Cost Codes - PowerPoint PPT Presentation

Slides: 35
Provided by: MCO143
Learn more at: https://www.welbni.org

Transcript and Presenter's Notes

1
Data Security and Freedom of Information
2
INFORMATION GOVERNANCE
  • Freedom of Information Act 2000
  • Data Protection Act 1998
  • Information Security
  • Record Management

3
FREEDOM OF INFORMATION ACT 2000
Background
  • Creates a statutory obligation on public
    authorities to formally consider written
    requests for information and respond within 20
    days
  • Two stage introduction
    - first stage of introduction: Publication
      Schemes (02-04)
    - second stage: full Rights of Access came into
      effect on 1 Jan 05
  • Requests for information must be in writing
    (including fax / e-mail)
  • There is no right to know why the information is
    being requested


4
FREEDOM OF INFORMATION ACT 2000
Publication Schemes
  • Proactive publishing of information
  • Similar structure for all public sector
    organisations
  • Information split into broad categories known as
    classes
    - info. published in the School Prospectus
    - info. on School Profile and other information
      relating to the governing body
    - policies that relate to Pupils & Curriculum
    - School Policies and other information related to
      the school
  • All schools must adopt a scheme
  • Model schemes available at
    http://www.ico.gov.uk/Home/what_we_cover/freedom_of_information/publication_schemes/model_schemes.aspx

5
FREEDOM OF INFORMATION ACT 2000
Full Rights of Access - Dealing with Individual
Requests
  • Identify and acknowledge FOI requests
    - "Dear ... currently dealing with your request will
      be in touch as soon as possible"
  • Review material being requested - apply
    exemptions
  • Provide a response, either
    - provide all requested information, or
    - withhold all, or in part, explain which
      exemption is being applied and provide
      opportunity to appeal decision

6
FREEDOM OF INFORMATION ACT 2000
More about Exemptions
  • Exemptions exist to protect information that
    should not be released.
  • Some exemptions that may apply in a school
    setting
    - Request for a teacher's home address or career
      development information:
      Section 40 Personal data exemption
    - Request by a parent for a copy of another
      parent's written complaint:
      Section 41 Information provided in confidence
    - Request for copy of legal advice obtained by a
      school:
      Section 42 Legal professional privilege
  • No exemption for embarrassment

Full list of exemptions available at
http://www.foi.gov.uk/guidance/index.htm
7
FREEDOM OF INFORMATION ACT 2000
Things to remember when responding
  • Must respond within 20 working days
  • Straightforward disclosures can be dealt with by
    the Principal
  • Complex requests and decisions to withhold must
    involve the BOGs
    - consider the public interest test
  • It may not always be appropriate, or required,
    to disclose the identity of the applicant to the
    BOGs
  • The decision which must be made is - can this
    information be made public?

8
FREEDOM OF INFORMATION ACT 2000
  • As much of school information is now open to
    public scrutiny, it's important that we write for
    disclosure
  • Write objectively
  • Ensure what you write is relevant and
    professional
  • Document reasons for decisions generally
  • Refer to policies in decision making
  • Don't forget about e-mails and diaries!

9
FREEDOM OF INFORMATION ACT 2000
What can the applicant do if dissatisfied?
  • Lodge an appeal with the school; it must be heard by
    the BOGs, preferably those not involved in the
    original decision.
  • If still dissatisfied, the applicant can
    approach the Information Commissioner (IC) for an
    independent review.
  • IC will approach school requesting copies of
    information and details around the handling of
    the request.
  • IC will either uphold the school's decision or
    overturn it, and issue school with an enforcement
    notice to release the information.

10
FREEDOM OF INFORMATION ACT 2000
Key points
  • Ensure your school adopts a Publication Scheme.
  • See that requests are identified and dealt with
    promptly.
  • Labour intensive requests can be charged for or
    refused.
    - duty to offer assistance
  • Don't make decisions quickly. Acknowledge
    requests and consider them carefully.
  • Just because someone asks, doesn't mean they get!
    (appropriate disclosure)
  • Where information is refused, an adequate
    explanation must be provided and details on how
    to appeal decision.
  • Ensure nothing is written which may embarrass:
    consider diaries, emails, notebooks etc.
  • WHEN IN DOUBT - SEEK ADVICE

11
DATA PROTECTION ACT 1998 (DPA)
  • The DPA is a legal framework for the proper
    collection, usage, storage, sharing and disposal
    of personal data.
  • It permits Data Subjects access to their
    records.
  • It can impose considerable penalties on
    organisations and individuals who fail to comply.
  • Personal data is any information that
    identifies and relates to a living individual,
    such as name, address, date of birth,
    educational record, financial details and even
    expressions of opinions or intentions. The Act
    covers such information held on computer and
    paper file.

