Review Date: September 2017

Next Review Date: September 2018

 

DATA PROTECTION POLICY 

Issued by the Managing Director – 15 February 2011

1. Purpose and objectives

This policy forms part of Free to Learn’s (Free2Learn) commitment to the safeguarding of personal data processed by its staff and students. (Processing has a very broad definition, and includes activities such as creating, storing, consulting, amending, disclosing and destroying data.) Its objectives are:

To help staff and students recognise personal data

To help them understand their rights and obligations with respect to personal data.

2. Introduction

Free2Learn processes the personal data of living individuals such as its staff, students, contractors and customers. This processing is regulated by the Data Protection Act 1998 (DPA). The UK’s regulator for the DPA is the Information Commissioner’s Office.

It is the duty of data controllers such as Free2Learn to comply with the data protection principles (see the Annex to this Policy) with respect to personal data. This policy describes how Free2Learn will discharge its duties in order to ensure continuing compliance with the DPA in general and the data protection principles and rights of data subjects in particular. The principles are listed in the Annex to this Policy.

3. Scope

This policy is a supporting policy of the Free2Learn Information Security Policy. Its scope is as defined in section 1.4 of that Policy:

“The policy applies to all staff and students of Free2Learn (FTL) and all other computer, network or information users authorized by Free2Learn or any department thereof. It relates to their use of any Free2Learn-owned facilities (and those leased by or rented or on loan to Free2Learn), centrally managed or otherwise; to all private systems (whether owned, leased, rented or on loan) when connected to the FTL network; to all FTL-owned or licensed data and programs (wherever stored); and to all data and programs provided to FTL by sponsors or external agencies (wherever stored). The policy also relates to paper files and records created for the purposes of FTL business.”

4. Definitions

Personal Data [1]

“Personal data” means data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data [2]

Information about:

The racial or ethnic origin of data subjects

Their political opinions

Their religious beliefs or other beliefs of a similar nature

Whether they are members of a trade union

Their physical or mental health or condition

Their sexual life

The commission or alleged commission by them of any offence, and any proceedings for such offences.

 

Although the DPA does not define ‘health’, the term should be understood broadly, to include preventative medicine, medical diagnosis, DNA sequences, medical research, provision of care and treatment and the management of healthcare services.

Personal demographic data, such as personal addresses and financial data (including salaries) are not sensitive personal data, but should be treated with similar care.

Manual Personal Data

Personal data recorded as part of a relevant filing system in paper or other non-electronic format.

Processing [3]

Obtaining, recording or holding personal data. This includes organisation, adaptation or alteration; retrieval, consultation or use; disclosure; and alignment, combination, blocking, erasure or destruction.

Relevant Filing System [3]

Manual personal data structured by reference to individuals in such a way that information relating to a particular individual is readily accessible.

Data Holding

A collection of one or more data sets or files that are being processed for permitted purposes under the direction of a clearly identified member of FTL staff – the Data Owner.

Data Controller

As the organisation which determines the purposes of the processing, FTL is the Data Controller for the personal data that it manages.

Data Protection Officer

The FTL member of staff with lead responsibility for FTL’s compliance with the DPA.

Data Owner

The FTL member of staff with lead responsibility for permitting and managing the retention and processing of a data holding for which FTL is the Data Controller. Data Owners delegate responsibility for personal data elements to Data Custodians.

Data Custodian

The individual unit or person identified by the data owner to be responsible for the collection, creation, modification and deletion of specified personal data element(s)

System Custodian

A person appointed by a Head of Department or Division with responsibility and authority to implement the Information Security Policy and supporting policies in respect of a FTL-wide or departmental system, to ensure that the security measures adopted for systems under his/her control meet the requirements of these policies and to carry out the duties as set out in the associated Codes of Practice. In the case of a large system some duties may be delegated, to named persons whose particular duties are set out in writing, although the Custodian retains overall responsibility for the security of that system.

