Information Commissioner’s Office

Information Commissioner’s Office. Data protection audits, outcomes and lessons learnt John-Pierre Lamb, Group Manager, Good Practice October, 2014. Our Mission:


Presentation Transcript


  1. Information Commissioner’s Office: Data protection audits, outcomes and lessons learnt. John-Pierre Lamb, Group Manager, Good Practice. October, 2014

  2. Our Mission: The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
      Our role:
      • Encourage good practice
      • Assess eligible complaints
      • Advise individuals and organisations
      • Take appropriate action on non-compliance

  3. What is Good Practice?
      Section 51(7) of the DPA 1998:
      • Gives the Information Commissioner power to assess any organisation’s processing of personal data for the following of ‘good practice’, with the agreement of the data controller.
      • Good practice is defined very generally in the Act as “practices for processing personal data which appear to be desirable. This includes, but is not limited to, compliance with the requirement of the Act”.

  4. Good Practice Team
      Our aim:
      • To help organisations understand how to comply with the DPA.
      Who we work with:
      • A wide range of organisations from small charities and voluntary organisations through to high profile government departments and household name companies.
      How we do this:
      • DPA & PECR audits
      • Advisory visits
      • Workshops
      • Self assessment questionnaires
      • Outcomes reporting

  5. What is personal data?
      Data which relate to a living individual who can be identified
      (a) from those data, or
      (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller
      and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual

  6. What is sensitive personal data?
      Personal data relating to:
      • racial or ethnic origin
      • political opinions
      • religious beliefs or other beliefs of a similar nature
      • trade union membership
      • physical or mental health or condition
      • sexual life
      • any offence - the commission, or alleged commission of
      • any court proceedings or sentence relating to any offence committed or alleged to have been committed

  7. Data Protection Act 1998 The eight principles

  8. Audit Process

  9. Audit approach – process overview
      • Consensual engagement, then agree a scope of work with the organisation plus LoE and interview schedule – one to two months before the audit
      • Carry out an off-site adequacy review of an organisation’s documented policies and procedures
      • Carry out an on-site review of the procedures in practice for processing personal data – 3 days, 2/3 auditors
      • Provide a report with recommendations and assurance opinion – 8 weeks from first draft to final report
      • Draft an executive summary for publication on our website, with the consent of the organisation
      • Carry out a follow-up review – depends on assurance level

  10. Benefits of an ICO DP audit
      • helps to raise awareness of data protection and what the ICO considers appropriate to enable compliance with DPA
      • identifies data protection risks and provides practical, pragmatic, organisational-specific recommendations
      • shows an organisation’s commitment to, and recognition of, the importance of data protection
      • opportunity to use the ICO’s experience & resources (at no expense) to provide an independent assurance of the existence and effectiveness of data protection controls
      • sharing knowledge with trained, experienced, qualified staff and an improved working relationship with the ICO

  11. Key scope areas
      • Data protection governance: structure, roles and responsibilities, policies and procedures, risk management, compliance reviews and audit, performance monitoring and reporting
      • Records management: roles and responsibilities, policies and procedures, collection of data/fair processing, storage and maintenance, retention and disposal of data plus monitoring and reporting
      • Security of personal data: structure, roles & responsibilities, policies & procedures, asset management, physical security, identity access management, network access controls, system monitoring and incident reporting, remote working and web/cloud based applications

  12. Key scope areas
      • Training & awareness: induction, specific and role based, refresher training, and performance and reporting
      • Requests for personal data: accountability, training, records, performance monitoring, compliance monitoring including correct use of redaction and DPA exemptions plus third party request handling
      • Data sharing: roles and responsibility, fair processing, risk and legality assessment, formal data sharing agreements, monitoring and reporting, data quality, security

  13. Security – scope and risk
      • The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form.
      • Risk: Without robust controls to ensure that personal data records, both manual and electronic, are held securely in compliance with the DPA, there is a risk that they may be lost or used inappropriately, resulting in regulatory action against, and/or reputational damage to, the organisation, and damage and distress to individuals.

