Information Governance

Non Caldicott Version - Workbook

Version 12 January 2015

CONTROLLED




Don’t Get Bitten by the Data Demon

Using this Workbook

The objective of this workbook is to provide you with guidance covering:

• Information Governance
• SafeHaven Guidance
• Data Protection
• Confidentiality
• Freedom of Information
• Records Management

and to ensure you are familiar with good working practice to reduce the risk of security and data breaches for anyone working for the Council. Don’t get bitten by the ‘Data Demon’, for example by being the cause of a data breach.

You will find a number of references to the Council’s Information Management Policy, Guidelines and Procedures in this course. You should read these if you have not already done so.


Introduction by Judith Greenhalgh

Hi, I am Judith Greenhalgh, the Strategic Director of Corporate Resources.

One of my responsibilities is to chair the Information Governance Group where representatives from all service areas across the Council meet to review and agree consistent policies and procedures relating to information management and ensure the Council adheres to these.

By law, we are all responsible for Information Security and it is our individual responsibility to comply with this. The Council continually reviews security breaches and the audits undertaken and seeks to raise awareness and standards of compliance.

It is essential that the Council maintains the trust and confidence of both the public and staff in handling their personal data. The same standards also apply to handling information relating to employees.

I cannot over-emphasise the importance of ensuring that personal data is always managed in a secure way and is governed by the highest standards. We expect all our staff to follow the agreed policies and procedures in how to manage any type of information.

Within the Council there is always advice at hand or someone to speak to for clarification. If you are unsure of any issue relating to Information Security, then the simple rule is not to disclose information until we are clear that you are acting appropriately.

The financial penalties for breaches of Information Security can be very serious. It is not uncommon to be fined hundreds of thousands of pounds for serious breaches. The Council has high standards of compliance and it is important to maintain public confidence and reputation.

Introduction by Judith Greenhalgh continued

It is important that where an information security breach arises that you report this immediately to your manager. Your early action can minimise risk.

If you observe potential security breaches such as leaving a desk and not locking a computer screen, or speaking openly about confidential issues, you should point this out.

The Council takes its responsibility for Information Security very seriously. When I was appointed to my post, the expectation of my compliance was stated in my Appointment Letter and the Code of Conduct I was provided with. All newly appointed employees receive the same information.

Similarly, Information Security is referred to in all procedures covering your conduct at work and forms an integral aspect of Induction for all employees and throughout your employment.

I highly recommend the short training course you are about to undertake. This has been designed to increase your knowledge and understanding.

You may find that as part of your work you require more detailed information and training on Information Security. If so, please discuss this with your manager as more detailed information and training is available.

I hope that you enjoy this e-Learning course.

Please take the time to complete the comments form at the end. Your feedback will be used to develop and improve this training.

Judith Greenhalgh
Strategic Director of Corporate Resources

*Resource

Because of the nature of your employment you may not have access to a computer and the Council’s Dnet. The reference documents below may be obtained by speaking to your line manager.

E mail and Internet Acceptable Use Policy -
Accidental Misuse of E Mail or Internet Form
Data Demon
Accidental Misuse of E-Mail and Internet
Document Classification and Handling Policy
Derbyshire Safe Haven Guidance
ICT Security Policy
ICT Acceptable Use Policy
Information Security Breach Reporting Tool
Off-site Document Storage Guidance
Derbyshire Children’s Safeguarding Board

Reference documents continued:

The Derbyshire Partnership Forum - Sets out the principles for Data sharing among Derbyshire’s partners
Records Retention Schedule
Scanning and Disposal Policy
Social Media Policy
Subject Access Requests
Departmental Data Protection Contacts
Departmental Freedom of Information Contacts
Information Commissioner’s Office
EDRM Departmental Contacts

Similarly, if you need to report a security breach, contact your manager at the earliest opportunity who will assist you.

Information Governance

Information Governance is the framework which enables the organisation and you as an employee to comply with legal and statutory requirements.

It includes best practice guidance when handling person identifiable information and organisational records.

Underpinning the Information Governance Framework, in regard to personal data, is the Data Protection Act 1998.

