This newsletter is brought to you by the Strategy, Policy and Compliance team, who provide advice and guidance on the University’s information compliance and information security obligations. We’re a small team with individual specialisms, and are happy to help with any enquiries you may have about our work. To make sure your enquiry reaches the right person please use the following email addresses.
Information security: firstname.lastname@example.org
Computer misuse incident reporting: email@example.com
Freedom of Information: firstname.lastname@example.org
Data protection: email@example.com
The institutions of the EU have finally - after four years of debate - reached agreement on the new General Data Protection Regulation. GDPR will replace the UK Data Protection Act in May 2018, and plenty of briefings, commentary and news articles have already been published to help us understand what it means for individuals and organisations.
The changes will be significant and the SPC team are already looking at the implications of the new legislation. In the coming months we’ll update you with important news and training opportunities, but in the meantime here are some links to get you started:
Background and key facts from the BBC
Preparation advice from the Information Commissioner's Office (expect to hear a lot more from them)
Some technical detail from ActNow training
And finally, Out-law information law experts speculate on what the outcome of the EU referendum may mean for GDPR in the UK
Lots of enforcement news. First up, the ICO has fined an NHS trust £185,000 for a failure to secure personal data of its staff, including sensitive personal data. It was also very slow to inform those affected even after becoming aware of the breach.
The Health and Social Care Information Centre have signed an Undertaking to improve their practices, after it was found they had not acted on patients' wishes to opt out of data sharing with other organisations.
Another NHS trust was fined £180,000 for a serious breach of the DPA: a newsletter to HIV clinic patients was sent with the recipients in the 'To:' field rather than 'Bcc:', revealing their addresses to each other.
Kent police were fined £80,000 for incorrectly sharing sensitive personal data in a domestic abuse case. Mobile phone data was passed to the accused's solicitors, who refused to return the data on the grounds that it was relevant to their client's defence.
Finally in enforcement news, and showing that privacy rights are not ignored during periods of political campaigning, 'Better for the Country Ltd' were fined £50,000 for not having the consent of the 500,000 people it sent texts to. They had bought the contact details from a supplier, but the ICO confirmed it is not acceptable to rely on assurances of indirect consent without undertaking proper due diligence.
According to information obtained under FOI, Cambridge University's General Board of the Faculties wants to stop publicly releasing students' exam results. Students complained about this practice last year and the Telegraph reports on the outcome to date.
Out-law reports that IP addresses should be treated as personal data if ISPs hold other information that can be matched with the IP address to reveal the identity of an internet user.
The BBC reports that the recent independent commission looking into the FOIA has ruled out any legal changes, including the introduction of fees. There will be a requirement for public bodies to publish more information, including senior staff salaries and expenses. The full Independent Commission on Freedom of Information report, which looked at the development of FOIA over the last ten years, has now been published.
Reflection from the THE on how it now seems highly unlikely that universities will be made exempt from FOI, given that the independent commission found the supporting arguments 'unpersuasive'. The article also discusses how universities approach FOI requests.
Jisc Information Legislation and Management Survey 2015. The results from the 2015 survey of HEIs about their information compliance activity have been published. They show a small reduction in the number of requests over 2015 (the first decline since 2005), a trend which was not repeated at UEA.
KCL's fight against revealing the salaries of staff earning over £100K has been resolved, with a decision that academic salaries are commercially sensitive but senior administrative staff salaries should be released. Last month KCL therefore revealed that their Head of Administration and College Secretary is paid between £180K and £190K. The legal fight took three years, and the THE has calculated that it cost the college £250K.
Journalists at City University event encourage persistence when requesting information under FOI [PressGazette]
The Guardian used information gained under FOIA to link the rise in students seeking counselling with the rise in tuition fees.
Blog from OUP on why politicians may not like FOI: 'For political leaders, it’s like saying to someone who is hitting you over the head with a stick, ‘Hey, try this instead’, and handing them a mallet.'
The ICO has updated its guidance on the use of encryption to protect personal data. The ICO may take action where personal data is lost and encryption had not been used to protect it. Systems must also be kept up to date to remove vulnerabilities which can be exploited.
VMware conducted a survey of universities' experiences of cyber attacks. Its conclusion is that universities risk falling behind on IT security, but also that, given the unique nature of the working environment, a balance needs to be struck with academic freedoms. See the Times Higher and Computerworld articles.
Concordia University in Montreal has found keyloggers installed on workstations in their library. Keyloggers collect all keyboard entry, such as usernames and passwords. HE is being increasingly targeted and is rated as the worst prepared sector for cyber security. [SC magazine]
Information security is the no. 1 issue facing colleges and universities. Here, the Chief Information Security Officer at Virginia Tech describes his day.
Online and face to face training is available for all UEA staff. For those who prefer online training, you can choose from:
- Data Protection (mandatory for any member of staff handling personal data)
- Freedom of Information
- Records Management
- Information Security (available from Blackboard)
- Copyright (available from Blackboard)
Each module takes around 30 minutes to complete, and includes activities to ensure you've mastered the key points.
Face to face training can be booked via CSED, or contact us to find out more about bespoke training for your department.