12
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
  • Personal data (PD) shall be processed fairly and
    lawfully: PD must be collected and used only where
    there is valid reason. It is good practice to
    advise subjects how their data may be used through
    forms, posters, annual reports etc.
  • Processed for specified purposes: Where any
    planned use of the information falls outside what
    has been explained to the data subject, or what
    they might expect, consent must be obtained before
    proceeding
  • Adequate, relevant and not excessive: We must be
    able to demonstrate that the level of personal
    information we collect is required for the
    effective delivery of services
13
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
  • PD shall be accurate and up to date: Where we are
    making decisions based on such data, we have a
    responsibility to ensure it is accurate and kept
    up to date
  • Not be kept for longer than is necessary: PD
    should not be kept for longer than necessary. Some
    personal data needs to be retained for legal
    reasons. Schools must refer to the School Record
    Retention and Disposal Schedule before destroying
    records
14
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
  • Processed in accordance with the rights of the
    individual: Data subjects have rights under the
    Act. These include right of access to their
    records, right to have any inaccurate information
    corrected and a right to prevent processing
    likely to cause damage or distress
  • Kept secure
    - One of the biggest obligations placed on a
      school.
    - Equally important for manual and electronic data
    - Applies throughout all stages of data
      processing, from obtaining and using to sharing
      and destruction
15
DATA PROTECTION ACT 1998 (DPA)
Eight DPA Principles are key to compliance
  • PD must not be transferred to countries outside
    the European Economic Area unless the information
    is adequately protected: Personal data cannot be
    transferred to countries which do not have
    similar personal data legislation to our own.

When dealing with personal data we should always
ask ourselves the question: if this was my
personal data, how would I like it to be treated?
16
DATA PROTECTION ACT 1998 (DPA)
Examples of Sensitive Personal Data
Data relating to:
  • Racial or ethnic origin
  • Political opinions
  • Religious/similar beliefs
  • TU membership
  • Physical or mental health
  • Sexual life
  • Criminal allegations
  • Criminal proceedings/record
  • Information relating to a child

Special care must be taken when processing
Sensitive Personal Data, especially around
collection, use and sharing.
17
DATA PROTECTION ACT 1998 (DPA)
Subject access rights
Right of access to personal data in computer or
manual form. Entitled to:
  • Be informed whether personal data is processed
  • A description of the data held, the purposes for
    which it is processed and to whom the data may be
    disclosed
  • A copy of the data, usually within 40 days
  • Information as to the source of the data

There are limited exemptions.
18
DATA PROTECTION ACT 1998 (DPA)
Information access summary
  • Data Protection Act (access to personal data by
    data subject): 40 days
  • FOI Act (access to everything else): 20 days
19
DATA PROTECTION ACT 1998 (DPA)
Duty to Notify
  • Organisations which process personal information
    must notify the IC
  • Costs £35 to register
  • Bogus agencies
  • Failure to notify: criminal offence
  • Details on how to notify can be found at
    http://www.ico.gov.uk/Home/what_we_cover/data_protection/notification.aspx

