Data Protection Act – Myths & Musts Rick Byers Head of Operations, CTI Group Brought to you in conjunction with Edugeek

Welcome to Education Innovation Who am I? –Head of Operations for the CTI Group, an international software house, dealing this most of the worlds mobile tier 1 telcos and their data –Member of the British Computer Society Information Security Group (BCS ISSG) –Certified ISO27001:2005 Lead Implementer What Are we going to talk about in this session? –DPA, what, why, who, where etc –Impact on schools –FUD – Fear, Uncertainty and Doubt

Disclaimer I am not a lawyer! If you have a question around certain parts of law, seek professional, legal advise It might not be any different, but because you’ve paid for it, you’ll feel better! I am a cynic

Data Protection Act What is it? –It’s a piece of legislation, across the EEA (not just the EU), that is supposed to allow the free transfer of personal data, whilst safeguarding that data. What is it not? –It’s not designed to stop the flow of data –Although some countries implement more stringent laws than others –It’s not designed to stop people knowing things

The 8 Principles 1.Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. 2.Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 3.Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. 4.Personal data shall be accurate and, where necessary, kept up to date. 5.Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. 6.Personal data shall be processed in accordance with the rights of data subjects under this Act. 7.Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. 8.Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

OK – But what is meant by Personal Data? Personal data means data which relate to a living individual who can be identified – –(a) from those data, or –(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, –and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

OK, what are my responsibilities? - Musts You must obey the law – sort of goes without saying The law can be found here: You (your organisation) must be registered with the DPA, if it processes Personal Data

Myths #1 “The Data Protection Act stops parents from taking photos in schools” - False “The Data Protection Act stops parents from finding out their children’s exam results” - False “Data protection law aims to protect people’s privacy.” - False –Or rather, half false “Laws across the EU provide the same level of data protection.” - False “Personal data” is… well, private information about a person, surely?" - False “'Processing' personal data involves doing something with it.” - False

Myths #2 "You can process personal data freely if it's already public knowledge." – False “Only personal data of EU residents is protected.” - False "Only EU organisations are caught by EU data protection laws." – False "You can easily get hold of all documents an organisation holds that contain your personal data." - False "If someone processes your personal data without your consent –you can get compensation –they're committing a criminal offence." –- False x 2

Myths #3 “You can stop others from processing your personal data if you don’t want them to.” - False “Posting other people’s personal data on Facebook etc is fine.” - False “Journalists and bloggers can freely publish personal data.” - False Myths taken from:

Recent DPA Related News North Lincolnshire Council – Lost USB stick Bay House School – Hacked Freehold Community School – laptop and paperwork stolen from a car Norwich City College – Sensitive data not disposed of appropriately Here we can see 4 different types of data breach – Loss, hacking, theft & mismanagement You can find all this information, and more, at: breachwatch.com

Summary The DPA is here to protect us, not hinder us – intentionally anyway We all benefit from the act We are all bound by the act As Data Controllers we have special responsibilities –Remember you can delegate tasks, but not responsibility The ICO has lots of good advice

Useful Information ICO Docs: Guidance on Exams: ion_good_practice_note_access_to_exam_results.pdf ion_good_practice_note_access_to_exam_results.pdf Sample lessons – complete with PowerPoint presentations – how easy is that? Specific guidance for schools: earch_and_reports/report_dp_guidance_for_schools.ashx Breach watch:

Thank You for your time – any questions?