatible with what the data subjects were told would happen to the data.

You should ensure that activities that involve third parties who are contracted to secure or collect data do so according to the principles set out in the University Ethics Policy.

9. Responsibilities of students

9.1 Students must assist the University in ensuring that all their own personal data as provided to the University at registration is accurate and up to date. Students who need to notify the University of any subsequent changes of address etc. can do so via the My Details tab on their Myport account which can be accessed via the address.

9.2 Students may themselves need to process personal data for project or research purposes (e.g. in carrying out surveys) or they may be employed by the University in a part-time job that handles staff or student personal data. If students are carrying out projects or research work they must notify their personal and project tutors and obtain the agreement of their Faculty Ethics Committee to the need to process the data before collecting any personal data. Part of the submission to the Faculty Ethics Committee must contain details on how long the personal data will be held, in which format, and how it will be destroyed. Any reporting based on personal data collected during research must be done anonymously unless the subject has agreed in writing to their personal data being used in such a way as to identify them.

9.3 Students employed by the University in positions that allow them access to personal data about any student/applicant or member of staff must abide by the responsibilities for staff as set out in section 7 above and take care not to access any personal data about anyone not related to the work being carried out.

10. Publication of University data

10.1 The University is required, under the Freedom of Information Act 2000 (FOIA), to make publicly available information about the University and the way it is run. This the University does through its publication scheme at accesstoinformation/freedomofinformation/universityofportsmouthpublicationscheme/ and by answering requests made under the FOIA. Staff who receive an FOI request should ensure they know how to handle it by reading the guidance for dealing with individual requests, available at freedomofinformation/requestinginformationfromtheuniversity/

Personal data will not normally be included in a response to an individual request, in the published classes of data unless names are given to identify a member of staff as a contact for any particular part of the University's business, or where the personal data is part of a webpage established by a Department/School or service.

The document Freedom of Information Act 2000: Release of Staff Information available at accesstoinformation/policies/freedomofinformation/filetodownload,79909,en.pdf gives an indication, however, of the types of information about staff that might be disclosed if it is warranted as part of a request.

11. Retention of data

11.1 The University is committed to the keeping and disclosing of all personal data in a responsible and secure manner and will therefore keep data for the minimum time necessary to fulfil its purpose.

The University will keep enough data about a student to be able to confirm the qualifications achieved whilst at the University for 80 years from the date that a student graduates or withdraws from the University. Any other data will be removed from student files six years after the student graduates or otherwise leaves the University. For further details of the retention of student data please see section 11 (Student and Course Records) of the University Retention Schedule at information-governance/urs-11.pdf

The University will keep employment history data about former employees for 100 years from the staff member's date of birth in order to verify employment details of former staff.
Most other data will be removed a minimum of six years after their employment with the University has finished, in order to meet data needs for pensions, taxation, potential or current disputes or job references. For further details on the retention of staff details please see section 06 (Human Resource Records) of the University's Retention Schedule at

The University will also keep the health and safety records of accidents that happen to visitors to the University for three years after the date of the accident.

Personal data that is no longer required will be destroyed in as secure a manner as possible. Paper based records will, at least, be put in a confidential waste sack or confidential waste bin for collection as soon as possible by the secure waste collection contractor or preferably, shredded. Electronic records will be deleted if hardware such as hard drives, laptops, smart phones etc. are decommissioned. The IS department of the University has a contract with a third party organisation to dispose of redundant electronic equipment. Further details are available from Robbie Walker, the University's Information Security Architect on extension 3279 or robbie.walker@port.ac.uk.

12. Training

It is the responsibility of the University to ensure that staff are aware of the obligations of the Data Protection Act 1998 and it has therefore produced the IG Information Governance elearning training module accessible via the University's elearning site (Moodle). This training package also covers topics relating to the freedom of information legislation, records management and information security. The training module is core training and therefore should be taken by all members of staff. The training is accessible via docs.google.com/a/port.ac.uk/document/d/1egcz20rla--9ts220hjjqlgi8hdt4flvxkrd9e5d8jq/edit?usp=sharing.

However, staff in the Information Governance team are also happy to provide bespoke training sessions for groups / departments - should you wish to discuss further training requirements please send an email to information-matters@port.ac.uk and you will be contacted as soon as possible. More information about data protection can be found on the data protection webpages at

Members of the Information Governance team also present an Information Governance Management Information Briefing. Details of the content of, and dates for, this briefing can be found at informationgovernance/infomatters/.

13. Conclusion

13.1 Compliance with the Data Protection Act 1998 is the responsibility of all members of the University. Any breach of the Data Protection Policy may lead to disciplinary action being taken, or access to University facilities being withdrawn, or in the most serious circumstances, a criminal prosecution.

Information on how data protection relates to specific topics, for example, references or the use of photographs is available in a series of Frequently Asked Questions on the University website at corporategovernance/dataprotection/faqs

Any further questions or concerns about the interpretation or operation of this Policy should be raised with Samantha Hill, Information Disclosure Manager, and who is also the University's Data Protection Officer, based in the Office of the Director of Corporate Governance.

This Policy will be reviewed and updated to include new requirements for data in relation to the General Data Protection Regulation.

Annex A Data Classification Schema

What kinds of data must be protected?

Any item of information relating to the business or interests of the University is an information asset. This includes strategy documents, research papers, student applications, staff contact details, course materials, results data etc. If these assets were compromised, then the impact could be potentially damaging to the University (including damaging reputation) and detrimental to students or staff.

Impact potential

Not all information assets have the same impact potential and therefore do not need the same protection. For instance, it would be a nuisance and a waste of resources if we applied the same security controls to routine correspondence as we do to sensitive medical reports. It is important to understand the impact potential and know the location of our information assets. Without this knowledge, we do not know how much time, effort and money to spend on security.

If read by unauthorised persons, lost or damaged then some data has the potential to:
- harm academic relations
- breach copyright
- cause considerable departmental embarrassment
- cause considerable inconvenience to staff or students
- damage operational effectiveness or security
- cause considerable financial loss
- facilitate fraud, improper gain or advantage for individuals or third parties
- jeopardise an investigation
- facilitate the commission of crime
- undermine the proper management of a Department/School/service

By understanding the impact potential and classifying the data on that basis, we can suggest the most effective ways to handle this information in terms of backup, encryption, rules for safe transmission and disposal etc. Classifying data enables us to focus resources on its protection more effectively. There are three types of information which we classify as RESTRICTED.

Personal data

Personal data identifies a living individual. For example, a name accompanied by other data about the individual such as address, age, telephone number, data regarding his/her financial status. Personal data can be an expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data

Personal data which identifies a living individual and includes any of the following types of data about that individual is considered to be sensitive personal data:
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health
- sexual life
- commission of offences or alleged offences

Commercially sensitive data

Commercially sensitive data is defined as:
- Financial, commercial, scientific or technical or other information the unauthorised disclosure of which could reasonably be expected to result in a material financial loss to the person or organisation to which the information relates, or could prejudice the competitive position of that person in the conduct of his or her profession or business or otherwise in his or her occupation.
- Information whose disclosure could prejudice the conduct or outcome of contractual or other negotiations of the person to whom the information relates.

Transfer of restricted data

Any transfer of restricted data to a third party must be carried out securely. As a minimum, paper records should be sent by a trusted courier service. Best practice should be that the paper records are delivered by hand by the officer responsible for the transfer (where feasible), directly into the hands of the officer in the third party to whom responsibility for the data has been assigned.

Electronic records should, as a minimum, be encrypted and either sent over a secure connection or put onto a CD and delivered by a trusted courier service. Best practice should be that the records are encrypted and the password provided separately by another means. Again, electronic records on an encrypted CD should preferably be delivered directly by the officer responsible for the transfer (where feasible), directly into the hands of the officer in the third party to whom responsibility for the data has been assigned.

Any queries about this Schema should be directed to information-matters@port.ac.uk.

Annex B Data Security Breach Policy

Summary

This Policy provides a framework for recognising, investigating and resolving a data security breach. The Policy relates to all members of staff including honorary and visiting staff and governors.

