Understanding Data Protection

Understanding Data Protection (HRIS Programme), version v1.2

GDPR and related UK data protection legislation
The GDPR and related UK data protection legislation has two aspects:
- Giving people the ‘right to know’ what information organisations hold about them.
- Providing a framework for organisations handling personal data.
The primary purpose of data protection legislation is to protect individuals against possible misuse of personal data (information about them) held by others. The legislation is underpinned by eight straightforward, common-sense principles.

Principles
The eight principles require that personal data is:
- Fairly and lawfully processed.
- Processed for limited purposes.
- Adequate, relevant and not excessive.
- Accurate and up to date.
- Not kept for longer than necessary.
- Processed in line with the rights of individuals.
- Secure.
- Not transferred to other countries without adequate protection.

Personal data
HRIS stores personal and sensitive personal data on employees (current and former) and job applicants (successful and unsuccessful).
Personal data is any information which identifies an individual, e.g. name, photograph, applicant or employee number.
Sensitive personal data is personal data relating to the individual’s race or ethnic origin, political opinion, religious beliefs, physical or mental health, trade union membership, sexual life or criminal activities. Special conditions apply to the processing of sensitive personal data, including an obligation to obtain the explicit consent of the individual.

Handling personal data
The GDPR and related UK data protection legislation covers personal data where specific information about a named employee may be readily found within:
- Computer systems, such as HRIS.
- Manual filing systems, where data is stored under topic headings, or folders where data is stored within file dividers.
- Documents which contain personal data but are not filed or referenced to a particular individual.
Particular care should be taken in handling sensitive personal data. Other information which should be handled with care includes next of kin details, bank details or other financial information, and information collected for the purposes of staff recruitment.

Subject Access Requests
A Subject Access Request (SAR) is where an individual asks for the data the University holds on them. Requests must be processed within 40 calendar days.
The University can be asked to disclose all information held in electronic or paper form that identifies the individual making the SAR, e.g. emails and letters; handwritten notes; comments made in HRIS; shortlisting forms; interview notes; references.
If you receive a request for information under either the GDPR and related UK data protection legislation or the Freedom of Information Act, you must inform HRIS Support immediately (hr.systems@admin.ox.ac.uk) and follow their instructions.

Subject Access Requests
Everything you write or email about an individual is potentially disclosable to them...

From: Peter Headley (p.headley@ox.ac.uk)
Subject: This stupid data protection request (again!!!!)
To: Colleagues

Hi there….
The Data Protection Officer has demanded George Lambert’s personal file again……!!
Can you all have a flick through the file and remove anything you don’t want him to see, before I send it on to the DPO….
Ta. Pete

Subject Access Requests
Everything you write or email about an individual is potentially disclosable to them... even if it is marked confidential or draft. (The slide repeats the email above, this time stamped CONFIDENTIAL.)

Risks of non-compliance
Breaching the GDPR and related UK data protection legislation represents a reputational and financial risk to the University.
The Information Commissioner’s Office has the power to fine organisations up to €20 million or 4% of annual turnover for breaches of the GDPR and related UK data protection legislation. Examples of fines:
- Ealing Council and Hounslow Council were fined £70,000 and £80,000 for losing password-protected but unencrypted laptops.
- Hertfordshire County Council was fined £100,000 for accidentally faxing sensitive personal information to the wrong recipient.
- The company A4e was fined £60,000 for losing an unencrypted laptop containing sensitive personal details about salaries, criminal activity and employment status.

Security Rules for Accessing HRIS
- Keep your HRIS password and log-in private; they should not be shared.
- If you are leaving your desk, either log out of HRIS or lock your computer.
- HRIS may be accessed within the ox.ac.uk domain or via secured network access such as VPN. Other than via secured network access, HRIS must not be accessed in a public place, and data from the system must not be sent to personal email accounts.
- HRIS must not be used on personal off-site computers or portable devices without the express consent of HR Systems Support.
- Where it is necessary to download sensitive personal data from the system to be held in electronic form, the data shall be held on an encrypted USB stick or in a secure ZIP file. The user shall keep the encryption details confidential in the interests of maintaining security.
- Where it is necessary to download data other than sensitive personal data to be held in electronic form, it shall, at a minimum, be password-protected.
- If data is downloaded from the system to be held in paper form, the data shall be stored in locked filing cabinets.

Further information
Further guidance at: www.admin.ox.ac.uk/councilsec/dp and https://ico.org.uk/
The Data Protection Team can provide specific advice on the Data Protection Act at an individual, section or department level: data.protection@admin.ox.ac.uk
HR Systems Support: hr.systems@admin.ox.ac.uk

Individual User Agreement for HRIS
All information in HRIS is treated as highly confidential and should not be divulged, shared or given to any other person, including after your employment with the University terminates.
In order for you to be granted access to HRIS you must:
1. Take the Assessment (and score at least 8/10): go to WebLearn > Tests > Understanding Data Protection Assessment.
2. Read and accept the Terms and Conditions set out in the Individual User Agreement: go to WebLearn > Tests > Individual User Agreement.