Derbyshire County Council SafeHaven Guidance

As an employee you must be aware of your responsibility for secure personal and confidential information handling and management.

It is the responsibility of managers, senior managers and strategic directors to ensure all employees reporting to them have appropriate training in information security and confidentiality.

The key documents that YOU as an employee should read in relation to information security are in the Derbyshire SafeHaven Guidance.

Ways of Avoiding Security Breaches

Your responses on page 20 to Ways of Avoiding Security Breaches could also include:

• One way you can reduce the risk of committing a data breach is to ensure that you have read, understood and comply with the Council’s Data Security policies
• Save files to secure network drives
• Obtain written consent before sharing personal data
• Have a process in place to double check that correspondence, by whatever media, has been sent to the correct recipient
• Non-DCC devices such as personal mobile phones or tablets should not be used to share confidential data via text, email or social media other than in emergencies
• Never use unencrypted devices to store personal data
• Lock your printing requests
• When using social media, i.e. SMS texts, Facebook, Twitter etc., ensure you comply with the Council’s Social Media Policy
• Lock away any papers containing personal data when you leave your desk
• Avoid sending personal data by e-mail unless through a secure network or in an encrypted state
• Verify the recipient’s identity and address before sharing data, particularly where telephone contact is involved
• Log out of IT systems when you leave your workstation

Information Governance: Your Responsibility

It is the responsibility of every employee of the Council to be aware of and adhere to the Information Governance policies of the organisation.

For further information contact your departmental Data Protection or Freedom of Information contact.*

DCC SafeHaven Guidance

The DCC SafeHaven Guidance document gives you advice and guidance in key areas of information security covering:

• Paper record security
• Mail internal and external
• Verbal communication
• Electronic records
• Establishment security
• Taking work outside the workplace
• Information sharing
• Management of confidential information

The Data Protection Act 1998

The Data Protection Act 1998 tells you how to deal with all aspects of people’s Personal Data.

We will now look at the key aspects of this.

Records Management / Classification

To support compliance with the Code of Practice the Council has introduced a new policy requiring the labelling of all electronic and paper documents into the following classifications:

CONTROLLED
This information is generally available to anyone within areas of the Council and contains business value to the organisation or requires protection due to personal data.

RESTRICTED
Unauthorised disclosure of this information (even within the organisation) would cause serious damage in terms of financial loss, legal action or loss of reputation.

PUBLIC
This is information that is freely available to anyone, e.g. information that is provided in flyers, leaflets, press releases, or the Council website and does not require any access restrictions.

Why do we need to adhere to the Code?

Freedom of information is only as good as the records/information it provides access to:

• Access rights are of limited value if the information cannot be found, or, when found, cannot be relied upon as being authoritative
• By adhering to the Code of Practice the Council will give some assurance that the information it holds is complete and reliable
• Failure to comply with the practice outlined in the Code can result in the Information Commissioner issuing a practice recommendation, or an information notice. Failure to act on both of these can result in the Council being found in contempt of court
• It can affect the Authority’s reputation if we get it wrong.

The Data Protection Act 1998

The Data Protection Act 1998 is underpinned by a set of eight straightforward, common-sense principles and establishes a framework of rights and duties which are designed to safeguard personal data.

The framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals for their personal data to be treated with respect and privacy.

If you make sure you handle personal data in line with the spirit of these principles, this will go a long way towards ensuring that you comply with the letter of the law.

The Data Protection Act 1998

What is Personal Data?

Personal data means data which relates to a living individual who can be identified from that information or other information in the possession of the organisation or likely to be in the future.

A Data Subject is the person to whom the data relates.

What does the Code of Practice say?

As a Local Authority we should:

• Ensure that records are stored securely and that access to them is controlled
• Define how long we need to keep particular records, dispose of them when they are no longer needed, and be able to explain why records are no longer held. Please refer to the Council’s Retention and Disposal Policy for further information*
• Ensure that records shared with other bodies or held on their behalf by other bodies are managed in accordance with the Code

The Council is rolling out an Electronic Document and Records Management system to improve our compliance with this requirement. Contact your EDRM representative for further details.*

What does the Code of Practice say?

