Data Protection & Freedom of Information – Staff Guidance

Contents

Summary
1 Summary
2 Further Information
3 Review

Guidelines
1 Introduction
2 Scope
3 Policy Overview
4 Collection & Use of Data
5 Disclosure
6 Storage
- Data security
- Transfer of personal data using electronic media
- Transfer of personal data via paper media
- Loss of data
7 Disposal
8 Photography / Filming
9 Checklist
10 Freedom of Information

This document is available in large print or in an alternative format that meets your needs.

Please contact the HR Manager.

March 2015 / Ref:GUID0014

Summary

1 Summary

This Data Protection staff guidance encompasses both data held on electronic media and data held on paper.

This guidance is for all college staff accessing and using college data.

2 Further Information

Further information on specific aspects of this guidance can be obtained from the following staff.

·  Director – Information Services

·  ICT Manager

3 Review

This guidance will be reviewed annually in January by the ICT Manager in consultation with the Director - Information Services.

Guidelines

1 Introduction

The following is intended as guidance for staff to ensure they understand the requirements of the Act and that adequate security is applied to personal data held or processed by college staff and when personal data is sent or taken outside the College. It provides guidelines to comply with the College Data Protection Policy.

These guidelines have been developed, within the context of the Data Protection Act, to protect the privacy, safety and well-being of our students and staff. They are designed to ensure the College complies with its obligations under the Data Protection Act. They should, therefore, be read carefully and observed by all staff.

The aim of the Data Protection Act is not the protection of data itself, but the provision of individuals with a degree of control over the use of their personal data, most notably unforeseen secondary uses of that data, and to provide protection from unwanted or harmful uses of that data. As such, data privacy regimes (such as the College Data Protection Policy) do not seek to stop the flow of data, merely to see that it is collected and used in a responsible and, above all, accountable fashion.

All staff have a duty to make sure they comply with the data protection principles which are set out in the Data Protection Policy. In particular staff must ensure that records are:

·  accurate

·  up to date

·  fair

·  kept and disposed of securely and in accordance with relevant College policy

2 Scope

This guideline covers all documents and all media:

·  documents (eg: databases, spreadsheets, word processed documents, images, zip files)

·  electronic media (eg: e-mail, internet, portable media - memory sticks, CD-ROM, DVD, floppy disk)

·  paper media (eg: faxes, printed documents)

It also applies to data stored on laptops or mobile storage devices (eg: tablets/phones) which are taken off-site.

It applies to any personal data relating to learners, staff or other individuals. This specifically includes, but is not limited to, data items such as: name, address, learner reference numbers, date of birth, age, gender, telephone numbers and sensitive data (eg: ethnicity, learning difficulty, disability). It also includes images of individuals (see Section 7 – Photography / Filming).

It covers both one-off and regular data transfers; whether weekly, monthly, termly or annually. It applies whoever the data recipient is; government bodies (eg: SFA), local bodies (eg: Local Authority) or partner organisations (eg: other colleges). It also applies to software suppliers involved in implementing or maintaining IT systems.

3 Policy Overview

Managers of all areas should ensure procedures are in place that:

·  identify who is authorised to process what data

·  specify how data is to be processed, including how it is to be stored along with security and disposal arrangements

All staff will process data on a regular basis. Student data will be processed by most staff. Other data, such as that relating to staff or suppliers, will be processed in specific areas of the College.

The College will ensure through admission and enrolment procedures that all students are notified of the reasons why their data is collected and consent for processing is gained. Similar notification and consent will be given and gained for data relating to other types of data subjects (e.g. staff, suppliers).

Some data is considered sensitive and as such requires explicit consent to process. Sensitive data covers areas such as health, sexual orientation, political or religious views, union membership and ethnicity. If there is a need to record this type of data (e.g. recording data about dietary needs prior to a visit, recording that a student is pregnant as part of a counselling session) staff should ensure they use the relevant standard form.

Only authorised staff will process sensitive data unless a non-authorised member of staff is satisfied that the processing of the data is necessary in the interests of the data subject (staff member, student, etc.) or the College AND s/he has either informed an authorised person of this or has been unable to do so and processing is urgent and necessary in the circumstances. This should only happen in very limited circumstances e.g. a student is injured and unconscious and in need of medical attention and a staff member tells the hospital the student is pregnant or a Jehovah’s Witness.

4 Collection & Use of Data

Only personal data which is really necessary should be collected. Nothing should be requested or recorded on the grounds that “it might come in useful”. Neither should it be used for purposes inconsistent with those specified in the College’s Data Protection Policy.

Where personal data is collected, staff should ensure that it is:

·  Accurate

·  Up to date

·  Fair (ie: used only for purposes for which it was collected)

·  Secure (ie: physically secured in a locked filing cabinet, locked drawer, locked office or electronically secured by password)

·  Not held indefinitely

·  Disposed of safely and securely

Extra care should be taken in the handling and storage of sensitive personal data (eg: ethnicity, disabilities).

To minimise the risk of personal data being mishandled, it is recommended that information be held in one place/system wherever possible, rather than being dispersed or duplicated in several places/systems.

5 Disclosure

Staff must not disclose personal data to anyone except in line with College policy.

Personal data should only be disclosed to the following persons/organisations by authorised staff. Any other disclosure, and disclosure of sensitive data in all cases, should be checked with the Senior Leadership Team member for your area or with the Data Protection Officer (Director – Information Systems):

·  The data subject (student, staff member etc.)

·  The parent/guardian of a student (where consent has been gained via the standard enrolment form) – note that the enrolment form only gains consent for the College to contact the parent/guardian, not to respond to requests for information from parents/guardian

·  Government funding agencies (EFA, SFA, HEFCE, DfE and their successors) (staff and students)

·  Local Authorities party to data sharing agreements – check with Data Protection Officer in the first instance (students)

·  Payroll (staff)

·  Employers – limited to progress/performance on employer sponsored courses (students)

·  The Disclosure and Barring Service (staff, students)

·  The police – in response to a request accompanied by a warrant or, in more normal circumstances, in response to a standard police data request form D9 (an example of which can be found at appendix 4 of the Data Protection and Freedom of Information Policy)

Personal data can be passed internally between departments within the College if it is required to carry out our daily duties. Sensitive data, such as that held by the Safeguarding Team or Human Resources, has more restricted access and is only available through request to the relevant team.

Information should not be given to any third party without the permission of the person concerned (note however that this permission has often been obtained at enrolment in the case of a student or at recruitment in the case of a staff member – check if unsure). Third parties include parents or other relations, partners, friends, colleagues or fellow students.

It should be noted that the police have certain powers under the Act to access personal information which we hold. This is not an automatic right, however, and must be in relation to the investigation/detection of a crime and/or apprehension of an offender. Extreme care must be taken to establish the identity of the caller and no information should be divulged without an official written communication (Humberside Police have a specific form for this).

If you are contacted regarding Child Protection, DBS or Safeguarding, refer to the Safeguarding Team.

All requests for information under the Data Protection Act 1998 from third parties should be passed to the Director – Information Services.

6 Storage

Data security

Passwords used should be “strong” (ie: they contain letters that do not form words, use both upper and lower case letters, use numbers and use special characters such as %#^). For example: Act10n% is fairly easy to remember but difficult to guess. Record all passwords separately and securely as IT cannot recover them.

The college network software automatically forces users to change their password every 60 days. Users cannot use old passwords. The password must be made up of a minimum of 8 characters. After 3 incorrect attempts the account is locked out.
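As an added illustration (not part of the guidance or the college's own systems), the Python sketch below encodes the password rules and the 60-day change, no-reuse and three-attempt lockout behaviour stated above; the small dictionary, the special-character set limited to the three characters named on the page, and the plaintext comparison inside the toy Account class are assumptions made for the demonstration. Note that the page's own example, Act10n%, is seven characters long and so falls short of the stated eight-character minimum.

```python
import re
from datetime import date
# Parameters stated in the guidance above.
MIN_LENGTH = 8            # minimum password length
MAX_AGE_DAYS = 60         # forced change interval
MAX_FAILED_ATTEMPTS = 3   # incorrect attempts before the account is locked
SPECIALS = set("%#^")     # only the special characters the page names (assumed complete)
DICTIONARY = {"action", "password", "college"}  # constructed stand-in for a real word list

def password_problems(pw, history=()):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if re.sub(r"[^a-zA-Z]", "", pw).lower() in DICTIONARY:
        problems.append("letters form a dictionary word")
    if pw in history:
        problems.append("reuses an old password")
    return problems

class Account:
    """Toy model of lockout and expiry; real systems compare password hashes, not plaintext."""
    def __init__(self, password, changed_on):
        self.password = password
        self.changed_on = date.fromisoformat(changed_on)  # ISO date of last change
        self.failed = 0
        self.locked = False

    def login(self, attempt, today):
        if self.locked:
            return "locked"
        if attempt != self.password:
            self.failed += 1
            if self.failed >= MAX_FAILED_ATTEMPTS:
                self.locked = True           # third wrong attempt locks the account
                return "locked"
            return "rejected"
        self.failed = 0                      # a good login resets the counter
        if (date.fromisoformat(today) - self.changed_on).days >= MAX_AGE_DAYS:
            return "change required"         # password older than 60 days
        return "ok"
```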

Please contact IT Support (ext 4140) if you need advice or assistance in securing college or personal data.

Personal data should only be taken off-site where absolutely necessary (i.e. a personal preference to work on data at home is not a sufficient reason). Remote access to data and files on the college network is available off-site and this method should be used rather than copying data to take off-site. Please note that data taken off-site on paper (eg: trips and visits documentation), on portable media (eg: memory sticks) and on laptops or mobile devices is particularly vulnerable to loss and therefore great care should be taken to prevent this occurring.

Personal data taken off-site must be kept secure and safe from unauthorised access or theft. Mobile storage devices (eg: laptops, tablets) containing personal data must not be left unattended (e.g. not left in a parked car). Personal data taken off-site should be encrypted (contact IT Support for instruction if necessary).

Transfer of personal data using electronic media

Personal data should always be sent in secure electronic form unless the recipient is unable to receive the data by this means (i.e. they have no PC). External data transfers should preferably be carried out via secure portals (e.g. SFA, Local Authority). Only central data processing teams (e.g. Registry) should transmit bulk personal data off-site.

Staff should not assume that documents transferred by electronic means (e.g. e-mail, memory stick) are secure. Any files containing personal data, and in particular sensitive personal data, should be both password protected and encrypted before transmission or copying to portable media.

Passwords must not be kept or sent with the document(s), whether kept on portable media or sent by e-mail. Passwords should be given or sent to recipients when they confirm receipt of the media or e-mail, to prevent access to data in the event it is received by the wrong person.

Transfer of personal data via paper media

Personal data should not be sent in hardcopy form unless there is no alternative. The convenience of the recipient is not an acceptable reason for sending data in this manner.

If it must be sent in hardcopy form, it should either be:

·  delivered in person (and signed for)

·  delivered using a secure delivery provider (with recorded delivery)

All bulk personal data transfers outside the college via paper media must be recorded.

Loss of Data

You must report any loss of personal data to your line manager and to the ICT Manager as soon as possible.

7 Disposal

Personal data must be deleted when no longer needed, taking note of mandatory data retention requirements of funding bodies, etc.

Manual records must be disposed of securely through shredding or incineration to ensure no accidental disclosure to third parties. The Premises Department provides a shredding service and staff should use their confidential waste bags for this purpose.

Particular care and caution must be exercised in the reuse or disposal of computers and mobile devices. Staff must return all such equipment, whether working or not, to the IT Department for data erasure prior to disposal or reissue.

The IT Department have the means to ensure data erasure in accordance with the British HMG Infosec Standard 5, Enhanced Standard.

8 Photography / Filming

Identifying when the provisions of the Data Protection Act apply is not always straightforward. The Act will apply where the image is being stored with other personal data (eg: student records system, ID Card system, paper file). In other situations, common sense is the best guide.