Information Commissioner - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Information Commissioner

Description:

Audit approach process overview . Consensual engagement, then agree a scope of work with the organisation plus LoE and interview schedule one to two months ... – PowerPoint PPT presentation

Number of Views:162
Avg rating:3.0/5.0
Slides: 32
Provided by: cip92
Learn more at: https://www.cipfa.org
Category:

less

Transcript and Presenter's Notes

Title: Information Commissioner


1
Information Commissioners Office
Data protection audits, outcomes and lessons
learnt John-Pierre Lamb, Group Manager, Good
Practice October, 2014
2
Our Mission The ICO is the UKs independent
authority set up to uphold information rights in
the public interest, promoting openness by public
bodies and data privacy for individuals.
  • Our role
  • Encourage good practice
  • Assess eligible complaints
  • Advise individuals and organisations
  • Take appropriate action on non-compliance

3
What is Good Practice?
  • Section 51 (7) of the DPA 1998
  • Gives the Information Commissioner power to
    assess any organisations processing of personal
    data for the following of good practice, with
    the agreement of the data controller.
  • Good practice is defined very generally in the
    Act as practices for processing personal data
    which appear to be desirable. This includes, but
    is not limited to, compliance with the
    requirement of the Act.

4
Good Practice Team
  • Our aim
  • To help organisations understand how to comply
    with the DPA.
  • Who we work with
  • A wide range of organisations from small
    charities and
  • voluntary organisations through to high profile
    government
  • departments and household name companies.
  • How we do this
  • DPA PECR audits
  • Advisory visits
  • Workshops
  • Self assessment questionnaires
  • Outcomes reporting

5
What is personal data?
  • Data which relate to a living individual who can
    be identified
  • (a)from those data, or
  • (b)from those data and other information which is
    in the possession of, or is likely to come into
    the possession of, the data controller
  • and includes any expression of opinion about the
    individual and any indication of the intentions
    of the data controller or any other person in
    respect of the individual

6
What is sensitive personal data?
  • Personal data relating to
  • racial or ethnic origin
  • political opinions
  • religious beliefs or other beliefs of a similar
    nature
  • trade union membership
  • physical or mental health or condition
  • sexual life
  • any offence - the commission, or alleged
    commission of
  • any court proceedings or sentence relating to any
    offence committed or alleged to have been
    committed

7
Data Protection Act 1998 The eight principles
8
Audit Process
9
Audit approach process overview
  • Consensual engagement, then agree a scope of work
    with the organisation plus LoE and interview
    schedule one to two months before the audit
  • Carry out an off-site adequacy review of an
    organisations documented policies and procedures
  • Carry out an on-site review of the procedures in
    practice for processing personal data 3 days,
    2/3 auditors
  • Provide a report with recommendations and
    assurance opinion 8 weeks from first draft to
    final report
  • Draft an executive summary for publication on our
    website, with the consent of the organisation
  • Carry out a follow-up review depends on
    assurance level

10
Benefits of an ICO DP audit
  • helps to raise awareness of data protection and
    what the ICO considers appropriate to enable
    compliance with DPA
  • identifies data protection risks and provides
    practical, pragmatic, organisational-specific
    recommendations
  • shows an organisations commitment to, and
    recognition of, the importance of data protection
  • opportunity to use the ICOs experience
    resources (at no expense) to provide an
    independent assurance of the existence and
    effectiveness of data protection controls
  • sharing knowledge with trained, experienced,
    qualified staff and an improved working
    relationship with the ICO

11
Key scope areas
  • Data protection governance structure, roles and
    responsibilities, policies and procedures, risk
    management, compliance reviews and audit,
    performance monitoring and reporting
  • Records management roles and responsibilities,
    policies and procedures, collection of data/fair
    processing, storage and maintenance, retention
    and disposal of data plus monitoring and
    reporting
  • Security of personal data structure, roles
    responsibilities, policies procedures, asset
    management, physical security, identity access
    management, network access controls, system
    monitoring and incident reporting, remote working
    and web/cloud based applications

12
Key scope areas
  • Training awareness induction, specific and
    role based, refresher training, and performance
    and reporting
  • Requests for personal data accountability,
    training, records, performance monitoring,
    compliance monitoring including correct use of
    redaction and DPA exemptions plus third party
    request handling
  • Data sharing roles and responsibility, fair
    processing, risk and legality assessment, formal
    data sharing agreements, monitoring and
    reporting, data quality, security

13
Security scope and risk
  • The technical and organisational measures in
    place to ensure that there is adequate security
    over personal data held in manual or electronic
    form.
  •  
  • Risk Without robust controls to ensure that
    personal data records, both manual and
    electronic, are held securely in compliance with
    the DPA, there is a risk that they may be lost or
    used inappropriately, resulting in regulatory
    action against, and/or reputational damage to,
    the organisation, and damage and distress to
    individuals.

