
DATA HANDLING AND INFORMATION SECURITY LONDON BOROUGH OF BEXLEY Dr. C. N. M. Pounder Amberhawk Training Limited 1.

Presentation transcript:

1 DATA HANDLING AND INFORMATION SECURITY
London Borough of Bexley
Dr. C. N. M. Pounder, Amberhawk Training Limited

2 CONTENT OF THE SESSION
- Review of the ICO's "concern" about Local Government security in general.
- Data Protection obligations towards security.
- The Information Commissioner's forthcoming audit.
- The Local Government Data Handling Guidelines; compliance requires Bexley to appoint IAOs and a SIRO.
- ABOVE ALL: a focus on your role and responsibilities.

3 RISK OF FINES - COUNCILS
- £70K Hounslow Council and £80K Ealing Council: loss of unencrypted laptop containing personal data. (Barnet Council: £70K, laptop stolen from staff's home.)
- £100K Croydon Council: bag containing papers relating to the care of a child sex abuse victim stolen from a pub.
- £100K Hertfordshire County Council; £80K Cheshire East Council; £80K Norfolk County Council; £140K Midlothian Council; £130K Powys County Council; £60K North Somerset Council; £80K Worcestershire County Council; £120K Surrey County Council. (These cases are ALL variants of sensitive personal data being sent to the wrong recipients by email, post or fax.)

4 [Poster image] Now you know why Bexley is using this poster

5 RISK OF UNDERTAKINGS OR AUDIT
- London Boroughs: Barnet, Croydon, Greenwich, Lewisham and Southwark.
- County Councils: Buckinghamshire, Cambridgeshire, Somerset, Hertfordshire, Leicestershire and West Sussex.
- Other Councils: Basingstoke and Deane; Brighton and Hove; City of York; Doncaster Metropolitan; Dumfries and Galloway; Eastleigh; Isle of Anglesey County; Kirklees Metropolitan; Luton Borough; Manchester City; North Lanarkshire; Poole; Portsmouth City; Rochdale Metropolitan; Stoke-on-Trent City; Walsall and Wolverhampton City.
- COUNCILS SHOULD EXPECT A FOLLOW-UP AUDIT.

6 WORST CASE RISK (ISLINGTON; 2012) [image slide]

7 DATA LOSS IS A RISKY BUSINESS
Poor information management has become:
- a political risk
- a legal/regulatory risk
- a question of trust (e.g. will your clients risk you?)
- linked to competence (a reputation risk; press interest)
- a financial risk (Monetary Penalty Notice)
Managing risk is the name of the game; that is why you have a SIRO.
Risk extends to suppliers: Bexley is responsible if suppliers do not handle your personal data properly.

8 RANGE OF REPORTED ISSUES (May 2010; nothing later)
Category                        Count
Disclosed in Error              254   (r1)
Lost Data/Hardware              233   (r2)
Lost in Transit                  59
Non-secure Disposal              23
Stolen Data/Hardware            307   (r3)
Technical/Procedural Failure     83
Other                            48
Grand Total                    1007
Note that risks 1, 2 and 3 account for 80% of the problems.
Source: http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/breach_notification_spreadsheet_may2010.pdf

9 LEGAL REQUIREMENTS: SEVENTH PRINCIPLE
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

10 SEVENTH PRINCIPLE (Obligations)
Appropriate organisational and technical measures against:
- unlawful processing (this is wider than security and links to the First Principle concept of lawful processing)
- unauthorised processing (mainstream security)
- accidental factors (e.g. business continuity planning)
The Principle has a very important Interpretation which expands on these obligations.

