Steve Penny is the Chair of the Board of a secondary academy. In his day job, after leaving the Royal Air Force, Steve worked as a communications engineer, seconded to the US and UK Governments and working in both London and Washington. He currently advises government departments in the area of Information Security. He has written this blog at my request so that governors can gain some understanding of the principles of data protection.
Noting from Twitter that blogging can be detrimental to your health, it is with some nervousness that I’ve responded to a request from @5N_Afzal so to do. So, with the caveat that I am mainly a traditionalist, albeit with progressive leanings...
Do clubs and societies use your school premises after hours? Are offices left unlocked; personal data left out on desks?
A school in Hampshire was found to be in breach of the Data Protection Act (DPA) after sensitive personal data it held on pupils and others was hacked. The breach put the personal details of nearly 20,000 individuals, including some 7,600 pupils at risk. The details included names, addresses, photographs and some sensitive information relating to the pupils’ medical history.
Hackers, including one of the school’s own pupils, gained access to the data due to the school staff incorrectly using passwords. Despite having a policy in place outlining the use of passwords, no checks were in place to make sure this policy was being followed.
This school became another in a long line of public sector organisations to be reprimanded.
If you handle school data in the course of your job, and most of us do, you’ll need to know about the Data Protection Act. This blog guides you through the Data Protection ‘essentials’ with links for further information.
It concludes with a checklist to help you ensure best practice. A follow-up blog will deal with the connectivity of school IT to external systems, i.e. ‘the Cloud’, and the consequent implications for data protection.
The Data Protection Act
The Data Protection Act 1998 controls how personal information can be used and our rights to ask for information about ourselves.
Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- Used fairly and lawfully
- Used for limited, specifically stated purposes
- Used in a way that is adequate, relevant and not excessive
- Kept for no longer than is absolutely necessary
- Handled according to people’s data protection rights
- Kept safe and secure
If an organisation handles personal information about individuals, it has obligations to protect that information under the Data Protection Act. Organisations can be fined up to £500,000 by the Information Commissioner for serious contraventions of the Data Protection Act. For instance, a serious contravention could be the failure of a data controller to take adequate security measures that results in the loss of personal data.
As an example, in Nov 2015, The Crown Prosecution Service (CPS) was fined £200,000 after laptops containing videos of police interviews with victims and witnesses were stolen from a private film studio. The CPS sent data on an unencrypted CD/DVD – which the film company then put on an unencrypted laptop.
The requirement to notify (register)
The Data Protection Act requires every data controller (from sole trader to large organisation) who is processing personal information to register with the ICO, unless they are exempt. More than 400,000 organisations are currently registered. Failure to notify is a criminal offence and is the responsibility of the data controller.
The Information Commissioner’s Office publishes a guide for those who have day-to-day responsibility for data protection. It explains the purpose and effect of each of its data protection principles, gives practical examples and answers frequently asked questions.
For brevity, I won’t list them in full – you can find a summary on the Information Commissioner’s Office website. However, of particular relevance is Principle 7, covering information security.
This principle asks if you have pragmatic, appropriate and cost effective measures in place to protect the data that you hold:
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
For example, consider the Confidentiality, Integrity and Availability of your data:
- Confidentiality: What are you doing to prevent unauthorised access? How do you enforce the ‘Need to Know’ principle (see footnote)?
- Integrity: What are you doing to prevent the data being altered accidentally or in an unauthorised manner?
- Availability: What are you doing to ensure that the data is available when required for the purpose for which it is kept? Is the data backed up? Do you have access controls in place?
Data protection checklist
The following recommendations are best practice for data protection, irrespective of compliance with legal requirements.
- Write a policy that describes how you are managing personal data in line with the requirements of the eight principles of the Data Protection Act.
- Produce an Impact Statement as part of your data policy so that you can identify the risks and mitigate them in order to reduce the risk of harm to individuals through the misuse of personal information.
- Consider implementing the principles of ‘Privacy by Design’, i.e. rather than data security being an afterthought, design your policies, systems and practices to cater for the protection of personal data from the outset.
- Define your storage location. Many enterprises are not entirely sure where all, or indeed what, data is actually stored.
- Determine access. Understand who has access to your data and ensure that they understand their obligations under your policy and that there are robust controls in place to secure and manage this access.
- Assess the risk. Protecting information is all about risk management, i.e. implementing controls proportionate to the nature of the information held and the risk/impact of its misuse or loss. It is always wise to identify areas of potential risk and develop systems and solutions to address any shortfalls.
The ‘Need to Know’ principle states that:
‘Knowledge, possession of, or access to, sensitive information shall not be given to any individual solely by virtue of the individual’s office, position or, indeed, level of authorisation or security clearance.’
Note that ‘need to know’ is not the same as ‘nice to know’ or ‘want to know’!
This means that having the authority to access information is only half of the issue. The other half is having the need to know, i.e. the ‘someone’ actually needs to know the information in order to perform his or her job.
As an example, there is nothing in the ‘rules’ that prevents governors knowing details about specific, named students, but they very rarely need to have such information in order to do their job.
This position is confirmed by advice from the Information Commissioner’s Office:
‘..under the Data Protection Act, named pupil data or information should only be shared on a “need-to-know basis”, such as when governing bodies are required to consider an exclusion.’
‘….as governors are not involved with the day-to-day running of a school, they do not need to see named pupil performance data. Therefore, data given to governors on a routine basis should be anonymised, or a summary account should be provided.’
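To make the ICO advice above concrete, here is an added example (my own illustration, not code from the blog, the ICO or any school system) of a ‘need to know’ release filter for pupil performance data. For routine governor business it returns only an anonymised summary by year group, suppressing any group too small to hide an individual; named records are released only for a purpose that genuinely requires them, such as an exclusion hearing, and only for the pupils that decision concerns. Every release is written to an audit trail, since the Hampshire case above turned on a policy nobody checked. The pupil records, the purpose names and the minimum group size of five are all assumptions constructed for the example.

```python
"""Need-to-know release filter for pupil data (added example, not the blog's own code).

Governors get anonymised summaries by default; named data only for a purpose
that requires it, and only for the named pupils that purpose concerns.
"""
from collections import defaultdict

# Constructed sample records: hypothetical pupils, not real data.
PUPILS = [
    {"name": "Pupil A", "year": 7, "score": 60},
    {"name": "Pupil B", "year": 7, "score": 65},
    {"name": "Pupil C", "year": 7, "score": 70},
    {"name": "Pupil D", "year": 7, "score": 55},
    {"name": "Pupil E", "year": 7, "score": 75},
    {"name": "Pupil F", "year": 7, "score": 80},
    {"name": "Pupil G", "year": 8, "score": 50},
    {"name": "Pupil H", "year": 8, "score": 90},
    {"name": "Pupil I", "year": 8, "score": 70},
]

# Purposes for which the governing body legitimately needs named data
# (assumed list; the ICO quote gives exclusions as the example).
NAMED_DATA_PURPOSES = {"exclusion_hearing"}

# A summary cell for fewer than this many pupils is withheld, because a
# 'summary' of two or three people can still identify them (assumed threshold).
MIN_GROUP_SIZE = 5

# Audit trail of every release: who asked, why, and how many named records left.
AUDIT_LOG = []


def summarise_by_year(records):
    """Anonymised summary: count and mean score per year group, no names."""
    groups = defaultdict(list)
    for record in records:
        groups[record["year"]].append(record["score"])
    summary = {}
    for year, scores in sorted(groups.items()):
        if len(scores) < MIN_GROUP_SIZE:
            # Too few pupils to publish safely: report the count, suppress the figure.
            summary[year] = {"count": len(scores), "mean": None, "suppressed": True}
        else:
            summary[year] = {
                "count": len(scores),
                "mean": round(sum(scores) / len(scores), 1),
                "suppressed": False,
            }
    return summary


def release_for_governors(records, requester, purpose, pupil_names=None):
    """Return what a governor may see for the stated purpose.

    Authority alone is not enough: named data is released only when the
    purpose requires it, and then only for the pupils that purpose concerns.
    """
    if purpose in NAMED_DATA_PURPOSES:
        if not pupil_names:
            raise ValueError("named data requires the specific pupils the decision concerns")
        released = [r for r in records if r["name"] in set(pupil_names)]
        AUDIT_LOG.append({"requester": requester, "purpose": purpose, "named_records": len(released)})
        return released
    # Routine business: anonymised summary only; no name field ever leaves.
    AUDIT_LOG.append({"requester": requester, "purpose": purpose, "named_records": 0})
    return summarise_by_year(records)


if __name__ == "__main__":
    print(release_for_governors(PUPILS, "governor-1", "termly_review"))
    print(release_for_governors(PUPILS, "governor-2", "exclusion_hearing", ["Pupil H"]))
    print(AUDIT_LOG)
```

The design point is that the filter is keyed on purpose, not on the requester’s seniority: a chair of governors asking for a termly review still gets the anonymised summary, and the audit log gives the school the compliance check that was missing in the Hampshire case.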
Recent legislation on data protection and freedom of information has given greater rights to the individual but, alongside them, greater responsibilities on those who hold personal data, whether on paper or electronically.
A little investment now by schools to ensure that they are compliant with the current data protection regime will go a long way to avoiding a knock on the door and a hefty fine from the ICO!
A video by the ICO, aimed primarily at headteachers, deputy headteachers, SBMs and governors, focuses on the areas that the ICO considers most relevant.