
2010 Case Study – A Pig of a Day Document Risk Management.




1 2010 Case Study – A Pig of a Day Document Risk Management

2 Statistics are like bikinis. What they reveal is suggestive, but what they conceal is vital. ~Aaron Levenstein

3 Monday Morning – First Thing
Due Diligence
- Fidelity Guarantee Insurance
- References
- Pre-Employment Checks
- Know How
Source: Article in Birketts LLP Public Opinion, pages 2 & 3

4 Monday Mid Morning – Denny Grate
The letter should be treated as a subject access request.
The University is required to inform DG if it keeps personal information about him, provide a description of this information and the purposes for which it is used, and provide him with a hard copy of it (unless this would involve disproportionate effort).
Hard copy documents are only discloseable if they are filed in a ‘relevant filing system’, so whether his personal file is discloseable depends on how organised that file is.

5 Monday Mid Morning
- Emails are discloseable insofar as they are about DG. It is not sufficient that he is just a recipient of them – the content of the email must relate to him.
- In respect of references, the DPA provides an exemption from disclosure of any reference in the hands of the provider, but this does not extend to any reference in the hands of the recipient.
- An employer has 40 days to comply with a subject access request.
- The remedies for non-compliance include the IC issuing an enforcement notice or the employee applying to the courts for an order of disclosure and/or damages for the breach (but only if the employee has suffered damage/distress).

6 Monday Mid Morning – Code Red
The University should conduct an impact assessment before deciding to monitor an employee by any means. The University needs to weigh up its own needs against the adverse impact monitoring will have on the individual, and should consider:
- The purpose behind the monitoring and the benefits it is likely to deliver
- What likely adverse impact the monitoring will have on the employee

7 Monday Mid Morning
- What alternatives are available to monitoring, or the different ways in which it could be carried out
- The obligations that arise from monitoring
- Whether the monitoring is justified
The University would also need to consider other legal obligations, for example DS’s right to privacy under the Human Rights Act, and the Regulation of Investigatory Powers Act, which applies to monitoring of electronic communications.

8 Monday Afternoon – The Freedom of Information Act 2000 (“FOIA”)
Provides the general public with a right of access to information held by public authorities.
Who can make an information request? Any individual, partnership, unincorporated body or company, whether or not they are a UK national or resident, and regardless of the purpose of the application.
To whom can a request be made? To a “public authority”. This is a wide-ranging definition, which includes most UK colleges and universities.

9 Monday Afternoon
What information is covered by the FOIA? All information and records held, in whatever media, are potentially discloseable, subject to exemption (see below).
What formality is required in making the request? The request must be made in writing; it must include the name and address of the applicant; and it must describe in as much detail as possible the required information.

10 Monday Afternoon – Publication Schemes
In summary, HE institutions:
- must adopt and maintain a publication scheme approved by the Information Commissioner; and
- may adopt the model scheme which has been approved by the Information Commissioner.
The schemes must set out:
- the classes of information the institution publishes;
- the manner of publication of the information;
- details of any charges for accessing information.
Charges relating to publication are not subject to a set charging scheme, unlike requests for information under the Act, where a set charging scheme applies.

11 Monday Afternoon – Exemptions
3 types:
- Absolute
- Qualified – public interest test
- Qualified – public interest test and prejudice test

12 Monday Afternoon – Absolute Exemptions
If one applies, it is not necessary to consider whether disclosure is in the public interest. Commonly claimed absolute exemptions which might apply to a University include:
- Accessible to applicant by other means (e.g. Publication Scheme) – even if it applies, this only releases the University from the duty to disclose, not from the duty to confirm or deny possession of the information;
- Personal Information: if the applicant should be making a subject access request under the Data Protection Act, then he should pursue his request under the correct legislation;
- Confidential Information: if it applies, the University need not confirm or deny that it holds the information, nor supply the information.

