cyps information governance training agenda introductions questionnaire information governance...

CYPS Information Governance Training Agenda • introductions • questionnaire • Information Governance presentation • case studies • video Nigel McCosker Corporate Services

Upload: allen-watkins

Post on 02-Jan-2016


TRANSCRIPT

Page 1

CYPS Information Governance Training

Agenda

• introductions

• questionnaire

• Information Governance presentation

• case studies

• video

Nigel McCosker

Corporate Services

Page 2

INFORMATION GOVERNANCE - WORKING WITH OPENNESS

• current information access legislation

• information security

• impact on Board and risks

• working with openness

Page 3

INFORMATION ACCESS LEGISLATION

Freedom of Information Act 2000 (FOI)

• creates a statutory obligation on public authorities to consider releasing information in response to a written request

• came fully into effect on 1 Jan 05

• requests for information must be in writing

• there is no right to know why the information is being requested

Page 4

INFORMATION ACCESS LEGISLATION

Freedom of Information Act 2000 (FOI)

• the requested information must be provided unless it falls into one of a number of exempt categories

• two types of exemption exist:

  • Absolute (information cannot be released - clear cut)

  • Qualified (must apply a public interest test)

Page 5

INFORMATION ACCESS LEGISLATION

Freedom of Information Act 2000 (FOI)

Examples of Absolute exemptions:

Section 21 - Information accessible by other means

Section 32 - Court records

Section 40 - Personal information

Section 41 - Information provided in confidence

Section 44 - Prohibitions on disclosure

Page 6

INFORMATION ACCESS LEGISLATION

Freedom of Information Act 2000 (FOI)

Examples of Qualified exemptions:

Section 22 - Information intended for future publication

Section 36 - Prejudice to effective conduct of public affairs

Section 43 - Commercial Interests

Page 7

INFORMATION ACCESS LEGISLATION

Freedom of Information Act 2000 (FOI)

• the Act is fully retrospective

• anyone can apply for information

• the Act has provisions for dealing with repeat or vexatious requests

• criminal offence to tamper

• any member of staff can receive a request

Page 8

INFORMATION ACCESS LEGISLATION

Freedom of Information Act 2000 (FOI)

Who is using FOI?

• the public – i.e. pupils and parents

• the media

• pressure groups

• politicians

Page 9

INFORMATION ACCESS LEGISLATION

Data Protection Act 1998 (DPA)

• a legal framework for the proper collection, usage, storage, sharing and disposal of personal data

• underpinned by eight core Principles

• permits Data Subjects access to their records

Page 10

INFORMATION ACCESS LEGISLATION

What is personal data?

“Personal data” means data which relate to a living individual who can be identified -

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller

Page 11

INFORMATION ACCESS LEGISLATION

What is personal data?

This definition includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual

Page 12

INFORMATION ACCESS LEGISLATION

What is personal data?

The mere mention of a data subject in a document does not amount to personal data.

In order to be considered personal data the information must be biographical in a significant sense

Page 13

INFORMATION ACCESS LEGISLATION

Main provisions of the Data Protection Act:

• covers all personal data held on computer and manual records

• covers ‘processing’ including obtaining, holding and disclosing data

• permits Data Subjects access to their records

• imposes considerable penalties on organisations that mishandle personal data

Page 14

INFORMATION ACCESS LEGISLATION

Data Protection Principles

• personal data shall be processed fairly and lawfully (with consent)

• processed for specified purposes

• adequate, relevant and not excessive

• kept accurate and up to date

Page 15

INFORMATION ACCESS LEGISLATION

Data Protection Principles

• not be kept for longer than is necessary (record retention schedule)

• processed in accordance with the rights of the individual

• kept secure

• not transferred to countries outside the European Economic Area unless adequately protected.

Page 16

INFORMATION ACCESS LEGISLATION

Subject access requests

• right of access to personal data in computer or manual form

• entitled to:

  - be informed whether personal data is processed

  - a description of the data held, the purposes for which it is processed and to whom the data may be disclosed

  - a copy of the data

  Usually within 40 days

  - information as to the source of the data

• there are limited exemptions

Page 17

INFORMATION ACCESS LEGISLATION

Data Protection Act (Access to one’s own personal data)

FOI Act (Access to everything else)

Page 18

INFORMATION ACCESS LEGISLATION

Dealing with information requests

• FOI: WELB/SELB have handling procedures in place. Contact the relevant officer immediately

• Subject Access Request (DPA): WELB/SELB, contact the relevant officer / section immediately

Page 19

INFORMATION SECURITY

Where does Information Security fit in?