11 SEVENTH PRINCIPLE (Must do)
- Keep security procedures up to date (state of the art and cost of implementing measures).
- Approach based on risk analysis:
  - the nature of the personal data to be protected
  - the resulting harm which might arise from a breach
  - the effectiveness of existing measures
- Reliability of all staff who access personal data:
  - train staff in all procedures and policies
  - part of induction (e.g. IA training)
  - take up references, vetting and validate qualifications

12 SEVENTH PRINCIPLE (Must do)
Contractor considerations:
- Formal agreement of security standards to be adopted by the contractor prior to contract (e.g. the security standards adopted by the Data Controller).
- Security standards have to be imposed via contracts with the contractor; contracts evidenced in writing.
- Contractor to follow the Data Controller's instructions.
- Contractor obliged to undertake all the obligations of the Seventh Principle (e.g. risk assessment, train staff etc.).

13 LOCAL GOVERNMENT DATA HANDLING GUIDELINES
Covers:
- understanding the legislation in your business area.
- naming individuals who "own" the risk.
- effective incident reporting mechanisms.
- monitoring and auditing of processes/procedures.
- establishing Corporate Information Governance.
- training and updating staff on their responsibilities.
- regular risk reviews of all processes and procedures.
- key information assets classified and resilient.
- robust risk-driven processes in case of the "ad hoc".
- documented policies, processes and procedures.
- clear lines of management and reporting structures.

14 LOCAL GOVERNMENT GUIDELINES (Detail of organisational measures)
- Main board recognition of the importance of the issue
- Appointment of a Senior Information Risk Officer (SIRO)
- Information risk policy in place
- Annual risk assessment
- Identification of Information Asset Owners and their responsibilities
- Compliance regime in place
- Training of staff in relevant procedures (e.g. data sharing; homeworking; data loss reporting; contractors)

15 FUNCTIONS – SIRO
SIRO's role: Lead and foster a culture that values, protects and uses information for the public good.
SIRO's responsibilities (Bexley):
- Ensures each Department has a plan to achieve and monitor the right culture, across each Department and its suppliers.
- Takes visible steps to support and participate in that plan (including completing own training).
- Ensures each Department has IAOs who are skilled, focussed on the issues, and supported, plus the specialists that it needs.

SIRO's role: Own the overall information risk policy and risk assessment process, test its outcome, and ensure it is used.
SIRO's responsibilities (Bexley):
- Ensures that risk policy is complete, covering how each Department implements the required security measures and how compliance will be monitored (includes supply chain).
- Ensures that risk assessment is completed.
- Based on the risk assessment, understands what information risks there are to each Department through its delivery chain, and ensures that they are addressed, and that they inform investment decisions.
- Ensures that risk assessment and actions taken benefit from an adequate level of independent scrutiny.

SIRO's role: Advise the senior management board on information risk and aspects of established internal controls (if needed).
SIRO's responsibilities (Bexley):
- Receives annual assessment of performance, including material from the IAOs and specialists, covering minimum mandatory measures as well as actions planned for each Department's own circumstances.

SIRO's role: Provide advice to the Senior Management Board on the information risk parts of their statement on internal control.

16 FUNCTIONS – INFORMATION ASSET OWNER
Asset Owner role: Lead and foster a culture that values and protects information for the public good.
Asset Owner responsibilities (Bexley):
- Understands the Department's plans to achieve and monitor the right culture, across the Department and its partners.
- Takes visible steps to support and participate in that plan (including completing own training).

Asset Owner role: Knows what information the asset holds, and who uses it and why.
Asset Owner responsibilities (Bexley):
- Understands the assets and how they are used.
- Approves and minimises data transfers; approves arrangements for use of removable media, laptops and homeworking.
- Approves the disposal mechanisms for assets and related data.

Asset Owner role: Knows who has access and why, and ensures their use of it is monitored.
Asset Owner responsibilities (Bexley):
- Understands the Council's policy on use of the information.
- Checks that access provided is the minimum necessary to achieve the business purpose.
- Receives records of use of assets and is satisfied that procedures/policies are properly conducted.

Asset Owner role: Understands and addresses risks to the asset, and provides assurance to the SIRO.
Asset Owner responsibilities (Bexley):
- Contributes to the Department's risk assessment.
- Involved in any case or new investment to secure assets.
- Provides reports to the SIRO about risks to the assets.

