Data Protection Workshop FSSU Training June 2016 by Bernadette Kinsella, JMB


The presentation material remains the intellectual property of the Joint Managerial Body. For further use/distribution, please contact the presenter, Bernadette Kinsella, at for permission.
Bernadette Kinsella, LL.B., MA Ed
Assistant General Secretary, Joint Managerial Body
June 2016

A new way forward from 2018
The General Data Protection Regulation (GDPR) has been agreed at the EU Parliament. It shall come into force in
The reform will replace the current data protection directive, dating back to 1995 when the internet was still in its infancy, with a general regulation designed to give citizens more control over their own private information in a digitised world of smartphones, social media, internet banking and global transfers.

New Provisions
New provisions include a right to be forgotten, "clear and affirmative consent" to the processing of private data by the person concerned, a right to transfer your data to another service provider, the right to know when your data has been hacked, ensuring that privacy policies are explained in clear and understandable language, and stronger enforcement/sanctions.

Pro-active approach to changes
Legal basis for processing personal data: you should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Information you hold: you should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Consent: you should review how you are seeking, obtaining and recording consent and whether you need to make any changes.

Data Protection is about...
At its heart, data protection is about protecting an individual's right to privacy.

Questions for today
What is Data Protection?
Why is it so important?
Have I got a role to play?
What do I need to know?
What work practices do I need to implement to ensure that I process data in a fair and secure manner?
Why is a Data Protection Policy important?
What does a Data Access Request form look like?
What resources are available?

Data Protection Acts
The law regulating the use of such personal information is the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003, together with the numerous Statutory Instruments amending or extending same, collectively referred to as the Data Protection Acts. Data Protection law legitimises the processing of data and provides a framework for organisations to process data in a fair way. It provides a legitimate, legal basis for collecting, using and storing personal data. When you give your personal details to an organisation or individual, they have a duty to keep these details private and safe. This process is known as data protection.

Eight Data Protection Principles
Obtain and process the information fairly.
Keep it only for one or more specified and lawful purposes.
Process it only in ways compatible with the purposes for which it was given to you initially.
Keep it safe and secure.
Keep it accurate and up-to-date.
Ensure that it is adequate, relevant and not excessive.
Retain it no longer than is necessary for the specified purpose or purposes.
Give a copy of his/her personal data to the individual, on request.

Data Controller/Data Subject
Under the Data Protection Acts, an organisation holding data is referred to as a data controller and the person to whom that data relates is a data subject.

School as a Data Controller
Definition of a Data Controller: if you, as an individual or an organisation, collect, store or process any data about living people on any type of computer or in a structured filing system, then you are a data controller.
Schools hold large amounts of personal data and, notwithstanding the fact that schools are not commercial organisations, they are deemed to be data controllers under the Data Protection Acts.
School: data protection applies whenever the School collects, handles, processes, transfers or does anything with an individual's data.
Individual: data protection law empowers individuals to obtain certain information about themselves held by organisations, and can also be used to prevent organisations from doing certain things with that information.

Personal Data
Personal data is that which relates to a living individual, and is defined as including automated data and manual data.
Relevant Filing System
A relevant filing system means any set of information that, while not computerised, is structured by reference to individuals or by reference to criteria relating to individuals, so that specific information relating to a particular individual is readily accessible. Examples might include student or personnel files stored in alphabetical order.
Sensitive Personal Data

Data Protection Issues
Data protection issues arise on a day-to-day basis; however, they usually only become contentious in the event of a crisis situation such as a data breach, employment-law related disputes (particularly during the course of disciplinary procedures), and litigation.
The Data Protection Policy
The policy considers the type of data which may be gathered, and states the rationale and justification for holding this data (e.g. payroll, timetabling, emergency contacts etc.). If the collection is necessary and proportionate, it enables the organisation to justify the collection and retention of that data on a compelling and legitimate basis.

The Policy
The Policy sets out guidance on how data should be processed, including that of students, parents/guardians, staff, and all other individuals who come into contact with the school. It gives a complete picture of all the data collected, the uses to which this data will be put, and the types of organisations it will be shared with (DES, TUSLA, An Garda Síochána etc.). It also acts as a prompt for staff to remind them how they are expected to treat the data which they process.
It's the little things!
Training/Awareness
IT Security
Physical Security
Trickery/Impersonation
Data Protection Compliance Audit
DARs

Training/Awareness
Induction training and regular refresher training: it is important that the systems and procedures within the workplace are conducive to all employees fulfilling their data protection duties.
IT Security
Consideration should be given to:
the level of IT security
logging and audit trail capability on software
access permission levels
firewall software
encryption software
physical and boundary security for offices and file storage areas (including CCTV systems), and
the safe and secure destruction of data and data-storage devices.

Physical and Boundary Security
It is important not to forget issues like doors, locks, filing cabinets, alarms, security lighting, physical and boundary security for offices and file storage areas (including CCTV systems), and the safe and secure destruction of data and data-storage devices. Where hardware has become outdated and is being replaced (e.g. servers and personal computers), due consideration needs to be given as to how the personal data stored on those units can be securely destroyed.
What can I do in my role? Data Protection Compliance Audit
Positioning reception-area computer screens so they cannot be viewed by visitors to the School office
Turning off computer screens
Clear desk policy
Mail merges
Post
CCTV Signage
BYOD (Bring your own device)
Medical Certificates
Government Departments - communications

Taking work home?
The School needs to ensure that employees are fully trained on how to use such devices securely. Where employees take work home or off-site in the form of manual files (which are more vulnerable to loss), consideration needs to be given as to whether manual data should be converted to electronic data to avoid the need to take manual data off-site.
Trickery and Impersonation
Front-line staff are the individuals most susceptible to blagging and phishing attempts (i.e. obtaining personal information about third parties without that party's knowledge and without their consent, through the use of impersonation, trickery, or deception).

Proof of Identity
Schools should establish simple procedures that staff can understand and follow easily. For example, frontline staff should be trained to seek proof of identity so that they can verify the identity of the person with whom they are dealing before they release information to that person.
Basic Tips for dealing with members of the public
Always be suspicious!
Ask for proof of identity before disclosing any information.

Providing Information?
Do not provide information unless you are certain of the person's identity and can show proof that you have taken steps to verify that identity.
Legal entitlement to data?
Always take steps to ensure that the person to whom you are providing the information has a valid, legal entitlement to receive that information. If in doubt, ask them to furnish their request in writing and take that written request to the School Principal for direction.

State Departments
The normal rigours should not be relaxed just because the person making the request for information works for a Government Department, or is a State official (e.g. TUSLA, the Department of Social Protection, An Garda Síochána).
Ask questions
Ideally staff should be trained to ask for the legal basis upon which the requester is entitled to receive the information and the legal basis upon which the School is required to provide that information.

Data Access Requests
Data Access Request (DAR)
Access to one's personal data is a cornerstone of the data protection regime. Subject to certain exemptions and exceptions, legally an individual is entitled to be told what information the organisation holds about them, and to be furnished with copies of same. For a small fee (which cannot exceed €6.35) the individual can request the data controller to provide them with a copy of any information (either in electronic or manual form) which the data controller holds about that individual. This is referred to as a data access request ("DAR").

The data subject is entitled to, inter alia, the following:
the categories of data being processed by or on behalf of the data controller,
the personal data constituting the data of which that individual is the data subject,
the purpose or purposes of the processing,
the recipients or categories of recipients to whom the data can or may be disclosed,
any information available to the data controller as to the source of those data, unless the communication of that information is contrary to the public interest.
DAR and timeframe
The data controller then has 40 days in which to comply with the DAR. Schools will need to give consideration to what will happen in the event of a DAR being submitted to the School during the summer holidays. There is no method to extend the 40-day deadline, and the legislation gives no leeway, so forward planning will be essential to ensure that there is an established protocol for how the School will handle a DAR received outside term time.

Handling a DAR
There are a number of important points to note when training staff as to how they handle DARs:
Firstly: it is important that staff are trained to recognise what a Data Access Request looks like and to understand that, even where a request for information does not specifically mention the DPAs (or perhaps mistakenly cites the Freedom of Information legislation), the request should be treated as a DAR.
Deadlines
Secondly: staff should be aware of the time limits for dealing with DARs, and have a system in place to ensure that the information is provided within that period.
40-day deadline (for a section 4 request)
21-day deadline (for dealing with a section 3 request)

DARs must be attended to!
Thirdly: consideration should be given to having one designated person within the organisation who deals with DARs. The ODPC has advised that a DAR must be dealt with no matter how inconvenient or disagreeable it may be to a data controller, unless a statutory restriction or exemption applies in the circumstances.
Under the new GDPR 2018, a DAR will be required to be processed within 28 days or sanctions up to 250k will be imposed.

CCTV Policy
While many schools utilise CCTV systems to monitor and protect their property, the use of CCTV must be justifiable, necessary, proportionate and reasonable in all the circumstances. Where the CCTV records individuals or is capable of capturing recognisable images, the data captured by the CCTV system will be considered personal data and the provisions of the Data Protection Acts will apply.
CCTV Retention
It would be difficult to justify retention beyond a month, except where the images identify an issue such as a break-in or theft and are retained specifically in the context of an investigation of that issue. So in most cases, the retention period should be 28 days.
Guidelines for furnishing data to An Garda Síochána
Consistent decisions ensure that ill-judged decisions are not made in a crisis.

Record Retention Schedule
One important principle is that the data must be retained for no longer than is necessary. The School must have a legitimate reason to retain the data for a certain period for a particular purpose. The time period may be tied to a statutory provision requiring an employer to keep certain information for a minimum period (e.g. time-sheets etc.), or may be tied to protecting the legitimate interests of the school (e.g. to defend litigation). These records should be retained securely with the highest possible level of data security to ensure that they are adequately protected against accidental disclosure or loss.
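The two retention rules above (the 28-day CCTV period with its investigation exception, and the principle that every record category needs a documented period tied to a purpose) can be enforced mechanically rather than left to memory. The script below is an added illustration, not material from the JMB/FSSU presentation: it sweeps a list of records against a per-category schedule, never expires a record that is under an investigation hold, and flags records whose category has no documented period for review instead of deleting them. Only the 28-day CCTV figure comes from the slides; the category names, the timesheet period and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention periods in days per record category. Only the 28-day CCTV figure
# comes from the presentation; the timesheet period is a constructed placeholder
# standing in for whatever statutory minimum the school documents in its schedule.
RETENTION_DAYS = {
    "cctv": 28,
    "timesheet": 3 * 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    # Set when footage or a file is kept for a specific investigation
    # (e.g. a break-in); a held record is never expired by the sweep.
    hold_reason: Optional[str] = None


def retention_deadline(record: Record) -> Optional[date]:
    """Last day the record may be kept under the schedule, or None when the
    category has no documented retention period at all."""
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return None
    return record.created + timedelta(days=days)


def sweep(records: list, today: date) -> dict:
    """Sort records into four buckets (lists of record ids).

    expire:      past the schedule and not under hold -> due for secure destruction
    retain:      still inside its documented retention period
    held:        past the schedule but kept for a named investigation
    unscheduled: category has no documented period -> review, do not delete blindly
    """
    out = {"expire": [], "retain": [], "held": [], "unscheduled": []}
    for r in records:
        deadline = retention_deadline(r)
        if deadline is None:
            out["unscheduled"].append(r.record_id)
        elif today <= deadline:
            out["retain"].append(r.record_id)
        elif r.hold_reason:
            out["held"].append(r.record_id)
        else:
            out["expire"].append(r.record_id)
    return out


# Constructed sample records (not real school data).
SAMPLE = [
    Record("cam1-2016-05-01", "cctv", date(2016, 5, 1)),
    Record("cam1-2016-06-10", "cctv", date(2016, 6, 10)),
    Record("cam2-2016-05-03", "cctv", date(2016, 5, 3), hold_reason="break-in investigation"),
    Record("ts-2014-q1", "timesheet", date(2014, 1, 31)),
    Record("misc-0001", "visitor-log", date(2015, 9, 1)),
]


def sample_sweep() -> dict:
    """Run the sweep over the constructed sample as of a fixed date."""
    return sweep(SAMPLE, date(2016, 6, 20))


if __name__ == "__main__":
    for bucket, ids in sample_sweep().items():
        print(f"{bucket:12s} {ids}")
```

The "unscheduled" bucket is the important design choice: a record with no documented purpose is exactly the case the retention principle is meant to catch, so the sweep surfaces it for a decision rather than silently keeping or destroying it, and a hold is recorded as a reason string so the justification travels with the record.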

Cloud Service Providers (CSP)
Key questions public bodies should ask Cloud Service Providers include:
1. What will the CSP do with your data?
2. Who can access your data and under what circumstances? Have CSP staff been properly trained and vetted?
3. Will third-party vendors have access to your data and under what circumstances?
4. Who ensures that data is protected within computer systems?
5. What encryption mechanisms does the CSP offer?
6. With what, if any, industry standards does the CSP's security architecture comply?
7. What happens to your data after the Cloud Service comes to an end?
8. Where will your data be processed?
9. What measures are used to safeguard customer data that is transferred outside the State and/or the EEA?
10. What measures are in place to prevent customer data being transferred outside the State and/or the EEA, if that is a requirement?

Data Security Breach
Ensure you have a Personal Data Security Breach Code of Practice
Obligations of Data Processor to report loss to Data Controller
Obligations to the ODPC
Obligations to data subjects
Written report to the ODPC
Investigation
Recommendations
Enforcement powers
2018: How to be GDPR ready?
Know and understand the Data Protection Principles
Carry out a data protection compliance audit
Evaluate your Data Protection Policies and Procedures
JMB Training: School Administrative Personnel (June)
JMB Training: Board of Management/Principal (September)
Resources available:

Additional Resources
Free Data Protection Programme: log on and select Data Protection.
Website of the Office of the Data Protection Commissioner: Ireland's website for all details relating to data compliance, right up to managing a breach of data.
Website for use by primary and post-primary schools with respect to all matters relating to Data Protection for schools.
Library/Cloud%20Advice%20Note.pdf Cloud Service Providers