20
DATA PROTECTION ACT 1998 (DPA)
Summary of key points for staff
  • Duty to OBTAIN information fairly
  • Duty to PROTECT information
  • Duty to ensure information is SECURE
  • Duty to JUSTIFY use and storage of personal data
  • DON'T PASS on information unless on a need to
    know basis and you are sure of the recipient's
    validity
21
INFORMATION SECURITY
Use and Management of Passwords
  • Use passwords to protect against unauthorised
    access.
  • It is a school's responsibility to ensure that
    enabled usernames are available only for current
    staff and students.
  • Leavers' usernames must be removed (i.e. deleted
    or disabled) promptly.
  • The usernames of anyone under investigation for
    inappropriate use must be disabled promptly.
  • Usernames must never be created for fictitious
    staff or students (this includes the creation of
    generic or group usernames, i.e. usernames that
    could be used by more than one person).
22
INFORMATION SECURITY
Use of E-Mail
  • Emails sent to addresses outside the C2K Network
    (i.e. Hotmail.com) will be transmitted across the
    internet. Never send personal data to such
    addresses.
  • Never send Sensitive Personal Data by e-mail.
  • Do not transmit unsolicited advertising or
    attachments as these may conceal viruses.
  • Restrict messages to those who may have an
    interest in them.
  • Check e-mail messages every day (if practical).
  • Do not subscribe to non work related services /
    alerts.
  • Delete unwanted messages.
23
INFORMATION SECURITY
Securing Automated Data
Portables/Laptops
  • Never leave laptops/portables/media unattended.
  • When transporting any computer media always
    ensure it is out of sight, either in a glove
    compartment or boot of a car.
  • Never disclose your username or password.
  • Do not hold confidential or pupil level data on
    laptops.
  • No additional devices may be connected to data
    points on the C2k network without the specific
    agreement of C2k; random checks will be carried
    out to identify such violations.
24
INFORMATION SECURITY
Securing Automated Data
Portables/Laptops
  • Only software which is licensed and appropriate
    for school needs may be installed on laptops.
  • Laptop users may not install alternative versions
    of Internet Explorer, any other Internet
    browsers, Windows updates or any hacking tools
    and should not switch off Windows firewall.
  • Antivirus software is provided and automatically
    updated in school. This protection must be kept
    up to date if the laptop has not been connected
    to the school network for more than one week.
25
INFORMATION SECURITY
Securing Automated Data
Portables/Laptops
  • The laptop should not be given, lent or used by
    anyone other than the nominated member of staff
    when outside school.
  • If the laptop is lost or stolen, the school
    should be notified immediately, or during school
    holidays, the C2k Helpdesk (0870 6011 666).
  • The laptop must be returned to school if the
    nominated member of staff ceases employment with
    the school.
26
INFORMATION SECURITY
C2k Networks
  • No additional devices may be connected to data
    points on the C2k network without the specific
    agreement of C2k; random checks will be carried
    out to identify such violations.
  • It is the school's responsibility to ensure that
    software added to desktops on the C2k network is
    appropriately licensed.
  • The school's C2k Manager/Administrator must
    ensure that software which represents a security
    threat is not installed on any desktop.
  • The school should make all users aware that
    attempts to bypass filtering, or to access
    inappropriate or illegal material, will be
    reported to the school authority.
27
INFORMATION SECURITY
Legacy networks connected to Internet via C2k
  • All legacy network servers and desktops must have
    adequate, up-to-date anti-virus protection with
    automatic updates.
  • Appropriate, up-to-date security patches and
    service packs must be in place on the school
    legacy network.
  • Other Internet or wireless connections must not
    be made available to equipment which is connected
    to the C2k network unless C2k has granted
    permission for such connections.
28
INFORMATION SECURITY
Manual Records
  • Keep personal data in a locked filing cabinet or
    drawer.
  • Operate a clear desk policy: lock all personal
    data away when you are finished with it and at
    the end of the day.
  • Only remove files containing personal information
    from storage areas when necessary. Their location
    should be tracked at all times.
  • Destroy personal data by shredding.

29
INFORMATION SECURITY
General Good Practice
  • Personal information should only be passed on, on
    a need to know basis.
  • Do not allow sensitive conversations to be
    overheard.
  • Guard against people seeking information by
    deception.
  • Never leave personal data at printers. Collect
    print jobs promptly.
  • If working from home treat that environment like
    your work environment. Do not allow
    friends/family access to any information.
  • Avoid sending personal information by fax. Where
    this is necessary do it over a secure protocol.

30
RECORD MANAGEMENT
The Record Life Cycle
  • Creation
  • Active use
  • Retention
  • Final disposal
31
RECORD MANAGEMENT
Information Access
Know what information you hold and be able to
access it.
  • Subject Access Requests
  • FOI requests
  • Inspections / audits

32
RECORD MANAGEMENT
File Disposal
What can disposal mean?
  • Archive
  • Offer records to the Public Record Office for
    Northern Ireland (PRONI)
  • Destruction
  • Adopt and refer to the School Record Retention
    Schedule before disposing of records
  • available at
    http://www.deni.gov.uk/index/85-schools/5-school-management/85-disposal-of-school-records.htm

33
RECORD MANAGEMENT
Don't forget about electronic records

34
CONTACTS / GUIDANCE
  • Freedom of Information
    - WELB Corporate Information Manager 02882 411553
    - www.foi.gov.uk/guidance/index.htm
    - www.ico.gov.uk/
    - http://www.welbni.org/index.cfm/do/GuidSch
  • Data Protection
    - http://www.ico.gov.uk/for_organisations/data_protection_guide.aspx
    - WELB Corporate Information Manager 02882 411553
    - WELB Data Protection officer 02882 411247
  • Information Security
    - C2k Helpdesk 0870 6011 666
    - WELB Corporate Information Manager 02882 411553
    - WELB Data Protection officer 02882 411247
  • Record Management
    - WELB Corporate Information Manager 02882 411553
    - www.proni.gov.uk