Data Subject [4]

A living individual who is the subject of personal data

Data Processor [4]

Any third party (other than FTL staff and students) who processes personal data on behalf of and on the instructions of the Data Controller.

5. Roles and responsibilities

Information Strategy Committee

The Committee is responsible for defining FTL’s information security policy and for ensuring it is discharged by all academic and administrative departments and divisions through Heads of Departments.

ICT Infrastructure Sub-Committee

ICT Infrastructure Sub-Committee advises the ISC on matters related to compliance with this policy, and is responsible for regularly reviewing it for completeness, effectiveness and usability.

Data Protection Officer

The Data Protection Officer has primary responsibility for FTL’s compliance with the DPA. This comprises:

Maintaining FTL’s notification with the Information Commissioner’s Office

Ensuring completion of the Annual Survey of Personal Data Holdings

Handling subject access requests and requests from third parties for personal data

Promoting and maintaining awareness of the DPA and regulations, including training

Investigating losses and unauthorised disclosures of personal data.

The DPO is FTL’s main contact for the Information Commissioner’s Office.

Heads of Department / Division

Heads of Department / Division are responsible for ensuring their staff understand the role of the data protection principles in their day-to-day work, through induction, training and performance monitoring, and for monitoring compliance within their own areas of responsibility. They should also ensure Data Protection Coordinators are designated for their departments or divisions, and provided with appropriate training and support.

Data Protection Coordinators

Coordinators are required to:

Advise staff and students in their departments on the implementation of and compliance with this policy and any associated guidance / codes of practice

Ensure appropriate technical and organisational measures are taken within their departments to ensure against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Support FTL’s notification with the Information Commissioner’s Office by maintaining the register of holdings of personal data, including databases and relevant filing systems, and the purposes of processing

Keep the Data Protection Officer informed of changes in the collection, use, and security of personal data within their department

Report any loss of personal data to the Head of Department / Division and the Data Protection Officer

Ensure the proper completion of applications for the data protection registration of new research projects before they are submitted to the Records Office

Confirm compliance with the PCI Data Security Standard in relation to the records of credit card payments made through the department.

Data Owner

Data Owners are responsible for:

Establishing and monitoring measures, in accordance with this policy and the information security policy, to protect any holdings of personal data for which they are responsible

Ensuring that those holdings are registered as part of the annual survey of personal data holdings

Ensuring that any transfer of personal data to third parties is authorised, lawful and uses appropriate safe transport mechanisms such as encryption.

Authorising the downloading of electronic personal data on to portable devices or the removal of manual personal data from FTL premises

Informing their departmental Data Protection Coordinator when new holdings of personal data are established or when the purposes of processing change.

Data Custodians

Data Custodians should ensure that their processing of personal data is compatible with the data protection principles, including the security and integrity of data sets.

Data Processors

Data processors have a contractual responsibility to act only on FTL’s instructions and to ensure that their processing of personal data provided by FTL is carried out in compliance with this policy and in accordance with the eight data protection principles. There should be a written agreement with data processors which adequately addresses these responsibilities.

Staff and students

All staff and students are responsible for:

Ensuring that their processing of personal data, including research data, in all formats (e.g. electronic, microfiche, paper, etc.) is compatible with the data protection principles

Raising any concerns in respect of the processing of personal data with the Data Protection Officer

Promptly passing on to the Data Protection Officer all subject access requests and requests from third parties for personal data

Reporting losses or unauthorised disclosures of personal data to the Data Protection Coordinator.

In order that FTL can continue to comply with the fourth data protection principle, staff and students should ensure the personal data they provide about themselves is up to date.

6. Security of personal data

All staff and students processing personal data should ensure that the data are secure: appropriate measures must be taken to prevent unauthorised access, disclosure and loss. Staff whose work includes responsibility for supervision of students have a duty to ensure that students observe the eight principles of the Act.