1. Purpose

The purpose of this policy is to:
- define the term 'data security breach';
- describe the information which is at particular risk;
- detail the actions to be taken in the event of a data security breach;
- identify those individuals that should be involved in handling a data security breach;
- detail the actions that the University should take to resolve the breach.

2. Responsibilities and ownership

Responsibility for reviewing and updating this Policy lies with the member of the University Executive Board in charge of security and Information Services matters. All members of staff including honorary and visiting staff and governors have a responsibility for the security of information held by the University and therefore must be aware of, and comply with, this Policy.

3. Definitions

3.1 Data security breach

A loss or compromise, whether accidental or deliberate, of information held by the University, whether in paper or electronic format, that would cause a significant detrimental impact or embarrassment to the University, individuals working or studying at the University or third parties working with the University.

The detrimental impact of a data security breach

This could affect academic standing, organisational reputation, individual privacy, commercial activities or financial position. Examples include:
- exposing individuals to risk through the loss of personal details
- exposing individuals to concern if sensitive personal data is lost
- exposing the University to fraudulent activities
- litigation and official censure
- loss of commercially valuable or sensitive intellectual property
- loss of commercially valuable or sensitive information
- harm the commercial interests of the University
- cause considerable departmental embarrassment
- damage to operational effectiveness or security
- damages relationship with a third party with which the University is working closely
- cause considerable financial loss
- facilitate fraud, improper gain or advantage for individuals or third parties
- undermine the proper management of Department/School/service

3.2 Information at particular risk

The following types of information must be kept securely and if lost, damaged or compromised, would constitute a data security breach:
- Personal data about staff, students or third parties
- Sensitive personal data about staff or students
- Financial data about staff, students or third parties

- Commercially sensitive information
- Information exempt from disclosure under the Freedom of Information Act 2000, Environmental Information Regulations 2004 and the Data Protection Act

Personal data about staff, students or third parties

Personal data is defined as any information that can identify a living individual. These individuals include staff, students, alumni, business partners and other third party contacts that have disclosed their personal details to the University.

The mere mention of someone's name in a document, for example, as a record of attendance at an open meeting, is not enough in itself to make the information in that document personal data, but this, plus other information about an individual could make it personal data. It is important to remember that personal data is not simply details of name and address, but can also be an expression of an opinion about an individual or an indication of the intentions of any person towards that individual.

Examples of personal data include, but are not limited to:

- the contents of an individual student file
- a staff appraisal assessment
- name, address, home phone number
- details about lecture attendance, course work marks and grades
- notes of personal supervision, including matters of behaviour and discipline

Sensitive personal data about staff or students

Personal data becomes sensitive if it includes any of the following types of information about an identifiable, living individual:

- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health
- sexual life
- commission or alleged commission of offences

Special care must also be applied to any data which if lost, whilst not included in the definition of sensitive personal data in the Data Protection Act 1998, could still be considered to be sensitive, and could lead to theft or identity fraud (e.g. payroll data, personal financial data, SFE (Student Finance England) uploads).

Commercially sensitive information

Examples of commercially sensitive information include but are not limited to:

- business plans in development/draft strategy documents which have yet to be formally approved
- pre-tender documentation which could give an unfair advantage if disclosed

Volume of data lost

Where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm, then the loss must be regarded as serious and must be reported to the Information Commissioner's Office (ICO). It is difficult to be precise what constitutes a large volume of personal data. Every case must be considered on its own merits but an example used by the ICO suggests that the loss of 100 records which include the names, addresses, dates of birth and NI numbers of individuals should be reported to it. The ICO also considers the nature of the data lost and has stated that it may be appropriate to notify the loss of a single record if the information lost is particularly sensitive.

Information exempt from disclosure

Any individual can request information of any nature from the University under either the Freedom of Information Act 2000 or the Environmental Information Regulations. There are instances where the University would be exempt from disclosing the information, using the exemptions in both pieces of legislation. The disclosure of information where an exemption would otherwise apply would therefore also constitute a data security breach.

1 Notification of data security breaches to the Information Commissioner's Office (ICO) Version ( library/data_protection/practical_application/breach_reporting.ashx).