Asset Owner role: Ensures the asset is fully used for the public good, including responding to requests for access from others.
Asset Owner responsibilities (Bexley):
- Considers whether better use of the information could be made.
- Receives and logs access requests from others.
- Ensures decisions on access are taken accordingly.

17 ICO WILL LOOK FOR EVIDENCE OF IAO AND SIRO ACTIVITY
- Minutes and staff meetings
- Evidence of decisions, actions and appointments
- Top level policies issued
- Activity of the SIRO/IAO network
- Details of training received
- Details of monitoring, audit and incident reporting

18 FORTHCOMING ICO AUDIT
The ICO first looks at evidence in the controller's documentation:
- Strategies, Policies, Procedures
- Guidance and Codes of Practice
- Protocols, Frameworks and Memoranda of Understanding
- Training Materials
- Contracts (e.g. data processor, employee)
- Privacy Statements (fair processing notice)
- Privacy Impact Assessments
- Control Data
- Job Descriptions and Terms of Reference
Note: most of the above relate to management issues.

19 ICO: "RED LINES" IN AN AUDIT
Data Protection Governance:
- identify, implement and monitor the controls by which compliance can be measured and reported to management
- provide and monitor staff training and awareness regarding the correct use and management of personal data
- implement security measures which adequately protect personal data, including on mobile and portable devices
- appropriately control and secure manual personal data both within and outside the data controller's premises
- ensure Subject Access Requests are dealt with appropriately within the 40 day period; the ICO is increasingly looking at FOIA

20 DATA SECURITY DOES NOT RESTRICT DATA SHARING
(Refer to the Data Sharing Code of Practice)

21 DATA SHARING
Data sharing has two legal components:
- Whether you can share personal data.
- How to share personal data.
Whether ≡ lawful, vires, powers, proportionality.
How ≡ securely, transparently etc.
YOU NEED TO HAVE BOTH.

22 SOME BASIC RULES OF DATA SHARING (CODE OF PRACTICE)
- Find out whether you are obliged to share.
- Check whether you have the power to share.
- Stick to any statutory limits.
- Consider confidentiality requirements before disclosure.
- Disclose the minimum that you need to disclose.
- Find out about any onward disclosure.
- Disclose in a secure manner.
- Consider whether you have to inform the data subject.
- Keep records of the disclosure.
- If routine data sharing, then have a formal agreement (e.g. contract or data sharing protocol).

23 OTHER LEGISLATION
- FOIA: anticipate requests for access to your security policies and procedures and disclosure logs; the ICO includes handling of FOI requests with Subject Access.
- EIR/FOIA: requires compliance with the Code of Practice on Records Management; if data quality is an issue, the ICO could include this aspect in an audit.
- RIPA: new procedures for access to RIPA powers; follow them.
- Local Government legislation usually has restrictions on use and disclosure of personal data.

24 CONCLUDING COMMENTS
- Inadequate data handling procedures/policies create a significant risk.
- Too many Councils are drinking at the "last chance saloon" because of a data loss, undertaking or other regulatory issue; Councils are in the firing line!
- Penalties are not only financial or political; there is also a loss of trust by those whom you serve.
- Need to embed a culture of security and data protection so that it becomes second nature.

25 CONCLUDING COMMENTS
SO.... YOU ALL have an important role in ensuring that security policy is effectively implemented.
- All staff to be made reliable through training; IAOs are to be involved.
- Sweeps of offices to identify issues (e.g. information assets left insecure; yellow/red card system).

26 AND A POSTER CAMPAIGN [image slide]

27 THE END
Hawktalk and Amberhawk Training Ltd
chris.pounder@amberhawk.com
© Chris Slane

28 DATA HANDLING AND INFORMATION SECURITY
London Borough of Bexley
info@amberhawk.com; sue.cullen@amberhawk.com; chris.pounder@amberhawk.com
www.amberhawk.com
© Amberhawk Training Ltd.