It is rarely necessary to store electronic personal data on portable devices such as laptops, USB flash drives, portable hard drives, CDs, DVDs, or any computer not owned by FTL. Similarly, manual personal data should not be regularly removed from FTL premises. In the case of electronic data, to minimise the risk of loss or disclosure, a secure remote connection to FTL should be used wherever possible.

Downloading personal data on to portable devices or taking manual personal data off-site must be authorised in writing by the Data Owner, who must explain and justify the operational need in relation to the volume and sensitivity of the data. The data must be strongly encrypted. Users should only store the data necessary for their immediate needs and should remove the data as soon as possible. To avoid loss of encrypted data, or in case of failure of the encryption software, an unencrypted copy of the data must be held in a secure environment. The Computer Security Team’s guidance on encryption should be followed: www.sherr.co.uk/helpdesk@sherr.co.uk

Manual personal data and portable electronic devices should be stored in locked units, and they should not be left on desks overnight or in view of third parties.

In order to comply with the fifth data protection principle personal data should be securely destroyed when no longer required, with consideration for the format of the data. The Computer Security Team’s guidance should be followed for electronic data:

www.sherr.co.uk/helpdesk@sherr.co.uk

Personal data must not be disclosed unlawfully to any third party. Transfers of personal data to third parties must be authorised in writing by the data owner, be protected by adequate contractual provisions or data processor agreements, agree with FTL’s notification, and use safe transport mechanisms.

All losses of personal data must be reported to the Departmental Data Protection Coordinator and the Data Protection Officer. Negligent loss or unauthorised disclosure of personal data, or failure to report such events, may be treated as a disciplinary matter and could be considered gross misconduct.

 

7. Publication of staff information

FTL will make public as much corporate information as possible. The following types of personal information will usually be published:

Names of members of the Stakeholders and the Provost’s Senior Management Team

Lists and directories of staff, including name, internal telephone number and FTL email address

Work expertise and work related achievements of staff.

Publication of funding, grants and awards

However, there are circumstances in which, for security and other reasons, agreed subsets of the above data about FTL staff will not be published. This is not within the scope of the Data Protection Act but is subject to FTL’s ex-directory policy.

8. Access to personal data

8.1 Subject access rights

Data subjects have a right of access to their personal data, including some unstructured manual personal data. Subject access requests must be made in writing or otherwise and sent to the Data Protection Officer. Data subjects must prove their identity.

Copies will be provided in permanent form promptly and in any event within 40 days. In the case of a request made in relation to examination marks or results, the timescale is extended to the earlier of:

  • five months from the day on which the request was received; or
  • 40 days from the announcement of the examination results.

Some personal data are exempt from the right of subject access, including confidential references provided by FTL and examination scripts.

FTL does not charge a fee for subject access requests.

Although the DPA applies only to living individuals, data about deceased persons who at the time of processing would be under 100 years old should be treated as personal data, unless the information is the subject of a valid request under Freedom of Information legislation.

8.2 Monitoring

It is sometimes necessary for FTL to monitor information and communications. This may include personal data. The circumstances in which monitoring may be carried out, and procedures for doing so, are described in the FTL Policy on Monitoring Computer and Network Use:

See annex 1

8.3 Third party access

In certain circumstances the DPA provides for disclosure of personal data, without the consent of the data subject, to certain organisations. Requests for such disclosures from third parties, such as the police, UK Border Agency, local authorities or sponsors, should be made in writing and handled by the Data Protection Officer. This will ensure the validity of the request and any warrants or orders of court can be checked. Staff disclosing personal data may not be protected by an invalid warrant.

9. Records Management

Records in all formats containing personal data must be created, stored and disposed of in accordance with FTL’s Records Management Policy and any associated procedures and codes of practice. They must be authentic, reliable and usable and capable of speedy and efficient retrieval. They must be retained for no longer than the periods permitted in FTL’s retention schedule and, when no longer required for operational reasons, must be transferred to FTL’s in-house records storage facility or institutional archive (if selected for permanent preservation) or disposed of securely and confidentially.

