Summary

Data protection is the practice of safeguarding important information from corruption, compromise, or loss.

Warning: You are breaking the law if you do not meet this standard.

Categories

The categories applicable to this standard are:

Information and Data Management
  • Data Protection
  • Data Governance

Purpose

Data protection involves implementing measures and controls to ensure that personal or sensitive data is collected, stored, used, and shared in a way that complies with legal regulations and respects individual privacy. This includes using secure systems and encryption to prevent unauthorised access, ensuring data accuracy and integrity, and having backup and recovery procedures in place to restore data in case of a loss.

The Data Protection Act 2018 controls how personal information is used by UK organisations, businesses and the government. It is the UK's implementation of the General Data Protection Regulation (GDPR) and, since the UK left the EU, operates alongside the UK GDPR, the retained UK version of that regulation.

The goal of data protection is to balance the need for information accessibility with the need to protect the rights and privacy of individuals or entities.

How to meet this standard

To be compliant, you need to ensure that data is handled securely and in line with data protection legislation (the Data Protection Act 2018 and the UK GDPR).

What all DfE staff, including consultants, contractors and third-party suppliers must do

  1. Ensure relevant data policies and standards are read and complied with.
  2. Only access personal data that is needed for their work. Regularly review and update the data they are responsible for, and securely delete or dispose of data that is no longer required.
  3. Complete the mandatory annual training to help understand their responsibilities when handling personal data and complying with data protection law - see the DP Compliance Framework (DfE Intranet) for details.
  4. Keep all personal data secure, by taking sensible precautions and following the Departmental policies, standards and procedures.

What the Information Asset Owners (IAO) / Senior Responsible Owner (SRO) must do where an activity is assessed to be potentially high risk to the privacy of data subjects

  1. Complete a Data Protection Impact Assessment. See the DP Compliance Framework (DfE Intranet) for details.
  2. Ensure that they have identified, applied and documented the correct lawful basis for all personal data they collect and process.
  3. Ensure that they have completed a Record of Processing Activity (RoPA).
  4. Ensure DfE privacy notices cover processing activities and are made available to all data subjects at the point of processing.
  5. Apply retention periods to data and information.
  6. Regularly test privacy measures that have been implemented and conduct periodic reviews/audits to assess compliance with data management policies.

What the DfE Data Protection Officer must do

  1. Develop and implement a communication plan to embed a culture of privacy and data management.
  2. Ensure a board structure responsible for the oversight and governance of data and information is in place, making recommendations to the Senior Information Risk Owner (SIRO).
  3. Ensure subject access requests and other information rights requests are handled within UK GDPR deadlines.
  4. Raise awareness, provide support and training on how to comply with Data Protection Law and keep a record of training completed.
  5. Ensure privacy notices are published on the DfE website.

Declaring conformance with this standard

Conformance with the standard must be recorded every 12 months.

Owner and contacts

Standard owner
Saheel Sankriwala
Chief Technology and Data Officer
Other point of contact
DDT Standards Team