CYPS Information Governance Training
Agenda
• introductions
• questionnaire
• Information Governance presentation
• case studies
• video
Nigel McCosker
Corporate Services
INFORMATION GOVERNANCE - WORKING WITH OPENNESS
• current information access legislation
• information security
• impact on Board and risks
• working with openness
INFORMATION ACCESS LEGISLATION
• creates a statutory obligation on public authorities to consider releasing information in response to a written request
• came fully into effect on 1 Jan 05
• requests for information must be in writing
• there is no right to know why the information is being requested
Freedom of Information Act 2000 (FOI)
• the requested information must be provided unless it falls into one of a number of exempt categories
• two types of exemption exist:
  • Absolute (information cannot be released - clear cut)
  • Qualified (must apply a public interest test)
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
Examples of Absolute exemptions:
Section 21 - Information accessible by other means
Section 32 - Court records
Section 40 - Personal information
Section 41 - Information provided in confidence
Section 44 - Prohibitions on disclosure
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
Examples of Qualified exemptions:
Section 22 - Information intended for future publication
Section 36 - Prejudice to effective conduct of public affairs
Section 43 - Commercial Interests
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
• the Act is fully retrospective
• anyone can apply for information
• the Act has provisions for dealing with repeat or vexatious requests
• criminal offence to tamper
• any member of staff can receive a request
INFORMATION ACCESS LEGISLATION
Freedom of Information Act 2000 (FOI)
• the public – i.e. pupils and parents
• the media
• pressure groups
• politicians
Who is using FOI?
Data Protection Act 1998 (DPA)
• a legal framework for the proper collection, usage, storage, sharing and disposal of personal data
• underpinned by eight core Principles
• permits Data Subjects access to their records
INFORMATION ACCESS LEGISLATION
What is personal data?
“Personal data” means data which relate to a living individual who can be identified -
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
INFORMATION ACCESS LEGISLATION
What is personal data?
This definition includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual
INFORMATION ACCESS LEGISLATION
What is personal data?
The mere mention of a data subject in a document does not amount to personal data.
In order to be considered personal data the information must be biographical in a significant sense
INFORMATION ACCESS LEGISLATION
Main provisions of the Data Protection Act:
• covers all personal data held on computer and manual records
• covers ‘processing’ including obtaining, holding and disclosing data
• permits Data Subjects access to their records
• imposes considerable penalties on organisations that mishandle personal data
INFORMATION ACCESS LEGISLATION
• personal data shall be processed fairly and lawfully (with consent)
• processed for specified purposes
• adequate, relevant and not excessive
• kept accurate and up to date
Data Protection Principles
INFORMATION ACCESS LEGISLATION
Data Protection Principles
• not be kept for longer than is necessary (record retention schedule)
• processed in accordance with the rights of the individual
• kept secure
• not transferred to countries outside the European Economic Area unless adequately protected.
INFORMATION ACCESS LEGISLATION
Subject access requests
• right of access to personal data in computer or manual form
• entitled to:
  - be informed whether personal data is processed
  - a description of the data held, the purposes for which it is processed and to whom the data may be disclosed
  - a copy of the data
  Usually within 40 days
  - information as to the source of the data
• there are limited exemptions
INFORMATION ACCESS LEGISLATION
Data Protection Act (Access to one’s own personal data)
FOI Act (Access to everything else)
INFORMATION ACCESS LEGISLATION
Dealing with information requests
• FOI - WELB/SELB have handling procedures in place. Contact the relevant officer immediately
• Subject Access Request (DPA) - WELB/SELB. Contact the relevant officer / section immediately
Where does Information Security fit in?
• Data Protection is the ‘what we have to do’
• Information Security is much of the ‘how we do it’
• Information Security is involved with the protection of all Board information, not just personal data
INFORMATION SECURITY
Manual data
• keep personal data in a locked filing cabinet or drawer
• operate a clear desk policy; lock all personal data away when you are finished with it and at the end of the day
• only remove files containing personal information from storage areas when necessary. Their location should be tracked at all times
INFORMATION SECURITY
Manual data
• pupil or client records transferred between Boards should be moved securely. Such files should be hand delivered
• destroy personal data by shredding
INFORMATION SECURITY
Electronic data
• do not store personal data on desktops, laptops or portable media unless protected by encryption software
• usernames and passwords provide legitimate users access to Board systems and should not be disclosed to anyone. Always renew passwords when prompted
INFORMATION SECURITY
Electronic data
• position monitors so others cannot see personal data.