10. Research using personal data

Personal data processed for research, statistical and historical purposes must not be used to support decisions with respect to data subjects or processed so as to cause them substantial damage or distress. Notwithstanding the fifth data protection principle, such data may be kept indefinitely. They may also be further processed for other research purposes and are exempt from the right of subject access as long as the results of the research do not identify data subjects.

Staff and students using personal data in research must:

Understand how personal data may be used in research

Use the minimum data necessary for the research, including, wherever possible, anonymised or pseudonymised data

Ensure their processing complies with all the data protection principles

Inform Data Protection Coordinators about research before processing of personal data begins

Register all research projects involving personal data with the Records Office before processing begins

Where relevant, inform data subjects about the purposes of the processing and ensure valid written consent is obtained

Ensure all personal data collected are necessary for the purpose(s) of the research

Keep the data securely

Ensure personal data are destroyed confidentially, stored with the Records Office or otherwise disposed of in compliance with agreements with funders.

11. Status

This document is a part of FTL’s information security policy and has been approved by FTL’s Information Strategy Committee. It is a condition of employment that employees will abide by the regulations and policies made by FTL. Likewise, these latter are an integral part of the regulations for students.

ANNEX

THE DATA PROTECTION PRINCIPLES

It is the duty of data controllers and data processors to comply with all the data protection principles. These are set out in Schedule 1 of the Data Protection Act 1998, from which the following extract is taken:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a) At least one of the conditions in Schedule 2 is met, and

(b) In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

[1] DPA section 1

[2] DPA section 2

[3] DPA section 1

[4] DPA section 1

 

FTL POLICY ON MONITORING COMPUTER AND NETWORK USE

Endorsed by the Information Strategy Committee 1 March 2007

1 Introduction

There are circumstances where FTL may monitor or record communications made using its computer and telecommunication systems, or examine material stored on those systems. This document sets out FTL’s policy in respect of such activity.

It is important to be aware of the distinction made between:

  • intercepting information in transit – email messages being sent, for example, or watching the web pages visited – here the relevant law is found in the Regulation of Investigatory Powers Act 2000 (RIPA) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (LBPR);
  • examination of material stored on a computer – the law applicable here may vary according to variables such as who owns the computer, what material is being examined, and how the material is examined. However, the Human Rights Act 1998 and the Data Protection Act 1998 provide an over-arching framework to protect the individual’s right to privacy (1).

Under the Regulation of Investigatory Powers Act 2000, unlawful interception of communications on the UCL computer network may lead to criminal proceedings against an individual operating without the institution’s authority; unlawful interception may also lead to civil action against the institution where the institution authorized the interception. The RIPA and LBPR do, however, allow for legitimate interceptions of communications by organisations on their private computer and telecommunications networks – in other words, they provide ‘lawful authority’.

2 Scope

The part of this policy covering the interception of information applies to any communication on or through Free2Learn’s computer systems – the latter term being taken to include all components of the network as well as the computers (whether or not they are owned by FTL) attached to it.

Policy concerned with the examination of stored material applies to any computer facility provided by FTL.

3 In what circumstances can monitoring occur?

Provisions in the LBPR permit FTL to intercept and record information which can be associated with an individual’s communications via FTL services (whether made for purposes associated with FTL’s business or activities or otherwise). This may only be done where FTL has made reasonable efforts to inform potential users that such interceptions may be made, and in order to achieve the following aims:

To prevent or detect crime;

To investigate or detect unauthorized use, including the use of systems outside FTL;

To ensure the effective and authorized operation of systems;

To establish the existence of facts necessary to ascertain compliance with regulatory or self-regulatory procedures, or to ascertain or demonstrate standards

For other lawful purposes as set out in the relevant legislation.

Stored material (including electronic mail) may also be examined for these purposes. In addition, FTL may access stored material in the event of an urgent need (see section 7).

FTL may also monitor but not record received communications to determine whether they are business or personal communications.

