DATA PROTECTION and SCRA www.scra.gov.uk

Data Protection Act 1998 (DPA)
DPA is the main legislation in the UK governing information on individuals. It places obligations on organisations that hold and use information on individuals. It gives individuals important rights, including the right to find out what information is held about them and to ask for it. It covers all types of records – electronic, paper, other media.

Why is the DPA important to SCRA?
Information on children and their families is central to SCRA’s business. SCRA also holds information on members of staff. SCRA has a statutory duty to treat both these types of information in accordance with the DPA, and this applies to everyone in SCRA. Breaches of the DPA can put the safety of a child and/or parents at risk, and can have consequences for members of staff and the organisation.

Eight data protection principles
Anyone or any organisation that holds personal information must comply with the eight principles of good information handling that make up the DPA.

Data Protection Principles
Personal data:
1. Must be fairly and lawfully processed.
2. Shall be obtained and processed only for specified and lawful purposes.
3. Shall be adequate, relevant and not excessive.
4. Must be accurate and, where necessary, up to date.
5. Shall not be kept for longer than is necessary.
6. Must be processed in line with an individual’s rights.
7. Must be secure.
8. Not transferred outside the European Economic Area (EEA) without adequate protection.

1st data protection principle
Personal data must be fairly and lawfully processed.
SCRA must:
• Have legitimate reasons for collecting and using the information.
• Not use the information in ways that could cause unwarranted harm.
• Be open about how the information will be used.
• Handle people’s personal data only in ways they would reasonably expect.
• Make sure that we do not do anything unlawful with the information.

2nd data protection principle
Personal data shall be obtained and processed only for specified and lawful purposes.
For SCRA this is: ‘We process personal information to enable us to fulfil our statutory functions which include the development of policies and procedures for safeguarding and promoting the welfare of children, to maintain our accounts and records and to support and manage our employees.’

3rd data protection principle
Personal data shall be adequate, relevant and not excessive.
This means that SCRA should only collect and hold the minimum amount of the personal information needed for our purposes.
“We have to be forthright with the public. We have to have their confidence. We have to convince them we’re working for the common good. Then we can invade their privacy.”

4th data protection principle
Personal data must be accurate and, where necessary, up to date.
SCRA must:
• Take reasonable steps to ensure the accuracy of any personal information we obtain.
• Ensure that the source of the information is clear.
• Carefully consider any challenges to the accuracy of information.
• Consider whether it is necessary to update the information.
“The databank is slightly mistaken. I’m not an alcoholic. I never attempted to assassinate the MD. I haven’t been married 17 times. I don’t owe £86,000 gambling debts.”

5th data protection principle
Personal data shall not be kept for longer than is necessary.
SCRA must:
• Review the length of time it keeps personal information.
• Securely delete/destroy information that is no longer needed.
• Update, archive or securely delete/destroy information if it goes out of date.

6th data protection principle
Processed in line with individuals’ rights.
These rights include:
• Rights to access the information we hold about them.
• To object to the processing of their information.
• To have inaccurate information corrected or destroyed.
• Right to claim compensation for damages caused by a breach of the DPA.

7th data protection principle
Information security
Contraventions can have SERIOUS implications:
• Potential harm to individuals
• Damage to organisation’s reputation
• Financial

Secure
Keeping information secure
Paper records:
• Kept in locked cabinet, desk, etc.
• Not left unattended.
• If taken off-site (inc. home) – must be kept as securely as possible and not left unattended.
• Must be shredded when no longer needed.

Secure
Keeping information secure
Electronic records:
• Must be held on password protected systems.
• Must be deleted when no longer required.
• Must be held in encrypted laptops or encrypted memory sticks if taken off site.
• Must never be transmitted to/via home email or held on home PCs, etc.
• Can only be emailed to organisations that have secure email (e.g. gcsx, gsi, pnn, nhs.net, cjsm).

What is personal data?
DPA covers two types of information:
1. Personal data – relates to the identity of a living person or could be used to find out their identity. Includes any expressions of opinion about the individual.

Personal data
2. Sensitive personal data – relates to the identity of a living person or can be used to establish their identity AND includes one or more of their:
– Racial or ethnic origin
– Political opinions
– Religious beliefs
– Trade Union Membership
– Physical or mental health
– Sexual life
– Offending or alleged offending.

Personal data
Sensitive personal data – additional conditions
• That it is in the vital interests of the individual
• Necessary for legal proceedings
• Necessary for administering justice or other statutory functions
• It is in the public interest. This is balanced by strict conditions.

Children’s personal data
• Children are data subjects in their own right – from birth
• Children aged 12 and over – considered mature enough to understand their rights.
• Parents do not have an automatic entitlement to information on their child – must be acting on the child’s behalf.
• ICO guidance: any court orders, duty of confidence to child, consequences of providing parents with child’s information (e.g. abusive parents), child’s views on whether parents can have access to their information, etc.

Who is responsible in SCRA?
Data Controller = SCRA
• Determines how and why personal data is used.
• Responsible for ensuring compliance with the DPA.
Director of Support Services – Maggie McManus – has lead responsibility in SCRA.

Who is responsible in SCRA?
ALL OF US

Information Commissioner
Wide ranging powers:
• Publicising breaches
• Enforcement Notices
• Fines
• Audits
www.ico.org.uk

SCRA policies - DPA
1. Case Information Policy
2. Case Information Breaches Reporting
3. Non Disclosure – Practice Direction 04
4. Information Sharing Guidance
5. Records Management Policy – inc. Employment Records Management Policy and Procedures
6. Information Security Handbook
All available on Data Protection page on Connect

SCRA compliance
SCRA information breaches
Most common:
• Incorrect addresses
• Hearings papers for different children being sent together
Others:
• Incorrect email addresses
• Office moves – documents left in filing cabinets.

SCRA compliance
Case information breaches - examples
1. Mother’s new address noted in social work report but not picked up by SCRA and CMS not updated. Member of public phoned SCRA to say that they had received papers that were not for them. Mother did not get any papers for her child’s Hearing.
• How could this have been prevented?
• What remedial action was needed?
• Was there a breach of the DPA?

SCRA compliance
Case information breaches - examples
2. During copying of papers for forthcoming Hearings, a set of grounds was copied into another child’s papers and sent. Mother who received papers reported to SCRA that she had received grounds for another child. Both children’s mothers distressed by this breach.
• How could this have been prevented?
• What remedial action was needed?
• Was there a breach of the DPA?

SCRA compliance
Case information breaches – examples
3. Old filing cabinets are being removed from an SCRA office. Removals company contracted to remove and dispose of old filing cabinets. Contractor contacts SCRA to say that filing cabinets he removed contain papers with names on them.
• How could this have been prevented?
• What remedial action was needed?
• Was there a breach of the DPA?