32. Data Protection Acts 1988 and 2003 and Data storage
Last updated: Wed, Sep 21st, 2016 8:53:35 am
32.1 The Data Protection Acts are designed to protect the rights of individuals with regard to personal data. The law defines personal data as “data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller”. The Data Protection Amendment Act 2003 brought manual records into the scope of the legislation whereas the 1988 Act referred only to computer files.
The Acts give a right to every individual, irrespective of nationality or residence, to establish the existence of personal data, to have access to any such data relating to him or her and to have inaccurate data rectified or erased. They require data controllers to make sure that the data they keep are collected fairly, are accurate and up-to-date, are kept for lawful purposes, and are not used or disclosed in any manner incompatible with those purposes. They also require data controllers to exercise a duty of care in relation to the individuals about whom they keep such data.
All Board minutes and other school records and data must be maintained in compliance with the Data Protection Acts. The responsibility for compliance with the Acts rests with each school. The Board must therefore be cognisant of its obligations in relation to the confidentiality, accuracy and security of all records and data held by the school. This includes records/data relating to staff and pupils and records/data relating to the business of the Board.
A “Data Protection in Schools” website http://www.dataprotectionschools.ie was launched by the primary and post-primary Management Bodies in September 2014. The aim of this website is to provide an overview of data protection legislation and how it applies to schools.
Schools are exempted from the requirements to register as data controllers under the Data Protection Acts 1988 and 2003.
32.2 Schools generally keep their accounting and other records on computer. The Board must ensure that there are procedures in place to ensure the completeness and accuracy of the accounting records and the validity of entries.
Appropriate back-up arrangements and security strategies should also be put in place, including the following:
- Computer systems should only access the internet through an approved internet firewall or other security device. Firewall and anti-virus software should be regularly updated, and routinely renewed before licences expire.
- Access to computer systems should be password protected, with other factors of authentication as appropriate to the sensitivity of the information.
- Passwords must not be shared among staff to access IT systems/applications.
- Record access should be secured by means such as passwords and anti-virus software.
- Have a back-up procedure in operation for computer-held data (which may include off-site back-up) to minimise data loss and disruption in the event of system failure or disk crash.
- Disks and other back-up media should be stored securely, protected against both unauthorised access and fire.
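As an added illustration of the back-up item above (this is example code, not part of the guidance and not a script issued by the Management Bodies), the following POSIX shell functions show the minimum a back-up procedure should do: create a dated archive of the records directory, record a checksum so corruption or tampering of the stored copy can be detected, restrict the file permissions, and prove the copy is restorable by extracting it into a scratch directory. The directory names and the use of GNU `sha256sum` and `tar` are assumptions.

```shell
#!/bin/sh
# Added example: a minimal back-up procedure with an integrity check and a
# restore test. Assumptions (not from the guidance): the records live in the
# directory passed as SRC, archives go to DEST, and GNU tar/sha256sum exist.

# backup_dir SRC DEST
#   Creates DEST/<name>-<UTC timestamp>.tar.gz plus a .sha256 sidecar and
#   prints the archive path. Returns non-zero if any step fails.
backup_dir() {
    src="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/$(basename "$src")-$stamp.tar.gz"
    # Archive relative to the parent so the restore re-creates the same tree.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    # Record a checksum of the archive; a later mismatch means the stored copy
    # was altered or the media is failing.
    ( cd "$dest" && sha256sum "$(basename "$archive")" \
        > "$(basename "$archive").sha256" ) || return 1
    # Back-ups contain personal data: owner read/write only.
    chmod 600 "$archive" "$archive.sha256" || return 1
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
#   Returns 0 only if the recorded checksum still matches and the archive can
#   actually be restored; a back-up that cannot be restored is not a back-up.
verify_backup() {
    archive="$1"
    ( cd "$(dirname "$archive")" \
        && sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
    scratch=$(mktemp -d) || return 1
    if tar -xzf "$archive" -C "$scratch"; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

# Typical use (assumed paths):
#   arch=$(backup_dir /srv/school/records /mnt/backup) && verify_backup "$arch"
```

Running `verify_backup` on a schedule, and not only immediately after the archive is written, is what catches a copy that has silently degraded on disk or on the off-site host; the checksum sidecar should be kept with the archive when it is sent off site so the same check can be run there.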
Where the school’s back-up data is held (or “hosted”) off site, the school is required by law to have a written contract in place (a “data processing agreement”). The contract/data processing agreement must specify the conditions under which the data may be processed, the security conditions attaching to the processing of the data, and that the data must be deleted or returned upon completion or termination of the contract.
A designated person should be responsible for security, and for periodic reviews of the measures and practices in place.