Welcome to the first of our seasonal information compliance bulletins.
We’ve selected the latest Data Protection, Freedom of Information and Information Security news so you can quickly find out how these might affect you at work and home. We’ve also included information about what the University is doing to help protect our data assets and ensure we meet our legal obligations.
We hope you find this useful. If you’d like to tell us what you think, email email@example.com.
- The recent judgment in the case of Vidal-Hall v Google [Panopticon blog] has redefined the meaning of DPA s.13. It would seem that it is no longer necessary to demonstrate financial loss to make a valid claim for damages from unfair processing of personal data.
- Ever wondered what employers can legally do to monitor staff activities at work? This blog post from Act Now explains the key issues.
- Janet have published guidelines on the use of student data for learning analytics. A useful reminder of the privacy implications of using ‘big data’. A code of practice for universities is also being drafted.
- The Guardian considers what can be learned from the experience of losing a laptop. Includes tips on how to protect your data.
- It’s 10 years since FOIA became law. The Information Commissioner’s Office (the body that oversees compliance with the Act) reflects on ten years of FOIA in their blog.
- We recently responded to a request from Times Higher Education on International student recruitment. The article shows how ‘round robin’ requests are used by journalists to get an - often incomplete - overview of current HE trends.
- Another article showing how journalists use FOI [PressGazette], marking the 10th anniversary of the enactment of FOIA.
- The new FOI research exemption [Justice.gov] is of specific interest to universities. This is often an area of concern for researchers, although in practice UEA receives few such requests.
- Want to find out if your department is fit for FOI? Try the Scottish FOI self-assessment module [itspublicknowledge.info]
- FOIA Case Law roundup [ActNow blog], including commentary on the recent KCL ruling regarding disclosure of staff salaries.
- Information Commissioner’s Office fines for non-compliance [V3.co.uk] with PCI DSS security standards
- The recent news article [Independent] regarding Queen Mary University’s security compromise highlights the changing assumption that higher education establishments were not of interest to would-be attackers.
- Universities are of interest to hacker groups [databreaches.net], which look for vulnerabilities on the systems universities manage. Any vulnerability found gives an opportunity for system compromise and potential access.
- According to a report by security firm GFI [zdnet], Apple's Mac OS X is the most vulnerable operating system, with the iOS platform coming in second.
- A student placed key loggers on systems used by staff [Independent - article no longer available] at the University of Birmingham to capture their login details and passwords. These devices are small, easily hidden and available to buy on the Internet. The student was caught and convicted of offences under the Computer Misuse Act 1990, and received a 4-month jail sentence.
2015 sees the launch of several new online training packages. All modules take around 30 minutes to complete, and are ideal if you want to know the basics about information compliance, but can’t make it along to one of our face-to-face CSED sessions.
If you’d like to arrange FOI or DPA training tailored for your team, just contact firstname.lastname@example.org
Copyright training from JISC can also be found on Blackboard. Access details on our training website
Dave Palmer has been at the University’s FOI frontline since the Act came into force. It’s been an occasionally rocky road during which he’s discovered some surprising facts about the University and that no question is too obscure to be asked – see our disclosure log to find out what people really want to know about UEA.
Some FOIA facts and figures from the past 10 years:
- Total number of requests: 1567
- Average number of requests per year (2005-2008) – 62
- Average number of requests per year (2009-2014) – 176
- Top five request subject areas: 1. Management & administration; 2. Admissions; 3. Student issues/numbers; 4. Research; 5. Teaching & assessment
- Top five types of requester: 1. Members of the public; 2. Journalists; 3. Staff and students from other HEIs; 4. Commercial organisations; 5. UEA students
In addition to responding to requests for information, FOIA also requires us to proactively publish certain information about the University. We’re about to start our annual review of UEA’s Publication Scheme and have several gaps to be filled. Can you help us add any information for your areas?
We recently reviewed the University’s Data Protection Policy. It now includes a new section on data sharing and additional information about the use of personal data for marketing purposes. Significantly, there is now an expectation that anyone handling personal data will have completed DPA training. The February ISSC meeting also approved updated policies for FOIA, EIR and Information Classification. Read more. The committee cover sheets detail any changes.