• when leaving your desk, lock your PC (by pressing ‘Ctrl, Alt and Del’ keys simultaneously). Log off when leaving for longer periods
• emails sent to addresses outside the organisation will be transmitted across the internet. Never send personal data to such addresses
• never leave personal data at printers. Collect print jobs promptly
INFORMATION SECURITY
Electronic data
• avoid sending personal information by fax. Where this is necessary do it over a secure protocol.
• never leave laptops/portables/media unattended. When transporting any computer media always ensure it is out of sight, either in a glove compartment or boot of a car.
• consider pupil databases
INFORMATION SECURITY
• do not allow sensitive conversations to be overheard
• guard against people seeking information by deception
• if working from home treat that environment like your work environment. Do not allow friends/family access to any information.
INFORMATION SECURITY
General good practice
IMPACT ON BOARD AND RISKS
• most Board information is either publicly accessible or releasable to a data subject on request
• public servant = public record. Staff do not own the records they create
• requests for information can highlight a lack of information as well as scrutinise what is available
IMPACT ON BOARD AND RISKS
• information which is unprofessional, i.e. not based on sound policy/procedure, can undermine public confidence if released
• extra demands are placed on Information management / record keeping systems due to the need to locate information
IMPACT ON BOARD AND RISKS
Records which have been released under FOI/DPA to date
• minutes
• reports
• pupil files
• internal memos
• emails
• diary extracts
WORKING WITH OPENNESS
Writing for disclosure
• does not mean record less
• keep records factual and professional
• write objectively
• document reasons for decisions generally
• record the context of file note / record
• refer to policies in decision making
WORKING WITH OPENNESS
Telephone conversations
• record relevant detail
• add necessary information to pupil file
• avoid post-its. Record detail in a telephone record book or type it up
• take control of the call where you need to
• say what you mean. You might not be taking notes but the other person may
WORKING WITH OPENNESS
Diary entries and notebooks
• diary extracts are accessible under FOI and DPA - even if you have bought the diary yourself but use it for work
• non-work related entries are exempt
• make diary entries with the same care as if adding information directly into a pupil file
• Includes electronic diaries and PDAs
WORKING WITH OPENNESS
Emails
• formal method of Board communication
• no control on where your email might end up
• avoid forwarding discussion threads where this is unnecessary
• accessible under FOI and DPA where related to a request topic or Data Subject
• avoid ‘chat’ emails. Never mix informal discussion within a work related e-mail
• make the subject line clear and concise
WORKING WITH OPENNESS
Minutes
• providing accountability for decisions
• identify action owners and attributing time-scales
• recording the consideration of alternatives and the reasons for their rejection
• capturing policy development
• change management tool
Purpose of minutes:
WORKING WITH OPENNESS
Always write with disclosure in mind
• does not mean write less, or write vaguely
• write:
  - concisely
  - factually and
  - in line with policy/procedure
• consider how the record would read in court
Key points for staff
WORKING WITH OPENNESS
Record management
Creation
Active use
Retention
Final disposal
The record lifecycle
WORKING WITH OPENNESS
Record Management
Subject Access Requests
FOI requests
Inspections / audits
Know what information you hold and be able to access it...
WORKING WITH OPENNESS
What can disposal mean?
• destruction
• offer records to the Public Record Office for Northern Ireland (PRONI)
refer to the Board’s record retention schedule before disposing of records
File Disposal
Help / Support
• WELB ICT Manager ext 1247 [email protected]
• WELB Corporate Information Manager ext 1553 [email protected]
• WELB staff folder (X: Drive) - Policies / Procedures / Guidance for staff
• Information Commissioner's website www.ico.gov.uk
Thanks for listening
Questions