
Developing Management Information Models for gathering CLD inputs and outputs: Suggestions and examples of good practice

Appendices

A1 - Logistics of Data Collection, Storage and Collation

Please note:

This appendix provides some information to support the collection, storage and collation of management information. Some of this information relates to current legislation regarding data protection. This information was correct at the time of developing this report. Legislation and associated requirements may change and those responsible for systems should ensure they remain up-to-date with any changes to ensure compliance with the law.

This appendix provides suggestions for how to collect, store and collate information. It also provides useful information relating to data protection. It is not intended to replace individual organisation policies or practice relating to data collection and storage which may be more sophisticated. It also does not cover all aspects related to general administration or good IT practice, e.g. arrangements for backing up data.

Each organisation will have different facilities for collecting and recording user information. IT facilities will differ, and some areas will only have provision for paper filing. Systems will therefore need to be in place for storing this data and bringing all of it together in order to extract management information.

Paper filing

It is likely that the information will initially be in the format of a paper form to be completed by participants. The data will be stored in this format onsite.

It is important to ensure the information is securely stored (i.e. in a locked filing cabinet that can only be accessed by staff) and filed in an ordered manner so data can be retrieved.

Where no IT facilities are available onsite, this data will remain in hard copy until it is collected to be input centrally.

Database/Spreadsheet on a PC/network/laptop

If there are IT facilities onsite it may be worth transferring the data onto a database or spreadsheet. It is worth ensuring that any data that is stored can easily be transferred into the central database for analysis. Any data stored digitally must be password protected and only accessible by relevant members of staff.

Where the information held on a laptop or other portable device could be used to cause an individual damage or distress, in particular where it contains financial or medical information, it should be encrypted.

The level of protection provided by the encryption should be reviewed and updated periodically to ensure that it is sufficient if the device was lost or stolen. You may need to seek specialist technical advice on this.

In addition to technical security, organisations must have policies on the appropriate use and security of portable devices and ensure staff members are properly trained in these.

Online database/website

If there is a situation where all people have access to the internet or a central network it would be easiest to devise a way of everyone feeding into the same database. In this case, where remote access is involved, security of the system would be paramount.

How will this information be collated

Paper copies are sent to a central location to be entered into a secure database. If data has already been collated into a compatible database or spreadsheet document, it must be transferred via a secure email network, preferably in a password-protected or encrypted document.

Again the central database must be secure and password protected and only accessible by relevant members of staff.

Managing Data

First and foremost it is important to identify all relevant statutory, regulatory and contractual obligations for your organisation.

Some areas that might be relevant include:

  1. Data Protection
  2. Intellectual Property Rights
  3. Software licensing
  4. Regulation of cryptographic controls
  5. Safeguarding organisational records

You may find the following websites useful in looking into these in greater detail:

The Freedom of Information Act gives people the right to access any other recorded information that you hold that does not relate to other individuals. Although the Freedom of Information Act applies primarily to Public Organisations, it also applies to organisations wholly funded by Public Organisations. Organisations that are partly funded may also be accountable under the Freedom of Information Act, but this is a grey area and depends on the organisation and nature of enquiry. For further clarification you can contact the Scottish Information Commissioner on 01334 464610 or by email at enquiries@itspublicknowledge.info.

The Data Protection Act will usually apply to your organisation unless you are an individual holding personal information for your own domestic use, e.g. an address book.

If you are required to comply with the Act, you have a number of legal responsibilities:

  • to notify the Information Commissioner you are processing information, unless you are an organisation who has personal information only for:
    • staff administration (including payroll);
    • advertising, marketing and public relations for your own business; or
    • accounts and records (some not-for-profit organisations)
  • to process the personal information in accordance with the eight principles of the Act; and
  • to answer subject access requests received from individuals.

A subject access request is a request from an individual, using their right under the Data Protection Act. You must decide, taking any exemptions into consideration, what information needs to be given. You have 40 calendar days to respond to the request and you may request a fee of up to £10.

A breach of any of these requirements is a breach of the Data Protection Act and could lead to legal action.

The Freedom of Information (Scotland) Act includes procedures to destroy information when it is no longer required for business purposes - it may be worth considering how long you will need to store information on individuals i.e. up until 1 year after they have stopped using your services. The specification for gathering information about individuals who use CLD provides a field for 'individual attendance'. This will assist you to identify when a year has passed.

The Data Protection Act

The eight principles of the Data Protection Act:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions in Schedule 2 is met (http://www.opsi.gov.uk/acts/acts1998/80029--n.htm#sch2) and, in the case of sensitive personal data, at least one of the conditions set out in the following: http://www.opsi.gov.uk/acts/acts1998/80029--o.htm#sch3
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The legislation is available here:

http://www.opsi.gov.uk/acts/acts1998/80029--m.htm#sch1ptII

Fair Processing Notice

To use personal data lawfully you must comply with all UK laws, and meet one condition from the list of conditions set out in the Data Protection Act. The Act also identifies a category of information called 'sensitive personal data'. To process this lawfully not only must you comply with all UK laws and meet one condition from a list, but you must also meet a further condition from a second list. The conditions are listed at http://www.hmso.gov.uk/acts/acts1998/80029--n.htm#sch2 and http://www.hmso.gov.uk/acts/acts1998/80029--o.htm#sch3.

Example Fair Processing Notice:

This information will be held and processed for the following purpose(s): (list purposes)

No identifiable personal data will be published. The identifiable data will not be shared with any other organisation/(or) shared with (list organisations) and have made a written agreement with the (organisation name) to abide by the Data Protection Principles.

By submitting this form you consent to processing of personal data (and where appropriate sensitive personal data) about you. You have the right to obtain a copy of your information (on payment of a statutory fee) and to have any inaccuracies corrected.

I agree to (organisation name) recording and processing this information about me. I understand that this information will be used only for the purpose(s) set out in this statement and my consent is conditional on (organisation name) complying with its duties and obligations under the Data Protection Act 1998.

Signed

Date

All employees (and where relevant, third parties), should receive appropriate training. This should include security requirements, legal responsibilities, business controls as well as training in the correct use of IT facilities and applications, e.g. log-on procedures, e-mail use etc.

Additional Considerations for IT Systems

Business requirements for Access Control/User Access Management

While it is necessary for a data storage system to adequately manage data, it is also important to focus on the medium to long term requirements on the systems. For example, if there is an inability to delete data this could affect the reliability of data retrieved and could jeopardise compliance with the Data Protection Act. It is better to consider records management functions before the system is in place than to undergo the time-consuming and possibly expensive process of implementing them at a later date.

It is important that access rights for system users (staff who will be accessing and entering data) are based on a defined policy. This should consider factors such as the security requirements of individual applications, the need to know principle, classification of information and relevant legislation. It is important that any access control policies are managed properly.

Ongoing management considerations:

  1. Registration and de-registration of users (i.e. if a staff member leaves they should be removed from the user list)
  2. Allocation of passwords should be controlled
  3. Users should be required to maintain their own passwords
  4. Users' access rights should be regularly reviewed

User Responsibilities

If passwords are not securely maintained or they are chosen on the basis of personal names or well known phrases, their overall effectiveness is dramatically reduced. With this in mind it is recommended:

  1. Passwords should be of a minimum length.
  2. Passwords should be changed on a regular basis.
  3. Passwords should not be shared.
  4. Passwords should be changed if it is thought that they may have been compromised.
  5. Paper records of passwords should not be kept.
  6. Passwords should be kept confidential.

Business Continuity Management

These plans should take account of the consequences of disasters, security failures and loss of service. Contingency plans should be developed and implemented to ensure that processes can be restored within required timescales.

Quality of your data: Validation of Data?

Data validation is the process of ensuring that the data entered is in the correct format and should help minimise data entry errors. For example, if names are to be entered in a database, the program will only allow letters to be entered into that section and not numbers; or in a survey collecting data in the form of "yes" or "no" questions, the program would ensure that only those responses are used and not some other word.

Validation checks should be incorporated into systems to detect deliberate corruption or human error in data entry. Data output from an application system should also be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.

Quality of your data: How often will it be updated?

It is wise to put systems in place to allow regular updates to files. You will have to consider how often details are likely to change and how the data will be kept up-to-date. For example, will you encourage participants to have responsibility for notifying you when their details need updated or will you contact them on an annual basis to ensure that their details are still correct or will you ask participants to register for CLD activity annually and check details are still accurate?

It is essential that you ensure that all information is erased if it is no longer required for business purposes; to keep data longer than required is a breach of the Data Protection Act and FOI. The Freedom of Information (Scotland) Act includes procedures on disposal arrangements for information. You can find further information on this at the link below:

http://www.scotland.gov.uk/Resource/Doc/1066/0003775.pdf - Freedom of Information Act Code of Practice on Records Management
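The validation checks described under "Validation of Data" and the one-year retention example can be combined in a single pass over participant records. The following is an added example, not part of the original guidance; the field names (id, name, consent_given, last_attendance) and the allowance for spaces, hyphens and apostrophes in names are assumptions.

```python
import re
from datetime import date, timedelta

# Assumption: "letters only" is relaxed to allow single spaces, hyphens and
# apostrophes between letters, so "Anne-Marie O'Neil" passes but "J0hn" fails.
NAME_RE = re.compile(r"[^\W\d_]+(?:[ '\-][^\W\d_]+)*")
YES_NO = {"yes", "no"}
RETENTION = timedelta(days=365)  # the page's example: 1 year after last use


def validate(record):
    """Return a list of problems found in one record (empty list = valid)."""
    problems = []
    if not NAME_RE.fullmatch(str(record.get("name", "")).strip()):
        problems.append("name: letters only")
    if str(record.get("consent_given", "")).strip().lower() not in YES_NO:
        problems.append("consent_given: must be yes or no")
    try:
        date.fromisoformat(str(record.get("last_attendance", "")))
    except ValueError:
        problems.append("last_attendance: must be YYYY-MM-DD")
    return problems


def due_for_erasure(records, today):
    """IDs of valid records whose last attendance is over a year before today.

    Invalid records are skipped here: they need correcting first, because a
    bad date cannot be trusted to drive a deletion decision.
    """
    return [
        r["id"] for r in records
        if not validate(r)
        and today - date.fromisoformat(r["last_attendance"]) > RETENTION
    ]


# Constructed sample records (hypothetical field names, see above).
SAMPLE = [
    {"id": 1, "name": "Anne-Marie O'Neil", "consent_given": "Yes", "last_attendance": "2006-11-02"},
    {"id": 2, "name": "J0hn Smith", "consent_given": "yes", "last_attendance": "2008-01-15"},
    {"id": 3, "name": "Priya Patel", "consent_given": "maybe", "last_attendance": "2007-12-01"},
    {"id": 4, "name": "Tom Reid", "consent_given": "no", "last_attendance": "2007-09-30"},
    {"id": 5, "name": "Isla Kerr", "consent_given": "yes", "last_attendance": "30/09/2007"},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["id"], validate(rec) or "ok")
    print("due for erasure:", due_for_erasure(SAMPLE, date(2008, 3, 4)))
```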

Security Requirements of Systems

When purchasing packaged software, security issues should be considered.

It may be worth bringing on board an IT specialist when considering what type of programme is most suitable. If this is not possible then it would be worthwhile thoroughly researching any software you plan to buy and checking that it has been evaluated and certified by an external source (there should be information on the product website).

Checklist

Data Protection Checklist - ensure the answer to all of these questions is 'YES'

Checklist Question

Yes/No

  1. Is it clear who the business owner for all data is?
  2. Is it clear what data the system should hold?
  3. Are there arrangements in place to ensure the data is accurate and up to date?
  4. Are there arrangements in place so that you can suspend processing data about a particular individual if they ask you to do so?
  5. Is it clear how long you need the data in the system?
  6. Are there arrangements in place to identify and delete data that is no longer required?
  7. Will access be restricted to those who need to see it to do their job?
  8. Are measures in place to prevent unauthorised access or changes to the data, whether by an authorised user or a user who has exceeded their authority?
  9. Are measures in place to limit the risk of accidental changes to the data, for example, by asking staff to confirm that they meant to make a deletion?
  10. Are measures in place to prevent the loss of the data?
  11. Are effective data recovery procedures in place?
  12. Are measures in place to track who changed the data, when and what the changes were?
  13. Have business procedures been developed and implemented for changing data?

Page updated: Tuesday, March 4, 2008