Summer 2015 information compliance newsletter

Summer is finally here. What better time than the quiet(?) holiday period to catch up on some information compliance news. See below for a round-up of recent Data Protection and Freedom of Information news, as well as updates on information security and training links. We hope you find this useful. If you’d like to tell us what you think, email isd.spc@uea.ac.uk

Freedom of Information in the news

  • A German student has used his country’s FOI equivalent laws to request advance access to exam questions [Guardian]. Displaying admirable pragmatism - and a disappointing lack of faith in the FOI system - the student commented ‘I’m already revising, and I’m not relying on them to get back to me’.
  • Does FOI give access to documents or the information within those documents? A recent case indicates entire documents may need to be disclosed, if requested. [Act Now]
  • FOI is generally held to be ‘motive and requester blind’, but recent guidance from the ICO explains there are a few situations where the identity and motives of the requester may be taken into consideration.
  • THE and the Guardian have both recently published articles relating to requests for information on senior staff salaries.
  • The Law Society’s Gazette has published a useful round up of FOI law clarifications.

Data protection in the news

  • The Guardian reports on a student petition against the Cambridge University practice of publicly displaying their exam results. One concern is that the practice ignores their right to privacy.
  • Access to your own personal information is a fundamental right within the Data Protection Act. This story from the BBC on a recent sex discrimination case shows what can be uncovered and how information can be used. 
  • A recent paper from the UK Information Commissioner’s Office (ICO), discussed by Out-Law, suggests organisations may be able to process big data sets containing personal data if they can show they have ‘legitimate interests’ in doing so. Previous ICO guidance focused on gaining consent of data subjects.
  • 80 academics, including UEA’s Paul Bernal, have written an open letter to Google [published on Medium], seeking transparency on how it manages requests from EU citizens to be removed from search results - known as the ‘right to be forgotten’.
  • Courts can now impose unlimited fines on individuals for the Data Protection Act offence of obtaining or disclosing personal data without the consent of the data controller – previously the limit was £5000. [PDP]. UEA will always inform the Information Commissioner’s Office of any such breach of the Act involving UEA-controlled personal data.

Information security update

  • University suffers a sophisticated security breach [Ars technica] Penn State University were notified by the FBI that attackers had breached systems at its College of Engineering in a "highly sophisticated" breach. Roughly 18,000 individuals’ information was accessed and the attack appeared to target research data as well. Comment: Universities are now seen as easy targets in comparison with many other organisations of their size, and have the additional incentive of having valuable intellectual property. Understanding where that valuable data resides within the University is key to being able to protect it.
  • Apple Macs reported to be wide open to malware [The Register] Researchers have discovered it is possible to bypass Apple’s built-in mechanisms that should prevent unsigned code from running on Mac OS machines. Comment: This is another example of why it is important to ensure all systems have additional security mechanisms installed, such as anti-malware. How many Apple devices are running on the University’s network without such protection is currently unknown. Owners of such devices should contact the IT Helpdesk for advice.
  • Student goes to jail for hacking staff PCs and adjusting his grades [Independent - article no longer available] A University of Birmingham student hid key logging devices in computers used by staff to collect their login details. These then allowed him to access the student information system and alter his records. The incident came to light when a lecturer discovered one of the logging devices. Comment: Staff with access to key information systems should remain vigilant and report any suspicious behaviour or devices attached to their work machines.
  • ULCC suffers cyberattack which takes numerous services offline [THE] The attack against the University of London Computing Centre (ULCC) affected over 300 UK institutions and 2 million higher and further education students. It would appear that the attack was timed to cause maximum disruption at a peak usage time. Comment: The best defence is good preparation, and this sort of event would be a very robust test of incident response procedures and business continuity plans.

Spotlight on MFDs and data security risks

Multi-Functional Devices - printers, scanners & photocopiers - have been the source of several high-profile data breaches. Sensitive documents can be forgotten or collected by mistake and, as networked devices, MFDs themselves may be vulnerable to attack. Most of us regularly use MFDs and there’s a lot we can do to prevent loss of sensitive or personal data:

  • Lock print jobs
  • Don’t leave documents lying on the photocopier glass or trays
  • If scanning documents, scan to your own email address (and check this is correct), rather than the device itself or shared filestore
  • Restrict physical access to the MFD
  • Contact the IT Helpdesk for advice

Training

Online training is available for anyone who can’t wait until the CSED sessions next semester. These modules take around 30 minutes and can be accessed whenever you like.

Managers and team leaders: If you’d like to arrange FOI or DPA training tailored for your team, just contact isd.spc@uea.ac.uk.

We can also monitor completion of online training if required (e.g. as a precondition of accessing certain systems).

Freedom of Information and the new government

As the election becomes a distant memory, Information Policy & Compliance Manager Dave Palmer reflects on what FOI might look like under the new government:

There has been some speculation as to what the new government has planned for the future of FOIA. Perhaps no government is convinced of the merits of the Act; after all former PM Tony Blair called himself a nincompoop for bringing in the legislation. The new government initially gave responsibility for the Act to the Ministry of Justice headed by Michael Gove who has had his own troubles with the Act but, as of 17 July 2015, this responsibility now lies with the Cabinet Office. As some commentators have stated, given the record of the Cabinet Office, this may not be terribly comforting.

Despite this government's stated commitment to transparency, it appears their view of what that means is not completely consistent with the current Act. Minister Gove's recent comments seem to indicate the government is very much in favour of releasing ‘data’, such as how much is spent by a government department, but that their view of ‘information’, which might include correspondence between government officials, is very different. The establishment of a new Commission to review the Act would seem to indicate that the misgivings of defenders of the Act are well-founded.

So, what can we expect? The government has already signalled a desire to increase fees to discourage requests, to widen the 18 hour time limit exemption to include more activities, and to amend legislation to increase the power and application of the Ministerial veto. More recently, there has been Gove’s stated objective to further protect intra-governmental communication and the formulation of government policy, and the rumoured plans to count government officials’ “thinking time” when deciding whether FOIA requests fall under spending limits. Whatever emerges, it is clear that the government wants to limit the reach of the Act within government, reduce the ability of journalists to use the Act to interrogate the government, and increase the ability of the government to avoid revealing its inner workings.

The government may state it is in favour of ‘transparency’ but it is not transparency as we know it.

Data protection champions

The Strategy, Policy & Compliance team will soon be creating a network of data protection ‘champions’ to help all areas of the University become more privacy aware. If you’re interested in getting involved, please contact Ellen Paterson in the SPC team for more details.

UEA policy update

The University’s Conditions of Computer Use have recently been updated and the new version approved at the June ISSC meeting. All staff need to be aware of these conditions and the consequences of contravention.

Information compliance news on Twitter

Follow ISDTN on Twitter to get this and a lot more daily news of interest covering HE, information security, education, research, and information compliance.