Information Commissioner’s Office Data protection audits, outcomes and lessons learnt John-Pierre Lamb, Group Manager, Good Practice October, 2014
Transcript
Page 1: Information Commissioner’s Office

Data protection audits, outcomes and lessons learnt

John-Pierre Lamb, Group Manager, Good Practice

October, 2014

Page 2

Our Mission: The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Our role:

• Encourage good practice

• Assess eligible complaints

• Advise individuals and organisations

• Take appropriate action on non-compliance

Page 3

What is Good Practice?

Section 51(7) of the DPA 1998 gives the Information Commissioner power to assess any organisation’s processing of personal data for the following of ‘good practice’, with the agreement of the data controller.

Good practice is defined very generally in the Act as “practices for processing personal data which appear to be desirable. This includes, but is not limited to, compliance with the requirements of the Act”.

Page 4

Good Practice Team

Our aim: To help organisations understand how to comply with the DPA.

Who we work with: A wide range of organisations, from small charities and voluntary organisations through to high profile government departments and household name companies.

How we do this:

• DPA & PECR audits

• Advisory visits

• Workshops

• Self assessment questionnaires

• Outcomes reporting

Page 5

What is personal data?

Data which relate to a living individual who can be identified

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Page 6

What is sensitive personal data? Personal data relating to:

• racial or ethnic origin

• political opinions

• religious beliefs or other beliefs of a similar nature

• trade union membership

• physical or mental health or condition

• sexual life

• any offence – the commission, or alleged commission of

• any court proceedings or sentence relating to any offence committed or alleged to have been committed

Page 7

Data Protection Act 1998: The eight principles

Page 8

Audit Process

Page 9

Audit approach – process overview

• Consensual engagement, then agree a scope of work with the organisation plus LoE and interview schedule – one to two months before the audit

• Carry out an off-site adequacy review of an organisation’s documented policies and procedures

• Carry out an on-site review of the procedures in practice for processing personal data – 3 days, 2/3 auditors

• Provide a report with recommendations and assurance opinion – 8 weeks from first draft to final report

• Draft an executive summary for publication on our website, with the consent of the organisation

• Carry out a follow-up review – depends on assurance level

Page 10

Benefits of an ICO DP audit

• helps to raise awareness of data protection and what the ICO considers appropriate to enable compliance with the DPA

• identifies data protection risks and provides practical, pragmatic, organisation-specific recommendations

• shows an organisation’s commitment to, and recognition of, the importance of data protection

• opportunity to use the ICO’s experience & resources (at no expense) to provide an independent assurance of the existence and effectiveness of data protection controls

• sharing knowledge with trained, experienced, qualified staff and an improved working relationship with the ICO

Page 11

Key scope areas

• Data protection governance: structure, roles and responsibilities, policies and procedures, risk management, compliance reviews and audit, performance monitoring and reporting

• Records management: roles and responsibilities, policies and procedures, collection of data/fair processing, storage and maintenance, retention and disposal of data plus monitoring and reporting

• Security of personal data: structure, roles & responsibilities, policies & procedures, asset management, physical security, identity access management, network access controls, system monitoring and incident reporting, remote working and web/cloud based applications

Page 12

Key scope areas

• Training & awareness: induction, specific and role based, refresher training, and performance and reporting

• Requests for personal data: accountability, training, records, performance monitoring, compliance monitoring including correct use of redaction and DPA exemptions plus third party request handling

• Data sharing: roles and responsibility, fair processing, risk and legality assessment, formal data sharing agreements, monitoring and reporting, data quality, security

Page 13

Security – scope and risk

Scope: The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form.

Risk: Without robust controls to ensure that personal data records, both manual and electronic, are held securely in compliance with the DPA, there is a risk that they may be lost or used inappropriately, resulting in regulatory action against, and/or reputational damage to, the organisation, and damage and distress to individuals.

Page 14

ICO audit - Security controls

Page 15

Sectors audited: Apr 2011 to Sep 2014

Pie chart. Sectors: Central govt, Local govt, NHS, Private, Criminal Justice, Other. Percentages shown: 8%, 31%, 21%, 11%, 23%, 5% (the pairing of percentages with sectors is not recoverable from the transcript).

Page 16

Scope area analysis: Jan 2011–Dec 2013, local government only

Pie chart. Scope areas: Data protection governance, Training and awareness, Records management, Security of personal data, Requests for personal data, Data sharing. Percentages shown: 17%, 15%, 24%, 22%, 18%, 3% (the pairing of percentages with scope areas is not recoverable from the transcript).

Page 17

Scope area analysis: Feb 2010–Jan 2014, health only

Pie chart. Scope areas: Data protection governance, Training and awareness, Records management, Security of personal data, Requests for personal data, Data sharing. Percentages shown: 22%, 16%, 18%, 29%, 8%, 7% (the pairing of percentages with scope areas is not recoverable from the transcript).

Page 18

Assurance opinion analysis: Data Protection Governance in local government and health authorities

Bar chart comparing Local Government and Health Authorities (values in %). Values in the order extracted: Local Government 4, 28, 60, 8; Health Authorities 13, 57, 26, 4. The assurance-level labels for the bars are not captured in the transcript.

Page 19

Assurance opinion analysis: Records Management in local government and health authorities

Bar chart comparing Local Government and Health Authorities (values in %). Values as extracted, some run together: 0, 5044, 65, 63, 32, 0. The assurance-level labels for the bars and the split between the two series are not recoverable from the transcript.

Page 20

Assurance opinion analysis: Security in local government and health authorities

Bar chart comparing Local Government and Health Authorities (values in %). Values in the order extracted: Local Government 6, 61, 33, 0; Health Authorities 0, 67, 33, 0. The assurance-level labels for the bars are not captured in the transcript.

Page 21

Assurance opinion analysis: Training & Awareness in local government and health authorities

Bar chart comparing Local Government and Health Authorities (values in %). Values as extracted, some run together: 9, 4136, 1419, 50, 31, 0. The assurance-level labels for the bars and the exact split between the two series are not recoverable from the transcript.

Page 22

Assurance opinion analysis: Requests for personal data in local government and health authorities

Bar chart comparing Local Government and Health Authorities (values in %). Values as extracted: 15, 41, 41, 40, 63, 38, 0. The assurance-level labels for the bars and the split between the two series are not recoverable from the transcript.

Page 23

Assurance opinion analysis: Data sharing in local government and health authorities

Bar chart comparing Local Government and Health Authorities (values in %). Values in the order extracted: Local Government 0, 80, 20, 0; Health Authorities 0, 43, 29, 29. The assurance-level labels for the bars are not captured in the transcript.

Page 24

Common areas for improvement: Records Management

• Lack of regular internal audit (IS & data handling), compliance monitoring and reporting; plus use of independent external assurance

• Lack of formal records management framework including strategy, roles and responsibility plus policies and procedures

• Lack of an effective, formal training programme incorporating RM which comprises mandatory induction and periodic refresher training; plus the monitoring and enforcement of training attendance against corporate KPIs

• Absence of Information Asset Registers (IARs) and associated risk assessment procedure plus ineffective/poorly trained IAOs

• Lack of effective controls concerning retention, weeding and secure destruction of both electronic and manual records

• Lack of effective security and control for manual records especially when being transported or transferred

Page 25

Page 26

Common areas for improvement: Security of personal data

• Lack of regular internal audit, compliance monitoring and reporting; plus use of independent external assurance

• Lack of effective control of IT system access rights, including starters, movers and leavers protocols (permanent and contract staff) plus automated reconciliation with HR / payroll systems

• Lack of effective network endpoint controls and mobile device encryption, plus password control and enforcement

• Lack of security controls for remote access and home working

• Absence of 3rd party monitoring – confidential waste disposal, IT hardware disposal, storage and disposal of records
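The starters, movers and leavers control in the list above rests on regularly comparing the IT account list with the HR / payroll record. The script below is an added example, not ICO code and not any product’s output: it reconciles a constructed HR extract against a constructed account list and groups the mismatches an auditor would ask about (leavers whose accounts are still enabled, enabled accounts with no HR owner, movers whose access group still reflects the old role, and dormant enabled accounts). The record layouts, field names and the 90-day dormancy threshold are all assumptions.

```python
"""Starters, movers and leavers reconciliation: HR extract vs IT accounts.

Added example, not ICO code. All records are constructed sample data and the
field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    staff_id: str
    name: str
    role: str                  # current role as recorded by HR
    end_date: Optional[date]   # None while still employed / under contract


@dataclass(frozen=True)
class Account:
    username: str
    staff_id: Optional[str]    # None when the account has no HR link
    enabled: bool
    role_group: str            # access group the account was provisioned into
    last_logon: Optional[date]


# Constructed sample HR / payroll extract (assumed format).
HR_EXTRACT: List[HrRecord] = [
    HrRecord("S001", "A. Example", "social-worker", None),
    HrRecord("S002", "B. Example", "finance-clerk", date(2014, 6, 30)),  # leaver
    HrRecord("S003", "C. Example", "team-manager", None),                # moved from case-admin
    HrRecord("S004", "D. Example", "contractor", date(2014, 9, 1)),      # contract ended
]

# Constructed sample IT account list (assumed format).
ACCOUNT_LIST: List[Account] = [
    Account("aexample", "S001", True, "social-worker", date(2014, 9, 29)),
    Account("bexample", "S002", True, "finance-clerk", date(2014, 7, 14)),  # leaver, still enabled
    Account("cexample", "S003", True, "case-admin", date(2014, 9, 30)),     # mover, old group kept
    Account("dexample", "S004", False, "contractor", date(2014, 8, 29)),    # leaver, correctly disabled
    Account("svc_report", None, True, "reporting", date(2013, 1, 2)),       # no HR owner
]

DORMANT_DAYS = 90  # assumed threshold for flagging unused enabled accounts


def reconcile(hr: List[HrRecord], accounts: List[Account], as_of: date) -> Dict[str, List[str]]:
    """Return account names grouped by finding type, for review by the access-control owner."""
    hr_by_id = {r.staff_id: r for r in hr}
    findings: Dict[str, List[str]] = {
        "leaver_still_enabled": [],   # HR end date has passed but the account is enabled
        "no_hr_record": [],           # enabled account with no matching HR record
        "mover_group_mismatch": [],   # HR role changed but the access group was not updated
        "dormant": [],                # enabled account unused for more than DORMANT_DAYS
    }
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are out of scope for these checks
        record = hr_by_id.get(acct.staff_id) if acct.staff_id else None
        if record is None:
            findings["no_hr_record"].append(acct.username)
        elif record.end_date is not None and record.end_date < as_of:
            findings["leaver_still_enabled"].append(acct.username)
        elif acct.role_group != record.role:
            findings["mover_group_mismatch"].append(acct.username)
        if acct.last_logon is None or (as_of - acct.last_logon).days > DORMANT_DAYS:
            findings["dormant"].append(acct.username)
    return findings


def run_reconciliation(as_of: date = date(2014, 10, 1)) -> Dict[str, List[str]]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_EXTRACT, ACCOUNT_LIST, as_of)


if __name__ == "__main__":
    for finding, names in run_reconciliation().items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

In practice the two inputs would be exports from the HR system and the directory; the value of the control is that the comparison runs on a schedule and its output is reviewed and actioned, so each run’s findings should be retained as evidence for the compliance monitoring the slides describe.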

Page 27

Other common areas for improvement:

• Lack of effective monitoring and reporting mechanisms concerning subject access requests, plus performance against corporate KPIs

• Lack of use of PIA/PBD for projects and system changes involving processing of personal data

• Absence of effective, specialised training programmes for key roles including periodic refresher training; plus the monitoring and enforcement of training attendance against corporate KPIs

• Lack of centralised control, monitoring and review of data sharing agreements

Page 28

Look familiar ???

Page 29

When things go wrong – civil monetary penalties

Sensitive information mixed up and given to wrong person

• Halton Borough Council – £70,000 – May 2013

• Devon County Council – £90,000 – December 2012

• Plymouth City Council – £60,000 – November 2012

• Telford & Wrekin District Council – £90,000 – May 2012

• Norfolk County Council – £80,000 – February 2012

• Midlothian Council – £140,000 – January 2012

• Powys County Council – £130,000 – December 2011

Sensitive information sent to wrong address

• North Staffordshire Combined Healthcare Trust – £55,000 – fax – June 2013

• Leeds City Council – £95,000 – post – November 2012

• St George’s Healthcare NHS Trust – £60,000 – post – July 2012

• Aneurin Bevan Health Board – £70,000 – post – April 2012

• Stoke-on-Trent City Council – £120,000 – email – October 2012

• Cheshire East Council – £80,000 – email – February 2012

• North Somerset Council – £60,000 – email – November 2011

• Worcestershire County Council – £80,000 – email – November 2011

• Surrey County Council – £120,000 – email – June 2011

• Central London Community Healthcare NHS Trust – £90,000 – fax – April 2012

• Hertfordshire County Council – £100,000 – fax – November 2010

• Ministry of Justice – £140,000 – email – October 2013

Page 30

When things go wrong – civil monetary penalties

Sensitive information lost or stolen

• Sony Computer Entertainment Europe Ltd – £250,000 – network hacked – February 2013

• Nursing and Midwifery Council – £150,000 – DVD lost – February 2013

• Greater Manchester Police – £150,000 – unencrypted USB – September 2012

• London Borough of Lewisham – £70,000 – papers – December 2012

• London Borough of Barnet – £70,000 – papers – May 2012

• Lancashire Constabulary – £70,000 – papers – March 2012

• Croydon Council – £100,000 – papers – February 2012

• Ealing Borough Council – £80,000 – unencrypted laptop – February 2011

• Hounslow Borough Council – £70,000 – unencrypted laptop – February 2011

• Glasgow City Council – £150,000 – unencrypted laptop – June 2013

• Ministry of Justice – £180,000 – portable hard drive – August 2014

Inadequate disposal of old files or computer hard drives

• NHS Surrey – £200,000 – hard drives – June 2013

• Stockport Primary Care Trust – £100,000 – paper files – June 2013

• Scottish Borders Council – £250,000 – paper files – September 2012

• Belfast Health & Social Care Trust – £225,000 – paper files – June 2012

• Brighton & Sussex Univ Hosp NHS Trust – £325,000 – hard drives – May 2012

• Department of Justice (NI) – £185,000 – paper files – January 2014

Sensitive information taken from websites

• Aberdeen City Council – £100,000 – online disclosure – August 2013

• Islington Borough Council – £70,000 – online disclosure – August 2013

• Torbay Care Trust – £175,000 – online disclosure – July 2012

• British Pregnancy Advisory Service – £200,000 – hacking – February 2014

• Think W3 – £150,000 – hacking – July 2014

Page 31

Keep in touch

Subscribe to news feeds, blogs or our e-newsletter at www.ico.gov.uk and find us on… www.twitter.com/iconews