2010 Case Study – A Pig of a Day Document Risk Management

Page 1

2010

Case Study – A Pig of a Day

Document Risk Management

Page 2

Statistics are like bikinis.

What they reveal is suggestive, but what they conceal is vital. 

~Aaron Levenstein

Page 3

Monday Morning – First Thing

• Due Diligence

• Fidelity Guarantee Insurance

• References and Pre-Employment Checks

Know How Source:

Article in Birketts LLP Public Opinion pages 2 & 3

Page 4

Monday Mid Morning

Denny Grate

• The letter should be treated as a subject access request

• The University is required to inform DG if it keeps personal information about him, provide a description of this information and the purposes for which it is used, and provide him with a hard copy of it (unless it would involve disproportionate effort).

• Hard copy documents are only discloseable if they are filed in a ‘relevant filing system’ so whether his personal file is discloseable depends on how organised that file is.

Page 5

Monday Mid Morning

• Emails are discloseable insofar as they are about DG. It is not sufficient that he is just a recipient of them – the content of the email must relate to him.

• In respect of references – the DPA provides an exemption from disclosure of any reference in the hands of the provider, but this does not extend to any reference in the hands of the recipient.

• An employer has 40 days to comply with a subject access request. The remedies for non-compliance include the IC issuing an enforcement notice or the employee applying to the courts for an order of disclosure and/or damages for the breach (but only if the employee has suffered any damage/distress).

Page 6

Monday Mid Morning

Code Red

The University should conduct an impact assessment before deciding to monitor an employee by any means.

The University needs to weigh up the needs of the University versus the adverse impact it will have on the individual and should consider:

• The purpose behind the monitoring and the benefits it is likely to deliver

• What likely adverse impact the monitoring will have on the employee

Page 7

Monday Mid Morning

• What alternatives are available to monitoring or the different ways in which it could be carried out

• The obligations that arise from monitoring

• Whether the monitoring is justified.

The University would also need to consider other legal obligations. For example, DS’s right to privacy under the Human Rights Act and the Regulation of Investigatory Powers Act, which applies to monitoring of electronic communications.

Page 8

Monday Afternoon

The Freedom of Information Act 2000 (“FOIA”)

Providing a right of access to the general public to information held by public authorities.

Who can make an information request?

• any individual, partnership, unincorporated body or company, whether or not they are UK national or resident, and regardless of the purpose of the application.

To whom can a request be made?

• to a “public authority”. This is a wide ranging definition, which includes most UK colleges and universities.

Page 9

Monday Afternoon

What information is covered by the FOIA?

• all information and records held in whatever media is potentially discloseable subject to exemption (see below).

What formality is required in making the request?

• the request must be made in writing;

• it must include name and address of applicant; and

• it must describe in as much detail as possible the required information.

Page 10

Monday Afternoon

Publication Schemes

In summary:-

• HE institutions must adopt and maintain a publication scheme approved by the Information Commissioner; and

• may adopt the model scheme which has been approved by the Information Commissioner.

The schemes must set out the classes of information the institution publishes:

• the manner of publication of the information;

• details of any charges for accessing information. Charges relating to publication are not subject to a set charging scheme, unlike requests for information under the Act, where a set charging scheme applies.

Page 11

Monday Afternoon

Exemptions

3 types:-

• Absolute

• Qualified – public interest test

• Qualified – public interest test and prejudice test

Page 12

Monday Afternoon

Absolute Exemptions

If one applies, it is not necessary to consider whether disclosure is in the public interest. Commonly claimed absolute exemptions which might apply to a University include:

• Accessible to applicant by other means (eg. Publication Scheme) – even if it applies, it only releases the University from the duty to disclose and not from the duty to confirm or deny possession of the information;

• Personal Information: if the applicant should be making a subject access request under the Data Protection Act then he should pursue his request under the correct legislation.

• Confidential Information: if it applies the University need not confirm or deny that it holds the information or supply the information.

