2010 Case Study – A Pig of a Day Document Risk Management.

Presentation transcript:

2010 Case Study – A Pig of a Day Document Risk Management

Statistics are like bikinis. What they reveal is suggestive, but what they conceal is vital. ~Aaron Levenstein

Monday Morning – First Thing
Due diligence:
- Fidelity guarantee insurance
- References
- Pre-employment checks
Know How. Source: Article in Birketts LLP Public Opinion, pages 2 & 3

Monday Mid Morning: Denny Grate
The letter should be treated as a subject access request. The University is required to inform DG if it keeps personal information about him, provide a description of this information and the purposes for which it is used, and provide him with a hard copy of it (unless that would involve disproportionate effort). Hard copy documents are only disclosable if they are filed in a ‘relevant filing system’, so whether his personal file is disclosable depends on how organised that file is.

Monday Mid Morning
Emails are disclosable insofar as they are about DG. It is not sufficient that he is merely a recipient of them: the content of the email must relate to him. In respect of references, the DPA provides an exemption from disclosure for any reference in the hands of the provider, but this does not extend to a reference in the hands of the recipient. An employer has 40 days to comply with a subject access request. The remedies for non-compliance include the Information Commissioner issuing an enforcement notice, or the employee applying to the courts for an order of disclosure and/or damages for the breach (but only if the employee has suffered damage or distress).

Monday Mid Morning: Code Red
The University should conduct an impact assessment before deciding to monitor an employee by any means. The University needs to weigh its own needs against the adverse impact monitoring will have on the individual, and should consider:
- the purpose behind the monitoring and the benefits it is likely to deliver;
- what adverse impact the monitoring is likely to have on the employee;
- what alternatives to monitoring are available, or the different ways in which it could be carried out;
- the obligations that arise from monitoring;
- whether the monitoring is justified.
The University would also need to consider other legal obligations, for example DS’s right to privacy under the Human Rights Act, and the Regulation of Investigatory Powers Act, which applies to the monitoring of electronic communications.

Monday Afternoon: The Freedom of Information Act 2000 (“FOIA”)
Provides a right of access for the general public to information held by public authorities.
Who can make an information request? Any individual, partnership, unincorporated body or company, whether or not they are a UK national or resident, and regardless of the purpose of the application.
To whom can a request be made? To a “public authority”. This is a wide-ranging definition, which includes most UK colleges and universities.

Monday Afternoon
What information is covered by the FOIA? All information and records held, in whatever medium, are potentially disclosable, subject to the exemptions (see below).
What formality is required in making the request? The request must be made in writing; it must include the name and address of the applicant; and it must describe in as much detail as possible the information required.

Monday Afternoon: Publication Schemes
In summary, HE institutions:
- must adopt and maintain a publication scheme approved by the Information Commissioner; and
- may adopt the model scheme which has been approved by the Information Commissioner.
The schemes must set out:
- the classes of information the institution publishes;
- the manner of publication of the information;
- details of any charges for accessing information.
Charges relating to publication are not subject to a set charging scheme, unlike requests for information under the Act, where a set charging scheme applies.

Monday Afternoon: Exemptions
Three types:
- Absolute
- Qualified (public interest test)
- Qualified (public interest test and prejudice test)

Monday Afternoon: Absolute Exemptions
If one applies, it is not necessary to consider whether disclosure is in the public interest. Commonly claimed absolute exemptions which might apply to a University include:
- Accessible to the applicant by other means (e.g. the Publication Scheme): even where it applies, this only releases the University from the duty to disclose, not from the duty to confirm or deny possession of the information.
- Personal information: if the applicant should be making a subject access request under the Data Protection Act, then he should pursue his request under the correct legislation.
- Confidential information: if it applies, the University need not confirm or deny that it holds the information, nor supply the information.

Monday Afternoon: Confidential Information
Often claimed, but less often succeeds as an exemption. It is not sufficient that a document is marked as “confidential”: the information must have been obtained from outside the University, and disclosure would have to be an actionable breach of confidence. Therefore the information must have the necessary quality of confidence to justify the assertion of a contractual or equitable obligation of confidence.

Monday Afternoon: Public Interest Test
Commonly claimed exemptions under this category include: information intended for future publication; investigations and proceedings conducted by public authorities; and trade secrets. In order to rely on this test, the institution must conclude that the public interest in withholding the exempt information outweighs the public interest in releasing it. The Act does not define public interest.

Monday Afternoon: Public Interest Test and Prejudice
These exemptions can only be relied on where the public interest test is met and, in addition, the disclosure of the particular information would, or would be likely to, prejudice (in general terms) the interests of the United Kingdom abroad or law enforcement.

Monday Afternoon: The 8 Data Protection Principles
1. Personal data must be fairly and lawfully processed.
2. Personal data must be processed for limited purposes.
3. Personal data must be adequate, relevant and not excessive.
4. Personal data must be accurate and up to date.
5. Personal data must not be kept longer than necessary.
6. It must be processed in accordance with the individual’s rights.
7. It must be kept secure.
8. It must not be transferred outside the European Economic Area unless the transferee country has adequate protection for the individual.

Monday Afternoon: Responding to a subject access request under the Act
- For a DPA subject access request the University can charge a nominal fee of £10.
- The request must be in writing (this includes email).
- There is a 40 calendar day time limit to respond by providing the relevant information.
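The rules on the preceding slides (emails only where their content is about the subject, references exempt in the provider's hands but not the recipient's, paper records only from a relevant filing system, a written request, a nominal fee and a 40 calendar day deadline) can be operationalised as a simple triage routine. The following is an added example, not code from the Birketts presentation; the record categories, field names and sample records are constructed for illustration.

```python
"""Triage of a DPA subject access request (SAR) using the rules stated on the slides.
Added example, not code from the Birketts presentation. Record categories, field
names and the sample records below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

SAR_RESPONSE_DAYS = 40   # calendar-day limit to respond, as stated on the slides
SAR_MAX_FEE_GBP = 10     # nominal fee the slides say may be charged


@dataclass(frozen=True)
class Record:
    ref: str
    kind: str                               # constructed categories: "email", "reference", "paper", "electronic"
    about_subject: bool = True              # content relates to the requester, not merely addressed to them
    held_as: str = ""                       # for references: "provider" or "recipient"
    in_relevant_filing_system: bool = True  # only meaningful for paper records


def is_disclosable(rec: Record) -> Tuple[bool, str]:
    """Apply the slides' rules to one record; returns (disclosable, reason)."""
    if rec.kind == "reference":
        # The DPA exemption covers a reference held by whoever gave it, not one held by the recipient.
        if rec.held_as == "provider":
            return False, "reference held by its provider: exempt from disclosure"
        return True, "reference held by the recipient: exemption does not apply"
    if rec.kind == "paper" and not rec.in_relevant_filing_system:
        # Hard-copy documents are only disclosable from a 'relevant filing system'.
        return False, "paper document not held in a relevant filing system"
    if not rec.about_subject:
        # Being a recipient of an email is not enough; its content must relate to the subject.
        return False, "content does not relate to the subject"
    return True, "personal data about the subject"


def triage_sar(received: date, in_writing: bool, records: List[Record]) -> Dict:
    """Validate the request, compute the response deadline and split records into disclose/withhold."""
    if not in_writing:
        raise ValueError("a subject access request must be made in writing (email counts)")
    deadline = received + timedelta(days=SAR_RESPONSE_DAYS)
    disclose: List[Tuple[str, str]] = []
    withhold: List[Tuple[str, str]] = []
    for rec in records:
        ok, reason = is_disclosable(rec)
        (disclose if ok else withhold).append((rec.ref, reason))
    return {"deadline": deadline, "max_fee_gbp": SAR_MAX_FEE_GBP,
            "disclose": disclose, "withhold": withhold}


# Constructed sample: a written request received on Monday 1 March 2010
SAMPLE_RECORDS = [
    Record("E1", "email", about_subject=True),
    Record("E2", "email", about_subject=False),              # subject merely copied in
    Record("R1", "reference", held_as="provider"),           # reference the University wrote
    Record("R2", "reference", held_as="recipient"),          # reference the University received
    Record("P1", "paper", in_relevant_filing_system=False),  # loose, unstructured papers
    Record("P2", "paper"),                                   # in the organised personal file
]


def run_sample() -> Dict:
    """Triage the constructed sample request."""
    return triage_sar(date(2010, 3, 1), True, SAMPLE_RECORDS)


if __name__ == "__main__":
    result = run_sample()
    print("respond by", result["deadline"], "max fee GBP", result["max_fee_gbp"])
    for ref, why in result["disclose"]:
        print("disclose", ref, ":", why)
    for ref, why in result["withhold"]:
        print("withhold", ref, ":", why)
```

The reason string recorded against every withheld item is the point of the design: if the Information Commissioner or a court later asks why a document was not supplied, the decision and its basis are already written down.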

Monday Afternoon: The Legal Position
The seventh data protection principle, often called the Security Principle, requires data controllers to take appropriate technical and organisational measures against:
- unauthorised processing of personal data;
- unlawful processing of personal data; and
- accidental loss or destruction of, or damage to, personal data.

Monday Afternoon: Guidance on Data Security Breach Management
- Containment and recovery (initial response, investigation, containment and recovery plan including damage limitation).
- Assessing the risks.
- Notification of breaches (whether the breach of security should be notified, who should be notified, what information should be provided in the notification).
- Evaluation and response (evaluation of the causes of the breach and the effectiveness of the organisation’s response to it).

Monday Afternoon: If the Information Commissioner’s Office is notified, what will it do?
- It can provide guidance and assistance in dealing with the security breach.
- If it considers that there has been a breach of the Seventh Data Protection Principle, it may carry out enforcement action.
- It may “name and shame”.
- It may negotiate legally binding undertakings from the organisation in breach, publish the undertakings on the website of the Information Commissioner’s Office and issue a press release. Typical undertakings include: an obligation to admit a breach; and agreement to implement remedial action specified by the Information Commissioner, including agreement to be audited by the Information Commissioner.

Monday Afternoon: What preventative measures should be taken to reduce the risk of a breach?
There is no definition in the DPA of what actually constitutes “appropriate” technical or organisational measures, but it will depend on the likely harm from unlawful or unauthorised processing or accidental loss or destruction, and on the nature of the data. Therefore:
- carry out a risk assessment;
- devise a security policy;
- apply security standards that take account of the risks of unauthorised access to, accidental loss or destruction of, or damage to personal data.

Monday Afternoon
- Institute a system of secure cabinets, access controls and passwords.
- Use the audit trail capabilities of automated systems to track who accesses and amends personal data.
- Take steps to ensure the reliability of staff who have access to workers’ records.
- Ensure appropriate control of records being taken off site (e.g. on laptops). Make sure only necessary information is taken and there are security rules for staff to follow.
- Take account of the risks of transmitting confidential personal information by fax or email: make sure a secure network or comparable arrangements are in place.
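An audit trail only reduces risk if someone reviews it against the access controls it is meant to back up. The following added example (not code from the presentation) shows that review: it parses a constructed audit log of the kind an automated HR system might write, compares each event with a constructed role-based policy, and reports both the events the policy does not permit and a per-user summary of who viewed or amended personal data. The log format, role names, user names and record identifiers are all assumptions for illustration.

```python
"""Reviewing an automated system's audit trail of who accessed or amended personal
data against an access-control policy. Added example, not from the presentation;
the log format, role names, policy and sample events are constructed for illustration."""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed policy: role -> record category -> permitted actions.
POLICY: Dict[str, Dict[str, set]] = {
    "hr_officer":   {"personnel": {"view", "amend"}},
    "line_manager": {"personnel": {"view"}},
    "it_support":   {},   # no business need to read personnel records
}

# Constructed audit log, one event per line, as an automated HR system might write it.
SAMPLE_AUDIT_LOG = """\
2010-03-01T09:15:00 user=asmith role=hr_officer action=view record=PF-1042 category=personnel
2010-03-01T09:20:00 user=asmith role=hr_officer action=amend record=PF-1042 category=personnel
2010-03-01T10:02:00 user=bjones role=line_manager action=view record=PF-1042 category=personnel
2010-03-01T10:05:00 user=bjones role=line_manager action=amend record=PF-1042 category=personnel
2010-03-01T22:41:00 user=ctech role=it_support action=view record=PF-1042 category=personnel
"""


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp is validated as ISO 8601."""
    timestamp, *fields = line.split()
    event = {"timestamp": datetime.fromisoformat(timestamp).isoformat()}
    for field in fields:
        key, _, value = field.partition("=")
        if not key or not value:
            raise ValueError(f"malformed field {field!r} in audit line")
        event[key] = value
    return event


def review_audit_trail(log_text: str, policy: Dict[str, Dict[str, set]]) -> List[Dict[str, str]]:
    """Return the events the policy does not permit, each annotated with a reason."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        # A role absent from the policy, or a category absent for that role, permits nothing.
        permitted = policy.get(event["role"], {}).get(event["category"], set())
        if event["action"] not in permitted:
            findings.append({**event,
                             "reason": f"{event['role']} is not permitted to {event['action']} "
                                       f"{event['category']} records"})
    return findings


def access_summary(log_text: str) -> Dict[str, Counter]:
    """Per-user count of actions: the 'who accesses and amends' view the slide calls for."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            summary[event["user"]][event["action"]] += 1
    return dict(summary)


if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_AUDIT_LOG, POLICY):
        print(finding["timestamp"], finding["user"], finding["record"], "->", finding["reason"])
    for user, counts in access_summary(SAMPLE_AUDIT_LOG).items():
        print(user, dict(counts))
```

On the sample log the review flags the line manager's amendment (view-only role) and the IT support account's late-evening read of a personnel file (no rights at all); the summary shows the HR officer's one view and one amendment as expected. Running such a review on a schedule, rather than only after a complaint, is what turns the "audit trail capabilities of automated systems" into an organisational measure under the seventh principle.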

Birketts LLP Contact Details Abigail Trencher – Head of Employment Education Direct Dial: Mobile: Sara Sayer – Head of Education Dispute Management and Student Issues Direct Dial: Mobile: