
LONDON’S GLOBAL UNIVERSITY

Good practice tips

Do...

• think before you click and ensure personal data is sent securely using the technology available e.g. 7-Zip, IDHS etc.

• ensure data sharing procedures respect the confidentiality of individuals and there is a data sharing agreement in place with the other party

• consider if the disclosure of personal data is within the reasonable expectations of the individual whose personal data is involved

• assess that the disclosure, sharing or transfer of personal data is lawful

• make sure you have read and understood the internet and email policies relevant to UCL and any other organisation

• post large attachments to secure folders and inform your audience by email of the file location

• scan email attachments for viruses before you open them

• only address emails to people who need to know

• include a relevant title for your email message

• make sure you are aware of confidentiality and data sensitivity issues before sending messages

• be sure that information published on a website is accurate and up to date before using it.

07/13

Email

The data subject will expect that a data controller processes the personal data securely and respects their confidentiality.

Email is an insecure method of transferring personal data.

To make it secure you must use AES 256-bit encryption.

UCL SLMS provides such software and you can use 7-Zip to protect personal and sensitive personal data. You can obtain further information on 7-Zip here: www.ucl.ac.uk/slms/ident-data/

The use of NHSmail to NHSmail is secure as it uses AES 256-bit encryption. If using NHSmail ensure that the email suffix is @nhs.net for both receiving and sending addresses.

File transfer

Personal and sensitive personal data may also be sent by file transfer from one data controller to another. There are various methods for doing this. SLMS offers a unique service, the Identifiable Data Handling Service (IDHS). This allows data files to be sent securely using state-of-the-art encryption technology. You can obtain further information on IDHS here: www.ucl.ac.uk/slms/ident-data/

Data Protection Act

Researchers should be aware that they must comply with the eight principles of the Data Protection Act 1998. The 7th principle requires appropriate information security to be in place. A contravention of the data protection principles can result in a penalty of up to £500,000.

If you lose personal or sensitive personal data you can face a fine of up to £500,000 from the Information Commissioner’s Office (ICO).

Case Study

A monetary penalty notice for £325,000 was served on Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff – including some relating to HIV and Genito Urinary Medicine patients – on hard drives sold on an internet auction site in October and November 2010.

The ICO investigated the case from December 2010 to May 2012. The Sussex Health Informatics Service was implicated for not providing sufficient controls and in April 2012 lost business worth £5 million from Sussex Partnership NHS Foundation Trust to a competitor service company 2E2.


Good Practice Guidance: on the sharing, consent, use and disclosure of personal data

Email: slms.pid@ucl.ac.uk

Web: www.ucl.ac.uk/slms/ident-data/

Good practice guidance

Personal data needs to be treated with respect and used fairly and lawfully. Personal data must be processed on a legal basis and cannot be disclosed without the knowledge of the individual.

A Fair Processing Notice (FPN) must be provided to an individual before that person’s data can be legally processed.

This FPN provides “informed consent” to the person before they disclose their personal data to an organisation.

Therefore, the person will know the following:

a) The identity of the organisation (data controller);

b) The purpose(s) for which the personal data is used (healthcare research); and

c) The disclosures, including sharing and any overseas transfer of the personal data.

The individual (data subject) must be provided with the opportunity to opt out of any element of the processing that they are not happy with. It is the data controller’s legal responsibility to respect these wishes.

It is good practice to enter into a Data Sharing Agreement if you are sharing or transferring personal data to another data controller. UCL has a variety of such agreements ready for use. Further information on such agreements can be found at: www.ucl.ac.uk/slms/ident-data/

Some definitions…

Personal data is any information that can identify an individual.

Sensitive data is personal data that can be one or more of the following: mental or physical health; sexual life; ethnicity; religious or other similar beliefs; trade union membership; political opinions; criminal offences or potential offences committed and any associated sentence.

Good practice tips

Portable media

The rise in the use and availability of portable media is due to convenience for users. However, from an information governance perspective there are several dangers. By their very nature portable media are prone to loss or theft and generally lack good security controls. If you use portable media for the processing of any personal or sensitive personal data you must consider the use of security controls such as:

• AES 256-bit encryption e.g. 7-Zip;

• Anonymisation; or

• Pseudonymisation.

You can obtain further information on the latter two here: www.ucl.ac.uk/slms/ident-data/

Telephone

Ensure that answerphone messages when played back cannot be overheard. Verify the identity of callers and only disclose information to known individuals. If using a mobile phone in a public area ensure that you are not breaching confidentiality by disclosing personal identifiable data. On a similar basis also ensure that if you are in a general office that confidentiality is not breached by telephone conversations being overheard.

Fax

Fax messages that contain personal and sensitive data must be sent using safe haven procedures. These procedures are available on the UCL Information Governance pages. It is recommended that fax machines are not used for sending such data because of the inherent security weaknesses associated with the technology. A preferable means of sending such information is the use of email with the use of AES 256-bit encryption such as 7-Zip.

Post and Couriers

Ensure that envelopes are marked “private and confidential”. Double check the full postal address of the recipient. Choose a secure method for sending personal or sensitive data. Ideally this should be recorded delivery and, if using a courier, a signed receipt should be obtained from the recipient. Ensure incoming post is handled securely and that unauthorised persons are not able to gain access to post rooms and incoming and outgoing post areas.

Don’t...

• ignore the Data Protection Act’s eight principles

• disclose personal data without confirming the identity of the recipient and that they have a justifiable need to know

• send any more personal data than the minimum necessary dataset

• where an alternative is available, send personal or sensitive personal data by fax

• access websites that may contain inappropriate or offensive material

• include personal or sensitive data in the title of your email message

• download files or open email attachments without being absolutely certain that you can trust the sender and the content

• send large attachments to multiple recipients

• send or forward junk mail, chain letters or virus warnings - these may be hoaxes or dangerous.
