Happy Data Protection Day!
What is Data Protection Day?
28 January 2023 is the 17th Data Protection Day (outside Europe it’s called Data Privacy Day). It’s a day to raise awareness about the importance of individuals’ rights to data protection and protection of their privacy. Of course, ensuring that we’re managing people’s data in compliance with UK Data Protection legislation (the UK GDPR and the Data Protection Act 2018) is an everyday task, not a once-a-year one.
To celebrate Data Protection Day, this year the Information Governance team is raising continued awareness about three particular areas: Personal Data Breaches, DPIAs and Data sharing/processing agreements.
- Personal Data Breaches
A personal data breach is the unlawful or accidental loss, alteration, destruction or unauthorised disclosure of personal data.
For example, sending an email or letter containing personal data to the wrong recipient; loss of a USB pen drive on which data is stored; folders/diaries left in a café or on top of a car roof; discussing personal information in a public place; inputting personal data into unsecured websites etc.
It’s imperative that all Data Breaches are reported as soon as they are known or suspected.
All suspected or known data breaches must be reported to databreach@moray.gov.uk promptly, as the Council’s Data Protection Officer has only 72 hours to investigate severe breaches and report them to the Information Commissioner’s Office (ICO). The 72 hours commences as soon as anyone in the Council becomes aware of, or suspects, a breach.
How do I report a Data Breach?
Report the breach to your Line Manager; they should then report the incident to the Information Governance team at databreach@moray.gov.uk as soon as possible by completing a Data Breach Reporting form.
If your Line Manager (or their cover) is unavailable, the employee should report the breach themselves, copying in their Line Manager or another relevant Manager.
The Information Governance team will assist with investigation of the breach, advise on containment and recovery, and assess the risks to establish whether the breach meets the threshold for reporting to the ICO and potentially to the data subjects too.
All potential and confirmed data breaches are recorded on the Council’s Data Breach Register and mitigations put in place to reduce the risk of a repeat or similar breach in future. In 2022 there were 119 breaches reported, two of which were reported to the ICO.
The Data Breach Reporting form and guidance on Data Security Breach Management are available under section 3 of the Data Protection interchange page:
http://interchange.moray.gov.uk/int_standard/Page_132347.html
- Data Protection Impact Assessments (DPIAs)
A DPIA is a tool designed to identify the Data Protection risks of a project or process, and record how those risks have been addressed and mitigated. DPIAs help ensure that personal information is managed correctly, and assist the Council in adopting a culture of ‘data protection by design and by default’, as well as demonstrating compliance with Data Protection Legislation.
When do I need to complete a DPIA?
The Council must consider and integrate Data Protection (DP) requirements into processing activities throughout the lifecycle of a project or process.
DPIAs are required whenever personal information is to be collected, used or shared, for example if a service user is registering for a process/course/event, a school is considering an online resource/learning platform, or a new collaboration with an external party is being considered.
Please ensure that no personal information is collected or shared on any forms, websites or suchlike until a DPIA has been completed and agreed. For projects or processes that are already established a DPIA should be undertaken as soon as feasible.
The DPIA Register
The Council is legally required to document our information processing activities, and a register is maintained of all DPIAs.
DPIAs are signed off by the Council’s Data Protection Officer (DPO), Alison Morris. However, the responsibility for ensuring that DPIAs are completed in a timely manner, that caveats and mitigations are implemented, and that DPIAs are kept up to date lies with departments.
A DPIA template is available on the Data Protection interchange page. The Council’s DPIA register of approved DPIAs is now available as well.
The register is updated when submitted DPIAs are reviewed and approved. If a resource/project/platform is not visible on the DPIA register, please contact the Information Governance Team before completing a DPIA. The team can advise whether a DPIA is required, whether one has already been submitted for review, and whether there are any other DP considerations. To get in touch please email: dataprotection@moray.gov.uk
Schools have a slightly different process to follow and should contact LearnTech@moray.gov.uk before starting a DPIA, and look at their weekly bulletin for current information on the DPIA RAG list, links to scenario documents and other supportive documentation.
- Data Sharing Agreements (DSAs), Data Processing Agreements (DPAs)
Data Sharing Agreements (DSAs), Data Processing Agreements (DPAs), Information Sharing Protocols (ISPs), Memorandums of Understanding (MoUs) and similar provide frameworks for the secure and confidential collection, control, storage and sharing of information between participating parties. They ensure everyone is aware of the purposes of the exchange of information, what happens at each stage and their various responsibilities.
These agreements are also a way for the Council to demonstrate compliance with our accountability obligations under Data Protection legislation, so a register of all DSAs, DPAs, ISPs and similar, and a library of signed agreements, are kept.
Please ensure all information sharing or processing agreements are sent to dataprotection@moray.gov.uk prior to signature. The Information Governance team will review these agreements and advise on any concerns before signature; however, the responsibility for signing and returning agreements ultimately falls with departments.
Further information
These are just a few of our Data Protection obligations; there are also requirements for the Council’s Information Asset Register (IAR) and Record of Processing Activities (RoPA) to be kept up to date, as well as Privacy Notices to be available whenever personal information is collected and Data Subject Rights to be met. Please keep an eye on the Interchange notice board throughout the year for reminders about these too.
For Data Protection queries, please email: dataprotection@moray.gov.uk
Data Protection training modules are available on CLIVE (a.k.a. LearnPro):
http://interchange.moray.gov.uk/int_standard/Page_107125.html
A suite of Data Protection guidance is also available on the Interchange here:
http://interchange.moray.gov.uk/int_standard/Page_132347.html