DATA PROTECTION and SCRA www.scra.gov.uk Data Protection Act 1998 - - PowerPoint PPT Presentation

www.scra.gov.uk

DATA PROTECTION

and

SCRA

www.scra.gov.uk Data Protection Act 1998 (DPA)

 DPA is the main legislation in the UK governing information on individuals.  It places obligations on organisations that hold and use information on individuals.  It gives individuals important rights, including the right to find out what information is held about them and to ask for it.  It covers all types of records – electronic, paper, other media.

www.scra.gov.uk Why is the DPA important to SCRA?

 Information on children and their families is central to SCRA’s business.  SCRA also holds information on members

• f staff.

 SCRA has a statutory duty to treat both these types of information in accordance with the DPA, and this applies to everyone in SCRA.  Breaches of the DPA can put the safety of child and/or parents at risk, and can have consequences for members of staff and the

• rganisation.

www.scra.gov.uk Anyone or any organisation that holds personal information must comply with the eight principles of good information handling that make up the DPA.

Eight data protection principles

www.scra.gov.uk

Data Protection Principles

Personal data: 1. Must be fairly and lawfully processed. 2. Shall be obtained and processed only for specified and lawful purposes 3. Shall be adequate, relevant and not excessive. 4. Must be accurate and, where necessary, up to date. 5. Shall not be kept for longer than is necessary. 6. Must be processed in line with an individual’s rights. 7. Must be secure. 8. Not transferred outside the European Economic Area (EEA) without adequate protection. .

www.scra.gov.uk

1st data protection principle

SCRA must: Have legitimate reasons for collecting and using the information. Not use the information in ways that could cause unwarranted harm. Be open about how the information will be used. Handle people’s personal data

• nly in ways they would

reasonably expect. Make sure that we do not do anything unlawful with the information.

Personal data must be fairly and lawfully processed.

www.scra.gov.uk

2nd data protection principle

For SCRA this is: ‘We process personal information to enable us to fulfil our statutory functions which include the development of policies and procedures for safeguarding and promoting the welfare

• f children, to maintain our accounts and

records and to support and manage our employees.’ Personal data shall be obtained and processed only for specified and lawful purposes.

www.scra.gov.uk

This means that SCRA should only collect and hold the minimum amount of the personal information needed for our purposes. Personal data shall be adequate, relevant and not excessive.

3rd data protection principle

We have to be forthright with the public. We have to have their confidence. We have to convince them we’re working for the common good. Then we can invade their privacy.

www.scra.gov.uk

SCRA must:  Take reasonable steps to ensure the accuracy of any personal information we

• btain.

 Ensure that the source of the information is clear.  Carefully consider any challenges to the accuracy of information.  Consider whether it is necessary to update the information. Personal data must be accurate and, where necessary, up to date.

4th data protection principle

The databank is slightly mistaken. I’m not an alcoholic. I never attempted to assassinate the MD. I haven’t been married 17 times. I don’t owe £86,000 gambling debts..

www.scra.gov.uk

5th data protection principle

SCRA must:  Review the length of time it keeps personal information.  Securely delete/destroy information that is no longer needed.  Update, archive or securely delete/destroy information if it goes out of date. Personal data shall not be kept for longer than is necessary.

www.scra.gov.uk

6th data protection principle

These rights include:  Rights to access the information we hold about them.  To object to the processing of their information.  To have inaccurate information corrected or destroyed.  Right to claim compensation for damages caused by a breach of the DPA.

Processed in line with individuals’ rights.

www.scra.gov.uk

7th data protection principle

 Potential harm to individuals  Damage to

• rganisation’s

reputation  Financial Information security Contraventions can have SERIOUS implications:

www.scra.gov.uk

Secure

Keeping information secure

Paper records:  Kept in locked cabinet, desk, etc.  Not left unattended.  If taken off-site (inc. home) – must be kept securely as possible and not left unattended.  Must be shredded when no longer needed.

www.scra.gov.uk Keeping information secure

Electronic records:  Must be held on password protected systems.  Must be deleted when no longer required.  Must be held in encrypted laptops or encrypted memory sticks if taken off site.  Must never be transmitted to/via home email or held on home PCs, etc.  Can only be emailed to organisations that have secure email (e.g. gcsx, gsi, pnn, nhs.net, cjsm).

Secure

www.scra.gov.uk

What is personal data?

1. Personal data – relates to the identity of a living person or could be used to find out their identity. Includes any expressions of

• pinion about the individual.

DPA covers two types of information:

www.scra.gov.uk

Personal data

• 2. Sensitive personal data - relates to the identity of a

living person or can be used to establish their identity AND includes one or more on their: – Racial or ethnic origin – Political opinions – Religious beliefs – Trade Union Membership – Physical or mental health – Sexual life – Offending or alleged offending.

www.scra.gov.uk

Personal data

Sensitive personal data – additional conditions  That it is in the vital interests of the individual  Necessary for legal proceedings  Necessary for administering justice or other statutory functions  It is in the public interest. This is balanced by strict conditions.

www.scra.gov.uk

Children’s personal data

Children are data subjects in their own right – from birth Children aged 12 and over – considered mature enough to understand their rights. Parents do not have an automatic entitlement to information

• n their child – must be acting on the child’s behalf.

