Data Protection – An Introduction
3 May | Category: Blog
Loss of personal information and sensitive data can lead to regulatory fines and significant risk to an organisation’s reputation. By implementing good practices and conforming to the associated requirements, training organisations can remain compliant. Training organisations hold a large amount of data; many people need to access it as part of their job; and it is spread across many forms, reports, systems and databases. Veri ensures this data is encrypted and accessible only by those who need to use the information. Furthermore, it informs both tutors and learners about their rights and responsibilities around their own data and the data they work with. The following explains what Veri does in terms of the Data Protection Commissioner’s 8 rules to maintain compliance.
8 RULES OF DATA PROTECTION
Rule 1: Fair obtaining
The automated communication to the learner with User ID and password includes:
- Making the client aware of the uses for that information
- Making the client aware of disclosures of their data to QQI or other bodies, or to third parties
- Asking for the client’s consent for any secondary uses of their personal data which might not be obvious to them
Rule 2: Purpose specification
No more spreadsheets shared via drop boxes or email attachments.
- We are clear about the purpose (or purposes) for which we keep personal information.
- If we are required to register with the Data Protection Commissioner, does our register entry include a proper, comprehensive statement of our purpose? Remember, if you are using personal data for a purpose not listed on your register entry, you may be committing an offence.
- Veri is responsible for maintaining a list of all data sets and the purpose associated with each.
Rule 3: Use and disclosure of information
The automated communication to the tutor with User ID and password includes the rules.
- Are there defined rules about the use and disclosure of information?
- Are all staff aware of these rules?
- Are the individuals aware of the uses and disclosures of their personal data? Would they be surprised if they learned about them? Consider whether the consent of the individuals should be obtained for these uses and disclosures.
- If we are required to register with the Data Protection Commissioner, does our register entry include a full list of persons to whom we may need to disclose personal data? Remember, if you disclose personal data to someone not listed on your register entry, you may be committing an offence.
Rule 4: Security
Cloud-based and hosted by Amazon, one of the world’s biggest hosting companies, with guaranteed 99.99% uptime; a fully secure SSL certificate is in place and all user passwords are fully encrypted with the latest security.
- Is there a list of security provisions in place for each data set?
- Veri is responsible for the development and review of these provisions.
- Are these provisions appropriate to the sensitivity of the personal data we keep?
- Are our computers and our databases password-protected, and encrypted if appropriate?
- Are our computers, servers, and files securely locked away from unauthorised people?
Rule 5: Adequate, relevant and not excessive
- Do we collect all the information we need to serve our purpose effectively, and to deal with individuals in a fair and comprehensive manner?
- Have we checked to make sure that all the information we collect is relevant, and not excessive, for our specified purpose?
- If an individual asked us to justify every piece of information we hold about him or her, could we do so?
- Does a policy exist in this regard?
Rule 6: Accurate and up-to-date
Real-time data that can be archived and deleted.
- Do we check our data for accuracy?
- Do we know how much of our personal data is time-sensitive, i.e. likely to become inaccurate over time unless it is updated?
- Do we take steps to ensure our databases are kept up-to-date?
Rule 7: Retention time
Information is purged from Veri when the course is completed.
- Do we regularly purge our databases of data which we no longer need, such as data relating to former customers or staff members?
- Do we have a policy on deleting personal data as soon as the purpose for which we obtained the data has been completed?
Rule 8: The Right of Access
Veri Admin handles all of this.
- Is a named individual responsible for handling access requests?
- Are there clear procedures in place for dealing with such requests?
- Do these procedures guarantee compliance with the Act’s requirements?