14
ICO audit - Security controls
15
Sectors audited Apr 2011 to Sep 2014
16
Scope area analysis Jan 2011-Dec 2013Local
government only
17
Scope area analysis Feb 2010-Jan 2014Health only
18
Assurance opinion analysisData Protection
Governance in local government and health
authorities
19
Assurance opinion analysisRecords Management in
local government and health authorities
20
Assurance opinion analysisSecurity in local
government and health authorities
21
Assurance opinion analysisTraining Awareness
in local government and health authorities
22
Assurance opinion analysisRequests for personal
data in local government and health authorities
23
Assurance opinion analysisData sharing in local
government and health authorities
24
Common areas for improvementRecords Management
  • Lack of regular internal audit (IS data
    handling), compliance monitoring and reporting
    plus use of independent external assurance
  • Lack of formal records management framework
    including strategy, roles and responsibility plus
    policies and procedures
  • Lack of effective, formal training programme
    incorporating RM which comprises of mandatory
    induction and periodic refresher training plus
    the monitoring and enforcement of training
    attendance against corporate KPIs
  • Absence of Information Asset Registers (IARs) and
    associated risk assessment procedure plus
    ineffective/poorly trained IAOs
  • Lack of effective controls concerning retention,
    weeding and secure destruction of both electronic
    and manual records
  • Lack of effective security and control for manual
    records especially when being transported or
    transferred

25
(No Transcript)
26
Common areas for improvementSecurity of
personal data
  • Lack of regular internal audit, compliance
    monitoring and reporting plus use of independent
    external assurance
  • Lack of effective control of IT system access
    rights, including starters, movers and leavers
    protocols (permanent and contract staff) plus
    automated reconciliation with HR / payroll
    systems
  • Lack of effective network endpoint controls and
    mobile device encryption, plus password control
    and enforcement
  • Lack of security controls for remote access and
    home working
  • Absence of 3rd party monitoring confidential
    waste disposal, IT hardware disposal, storage and
    disposal of records

27
Other common areas for improvement
  • Lack of effective monitoring and reporting
    mechanisms concerning subject access requests,
    plus performance against corporate KPIs
  • Lack of use of PIA/PBD for projects and system
    changes involving processing of personal data
  • Absence of effective, specialised training
    programmes for key roles including periodic
    refresher training plus the monitoring and
    enforcement of training attendance against
    corporate KPIs
  • Lack of centralised control, monitoring and
    review of data sharing agreements

28
Look familiar ???
29
When things go wrong civil monetary penalties
  • Sensitive information mixed up and given to wrong
    person
  • Halton Borough Council 70,000 May 2013
  • Devon County Council 90,000 December 2012
  • Plymouth City Council 60,000 November 2012
  • Telford Wrekin District Council 90,000 May
    2012
  • Norfolk County Council 80,000 February 2012
  • Midlothian Council 140,000 January 2012
  • Powys County Council 130,000 December 2011
  • Sensitive information sent to wrong address
  • North Staffordshire Combined Healthcare
    Trust 55,000 fax June 2013
  • Leeds City Council 95,000 post November 2012
  • St Georges Healthcare NHS Trust 60,000 post Jul
    y 2012
  • Aneurin Bevan Health Board 70,000 post April
    2012
  • Stoke-on-Trent City Council 120,000 email Octob
    er 2012
  • Cheshire East Council 80,000 email February
    2012
  • North Somerset Council 60,000 email November
    2011
  • Worcestershire County Council 80,000 email Nove
    mber 2011
  • Surrey County Council 120,000 email June 2011

30
When things go wrong civil monetary penalties
  • Sensitive information lost or stolen
  • Sony Computer Entertainment Europe Ltd 250,000
    network hacked February 2013
  • Nursing and Midwifery Council 150,000 DVD
    lost February 2013
  • Greater Manchester Police 150,000 unencrypted
    USB September 2012
  • London Borough of Lewisham 70,000 papers Decemb
    er 2012
  • London Borough of Barnet 70,000 papers May
    2012
  • Lancashire Constabulary 70,000 papers March
    2012
  • Croydon Council 100,000 papers February 2012
  • Ealing Borough Council 80,000 unencrypted
    laptop February 2011
  • Hounslow Borough Council 70,000 unencrypted
    laptop February 2011
  • Glasgow City Council 150,000 unencrypted
    laptop June 2013
  • Ministry of Justice 180,000 portable hard
    drive August 2014
  • Inadequate disposal of old files or computer hard
    drives
  • NHS Surrey 200,000 hard drives June 2013
  • Stockport Primary Care Trust 100,000 paper
    files June 2013
  • Scottish Borders Council 250,000 paper
    files September 2012
  • Belfast Health Social Care Trust 225,000 paper
    files June 2012

31
Keep in touch
Subscribe to news feeds, blogs or our
e-newsletter at www.ico.gov.uk and find us on
  • www.twitter.com/iconews
Write a Comment
User Comments (0)
About PowerShow.com