The Code of Practice states:

• All staff have a legal and professional obligation in respect of any records which they create or use in the performance of their duties
• By records it means files, minutes, policies, procedures, e mails, letters, videos, pictures, web content etc.
• Any record created as a consequence of providing Council services is an official record and subject to information requests (FOI, EIR and Subject Access)

Types of Personal Information

What types of Personal Information are there?

Personal - Anything that focuses on or has the potential to impact on an individual, e.g. name, date of birth, home address.

Sensitive - Ethnicity, medical history, sexual orientation, criminality, trade union membership, religion.

For further guidance speak to your Departmental Data Protection contact.

The Data Protection Act 1998

The 8 Data Protection Principles are:

1. Personal data shall be processed fairly and lawfully. There are specific conditions in the Act that must be followed before personal data and sensitive personal data can be processed
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or those purposes
4. Personal data shall be accurate and where necessary, kept up to date
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes
6. Personal data shall be processed in accordance with the rights of data subjects under this Act
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to it
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Records Management

Records Management is important. It is a key piece of the Information Governance jigsaw!

Section 46: Records Management Code of Practice

• Freedom of Information allows public access to all recorded information held by public authorities
• As part of FOI the Lord Chancellor issued a code of practice on Records Management
• The Code of Practice outlines the practice that the Council should conform to so that it is able to respond to FOI requests

Freedom of Information

Key principles in answering requests for information:

• Make sure that everyone knows who is responsible for dealing with FOI requests and where to send them
• Don’t leave FOI requests on your desk or on your PC; forward them on to your departmental contact without delay, as 20 work days can pass very quickly
• Practise good records management to ensure information can be quickly identified and retrieved. Check your records retention schedule to establish whether we still hold the information at all
• Remember that an FOI request must be dealt with as soon as possible, but certainly within 20 days of receipt

Subject Access Requests

What is a subject access request?

A Subject Access Request under The Data Protection Act 1998 is a request to access personal data held by an organisation that relates to a person.

The request can be made by the person themselves or someone with the authority to represent them.

You must respond to a Subject Access Request promptly and in any event within 40 calendar days of receiving it.

Some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. An example would be data concerning an investigation of the data subject.

Safeguarding and the Data Protection Act 1998

Am I ok to share personal information relating to a Safeguarding issue?

If you are sharing personal information relating to a Safeguarding issue, the safety of the individuals concerned should be your first priority. As long as you can justify your decision to share information under these circumstances and record it, you will not be in breach of the Act.

Safeguarding means the protection from maltreatment, preventing impairment of health or development, providing an environment of safe and effective care and promoting the best outcomes for children and vulnerable adults.

If you are involved in Safeguarding of children or vulnerable adults please ensure you are aware of the Information Sharing Guidance from Derbyshire Children’s Safeguarding Board.

Freedom of Information

Sometimes when applying an exemption it is necessary to consider the public interest in the information being requested. However, “what the public are interested in” and “what is in the public interest” are not necessarily the same thing.

Newspapers for example can contain stories that the public may find interesting; however, not all the information that is disclosed is something the ‘public need to know’ in the wider public interest.

Apart from exemptions a request can be refused if the cost exceeds the Fees Regulations limit (equivalent to 18 hours) or if the request is vexatious or repeated.

Freedom of Information

The FOI Act provides a right of access to information. Information should therefore be released wherever possible. However, it would clearly not be appropriate for all information to be made public.

There are recognised “exemptions” in the FOI Act, for example:

• Commercial interests
• Information intended for future publication
• Personal Data
• Information reasonably accessible to the applicant by other means (e.g. it is already published on the Derbyshire Website)

The Information Commissioner’s Office

The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to promote access to official information and to protect personal information.

You will now learn how it achieves these aims.

