Practical Information Management


Privacy Notice (Principle 1 & 2)

In general terms, a privacy notice should state:

• the purpose or purposes for which you intend to process the information; and

• any extra information you need to give individuals in the circumstances to enable you to process the information fairly.

Policy Statement: Northamptonshire County Council will ensure its information assets are protected and that the personal data we process is secured at all times.

Information Security (Principle 7)

Protective Marking Scheme

The scheme has three markings, each defined by its impact level and illustrated with examples:

Not Protectively Marked

Impact level:

• Little or no impact on the finances of the Authority
• No inconvenience or distress to the customer
• Little or no financial impact to the customer
• Little or no impact on the Authority’s standing or reputation

Examples:

• Policies and procedures
• Documents available in the public domain or on the NCC public website
• Names and contact details of specific employees or individuals that are in the public domain or that an individual has authorised

Protected

Impact level:

• Short-term inconvenience, harm or distress to an individual
• Cause financial loss or loss of earning potential, or facilitate improper gain
• Damage to the Authority’s standing or reputation
• Financial impact to the Authority (up to £1M)
• Breach proper undertakings to maintain the confidence of information provided by individuals or third parties
• Breach statutory restrictions on the disclosure of information

Examples:

• Personal information relating to any customer or employee, such as a name, address and contact details, VAT number or National Insurance number, for which we have a duty of care
• Exempt Committee papers excluded from the public
• An employee record / customer case file
• Draft documents before approval for release into the public domain

Restricted

Impact level:

• Substantial inconvenience, harm or distress to individuals
• Cause financial loss or loss of earning potential, or facilitate improper gain or advantage
• Substantial damage to the Authority’s standing or reputation
• Significant financial impact to the Authority (£1m+)
• Prejudice the investigation of or facilitate the commission of low-level crime, hinder detection of serious crime

Examples:

• Complete set of an individual’s social care files or health record
• Investigation files
• A smaller multiple of complete customer/employee records where information is sensitive, or has financial or identity data (remembering that the marking reflects the highest impact individual item)
• Volumes of “Protect” data about a reasonably large number (hundreds) of customers or employees

Why is information security important? Some examples

• Croydon Council has been handed a penalty of £100,000 after a bag containing papers relating to the care of a child sex abuse victim was stolen from a London pub.

• The Information Commissioner's Office (ICO) fined Midlothian Council £140,000 for disclosing sensitive personal data about children and their carers to the wrong people on five separate occasions

• Norfolk County Council has been served with an £80,000 penalty for disclosing information about allegations against a parent and the welfare of their child to the wrong recipient

• The ICO fined Worcestershire County Council £80,000 for an incident in March 2011 in which a member of staff inadvertently emailed data on a large number of vulnerable individuals to 23 people on the wrong contact list

• Scottish Borders Council employed an outside company to digitise their pension records, but failed to seek appropriate guarantees on how the personal data would be kept secure. The ICO issued a fine of £250,000 when personal data was found in a supermarket paper recycle bank.

While we have to accept that some incidents will always occur, it is not acceptable where adherence to our policies and guidelines would have prevented the breach.

Information Disclosure

What is disclosure?

• Verbally – over the phone or in face to face conversation
• E-mail
• Letter
• Suggestion
• Loss of devices
• Mislaid paperwork

Before disclosing you should ask yourself:

• Am I authorised to disclose this information?
• Is the person requesting it entitled to receive it?
• Are there any specific processes for disclosure, e.g. redaction of 3rd party data?

IT security and the AUP

• If you are required to use a computer for your job then you will need to comply with the acceptable use policy.

• If you don’t agree with the policy, your access to IT systems and services will be withdrawn.

You must also comply with the Portable Storage and Devices Policy

Paper files...

• Should be kept secure

• Should not be taken out of the office without permission and appropriate risk assessment

• Should be stored in an appropriate filing system

• Must not be left unattended if taken off site

• Should not be kept longer than is necessary

Managing paper files and records (Principle 5)

• Records created or stored by the Council must be managed in accordance with the Council’s Records Management Retention and Disposal schedule.

• This means that we will not waste valuable space and money in storing information that we no longer need, and will also mean we are not in breach of the Data Protection Act.

• All filing systems should be designed to ensure that they are accessible and understandable in an emergency situation and relevant information can be located without the need of specialist knowledge

Data Protection Act & Information Sharing (principle 1&2)

• DPA does not prevent the sharing of information but sets some controls over how information should be shared.

• SORP 7 states: Within the parameters of the law and good practice, we will always share our information where there is a clearly defined purpose for doing so.

Data Protection Act & Information Sharing – The Caldicott Principles

• Justify the purpose(s) for using patient data

• Don't use patient-identifiable information unless it is absolutely necessary

• Use the minimum necessary patient-identifiable information

• Access to patient-identifiable information should be on a strict need to know basis

• Everyone should be aware of their responsibilities to maintain confidentiality

• Understand and comply with the law, in particular the Data Protection Act

Disposal

Paper documents containing personal information must be disposed of securely – using the secure bins or shredded

Practical tips to aid compliance (1)

1. Complete the online training

2. Read the Information Security Policy and seek clarification if you need it.

3. Read SORP 7

4. Ensure you use strong passwords, and know the rules around passwords

5. Ensure any personal data you hold is relevant and up to date.

6. Archive properly – know and apply the correct retention periods and destroy when the retention period has passed

Practical tips to aid compliance (2)

7. Identify FOIs and SARs and send them to the DP/FOI Team, but be prepared to deal with certain requests under “business as usual”

8. Never give out personal data without verifying the caller is entitled to it.

9. Know what information you have, where it is and how secure it is.

10. Remember: it can be OK to share data if you are in receipt of an appropriate request, but seek advice first

11. Be aware of information security in everything you do – would you want your information treated the same way?

Any Questions?