Page 13

Monday Afternoon

Confidential Information

Often claimed, but less often succeeds as an exemption. Not sufficient that a document is marked as “confidential”:

• must have been obtained from outside the University; and

• disclosure would be an actionable breach of confidence.

Therefore the information must have the necessary quality of confidence to justify the assertion of a contractual or equitable obligation of confidence.

Page 14

Monday Afternoon

Public Interest Test

Commonly claimed exemptions under this category include:

• information intended for future publication;

• investigations and proceedings conducted by public authorities; and

• trade secrets.

In order to rely on this test, the institution must conclude that the public interest in withholding the exempt information outweighs the public interest in releasing it.

• The Act does not define public interest.

Page 15

Monday Afternoon

Public Interest Test and Prejudice

The exemptions can only be relied on where the public interest test is met and, in addition, the disclosure of the particular information would, or would be likely to, prejudice (in general terms) the interests of the United Kingdom abroad or law enforcement.

Page 16

Monday Afternoon

8 Data Protection principles:

• The personal data must be fairly and lawfully processed

• Personal data must be processed for limited purposes

• Personal data must be adequate, relevant and not excessive

• Personal data must be accurate and up-to-date

• Personal data must not be kept longer than necessary

• It should be processed in accordance with the individual’s rights

• It must be kept secure

• It must not be transferred outside the European Economic Area unless the transferee country has adequate protection for the individual

Page 17

Monday Afternoon

Responding to a subject access request under the Act

For a DPA subject access request the University can charge a nominal fee of £10

Request must be in writing (includes e-mail)

40 calendar day time limit to respond by providing relevant information

Page 18

Monday Afternoon

The Legal Position

The seventh data protection principle, often called the Security Principle, requires data controllers to take appropriate technical and organisational measures against:

• unauthorised processing of personal data;

• unlawful processing of personal data; and

• accidental loss or destruction of, or damage to, personal data.

Page 19

Monday Afternoon

Guidance on Data Security Breach Management

• Containment and recovery (initial response, investigation, containment and recovery plan including damage limitation).

• Assessing the risks.

• Notification of breaches (whether the breach of security should be notified, who should be notified, what information should be provided in the notification).

• Evaluation and response (evaluation of the causes of the breach and the effectiveness of the organisation’s response to it).

Page 20

Monday Afternoon

If the Information Commissioner’s office is notified, what will it do?

• It can provide guidance and assistance in dealing with the security breach.

• If it considers that there has been a breach of the Seventh Data Protection Principle, it may carry out enforcement action.

• It may “name and shame”.

• It may negotiate legally binding undertakings from the organisation in breach and publish the undertakings on the website of the Information Commissioner’s office and issue a press release.

• Typical undertakings include:-

• obligation to admit a breach; and

• agreement to implement remedial action specified by the Information Commissioner, including agreement to be audited by the Information Commissioner.

Page 21

Monday Afternoon

What preventative measures should be taken to reduce the risk of a breach?

No definition in the DPA of what actually constitutes “appropriate” technical or organisational measures.

But will depend on the likely harm from unlawful or unauthorised processing or accidental loss or destruction, and the nature of the data.

• Therefore, carry out a risk assessment.

• Devise a security policy.

• Apply security standards that take account of the risks of unauthorised access to, accidental loss or destruction of, or damage to personal data.

Page 22

Monday Afternoon

• Institute a system of secure cabinets, access controls and passwords.

• Use the audit trail capabilities of automated systems to track who accesses and amends personal data.

• Take steps to ensure reliability of staff who have access to workers’ records.

• Ensure appropriate control of records being taken off site (eg. on laptops). Make sure only necessary information is taken and there are security rules for staff to follow.

• Take account of risks of transmitting confidential personal information by fax or e-mail – make sure a secure network or comparable arrangements are in place.

Page 23

Birketts LLP Contact Details

Abigail Trencher – Head of Employment Education

Direct Dial: 01223 326622

Mobile: 07983 385842

Email: [email protected]

Sara Sayer – Head of Education Dispute Management and Student Issues

Direct Dial: 01223 326763

Mobile: 07983 385840

Email: [email protected]