Authorized use of FTL facilities is defined in section 2 of the FTL Computing Regulations (see references below). It should be noted that although reasonable personal use of facilities is permitted, excessive use that disrupts or distracts an individual from the efficient conduct of FTL business, or involves accessing or sending unlawful or offensive material (for example, obscene, discriminatory or abusive material), is prohibited; and, consequently, monitoring may take place to detect or investigate such behaviour.

Note that the law distinguishes between monitoring for operational and policy reasons; both classes of activity must be authorised. Note that the authorisation mechanisms are different for the two cases.

3.1 Monitoring for operational reasons

Most providers of IT services within FTL routinely monitor their systems to ensure that they are performing properly. This reflects standard good practice, and normally involves only aggregate anonymous data that does not identify individuals or the contents of their communications. Information Systems, for example, records the number of email messages passing through its servers each day, and the time it takes to deliver messages, to help with capacity planning. This type of monitoring does not fall within the RIPA, as it does not involve interception, and by virtue of not identifying individuals, it does not trigger laws relating to personal privacy.

However, a general exemption in the RIPA permits FTL to intercept certain communications where the interception is by an authorised person for purposes connected with the provision or operation of a service, for example:

  • Email postmasters may examine mis-addressed messages in order to redirect them as necessary, or check email subject lines for malicious code;
  • System operators may monitor system traffic to determine its source, where this is necessary to ensure the effective performance of their mail servers, for example to eliminate unsolicited commercial email (UCE or ‘spam’).
  • System and network managers may investigate which system and/or individual is the source of a denial of service attack.

The RIPA LBPR requires that persons carrying out routine monitoring under this exemption must be properly authorized either through their job description or by written authorisation from their Head of Department or Division Head (see section 4 below).

Persons carrying out monitoring for operational reasons must be alert to the focus of their investigation changing. If, at any stage, monitoring or access to stored material is required to investigate matters of policy (or legal) compliance the appropriate authorisation must be obtained as described in sections 3.2 & 4.2.

3.2 Monitoring for policy (and legal) compliance

All other activities falling under the exemptions within the LBPR will constitute monitoring for policy or (legal) compliance. Each individual act of monitoring for this purpose must be specifically authorized and documented as described in sections 4 and 5.2, respectively.

4 Who can authorize monitoring of computer or network use?

The law distinguishes between monitoring for operational and policy reasons. However, both classes of activity must be authorised. Note that authorisation mechanisms are different in the two cases.

4.1 Routine monitoring for operational reasons may be authorized through staff job descriptions or by written authorisation from one of the following (or their deputies) as appropriate:

The Head of the Computer Security Team (in pursuance of security issues)

The Head of Department/Division or Dean of Faculty (in relation to systems under his/her authority).

4.2 Monitoring or access to stored material to investigate policy (or legal) compliance may only be carried out with written authorisation from one of the following (or their deputies) as appropriate:

The Director of Human Resources (in pursuance of staff disciplinary matters)

The Registrar (in pursuance of student disciplinary matters)

The Head of Department/Division or Managing Director (in relation to systems under his/her authority).

In addition, written authorisation must be obtained from the Head of the FTL Computer Security Team and the FTL Data Protection Officer. Note that authorisation covers an individual act of monitoring and only for the purposes and scope indicated on the authorisation form.

4.3 The Information Strategy Committee will oversee monitoring. All results of monitoring user communications or stored data must be reported to the Head of the FTL Computer Security Team as soon as the monitoring is completed.

4.4 Attempts by any member of staff to implement monitoring without proper authorisation will be in breach of this policy and may be the subject of disciplinary proceedings. Unauthorized monitoring may also attract civil or criminal liability.

FTL recognises that, due to the nature of computer systems, data held on its computer systems, passing across its networks, or printed out on FTL equipment, may at times be visible in readable form. In such circumstances, that data may well be viewed by FTL staff. Such incidental/inadvertent viewing will not constitute a breach of this policy, even where such viewing leads to the implementation of authorized monitoring and/or disciplinary procedures against the user concerned.