  14. ICO audit - Security controls

  15. Sectors audited: Apr 2011 to Sep 2014

  16. Scope area analysis: Jan 2011-Dec 2013 (Local government only)

  17. Scope area analysis: Feb 2010-Jan 2014 (Health only)

  18. Assurance opinion analysis: Data Protection Governance in local government and health authorities

  19. Assurance opinion analysis: Records Management in local government and health authorities

  20. Assurance opinion analysis: Security in local government and health authorities

  21. Assurance opinion analysis: Training & Awareness in local government and health authorities

  22. Assurance opinion analysis: Requests for personal data in local government and health authorities

  23. Assurance opinion analysis: Data sharing in local government and health authorities

  24. Common areas for improvement: Records Management
      • Lack of regular internal audit (IS & data handling), compliance monitoring and reporting; plus use of independent external assurance
      • Lack of formal records management framework including strategy, roles and responsibility plus policies and procedures
      • Lack of effective, formal training programme incorporating RM which comprises mandatory induction and periodic refresher training; plus the monitoring and enforcement of training attendance against corporate KPIs
      • Absence of Information Asset Registers (IARs) and associated risk assessment procedure plus ineffective/poorly trained IAOs
      • Lack of effective controls concerning retention, weeding and secure destruction of both electronic and manual records
      • Lack of effective security and control for manual records especially when being transported or transferred

  25. Common areas for improvement: Security of personal data
      • Lack of regular internal audit, compliance monitoring and reporting; plus use of independent external assurance
      • Lack of effective control of IT system access rights, including starters, movers and leavers protocols (permanent and contract staff) plus automated reconciliation with HR / payroll systems
      • Lack of effective network endpoint controls and mobile device encryption, plus password control and enforcement
      • Lack of security controls for remote access and home working
      • Absence of 3rd party monitoring – confidential waste disposal, IT hardware disposal, storage and disposal of records

  26. Other common areas for improvement:
      • Lack of effective monitoring and reporting mechanisms concerning subject access requests, plus performance against corporate KPIs
      • Lack of use of PIA/PBD for projects and system changes involving processing of personal data
      • Absence of effective, specialised training programmes for key roles including periodic refresher training; plus the monitoring and enforcement of training attendance against corporate KPIs
      • Lack of centralised control, monitoring and review of data sharing agreements

  27. Look familiar?

  28. When things go wrong – civil monetary penalties
      Sensitive information mixed up and given to wrong person
      • Halton Borough Council £70,000 May 2013
      • Devon County Council £90,000 December 2012
      • Plymouth City Council £60,000 November 2012
      • Telford & Wrekin District Council £90,000 May 2012
      • Norfolk County Council £80,000 February 2012
      • Midlothian Council £140,000 January 2012
      • Powys County Council £130,000 December 2011
      Sensitive information sent to wrong address
      • North Staffordshire Combined Healthcare Trust £55,000 fax June 2013
      • Leeds City Council £95,000 post November 2012
      • St George’s Healthcare NHS Trust £60,000 post July 2012
      • Aneurin Bevan Health Board £70,000 post April 2012
      • Stoke-on-Trent City Council £120,000 email October 2012
      • Cheshire East Council £80,000 email February 2012
      • North Somerset Council £60,000 email November 2011
      • Worcestershire County Council £80,000 email November 2011
      • Surrey County Council £120,000 email June 2011
      • Central London Community Healthcare NHS Trust £90,000 fax April 2012
      • Hertfordshire County Council £100,000 fax November 2010
      • Ministry of Justice £140,000 email October 2013

  29. When things go wrong – civil monetary penalties
      Sensitive information lost or stolen
      • Sony Computer Entertainment Europe Ltd £250,000 network hacked February 2013
      • Nursing and Midwifery Council £150,000 DVD lost February 2013
      • Greater Manchester Police £150,000 unencrypted USB September 2012
      • London Borough of Lewisham £70,000 papers December 2012
      • London Borough of Barnet £70,000 papers May 2012
      • Lancashire Constabulary £70,000 papers March 2012
      • Croydon Council £100,000 papers February 2012
      • Ealing Borough Council £80,000 unencrypted laptop February 2011
      • Hounslow Borough Council £70,000 unencrypted laptop February 2011
      • Glasgow City Council £150,000 unencrypted laptop June 2013
      • Ministry of Justice £180,000 portable hard drive August 2014
      Inadequate disposal of old files or computer hard drives
      • NHS Surrey £200,000 hard drives June 2013
      • Stockport Primary Care Trust £100,000 paper files June 2013
      • Scottish Borders Council £250,000 paper files September 2012
      • Belfast Health & Social Care Trust £225,000 paper files June 2012
      • Brighton & Sussex Univ Hosp NHS Trust £325,000 hard drives May 2012
      • Department of Justice (NI) £185,000 paper files January 2014
      Sensitive information taken from websites
      • Aberdeen City Council £100,000 online disclosure August 2013
      • Islington Borough Council £70,000 online disclosure August 2013
      • Torbay Care Trust £175,000 online disclosure July 2012
      • British Pregnancy Advisory Service £200,000 hacking February 2014
      • Think W3 £150,000 hacking July 2014

  30. Keep in touch
      • Subscribe to news feeds, blogs or our e-newsletter at www.ico.gov.uk and find us on…
      • www.twitter.com/iconews
