Information Commissioner’s Office Data protection audits, outcomes and lessons learnt John-Pierre Lamb, Group Manager, Good Practice October, 2014.


1 Information Commissioner’s Office Data protection audits, outcomes and lessons learnt John-Pierre Lamb, Group Manager, Good Practice October, 2014

2 Our Mission: The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Our role:
- Encourage good practice
- Assess eligible complaints
- Advise individuals and organisations
- Take appropriate action on non-compliance

3 What is Good Practice? Section 51(7) of the DPA 1998 gives the Information Commissioner the power to assess any organisation’s processing of personal data for the following of ‘good practice’, with the agreement of the data controller. Good practice is defined very generally in the Act (section 51(9)) as “practices for processing personal data which appear to be desirable. This includes, but is not limited to, compliance with the requirements of the Act”.

4 Good Practice Team
Our aim: To help organisations understand how to comply with the DPA.
Who we work with: A wide range of organisations from small charities and voluntary organisations through to high profile government departments and household name companies.
How we do this:
- DPA & PECR audits
- Advisory visits
- Workshops
- Self assessment questionnaires
- Outcomes reporting

5 What is personal data? Data which relate to a living individual who can be identified
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

6 What is sensitive personal data? Personal data relating to:
- racial or ethnic origin
- political opinions
- religious beliefs or other beliefs of a similar nature
- trade union membership
- physical or mental health or condition
- sexual life
- the commission, or alleged commission, of any offence
- any court proceedings or sentence relating to any offence committed or alleged to have been committed

7 Data Protection Act 1998 The eight principles

8 Audit Process

9 Audit approach – process overview
- Consensual engagement, then agree a scope of work with the organisation plus LoE and interview schedule – one to two months before the audit
- Carry out an off-site adequacy review of an organisation’s documented policies and procedures
- Carry out an on-site review of the procedures in practice for processing personal data – 3 days, 2/3 auditors
- Provide a report with recommendations and assurance opinion – 8 weeks from first draft to final report
- Draft an executive summary for publication on our website, with the consent of the organisation
- Carry out a follow-up review – timing depends on assurance level

10 Benefits of an ICO DP audit
- helps to raise awareness of data protection and what the ICO considers appropriate to enable compliance with the DPA
- identifies data protection risks and provides practical, pragmatic, organisation-specific recommendations
- shows an organisation’s commitment to, and recognition of, the importance of data protection
- opportunity to use the ICO’s experience & resources (at no expense) to provide an independent assurance of the existence and effectiveness of data protection controls
- sharing knowledge with trained, experienced, qualified staff and an improved working relationship with the ICO

11 Key scope areas
Data protection governance: structure, roles and responsibilities, policies and procedures, risk management, compliance reviews and audit, performance monitoring and reporting
Records management: roles and responsibilities, policies and procedures, collection of data/fair processing, storage and maintenance, retention and disposal of data plus monitoring and reporting
Security of personal data: structure, roles & responsibilities, policies & procedures, asset management, physical security, identity access management, network access controls, system monitoring and incident reporting, remote working and web/cloud based applications

12 Key scope areas
Training & awareness: induction, specific and role based, refresher training, and performance and reporting
Requests for personal data: accountability, training, records, performance monitoring, compliance monitoring including correct use of redaction and DPA exemptions plus third party request handling
Data sharing: roles and responsibility, fair processing, risk and legality assessment, formal data sharing agreements, monitoring and reporting, data quality, security

13 Security – scope and risk The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form. Risk: Without robust controls to ensure that personal data records, both manual and electronic, are held securely in compliance with the DPA, there is a risk that they may be lost or used inappropriately, resulting in regulatory action against, and/or reputational damage to, the organisation, and damage and distress to individuals.

14 ICO audit - Security controls

15 Sectors audited: Apr 2011 to Sep 2014

16 Scope area analysis: Jan 2011-Dec 2013 Local government only

17 Scope area analysis: Feb 2010-Jan 2014 Health only

18 Assurance opinion analysis: Data Protection Governance in local government and health authorities

19 Assurance opinion analysis: Records Management in local government and health authorities

20 Assurance opinion analysis: Security in local government and health authorities

21 Assurance opinion analysis: Training & Awareness in local government and health authorities

22 Assurance opinion analysis: Requests for personal data in local government and health authorities

23 Assurance opinion analysis: Data sharing in local government and health authorities

24 Common areas for improvement: Records Management
- Lack of regular internal audit (IS & data handling), compliance monitoring and reporting; plus use of independent external assurance
- Lack of formal records management framework including strategy, roles and responsibility plus policies and procedures
- Lack of effective, formal training programme incorporating RM which comprises mandatory induction and periodic refresher training; plus the monitoring and enforcement of training attendance against corporate KPIs
- Absence of Information Asset Registers (IARs) and associated risk assessment procedure plus ineffective/poorly trained IAOs
- Lack of effective controls concerning retention, weeding and secure destruction of both electronic and manual records
- Lack of effective security and control for manual records especially when being transported or transferred


26 Common areas for improvement: Security of personal data
- Lack of regular internal audit, compliance monitoring and reporting; plus use of independent external assurance
- Lack of effective control of IT system access rights, including starters, movers and leavers protocols (permanent and contract staff) plus automated reconciliation with HR / payroll systems
- Lack of effective network endpoint controls and mobile device encryption, plus password control and enforcement
- Lack of security controls for remote access and home working
- Absence of 3rd party monitoring – confidential waste disposal, IT hardware disposal, storage and disposal of records
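The second finding above (access rights not reconciled with HR) is one that an auditor can check mechanically, and the check is easy to automate. The script below is an added example, not an ICO tool and not code from the presentation: it joins a constructed HR extract to a constructed directory export and reports leavers with enabled accounts, accounts with no HR record, accounts holding groups outside their department's baseline, and dormant accounts. The CSV layouts, field names, the department-to-group baseline and the 90-day dormancy threshold are all assumptions for the example.

```python
"""Starters/movers/leavers reconciliation of IT accounts against an HR roster.

Added example (not from the ICO presentation). All data below is constructed:
a simplified HR extract, a simplified directory/account export, and a
department-to-group baseline that a real organisation would maintain itself.
"""
import csv
import io
from datetime import date

# Constructed HR extract: one row per person, employees and contractors alike.
HR_CSV = """\
staff_id,name,department,status,end_date
1001,Asha Patel,Adult Social Care,active,
1002,Ben Hughes,Finance,left,2014-06-30
1003,Carla Rossi,Housing,active,
1004,Dev Kumar,Finance,active,
1005,Eve Lindqvist,Adult Social Care,contractor,2014-12-31
"""

# Constructed directory export: one row per account. Groups are ';'-separated.
ACCOUNTS_CSV = """\
username,staff_id,enabled,groups,last_logon
apatel,1001,true,asc-caseworkers,2014-09-29
bhughes,1002,true,finance-users;finance-approvers,2014-07-02
crossi,1003,true,housing-users;finance-approvers,2014-09-30
dkumar,1004,true,finance-users,2014-05-01
svc-backup,,true,domain-admins,2014-09-30
elindqvist,1005,false,asc-caseworkers,2014-03-01
"""

# Assumed baseline: the groups each department's role is entitled to.
ROLE_BASELINE = {
    "Adult Social Care": {"asc-caseworkers"},
    "Finance": {"finance-users", "finance-approvers"},
    "Housing": {"housing-users"},
}


def load(csv_text):
    """Parse a CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(hr_rows, account_rows, today, dormant_days=90):
    """Return the findings an access-rights review would raise.

    leavers_enabled: enabled account whose HR record is 'left' or past end_date
    orphans:         account with no matching HR record (e.g. service accounts)
    excess_groups:   enabled account holding groups outside its department baseline
    dormant:         enabled account not used for more than dormant_days
    """
    hr = {r["staff_id"]: r for r in hr_rows}
    findings = {"leavers_enabled": [], "orphans": [], "excess_groups": [], "dormant": []}

    for acct in account_rows:
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        groups = set(g for g in acct["groups"].split(";") if g)

        person = hr.get(acct["staff_id"])
        if person is None:
            # No HR owner: service accounts and contractors created outside HR land here.
            findings["orphans"].append(user)
            continue

        if not enabled:
            continue  # disabled accounts are already handled by the leaver process

        end_date = date.fromisoformat(person["end_date"]) if person["end_date"] else None
        if person["status"] == "left" or (end_date and end_date < today):
            findings["leavers_enabled"].append(user)

        extra = groups - ROLE_BASELINE.get(person["department"], set())
        if extra:
            # A mover who kept old entitlements, or an ad hoc grant never reviewed.
            findings["excess_groups"].append((user, sorted(extra)))

        if acct["last_logon"]:
            idle = (today - date.fromisoformat(acct["last_logon"])).days
            if idle > dormant_days:
                findings["dormant"].append(user)

    return findings


def run_example():
    """Run the reconciliation over the constructed data as at 1 October 2014."""
    return reconcile(load(HR_CSV), load(ACCOUNTS_CSV), today=date(2014, 10, 1))


if __name__ == "__main__":
    for category, items in run_example().items():
        print(f"{category}: {items}")
```

In practice the HR extract and the account export are pulled on the same schedule and the four lists go to the system owners for sign-off; the point the audit finding makes is that this comparison should run automatically rather than rely on a leaver form reaching IT.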

27 Other common areas for improvement:
- Lack of effective monitoring and reporting mechanisms concerning subject access requests, plus performance against corporate KPIs
- Lack of use of PIA/PBD for projects and system changes involving processing of personal data
- Absence of effective, specialised training programmes for key roles including periodic refresher training; plus the monitoring and enforcement of training attendance against corporate KPIs
- Lack of centralised control, monitoring and review of data sharing agreements

28 Look familiar ???

29 When things go wrong – civil monetary penalties

Sensitive information mixed up and given to wrong person (organisation | penalty | date)
Halton Borough Council | £70,000 | May 2013
Devon County Council | £90,000 | December 2012
Plymouth City Council | £60,000 | November 2012
Telford & Wrekin District Council | £90,000 | May 2012
Norfolk County Council | £80,000 | February 2012
Midlothian Council | £140,000 | January 2012
Powys County Council | £130,000 | December 2011

Sensitive information sent to wrong address (organisation | penalty | channel | date)
North Staffordshire Combined Healthcare Trust | £55,000 | fax | June 2013
Leeds City Council | £95,000 | post | November 2012
St George’s Healthcare NHS Trust | £60,000 | post | July 2012
Aneurin Bevan Health Board | £70,000 | post | April 2012
Stoke-on-Trent City Council | £120,000 | email | October 2012
Cheshire East Council | £80,000 | email | February 2012
North Somerset Council | £60,000 | email | November 2011
Worcestershire County Council | £80,000 | email | November 2011
Surrey County Council | £120,000 | email | June 2011
Central London Community Healthcare NHS Trust | £90,000 | fax | April 2012
Hertfordshire County Council | £100,000 | fax | November 2010
Ministry of Justice | £140,000 | email | October 2013

30 Sensitive information lost or stolen (organisation | penalty | cause | date)
Sony Computer Entertainment Europe Ltd | £250,000 | network hacked | February 2013
Nursing and Midwifery Council | £150,000 | DVD lost | February 2013
Greater Manchester Police | £150,000 | unencrypted USB | September 2012
London Borough of Lewisham | £70,000 | papers | December 2012
London Borough of Barnet | £70,000 | papers | May 2012
Lancashire Constabulary | £70,000 | papers | March 2012
Croydon Council | £100,000 | papers | February 2012
Ealing Borough Council | £80,000 | unencrypted laptop | February 2011
Hounslow Borough Council | £70,000 | unencrypted laptop | February 2011
Glasgow City Council | £150,000 | unencrypted laptop | June 2013
Ministry of Justice | £180,000 | portable hard drive | August 2014

Inadequate disposal of old files or computer hard drives (organisation | penalty | cause | date)
NHS Surrey | £200,000 | hard drives | June 2013
Stockport Primary Care Trust | £100,000 | paper files | June 2013
Scottish Borders Council | £250,000 | paper files | September 2012
Belfast Health & Social Care Trust | £225,000 | paper files | June 2012
Brighton & Sussex Univ Hosp NHS Trust | £325,000 | hard drives | May 2012
Department of Justice (NI) | £185,000 | paper files | January 2014

Sensitive information taken from websites (organisation | penalty | cause | date)
Aberdeen City Council | £100,000 | online disclosure | August 2013
Islington Borough Council | £70,000 | online disclosure | August 2013
Torbay Care Trust | £175,000 | online disclosure | July 2012
British Pregnancy Advisory Service | £200,000 | hacking | February 2014
Think W3 | £150,000 | hacking | July 2014

31 Keep in touch Subscribe to news feeds, blogs or our e-newsletter at and find us on…