5 Procedures for monitoring computer or network use

5.1 In most circumstances where communications are to be intercepted, the RIPA and LBPR require that for the interception to be lawful, users of the service must have been informed in advance that interception may occur. Failure to adequately inform the users of the possibility of interception may result in their having a legitimate expectation of privacy in their communications on the service, and make the interception unlawful. This might render the material intercepted useless for the purpose of disciplinary or legal proceedings, and could render FTL liable to a civil lawsuit.

The following message should be displayed wherever FTL systems are used (e.g. labels on screens):

Communications, including personal communications, made on or through Free2Learn’s computing and telecommunications systems may be monitored or recorded to secure effective system operation and for other lawful purposes.

The following should be used as part of the login banner of all FTL systems (capable of supporting a customizable banner) so that it is displayed to and acknowledged by users:

Use of this system is limited to authorised individuals only. You are committing a criminal offence under the Computer Misuse Act 1990 sect. 1 if you attempt to gain unauthorized access either to this system or any others at this site.

Communications, including personal communications, made on or through Free2Learn’s computing and telecommunications systems may be monitored or recorded to secure effective system operation and for other lawful purposes.

By using this system, you accept that monitoring may take place.

Similarly, it is important to remind users of the limits on their privacy in connection with stored material. The above URL includes a reference to this policy, but in addition explicit mention of the policy should be made in documentation given to staff or students when they are granted access to any IT facilities, or during their induction.

5.2 The application form for authorizing specific monitoring for policy (and legal) compliance (section 4.2) should document:

  • the reason for monitoring, including any internal disciplinary offence or suspected or alleged civil or criminal act which may have been committed and an indication of why this is felt to be a proportionate approach;
  • the scope of the monitoring;
  • the intended duration;
  • the names or job titles of those who will be carrying out the monitoring.

A witness must always be present and steps taken to protect the privacy of the person or persons being monitored.

5.3 If there is any likelihood that an internal disciplinary offence or suspected or alleged civil or criminal act may have been committed which may result in disciplinary or legal action resulting from an investigation, specialist advice on the preservation of evidence should be sought before proceeding. FTL’s Computer Security Team (Tel 020 8387 1385) should be contacted in the first instance, and will act as liaison with law enforcement agencies as necessary.

6 Examples of monitoring

The following scenarios are intended to illustrate some of the foregoing discussions. The first two examples are based closely on material taken from the JISC senior management briefing paper (see below).

6.1 Ms C, a staff member of FTL, illicitly uses the FTL computer network to record the web sites visited by Mr D, a student at FTL. Ms C does not have the express or implied consent of FTL to do this. This interception is intentional and without lawful authority. It is a criminal offence.

6.2 Mr C, a staff member of FTL, acting on a memo from an officer of the College, uses the FTL computer network to intercept emails sent by Mr D, a member of FTL. Mr C has the express or implied consent of the person with a right to control the relevant private telecommunications network (the relevant officer of FTL). This is not a criminal offence. However, the officer of FTL must have a lawful purpose for requiring the intercept, such as suspicion of unauthorized use. If the intercept is made without a lawful purpose, both the officer of the College and FTL may face civil liability.

6.3 A complaint is received that an FTL email address is being misused to send unsolicited commercial email. This is a violation of the FTL Computing Regulations. It is decided to investigate by monitoring messages sent from this email address. Having previously informed users of the relevant email system that monitoring/recording may take place (section 5), the relevant person (as set out in section 4 above) should issue written instructions authorizing the monitoring.

6.4 A member of staff is suspected of spending large amounts of time downloading inappropriate material on their computer, to the point where there is an adverse impact on their ability to perform their duties. As an investigation is likely to lead to disciplinary action, the Director of Human Resources should provide instruction on how the matter is to be pursued, and specialist advice may be required on how to preserve evidence. The success of any action may depend on whether it can be shown that the individual concerned had been properly made aware of what constitutes ‘acceptable use’.

6.5 Mr E, who administers a computer system used by a number of departments, discovers that the system disk is almost full. To ensure effective system operation, Mr E checks users’ quotas, and finds that one member of staff has filled up the disk with what appear to be MP3 music files. The presence of these files is likely to represent a violation of the FTL Computing Regulations. However, before investigating further, Mr E should seek authorisation from the appropriate person (c.f. sections 5.1 and 5.2 above).

7 Access to stored documents (including email) for business purposes

There are occasions when FTL needs to access information held by a member of FTL within electronic mail, elsewhere on his/her computer, or in other filestore or backup media. This will usually occur when an employee is absent, either ill or on leave, and a situation arises which requires a rapid response. Members of FTL must be made aware that FTL reserves the right to obtain access to files held on/in equipment owned by FTL, and that the privacy of personal material stored on/in such equipment in the event of authorized access cannot be guaranteed.

Persons facilitating such access (e.g. IT support staff) must on each occasion obtain written authorisation from a person listed in section 4.2. The authorisation must identify the material to be accessed, its location and why a delay in access would be detrimental to FTL’s interests. If the location of the material is not precisely known the application must describe the proposed search methodology. The request must be authorized by the FTL Data Protection Officer. A log of operations carried out and material accessed must be maintained and signed by the person facilitating access and a witness. A copy of this log and the completed authorisation form must be given to the owner of the material accessed. Advice on appropriate methods for carrying out this work is available from FTL Computer Security Team.

It is intended that these arrangements are for exceptional circumstances only: applications will only be considered if they demonstrate that delay will cause disproportionate damage to FTL’s interests. Normal business processes should avoid their necessity through use of role email addresses or lists, appropriate file access control, etc.

Persons facilitating access must take all reasonable measures to respect privacy. However, difficulties may arise when searching for material, as there is no guaranteed method of distinguishing between business and personal items. Users are advised to minimize the risk of inadvertent viewing of private material by placing appropriate messages or files in folders (or directories) whose name includes “Personal”. (Mail filters can be set up to move messages automatically into folders according to sender or destination address, etc.)

8 Exceptional Modification of User Files

In exceptional circumstances, system custodians may need to make changes to user filestore. Examples include disabling programs which may adversely affect system or network performance, disabling software which is being used contrary to licensing arrangements or removing from public view confidential files or offensive material.

The permission of the file owner should be obtained unless the situation is of such urgency as to make this impracticable. Each filestore change and the associated justification must be logged. The file owner must be informed of the change and the justification as soon as possible.

The custodian may not, without specific authorisation from the appropriate authority, modify the contents of any file in such a way as to damage or destroy information. If necessary, files should be moved to a secure off-line archive.

9 Status of this document

This document is a part of FTL’s information security policy and has been endorsed by FTL’s Information Strategy Committee.

10 References

A very clear document containing examples of how the legislation applies in practice has been produced by the Joint Information Systems Committee, which promotes the use of information systems and information technology in Higher and Further education across the UK. It can be downloaded from:

http://www.jisclegal.ac.uk/LegalAreas/InterceptionandMonitoring/InterceptionandMonitoringLawEssentials.aspx

Relevant legislation includes:

  1. The Regulation of Investigatory Powers Act 2000

http://www.hmso.gov.uk/acts/acts2000/20000023.htm

  2. The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

http://www.hmso.gov.uk/si/si2000/20002699.htm

  3. The Human Rights Act 1998

http://www.hmso.gov.uk/acts/acts1998/19980042.htm

  4. The Data Protection Act 1998

http://www.hmso.gov.uk/acts/acts1998/19980029.htm

  5. The Employment Practices Data Protection Code Part 3 Monitoring at work

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/coi_html/english/employment_practices_code/part_3-monitoring_at_work_1.html

(1) A list of the relevant legislation is provided at the end of this document.