13 Monday Afternoon – Confidential Information
Often claimed, but less often succeeds as an exemption. It is not sufficient that a document is marked as “confidential”: the information
- must have been obtained from outside the University; and
- its disclosure would be an actionable breach of confidence.
Therefore the information must have the necessary quality of confidence to justify the assertion of a contractual or equitable obligation of confidence.

14 Monday Afternoon – Public Interest Test
Commonly claimed exemptions under this category include:
- information intended for future publication;
- investigations and proceedings conducted by public authorities; and
- trade secrets.
In order to rely on this test, the institution must conclude that the public interest in withholding the exempt information outweighs the public interest in releasing it. The Act does not define public interest.

15 Monday Afternoon – Public Interest Test and Prejudice
These exemptions can only be relied on where the public interest test is met and, in addition, the disclosure of the particular information would, or would be held to, prejudice (in general terms) the interests of the United Kingdom abroad or law enforcement.

16 Monday Afternoon – 8 Data Protection principles
1. Personal data must be fairly and lawfully processed
2. Personal data must be processed for limited purposes
3. Personal data must be adequate, relevant and not excessive
4. Personal data must be accurate and up-to-date
5. Personal data must not be kept longer than necessary
6. It must be processed in accordance with the individual’s rights
7. It must be kept secure
8. It must not be transferred outside the European Economic Area unless the transferee country has adequate protection for the individual

17 Monday Afternoon – Responding to a subject access request under the Act
- For a DPA subject access request the University can charge a nominal fee of £10
- The request must be in writing (this includes e-mail)
- 40 calendar day time limit to respond by providing the relevant information

18 Monday Afternoon – The Legal Position
The seventh data protection principle, often called the Security Principle, requires data controllers to take appropriate technical and organisational measures against:
- unauthorised processing of personal data;
- unlawful processing of personal data; and
- accidental loss or destruction of, or damage to, personal data.

19 Monday Afternoon – Guidance on Data Security Breach Management
- Containment and recovery (initial response, investigation, containment and recovery plan including damage limitation).
- Assessing the risks.
- Notification of breaches (whether the breach of security should be notified, who should be notified, what information should be provided in the notification).
- Evaluation and response (evaluation of the causes of the breach and the effectiveness of the organisation’s response to it).

20 Monday Afternoon – If the Information Commissioner’s Office is notified, what will it do?
- It can provide guidance and assistance in dealing with the security breach.
- If it considers that there has been a breach of the Seventh Data Protection Principle, it may carry out enforcement action.
- It may “name and shame”.
- It may negotiate legally binding undertakings from the organisation in breach, publish the undertakings on the website of the Information Commissioner’s Office and issue a press release. Typical undertakings include:
  - an obligation to admit a breach; and
  - agreement to implement remedial action specified by the Information Commissioner, including agreement to be audited by the Information Commissioner.

21 Monday Afternoon – What preventative measures should be taken to reduce the risk of a breach?
There is no definition in the DPA of what actually constitutes “appropriate” technical or organisational measures. What is appropriate will depend on the likely harm from unlawful or unauthorised processing or accidental loss or destruction, and on the nature of the data. Therefore:
- Carry out a risk assessment.
- Devise a security policy.
- Apply security standards that take account of the risks of unauthorised access to, accidental loss or destruction of, or damage to personal data.

22 Monday Afternoon
- Institute a system of secure cabinets, access controls and passwords.
- Use the audit trail capabilities of automated systems to track who accesses and amends personal data.
- Take steps to ensure the reliability of staff who have access to workers’ records.
- Ensure appropriate control of records being taken off site (e.g. on laptops). Make sure only necessary information is taken and that there are security rules for staff to follow.
- Take account of the risks of transmitting confidential personal information by fax or e-mail – make sure a secure network or comparable arrangements are in place.

23 Birketts LLP Contact Details
Abigail Trencher – Head of Employment Education
Direct Dial: 01223 326622
Mobile: 07983 385842
Email: abigail-trencher@birketts.co.uk
Sara Sayer – Head of Education Dispute Management and Student Issues
Direct Dial: 01223 326763
Mobile: 07983 385840
Email: sara-sayer@birketts.co.uk