The following exemptions have direct relevance to University activities:

- Information relating to law enforcement.
- Information which might jeopardise Health and Safety.
- Information which would be prejudicial to the effective conduct of public affairs.
- Information which is provided in confidence.
- Information bound by legal professional privilege.
- Information detailing commercial interests, copyright, trade secrets etc.

4. Related policies

This policy should be read in conjunction with the following policies:

- ICT Acceptable Use Policy available at
- Data Protection Policy available at pdf
- Records Management Policy available at

Information security guidance and advice is available on the Myport website at: Index/12/4?id=2711&fromwidget=false&searchid=0&isSearch=true

5. On discovering or suspecting a data security breach

5.1 Who to contact

A member of staff who identifies or suspects a data security breach should contact the Information Security Architect where electronic records are involved or the Information Disclosure Manager where paper records are involved. If these individuals are not available, please contact the Director of Corporate Governance or the member of the University Executive Board with responsibility for security matters. If a member of staff is in any doubt, they should contact the Security Architect or Information Disclosure Manager for advice.

5.2 What information to provide

It would be useful to provide the following information:

- When the data security breach happened/is thought to have happened.
- The actual nature of the breach, e.g. whether computer equipment has been stolen, misuse of log-in, paper files gone missing.
- The nature and quantity of the data believed to be held on the equipment/in the files, e.g. whether personal, financial or otherwise sensitive.
- Where the breach has occurred.
- Whether any electronic data was encrypted.
- Details of anyone else who may know about the alleged/actual breach.

6. What happens next?

The Security Architect and/or the Information Disclosure Manager will inform the member of the University Executive Board with responsibility for security matters of the information they have received and will advise on the following options:

- Whether it is necessary to inform individuals about the loss and what they should be told.
- What actions the University should take to reduce the risk of harm.
- Whether any external bodies need to be alerted to the loss, e.g. the police, the Information Commissioner's Office, JISC, JANET.
- Whether and what the third parties whose data has been lost should be told.

6.1 Notifying those affected

In the interests of transparency, the University will notify any individuals or third parties of any data security breaches where the University believes there is a risk of harm, for example where information on a stolen laptop was not encrypted. These notifications should contain information on the actions taken by the University to minimise the effects of the loss, what the University will do to prevent any further similar losses and the contact details of someone who can provide more information/answer any questions the individuals might have.

The appropriate member of the University Executive Board will determine, on the basis of the data lost, who else within the University needs to be made aware of the breach in order to contain and manage the loss. If necessary, a meeting of appropriate staff from relevant University departments will be called to manage the consequences of the breach.

6.2 Data security breaches relating to individuals

Where the data lost relates to individual members of the University community, the appropriate member of the University Executive Board will determine the extent of the possible harm and consider what actions the University can take to minimise the impact. Examples could include assisting individuals to alert banks, paying for regular credit checks for a given period, alerting any other agencies such as the passport agency.

6.3 Data security breaches relating to third parties

Where the data lost relates to details of another organisation, the appropriate member of the University Executive Board will alert its senior management and liaise as necessary to minimise risks and impacts to all parties.

7. Investigations into data security breaches

The member of the University Executive Board with responsibility for security matters will set up an investigation into the breach to determine how it occurred and what should be done to prevent any future similar losses. A report into the investigation should be made to the Vice-Chancellor within five working days of the breach being reported. All such reports will be referred to the Audit and Quality Committee for information and action. Disciplinary action may be taken against individuals responsible for deliberate or accidental data security breaches.

8. For further information on this policy please contact Samantha Hill, Information Disclosure Manager (samantha.hill@port.ac.uk) or Robbie Walker, Information Security Architect (robbie.walker@port.ac.uk)

University of Portsmouth
Directorate
University House
Winston Churchill Avenue
Portsmouth PO1 2UP
United Kingdom
T: +44 (0) E: W:


More information

The template uses the terms students / pupils to refer to the children or young people at the institution.

The template uses the terms students / pupils to refer to the children or young people at the institution. This document is for advice and guidance purposes only. It is anticipated that schools / colleges will use this advice alongside their own data protection policy. This document is not intended to provide

More information

Privacy Statement About this privacy policy Who are we and how to contact us

Privacy Statement About this privacy policy Who are we and how to contact us Privacy Statement We take your privacy seriously and will only use your personal information to administer your account and to provide the products and services you have requested from us. We will never

More information

Orbit Recruitment Privacy Policy

Orbit Recruitment Privacy Policy Orbit Recruitment Privacy Policy Introduction Orbit are the controllers of the information ( personal data ) that we collect about you, our data subjects, which means we are responsible for how your data

More information

DATED th May GDPR PRIVACY NOTICE AND THEIR PARENTS

DATED th May GDPR PRIVACY NOTICE AND THEIR PARENTS DATED ------24 th May 2018 ------ GDPR PRIVACY NOTICE CHILDREN ATTENDING UNDER 1 ROOF KIDS NURSERY AND THEIR PARENTS Compiled by For NDNA 1 st Floor Sefton House, Northgate Close, Bolton, BL6 6PQ Stephensons

More information

Data Protection Policy

Data Protection Policy THE CIPPENHAM SCHOOLS TRUST Data Protection Policy *Date for revision: Summer Term 2018 Responsibility for policy: Responsibility for operational: Trustees Trustees Reviewed by Directors: *subject to any

More information

THE PORTSMOUTH GRAMMAR SCHOOL

THE PORTSMOUTH GRAMMAR SCHOOL THE PORTSMOUTH GRAMMAR SCHOOL STAFF PRIVACY NOTICE In the course of your employment, engagement or other basis of work undertaken for the school, we will collect, use and hold ( process ) personal data

More information

Privacy Notice. The Kind of Information We Hold About You

Privacy Notice. The Kind of Information We Hold About You Wigan Leisure & Culture Trust, trading as Inspiring healthy lifestyles ( a Data Controller ) is committed to protecting the privacy and security of your personal information. This privacy notice explains

More information

Data Protection/ Information Security Policy

Data Protection/ Information Security Policy Data Protection/ Information Security Policy Date Policy Reviewed 27 th April 2016 Date Passed to Governors: 27 th April 2016 Approved by Governors: 7 th June 2016 Date of Next Review: June 2018 Data Protection

More information

The Society of St Stephen s House Site Security and Monitoring Privacy Notice

The Society of St Stephen s House Site Security and Monitoring Privacy Notice This privacy notice applies to data processing activities undertaken by The Society of St Stephen s House for security and monitoring relating to staff, students and visitors to College premises A summary

More information

Alwoodley Golf Club. Privacy Notice for Employees, Workers, Officers and Consultants

Alwoodley Golf Club. Privacy Notice for Employees, Workers, Officers and Consultants Alwoodley Golf Club Privacy Notice for Employees, Workers, Officers and Consultants We are committed to respecting your privacy. This Notice is to explain how we may use personal information we collect

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY In Zagreb, 25 May 2018 Contents: 1. DEFINITIONS 2. GENERAL PROVISIONS 3. DATA PROTECTION CONTROLLER 4. PRINCIPLES OF DATA PROCESSING 5. LAWFULNESS OF DATA PROCESSING 6. DATA THAT

More information

2 What personal information are we collecting?

2 What personal information are we collecting? GDPR transparency notice for candidates (contractors and permanents) Electus Recruitment Solutions is the trading name of (we), company number 04636093 and registered office at Richmond House, Richmond

More information

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1.

P Drive_GDPR_Data Protection Policy_May18_V1. Skills Direct Ltd ( the Company ) Data protection. Date: 21 st May Version: Version 1. Company Name: Document DP3 Topic: Skills Direct Ltd ( the Company ) Data Protection Policy Data protection Date: 21 st May 2018 Version: Version 1 Contents Introduction Definitions Data processing under

More information

Trinity is committed to protecting the privacy and security of personal data.