The Information Commissioner’s Office

The ICO’s mission is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

The ICO can prosecute those who commit criminal offences under the Act. Offences include:

• Unlawfully obtaining or disclosing personal data or information
• Arranging the disclosure of personal data to someone else
• Selling personal data which was unlawfully obtained

Action that can be taken by the Information Commissioner’s Office

The Information Commissioner’s Office can:

• Issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act
• Prosecute those who commit criminal offences under the Act
• Report to Parliament on data protection issues of concern
• Provide information and advice for individuals and organisations. Much of this can be found on the Information Commissioner’s Office website

Freedom of Information

• A Freedom of Information request must be made in writing (an EIR request need not).
• The requester must supply a name and a postal or email address for the Authority to reply to.
• FOI requests can be made by members of the public, the media (television, radio, newspapers), MPs, Charities etc.
• FOI requests can be made by anyone anywhere in the world.
• The Council is required to reply to a request as soon as possible within 20 working days.

Freedom of Information

All recorded information held by, or on behalf of, a public authority is within the scope of the Act. However, disclosure of personal data is subject to the Data Protection Act. The legislation applies to any recorded information held by the Council.

It covers files, letters, databases, loose reports and letters, e-mails, office notebooks, videos, photographs, wall charts and maps etc.

It extends to closed files and archived material as well as information in current use. It also extends to social media such as SMS texts, Facebook, Twitter etc. if it relates to DCC business.

Where information relates to the environment this is covered by the Environment Information Regulations 2004 (EIR) which has broadly similar provisions.

ICO – Financial Penalties

Apart from offences by individuals, the ICO has issued penalties for a variety of data breaches by organisations:

Scottish Borders Council - whose former employees’ pension records were found in an over-filled paper recycle bank in a supermarket car park - fined £250,000 for the data breach.

NHS Surrey - after leaving 3,000 patient records on a computer subsequently sold online - fined £200,000.

Greater Manchester Police - after the theft of a memory stick containing sensitive personal data from an officer’s home - fined £150,000 for the data breach.

Aberdeen City Council - after publishing sensitive material online, including details relating to the care of vulnerable children - fined £100,000.

London Borough of Lewisham - after a social worker left sensitive documents in a plastic shopping bag on a train, taking them home to work on - fined £70,000 for the data breach.

Since 2010 the Information Commissioner has handed out penalties totalling over £3 million to over 28 public sector organisations for breaking one or more of the 8 Data Protection principles, in particular relating to Information Security.

Ways of Avoiding Security Breaches

How can I stop security breaches and keep this Data Demon away?

Think of ways you could stop security breaches and note them down here:

Freedom of Information

Since 1st January 2005 all requests for information received by a public authority have had to be answered in accordance with the Freedom of Information Act 2000.

You must be familiar with the basics of the Act as any employee may receive a request.

The access legislation is primarily about a culture change from “need to know” to “right to know”.

For public authorities it represents a balance between:

• Greater openness and transparency of decision making
• The need to protect information where disclosure would cause harm or otherwise be contrary to the public interest

Confidentiality

Please be aware that if you access or disclose any confidential data held by the Council, which includes all personal data, without appropriate authorisation, you could face both internal disciplinary action and criminal proceedings under the Data Protection and Computer Misuse Acts.

Confidentiality is wider than just personal data.

Recent Security Breaches

Examples of recent security breaches include:

• Unshredded confidential waste left in corridors for collection
• Visitors not being signed in when entering a building
• Personal data being sent to the wrong recipient either via post or e-mail
• Personal data being lost, e.g. from a stolen laptop, memory stick or briefcase (never leave items on display in a parked car)
• Personal data left on a shared printer, e.g. the last few pages of a confidential document left on the printer after it had run out of paper

Information Security Breaches

You have a responsibility to ensure that personal data is held securely and that confidentiality is respected and safeguarded.

If you discover or commit an information security breach you should report it immediately to your line manager and ensure it is recorded on the online incident report form. You will find the Information Security Breach Reporting Tool on DNET.*

Using the reporting tool will support the identification of any weaknesses in our systems and working practices. The more examples that are recorded, the more it will help us to plan and implement preventative measures.

Inappropriate Use of Internet and Email

You are required to abide by the Council’s E mail and Internet Acceptable Use Policy.

The use of social media is also covered by the Council policy and all employees are required to abide by the policy.

However, if you do accidentally access inappropriate material on the web, inform your line manager and complete the Accidental Misuse of E mail or Internet Form.*