ICO guidance: any court orders, duty of confidence to child, consequences of providing parents with child’s information (e.g. abusive parents), child’s views on whether parents can have access to their information, etc.

www.scra.gov.uk

Who is responsible in SCRA? Data Controller = SCRA

 Determines how and why personal data is used.  Responsible for ensuring compliance with the DPA. Director of Support Services – Maggie McManus – has lead responsibility in SCRA.

www.scra.gov.uk

Who is responsible in SCRA?

ALL OF US

www.scra.gov.uk

Information Commissioner

Wide ranging powers:  Publicising breaches  Enforcement Notices  Fines  Audits www.ico.org.uk

www.scra.gov.uk

www.scra.gov.uk

SCRA policies - DPA

1. Case Information Policy 2. Case Information Breaches Reporting 3. Non Disclosure – Practice Direction 04 4. Information Sharing Guidance 5. Records Management Policy – inc. Employment Records Management Policy and Procedures 6. Information Security Handbook All available on Data Protection page on Connect

www.scra.gov.uk

SCRA compliance

SCRA information breaches Most common:  Incorrect addresses  Hearings papers for different children being sent together Others:  Incorrect email addresses  Office moves – documents left in filing cabinets.

www.scra.gov.uk

SCRA compliance

Case information breaches - examples

• 1. Mother’s new address noted in social work report but not

picked up by SCRA and CMS not updated. Member of public phoned SCRA to say that they had received papers that were not for them. Mother did not get any papers for her child’s Hearing.

• How could this have been prevented?
• What remedial action was needed?
• Was there a breach of the DPA?

www.scra.gov.uk

SCRA compliance

Case information breaches - examples

• 2. During copying of papers for forthcoming Hearings, a set of

grounds was copied into another child’s papers and sent. Mother who received papers reported to SCRA that she had received grounds for another child. Both children’s mothers distressed by this breach.

• How could this have been prevented?
• What remedial action was needed?
• Was there a breach of the DPA?

www.scra.gov.uk

SCRA compliance

Case information breaches – examples

• 3. Old filing cabinets are being removed from an SCRA office.

Removals company contracted to remove and dispose of

• ld filing cabinets. Contractor contacts SCRA to say that

filing cabinets he removed contain papers with names on them.

• How could this have been prevented?
• What remedial action was needed?
• Was there a breach of the DPA?

www.scra.gov.uk Requests for personal information

Right of access to information:

• Individuals have a right to know what information
• rganisations hold about them. Individuals can submit a

Subject Access Request to see or have a copy of this information.

• Relevant persons can make Subject Access Requests

for information on behalf of their child. But need to consider rights of child.

• Children aged 12 and more can make Subject Access
• Requests. Their consent should be sought if another

person (inc. relevant persons) requests information about them.

www.scra.gov.uk Requests for personal information

Subject Access Requests

• Must be in writing (letter, email).
• Can be sent to anyone in SCRA.
• Made by an individual or by someone acting for them

(solicitor, MSP).

• We must be sure of the identity of the individual (and

we can ask for ID)

• We have 40 calendar days to respond.
• The are exemptions in the DPA to release of

information to individuals even if it is about them.

• Individuals can appeal to the ICO if they are unhappy

with how we have dealt with their request.

www.scra.gov.uk

Requests for personal data

If in doubt:  Ask for advice  Don’t release

www.scra.gov.uk

Exercise 1

You receive a referral for a child who is not familiar to you. On checking CMS to enter the referral you find another child with a very similar name. How do you make sure that these children are different?

www.scra.gov.uk

Exercise 2

A late report is received for a Hearing. It is a Non Disclosure case. To be in time for the Hearing, the report needs to be sent that day. The Locality is short-staffed as a number of support staff are on leave or involved in training. How do you deal with this?

www.scra.gov.uk

Exercise 3

A solicitor representing a father writes to SCRA to request the referral from social work of their client’s

• child. The solicitor provides a mandate signed by

his client. The referral concerns the neglect of the child by her parents. Do you provide the information requested to the solicitor?

www.scra.gov.uk

QUIZ True or false?

• 1. A parent has the automatic right to see the

information SCRA holds on their child.

• 2. Information on members of staff is not sensitive

personal data.

• 3. SCRA should inform individuals about how we will

use information about them.

www.scra.gov.uk

True or false?

• 4. It’s OK for me to give out my SCOTS password to a

colleague who has been locked out of their SCOTS account.

• 5. When a child’s Supervision Order is terminated their case

file should be destroyed.

• 6. I can talk about cases with my friends outside work so long

as I do not mention the children’s names

QUIZ

www.scra.gov.uk

True or false?

• 7. If someone phones and asks for information about

themselves we should provide it.

• 8. It is the responsibility of support staff in SCRA to make

sure that CMS records are accurate and up to date.

QUIZ

www.scra.gov.uk

True or false?

• 9. You are concerned about allegations in your community

that your neighbour is abusive to children. In the interests of safeguarding your own child, it is acceptable for you to access the CMS records on your neighbour’s children to find out more.

• 10. SCRA should not inform the family when a breach of their

child’s case information occurs as it could upset them.

QUIZ