Trinity is committed to protecting the privacy and security of personal data. This privacy notice applies data processing activities undertaken by Trinity College for security and monitoring relating to staff, students and visitors to Trinity premises including CCTV, other security

More information

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents

Data Protection Policy. Data protection. Date: 28/4/2018. Version: 1. Contents Company Name: Document: Topic: System People ( the Company ) Data Protection Policy Data protection Date: 28/4/2018 Version: 1 Contents Introduction Definitions Data processing under the Data Protection

More information

Data Protection Policy

Data Protection Policy Data Protection Policy StCH Data Protection Policy - POL 53 vs1 - July 2016 1 Document Control Table Document Title: Data Protection Policy Document Ref: POL 53 Author (name and job title): Karen Anderson,

More information

Data subject access policy

Data subject access policy Data subject access policy Introduction 1. This is our Data subject access requests policy. 2. We are the professional regulator for nurses and midwives in the UK. Our principal functions include setting

More information

General Personal Data Protection Policy

General Personal Data Protection Policy General Personal Data Protection Policy Contents 1. Scope, Purpose and Users...4 2. Reference Documents...4 3. Definitions...5 4. Basic Principles Regarding Personal Data Processing...6 4.1 Lawfulness,

More information

Syntel Human Resources Privacy Statement

Syntel Human Resources Privacy Statement Syntel Human Resources Privacy Statement August 24, 2016 Privacy Statement highlights: Syntel is committed to protecting your privacy. This Privacy Statement ("Statement") addresses prospective, current,

More information

GDPR transparency notice for candidates (contractors and permanents)

GDPR transparency notice for candidates (contractors and permanents) GDPR transparency notice for candidates (contractors and permanents) Electus Recruitment Solutions is the trading name of Electus Recruitment Solutions Limited (we), company number 04636093 and registered

More information

Privacy Notice For job applicants and our current and former employees/volunteers.

Privacy Notice For job applicants and our current and former employees/volunteers. Privacy Notice For job applicants and our current and former employees/volunteers. What is a privacy notice? Edinburgh Women s Aid ( EWA ) wants to ensure you understand our processing of your personal

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Title: Data Protection Policy Ref:CP005 Version:2 Approval Body: Corporation via Audit & Risk Committee Date:24th March 2015 Review Date: 24th March 2018 Lead Person: Director, Institutional Effectiveness

More information

GDPR Privacy Notice for Staff

GDPR Privacy Notice for Staff GDPR Privacy Notice for Staff Data controller ( the Company ): All companies collectively known as The Lulworth Estate including: Lulworth Castle Farms; Lulworth Heritage Ltd; Lulworth Landscapes Ltd;

More information

GROUP DATA PROTECTION POLICY

GROUP DATA PROTECTION POLICY GROUP DATA PROTECTION POLICY Conducting business the right way Safeguarding our customer and employee personal data Version 1 [August 2016] CONDUCTING BUSINESS THE RIGHT WAY Our Values, Doing the Right

More information

Brasenose College is committed to protecting the privacy and security of personal data.

Brasenose College is committed to protecting the privacy and security of personal data. This privacy notice (v1.2) applies to data processing activities undertaken by Brasenose College for security and monitoring relating to staff, students and visitors to College premises including CCTV,

More information

Information Sharing Policy

Information Sharing Policy Information Sharing Policy DOCUMENT CONTROL: Version: 1 Ratified by: Risk Management Sub Group Date ratified: 19 December 2012 Name of originator/author: Information Governance Manager Name of responsible

More information

Data Privacy Policy for Employees and Employee Candidates in the European Union

Data Privacy Policy for Employees and Employee Candidates in the European Union Data Privacy Policy for Employees and Employee Candidates in the European Union This Data Privacy Policy is effective as of February 1, 2014 1. Data Privacy Policy Overview 1.1 Under Armour, Inc. (the

More information

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems

LAST UPDATED June 11, 2018 DATA PROTECTION POLICY. International Foundation for Electoral Systems LAST UPDATED June 11, 2018 DATA PROTECTION POLICY International Foundation for Electoral Systems 1. Purpose 1.1. International Foundation for Electoral Systems is committed to complying with privacy and

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY APPENDIX. DATA PROTECTION POLICY Document Status Author Director of Registry Services (Data) Date of Origin 27 th July 2011 This Version July 2014 Review requirements Date of next review July 2016 Approval

More information

W h i t t l e s C h a r t e r e d A c c o u n t a n t s

W h i t t l e s C h a r t e r e d A c c o u n t a n t s PRIVACY NOTICE 1. PURPOSE OF THIS NOTICE This notice describes how we collect and use personal data about you, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act

More information