• Data Protection is the ‘what we have to do’

• Information Security is much of the ‘how we do it’

• Information Security is involved with the protection of all Board information, not just personal data

Page 20

INFORMATION SECURITY

Manual data

• keep personal data in a locked filing cabinet or drawer

• operate a clear desk policy; lock all personal data away when you are finished with it and at the end of the day

• only remove files containing personal information from storage areas when necessary. Their location should be tracked at all times

Page 21

INFORMATION SECURITY

Manual data

• pupil or client records transferred between Boards should be moved securely. Such files should be hand delivered

• destroy personal data by shredding

Page 22

INFORMATION SECURITY

Electronic data

• do not store personal data on desktops, laptops or portable media unless protected by encryption software

• usernames and passwords provide legitimate users access to Board systems and should not be disclosed to anyone. Always renew passwords when prompted

Page 23

INFORMATION SECURITY

Electronic data

• position monitors so others cannot see personal data.

• when leaving your desk, lock your PC (by pressing ‘Ctrl, Alt and Del’ keys simultaneously). Log off when leaving for longer periods

• emails sent to addresses outside the organisation will be transmitted across the internet. Never send personal data to such addresses

• never leave personal data at printers. Collect print jobs promptly

Page 24

INFORMATION SECURITY

Electronic data

• avoid sending personal information by fax. Where this is necessary do it over a secure protocol.

• never leave laptops/portables/media unattended. When transporting any computer media always ensure it is out of sight, either in a glove compartment or boot of a car.

• consider pupil databases

Page 25

INFORMATION SECURITY

General good practice

• do not allow sensitive conversations to be overheard

• guard against people seeking information by deception

• if working from home treat that environment like your work environment. Do not allow friends/family access to any information.

Page 26

IMPACT ON BOARD AND RISKS

• most Board information is either publicly accessible or releasable to a data subject on request

• public servant = public record. Staff do not own the records they create

• requests for information can highlight a lack of information as well as scrutinise what is available

Page 27

IMPACT ON BOARD AND RISKS

• information which is unprofessional i.e. not based on sound policy/procedure can undermine public confidence if released

• extra demands are placed on Information management / record keeping systems due to the need to locate information

Page 28

IMPACT ON BOARD AND RISKS

Records which have been released under FOI/DPA to date

• minutes

• reports

• pupil files

• internal memos

• emails

• diary extracts

Page 29

WORKING WITH OPENNESS

Writing for disclosure

• does not mean record less

• keep records factual and professional

• write objectively

• document reasons for decisions generally

• record the context of file note / record

• refer to policies in decision making

Page 30

WORKING WITH OPENNESS

Telephone conversations

• record relevant detail

• add necessary information to pupil file

• avoid post-its. Record detail in a telephone record book or type it up

• take control of the call where you need to

• say what you mean. You might not be taking notes but the other person may

Page 31

WORKING WITH OPENNESS

Diary entries and notebooks

• diary extracts are accessible under FOI and DPA - even if you have bought the diary yourself but use it for work

• non-work related entries are exempt

• make diary entries with the same care as if adding information directly into a pupil file

• Includes electronic diaries and PDAs

Page 32

WORKING WITH OPENNESS

Emails

• formal method of Board communication

• no control on where your email might end up

• avoid forwarding discussion threads where this is unnecessary

• accessible under FOI and DPA where related to a request topic or Data Subject

• avoid ‘chat’ emails. Never mix informal discussion within a work related e-mail

• make the subject line clear and concise

Page 33

WORKING WITH OPENNESS

Minutes

Purpose of minutes:

• providing accountability for decisions

• identifying action owners and attributing time-scales

• recording the consideration of alternatives and the reasons for their rejection

• capturing policy development

• change management tool

Page 34

WORKING WITH OPENNESS

Key points for staff

Always write with disclosure in mind

• does not mean write less, or write vaguely

• write:

  - concisely

  - factually and

  - in line with policy/procedure

• consider how the record would read in court

Page 35

WORKING WITH OPENNESS

Record management

The record lifecycle

Creation

Active use

Retention

Final disposal

Page 36

WORKING WITH OPENNESS

Record Management

Subject Access Requests

FOI requests

Inspections / audits

Know what information you hold and be able to access it...

Page 37

WORKING WITH OPENNESS

File Disposal

What can disposal mean?

• destruction

• offer records to the Public Record Office for Northern Ireland (PRONI)

refer to the Board’s record retention schedule before disposing of records

Page 38

Help / Support

• WELB ICT Manager ext 1247 [email protected]

• WELB Corporate Information Manager ext 1553 [email protected]

• WELB staff folder (X: Drive) - Policies / Procedures / Guidance for staff

• Information Commissioner's website www.ico.gov.uk

Page 39

Thanks for listening

Questions