Security, Mobile Devices and Data Protection
Use of technology
Increasingly, teaching staff are using technology to enhance learning and teaching on their courses. The Adult Learning Service provides tutors with equipment for teaching and for planning and record keeping. Providing staff with laptops and other mobile devices reinforces the expectation and assumption that staff members will be working out of the office with the knowledge and approval of the learning provider. This places an obligation on the organisation to have procedures in place to meet the requirements of the Data Protection Act (1998) and, as of 25th May 2018, the General Data Protection Regulation (GDPR). In addition, all NALS laptops used for teaching have had filters installed to monitor inappropriate use by learners, and these are checked weekly for any breaches and investigated further as necessary by the ILT coordinator.
The definition of mobile devices is broad and includes memory sticks, mobile phones (including smartphones), tablet technologies, netbooks, laptops and internet-enabled games consoles.
Areas of use include:
Learning activities on field trips, work placements and ongoing professional training
Information provision – assessments, results, course changes, appointments
Information gathering for research purposes – e.g. recording of face to face interviews, including information advice and guidance (IAG) interviews
Staff copying central service files to work on at home or note taking in an external meeting
This is not an exhaustive list. All of the activities listed above may lead to inadvertent or deliberate obtaining of personal information, often for reasons of convenience or ease of use. At times you may also be provided with personal information about our learners as part of your teaching resources. This also raises issues of consent and confidentiality.
UK GDPR Obligations and Mobile Devices
The purpose of the UK GDPR is to protect the rights and privacy of identifiable living individuals and to ensure that the data held about these individuals, which is processed and used by an organisation, is managed properly. It places a legal obligation on those who process personal information to process it fairly and with the knowledge of the individual. It allows individuals to be aware of, and exercise some control over, how information about them is to be used.
The General Data Protection Regulation covers ‘personal data’ and ‘sensitive personal data’.
‘Personal data’ is any information relating to an identifiable person who can be directly or indirectly identified by such information. This includes name, identification number, location data or online identifier.
‘Sensitive personal data’ comprises information including an individual’s race or ethnic origin, political opinion, religious beliefs, trade union membership, physical or mental health, sex life, criminal proceedings or convictions.
It should be noted here that the DPA applies to confidential information about learners which contains personal data. The DPA doesn’t distinguish between data on-site (in an office base) and data taken off-site (in the teaching venue or local community) and the obligation on the data controller (i.e. the learning provider) is to ensure appropriate security is maintained. Tutors should be conscious of their responsibility to ensure that learners’ personal data is confidential and secure at all times. Breaches of security must be reported immediately to the line manager who should then record this with NNC’s Information Governance team using the data breach reporting form, which can be found on the NNC Intranet. Personal email addresses of staff must not be used to send information about learners to the Business Support Team or other members of staff in the organisation.
ALS staff should also take care to ensure that learner information is not shared with any third party without individual consent and an established data sharing agreement.
ALS staff who are paid by invoice must ensure they have provided a signed GDPR compliance agreement confirming either that they are registered with the ICO or are exempt from registering. For more information, please contact your line manager.
An example of a situation when security may be breached
An Information Advice and Guidance (IAG) advisor is conducting a series of personal interviews in her local community. She will be collecting personal data and has with her an encrypted laptop, supplied by her organisation, onto which she will record the interviews. She has assured the interviewees that the information collected will be held securely and will be anonymous for publication. On the day, the technology lets her down, but she has five interviews lined up and a deadline to meet. She decides to use the recording facility on her mobile phone, which later falls out of her pocket as she is picking up some papers she has dropped.
Tutor Communication with Learners and UK GDPR
Support for learners is important whilst they are attending ALS courses. All communication between ALS teaching staff and learners should be kept strictly within the GDPR guidelines, and personal information should be used in accordance with these guidelines.
Please follow the guidance below when contacting learners:
When emailing groups of learners, always use the Bcc field.
Never share attachments that may include learners’ information, such as a register or a contact list.
Only contact learners regarding their enrolment on your course, unless the learner has given permission to have further contact from you.
Do not keep learner contact information after the course has finished, unless you have clear consent from the learner to do so.
Never use learners’ contact information to promote a service or product that is not supported or offered by ALS.
It is also important to ensure that all staff use the work email address allocated to them when dealing with any information that would be considered confidential.