DPA-Training1

Slide 1: Introduction to Data Protection
• Training prepared by Geoff Webb, Information Security & Governance Consultant
• Data Protection isn’t a choice, it’s the law
• What all CPH staff must do
17/07/2013 DPA Presentation v3
Slide 2: Main Points
• Person Identifiable Data (PID) - the information that would enable a person’s identity to be established
Slide 3: Person Identifiable Data (PID)
The term applies to any combination of the following data items, wherever they appear and whatever the data field holding them is called, that would allow the patient to be identified:
Name - including last name and any forename or aliases
Address - including any current or past address of residence
Postcode - including any current or past postcode of residence
Telephone number
Date of birth
NHS number
Ethnic category
Local Patient identifier
Hospital Encounter number
Patient pathway identifier
SUS spell ID
Unique booking reference number
Date of death
Slide 4: Main Points
• Person Identifiable Data (PID) - the information that would enable a person’s identity to be established
• Security and confidentiality of PID
Slide 5: Security and confidentiality of PID
• Keep it safe
• Don’t let someone else have it
• Don’t give someone’s secrets away
Slide 6: Security and confidentiality of PID
• Why not?
• The Data Protection Act is the law that protects us against illegal and inappropriate use of our personal information without our consent, and the same applies to us using the information of others
Slide 7: Data Protection Act Principles
Anyone who processes personal information must comply with the eight principles of the Data Protection Act, which make sure that personal information is:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept for longer than is necessary
6. Processed in line with your rights
7. Secure
8. Not transferred to other countries without adequate protection
Slide 8: Main Points
• Person Identifiable Data (PID) - the information that would enable a person’s identity to be established
• Security and confidentiality of PID
• The need to identify individual data subjects
Slide 9: The need to identify individuals
• Do you really need to know who they are?
• If so, they must give informed consent
• Anonymisation and Pseudonymisation
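Slide 9 (and speaker note 9) says that where you do not need the person to be identifiable you must anonymise or pseudonymise the data. The following is an added illustration of one pseudonymisation step, not code from the deck or from CPH: it validates the NHS number check digit, replaces the NHS number with a keyed HMAC pseudonym, drops every data item slide 3 lists as PID, and generalises date of birth to a ten-year age band. The record layout and field names, the sample records, the age-band rule and the fixed key are all assumptions made for the example.

```python
"""Pseudonymise patient records before they leave the identifiable environment.

Added illustration for slide 9 / note 9 of the deck; this is not CPH code.
Assumptions: record layout and field names, the age-band rule, and a key that
lives only inside the secure environment (fixed here so the example is
reproducible).
"""
import hashlib
import hmac
from datetime import date

# The data items slide 3 lists as PID, as field names (assumed layout).
# Anything in this set is dropped from the output record.
DIRECT_IDENTIFIERS = {
    "name", "address", "postcode", "telephone", "date_of_birth", "nhs_number",
    "ethnic_category", "local_patient_id", "hospital_encounter_number",
    "patient_pathway_id", "sus_spell_id", "unique_booking_reference",
    "date_of_death",
}

AS_OF = date(2013, 7, 17)  # reference date for age bands (the deck's date)

# Constructed records, not real patients. 943 476 5919 and 123 456 7881 are
# synthetic numbers that merely pass the check-digit test.
SAMPLE_RECORDS = [
    {"name": "A. Patient", "nhs_number": "943 476 5919", "postcode": "L1 1AA",
     "date_of_birth": date(1970, 3, 5), "hospital_encounter_number": "E1001",
     "diagnosis_code": "J45", "ward": "Respiratory"},
    {"name": "B. Patient", "nhs_number": "123 456 7881", "postcode": "L2 2BB",
     "date_of_birth": date(1985, 11, 30), "hospital_encounter_number": "E1002",
     "diagnosis_code": "E11", "ward": "Endocrine"},
    {"name": "A. Patient", "nhs_number": "9434765919", "postcode": "L1 1AA",
     "date_of_birth": date(1970, 3, 5), "hospital_encounter_number": "E1003",
     "diagnosis_code": "J45", "ward": "Respiratory"},
]
INVALID_RECORD = {"nhs_number": "943 476 5918", "date_of_birth": date(1970, 3, 5)}
SAMPLE_KEY = b"replace-me-with-32-random-bytes-kept-in-the-secure-environment"


def nhs_number_is_valid(nhs_number: str) -> bool:
    """Modulus 11 check digit of a 10-digit NHS number (spaces allowed)."""
    digits = nhs_number.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * (10 - i) for i, d in enumerate(digits[:9]))
    check = (11 - total % 11) % 11  # remainder 0 -> check digit 0
    return check != 10 and check == int(digits[9])  # 10 is never valid


def pseudonym(secret_key: bytes, nhs_number: str) -> str:
    """Stable pseudonym for one patient. A keyed HMAC is used because the NHS
    number space is only 10^10 values: an unkeyed hash could be reversed by
    hashing every candidate. Whoever holds the key can re-identify, so the key
    stays with the identifiable data, never with the pseudonymised extract."""
    digits = nhs_number.replace(" ", "").encode()
    return hmac.new(secret_key, digits, hashlib.sha256).hexdigest()[:16]


def age_band(dob: date, on: date) -> str:
    """Generalise date of birth to a ten-year band, e.g. '40-49'."""
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    lower = age // 10 * 10
    return f"{lower}-{lower + 9}"


def pseudonymise(record: dict, secret_key: bytes, as_of: date) -> dict:
    """Return a copy with every direct identifier removed, a pseudonym added and
    date of birth replaced by an age band. Refuses malformed NHS numbers so a
    typo cannot silently create a second 'patient'."""
    if not nhs_number_is_valid(record["nhs_number"]):
        raise ValueError("invalid NHS number; record not processed")
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["pseudo_id"] = pseudonym(secret_key, record["nhs_number"])
    out["age_band"] = age_band(record["date_of_birth"], as_of)
    return out


def pseudonymise_all(records: list, secret_key: bytes, as_of: date) -> list:
    return [pseudonymise(r, secret_key, as_of) for r in records]


def contains_direct_identifiers(record: dict) -> bool:
    """Release check: True if any PID field survived."""
    return bool(DIRECT_IDENTIFIERS & set(record))


if __name__ == "__main__":
    for row in pseudonymise_all(SAMPLE_RECORDS, SAMPLE_KEY, AS_OF):
        print(row)
```

The two encounters for the same patient receive the same pseudonym, so linkage within the extract still works, while nobody without the key can map a pseudonym back to an NHS number. Note that this is pseudonymisation, not anonymisation: the extract remains personal data while the key exists, and the remaining fields (ward, diagnosis) can still single people out in small populations.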
Slide 10: Reasons to be careful - part 1
• Data Protection Act
• Civil Rights
• Freedom of Information
Slide 11: Reasons to be careful - part 2
• Information Commissioner’s Office (ICO)
• Wrath of the ICO
• Legal and Financial penalties
Slide 12: Data Protection Act and the ICO
If we breach any of the DPA principles, the ICO can impose heavy financial penalties, up to £500,000 per breach.
If a person thinks that we are not doing all we should with their personal data they can ask the ICO to investigate. The ICO can arrive unannounced and carry out a stringent audit of all our processes for handling personal data.
Slide 13: What can you do?
• Information Security
• Maintain Confidentiality
• Always keep on the right side of the law
Slide 14: Information Security
• Electronic data security
• Physical security
• What to watch out for
Slide 15: Maintain Confidentiality
• Don’t gossip
Slide 16: Stay safe online
What’s at risk?
• Personal information
• Corporate information
Slide 17: Stay safe online
Source of risk?
• Virus writers
• Email attachments
• Software
Slide 18: Stay safe online
Types of risk?
• Worms
• Trojan Horses
• Botnet
• Phishing
Slide 19: Stay safe online
Types of risk? (same list as slide 18; the slide shows a real phishing email, which is not reproduced here)

Slide 20: Stay safe online
Types of risk? (same list as slide 18, with the same phishing email)
If you click on My Account Activity you will go to somewhere quite unexpected
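The point of slide 20 is that the link text ("My Account Activity") tells you nothing about where the link actually goes. As an added illustration, not code from the deck or from CPH, the script below parses an HTML email and flags two things a phishing message typically gets wrong: links whose host is outside the sender's own domain, and links whose visible text shows one address while the href points at another. The sample message is constructed for the example using the reserved names example.com (the apparent sender) and example.net (the attacker's host); treating the From: header as the sender's domain is an assumption, since that header is itself forgeable.

```python
"""Flag deceptive links in an HTML email, the 'My Account Activity' pattern on
slide 20 of the deck. Added illustration, not code from the deck or CPH.
Assumptions: the message is single-part HTML, the sender's domain is taken from
the From: header, and the sample below is constructed with reserved example
domains (example.com is the apparent sender, example.net the attacker's host).
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; not a real phishing email.
SAMPLE_EMAIL = """\
From: Account Services <alerts@example.com>
To: staff@example.org
Subject: Unusual sign-in on your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>We noticed a new sign-in. Review it here:
<a href="http://example.net/verify?u=1">My Account Activity</a></p>
<p>Or visit <a href="http://example.net/secure">https://www.example.com/secure</a></p>
<p><a href="https://www.example.com/help">Help centre</a></p>
<p><a href="http://example.net/u?id=42">Unsubscribe</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def sender_domain(raw_email: str) -> str:
    """Domain of the From: address, e.g. 'example.com'."""
    msg = message_from_string(raw_email)
    addr = msg.get("From", "").rstrip(">")
    return addr.rsplit("@", 1)[-1].lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def within_domain(host: str, domain: str) -> bool:
    """Exact match or a subdomain; 'example.com.evil.test' does not qualify."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(raw_email: str) -> list:
    """Return (href, reason) pairs. Two checks from the slide's lesson: the link
    leaves the sender's own domain, or the visible text shows one address while
    the href goes to another."""
    msg = message_from_string(raw_email)
    domain = sender_domain(raw_email)
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not within_domain(host, domain):
            findings.append((href, f"link goes to {host}, outside sender domain {domain}"))
        if text.startswith(("http://", "https://", "www.")):
            shown = host_of(text if "://" in text else "http://" + text)
            if shown != host:
                findings.append((href, f"text shows {shown} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run against the sample, the "My Account Activity" and "Unsubscribe" links are flagged for leaving example.com, and the second link is flagged twice because its text advertises www.example.com while it resolves to example.net. The genuine help link passes. The same logic belongs in a mail gateway rather than on the desk: a user who has to inspect hrefs by hand has already been handed the risk.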
Slides 21-24: Stay safe online (built up one bullet at a time)
Can you avoid the risk?
• Not really
• Damage limitation
• Use Encryption
Slide 25: Stay safe online
Avoid being the risk
• Email protocol
• Using social media
• Follow the rules
Slide 26: Stay safe online
What if you are targeted?
• SPAM
• Suspected Malware
• You said something you shouldn’t have
Slide 27: Stay safe online
What you need to do
1. Think before you Send
2. Don’t fall for hoaxes
3. Take care with social media
Slide 28: Always keep on the right side of the law
Finally
If a process isn’t intuitive, use a Checklist
Know where the Policies, Procedures and Guidelines are stored
When in doubt, ask!


Editor's notes (speaker notes, one per slide)

  1. The purpose of this presentation is to show all staff what must be done to preserve the security and confidentiality of personal data and to comply with data protection law. For research purposes we normally don’t need to identify individuals; in fact we normally cannot hold information that could identify someone unless we have their written consent. This is all covered by the Data Protection Act, which, amongst other things, protects us all against having our personal information misused. Whenever we use data about someone (a data subject) we must comply with the principles of the Data Protection Act (DPA), which is administered by the Information Commissioner’s Office (ICO). That shouldn’t mean we have extra work to do; it means that what we do must be done in a certain way, taking due care of the data we are dealing with. There is more information about the DPA on the intranet in DPA01, the DPA Local Guide.
  2. Definitions follow
  3. This is what we must protect. PID is the information about a person which would enable that person’s identity to be established: information such as a combination of some of the items shown on the slide. Photographs and video recordings can also identify an individual. You could add dignity to what we must protect. It may not be part of the Data Protection Act, but it is in the overarching remit of the ICO. Here’s an example of a gross lack of respect for patient dignity. Case study: a celebrity went to the maternity unit to be at his wife’s side as she was about to give birth to their first child. It all went well, but on his way home he kept receiving calls and text messages of congratulations. He had told nobody and neither had his wife. Eventually he discovered that the entire birth had been video recorded by a nurse on her iPhone, who then put it on YouTube. The nurse was dismissed and the hospital was fined for allowing it to happen.
  4. Make sure that the data you are using is not available to any unauthorised person. However interesting it might be, if you recognise someone from the data you have, it is not permitted to inform others of that person’s details. Case study - a clinic arranged for their paper patient records to be transferred to disk by a reputable UK company. Due to high volumes of work that UK company subcontracted it out to another organisation, who in turn sent it all to a processing centre in India. There they produced a copy of the patient information and emailed it back to the clinic, without any security. They also produced other copies that were sold to pharmaceutical companies who used the data for direct marketing, having the names, addresses and clinical condition of 10,000 patients who they could target with drugs at lower prices than prescription charges. The pharmaceutical companies paid £5 per data subject so £50,000 was a very low price for that direct marketing data.
  5. How to keep PID safe – examples:
  All mobile storage devices, including USB memory sticks, must be encrypted. That way if one is lost we lose only the value of the device and not the data, because the encryption protects it.
  Always encrypt emails and their attachments. Do this for every email regardless of its contents; that way you won’t have to remember to do it whenever PID is included.
  Always transport PID in a closed opaque container (a brown envelope?) so that the details cannot be seen by a casual observer.
  Don’t send PID by fax unless you know that Safe Haven procedures are in place and are being followed. The ICO’s guidance on the secure use of fax machines advises that organisations sending personal information by fax should:
  • Consider whether sending the information by a means other than fax is more appropriate, such as a courier service or secure email.
  • Make sure you only send the information that is required. For example, if a solicitor asks you to forward a statement, send only the statement specifically asked for, not all statements available on the file.
  • Double check the fax number you are using. It is best to dial from a directory of previously verified numbers.
  • Check that you are sending the fax to a recipient with adequate security measures in place. For example, your fax should not be left uncollected in an open plan office.
  • If the fax is sensitive, ask the recipient to confirm that they are at the fax machine, that they are ready to receive the document, and that there is sufficient paper in the machine.
  • Ring up or email to make sure the whole document has been received safely.
  • Use a cover sheet. This will let anyone know who the information is for and whether it is confidential or sensitive, without them having to look at the contents.
  Avoid giving PID away: don’t send PID in internal envelopes, because it could easily go to the wrong person if previous recipients are not crossed out.
  Have a clear desk policy and a clear screen policy to avoid leaving PID for others to see.
  6. If we don’t keep it safe and respect the confidentiality of the data subjects we are breaking the law. This is not just ignoring a policy: the ICO can impose a monetary penalty of up to £500,000 on the CPH for a serious breach of the principles, and some breaches, such as unlawfully obtaining or disclosing personal data, are criminal offences. Reputational damage is bound to follow, with revelations in the media. You personally would face CPH and LJMU disciplinary action, and Police involvement would follow if the ICO considers the breach of the law warrants it. Check the ICO website to see what fines have been imposed recently, with details of what happened.
  7. The Data Protection Principles for handling person identifiable data (PID) are explained on this slide and more details are given in DPA01, the Local Guide. Talk through practical examples where appropriate:
  1. Normally we can’t just take information; we must explain why and what will happen to it, in compliance with the law.
  2. This is aimed at the point of collecting information. We don’t collect information just in case it might be useful one day. We must tell people what we will use their data for.
  3. We must not hold elements of data for which there is no need in the work we are doing.
  4. No point working with incorrect data; you might just as well make it all up. Ensure the accuracy and currency of the data as much as possible.
  5. You have to dispose of information if/when it has served its purpose, and in accordance with the guidelines on the Information Commissioner’s website http://www.ico.org.uk/
  6. All uses of identifiable data must comply with the DPA, UK and European Human Rights Acts and Civil Rights Acts.
  7. Data must only be stored on devices that are encrypted. A laptop owned by an orthotics supplier to the NHS was stolen from an employee’s car. It had no encryption and contained an icon which gave instant access to the company’s on-line ordering system, which included a patient list. This gave access to the personal details of 25,000 people. The organisation received a heavy fine and was obliged to write an apology to all 25,000 people. The employee was disciplined.
  8. Governments of all countries within the EEA have signed an agreement to respect personal information. However, in some countries outside the EEA, PID is freely available. Here’s an example of what can happen: a former employee moves to a country outside the EEA and emails their former manager requesting a reference. Complying with that request without encryption puts the PID at a very high risk of being intercepted and used for fraudulent purposes. Before sending PID outside the EEA you must inform the data subject of the risks.
  8. Is it really necessary to hold the PID? If so there is even more need to keep it all secure.
  9. If they must be identifiable it is even more important to take great care of the data. If you don’t need the data to be identifiable but it contains PID, you must make it non-identifiable using anonymisation or pseudonymisation. Look at the possibilities of applying for a Section 251 exemption, which allows you to hold PID without getting consent in cases where the work being done is “in the public interest”. The Health Research Authority website gives more detail under the heading of Confidentiality Advisory Group.
  10. Great care must be taken to avoid breaching the Data Protection and Civil Rights Acts. As a public organisation, all corporate information and decision making processes must be freely available to the public via the Freedom of Information (FOI) Act. Remember that everything you write down in the course of your work is corporate information, including emails, and as such could be requested under FOI.
  11. 1. The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO regulates the Data Protection Act 1998, the Freedom of Information Act 2000, the Privacy and Electronic Communications Regulations 2003 and the Environmental Information Regulations 2004.
  3. Anyone who processes personal information must comply with the eight principles of the Data Protection Act (listed on slide 7), which make sure that personal information is: fairly and lawfully processed; processed for limited purposes; adequate, relevant and not excessive; accurate and up to date; not kept for longer than is necessary; processed in line with your rights; secure; not transferred to other countries without adequate protection. http://www.ico.org.uk/
  Recent enforcement examples:
  • The Information Commissioner’s Office (ICO) has issued a monetary penalty of £55,000 to North Staffordshire Combined Healthcare NHS Trust. The penalty follows a serious breach of the Data Protection Act which resulted in sensitive medical details of three patients being sent to a member of the public. Three separate faxes, which should have been faxed to the trust’s Wellbeing Centre, were sent to the same member of the public.
  • The Information Commissioner’s Office (ICO) has served a Manchester company with a monetary penalty of £45,000 for blighting the public with unwanted marketing calls.
  • The Information Commissioner’s Office (ICO) has served Google Inc with an enforcement notice over the collection of payload data by Google’s Street View cars in the UK. Stephen Eckersley, ICO Head of Enforcement, said: “Today’s enforcement notice strengthens the action already taken by our office, placing a legal requirement on Google to delete the remaining payload data identified last year within the next 35 days and immediately inform the ICO if any further disks are found. Failure to abide by the notice will be considered as contempt of court, which is a criminal offence.”
  12. Examples of recent fines for breaches can be seen on the ICO website.
  13. To achieve the correct level of compliance, ensure that you follow all of the CPH Policies and Procedures which are on the intranet.
  14. There are guidelines for maintaining electronic data security on the Intranet under DPA but for the Physical security of the building including access to the CPH offices, refer to the LJMU Policies and Procedures. Watch out for people wandering around looking lost, they might have got in by “tailgating” or following others through access doors that the others have opened. Watch out for people who do not have some form of LJMU identity badge. Challenge anyone acting in a suspicious manner or call security with your concerns and ask them to deal with it.
  15. Don’t talk about an individual, although it is OK to discuss an anonymous person (someone who can’t be identified) for valid reasons. If you hear others gossiping, or acting in a way that goes against the DPA principles of security or confidentiality, remind them that they shouldn’t.
  16. Personal information at risk: identity, financial details. Corporate information at risk: network resources, access, response time, CPH reputation.
  17. Virus writers: motivated by challenge, boredom, peer group targets. Email attachments: an email is just text; the danger is in attachments and macros, and in active web content such as ActiveX (used for website content with moving graphics, streaming video etc.), which has been a common vector for spreading viruses.
  18. Worms: able to replicate, exploiting weaknesses in operating systems. Trojan Horses: hidden side effects in software (it runs as expected but does other things behind the scenes). Botnet: a group of software robots (bots) used to generate SPAM and to launch distributed denial of service (DDoS) attacks. Phishing: data stealing (attempts to get bank details, access codes).
  19. This is an actual Phishing attempt. It needs operator action to activate. Phishing: data stealing (attempts to get bank details, access codes)
  20. With emails like this, DON’T click on anything; just delete it. DON’T be fooled into clicking on Unsubscribe: that confirms your address is live and can itself trigger the phishing attack.
  21-24. Not really: unless you avoid using the internet, which isn’t practical. Damage limitation: all the things you can do to minimise the risk – virus and other malware detection, stay squeaky clean. Encryption: whenever you send personal information make sure you use encryption (WinZip v11 or later includes that).
  25. Email protocol: it is all too easy to click on Send before you mean to, with consequences. Take care with what you send (check down the email trail). Check who will get the email if you Reply All. Social media: be careful what you connect to, and careful what you say about other people, the university, staff etc. The internet is just like a newspaper regarding libel laws. Follow the rules: Data Protection Act: make sure you know what you can and can’t do. Breaching the Data Protection Act can make you personally liable and involved in criminal proceedings. Follow CPH Policies and Procedures; make sure you know which ones affect you, and where to find them.
  26. SPAM: don’t make it worse by sending it to IT; block the sender and then just delete it. Don’t become an internal spammer. Suspected malware: disconnect your PC from the network and report it to IT. You said something you shouldn’t have: work out your apology and start repair work. Be proactive; own up before you are put on the defensive.
  27. If you remember nothing else of the presentation please take away these three things to Stay Safe online: Check emails so that you know what you’re sending, encrypted if it includes personal information. Phishing email hoaxes, report them and delete them; NEVER click on any links they contain. Social Media works well, but take great care with what you say and who or what you invite into your life.
  28. Write checklists so that someone else could follow them and do that part of your job, for example if you are ill. Keep aware of the location of Policies, Procedure and Guidelines and make sure you are aware of updates to documentation.