Webinar Questions Local Government Data Security Help Improve Your Compliance, 30 July 2015

Transcription

1 Webinar Questions Local Government Data Security Help Improve Your Compliance, 30 July 2015 Here are the answers to the questions we were asked during the webinar. There are a few questions we are still looking at we will be contacting the people who made them directly. European Union Data Protection Regulation How will the upcoming changes to data protection legislation (GDPR) effect the ICO's formal powers and role? We expect some significant changes to the ICO s powers, but our role as an independent regulator with appropriate tools available for taking action to change the behaviour of organisations and individuals that collect, use and keep personal information will not change. While the negotiations in Brussels continue we cannot comment on the detail of the draft law as this is still being finalised. Current predictions are that the legislative process at European level will be complete by the end of this year. However, we will be issuing guidance in due course when the final law has been published - for example an update when appropriate to our Data Protection Regulatory Action Policy. EU Member States are likely to have two years to implement the law after the draft is agreed and forthcoming changes will be widely publicised. Technical Failings When conducting investigations how does the ICO interpret technical failings? For example, with rapid technological changes the security guidance/updates offered e.g. by the

2 Cabinet Office or a Manufacturer, often doesn't keep pace. How would the ICO view this if procedural, organisational and technological best practises are followed? The seventh principle states that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental destruction of, or damage to, personal data. The interpretation of the seventh principle, to be found in part II of schedule 1, states that having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to (a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and (b) the nature of the data to be protected. Therefore, the ICO will take into account factors such as developments in technology, the cost of implementing such measures and alternative measures taken to mitigate the risk of a breach (if a technological solution isn t possible). Cloud Computing Where a data Controller uses a Cloud Services what security should the controller look to verify? A data controller should assess and verify the technical and organisational security measures of the cloud provider. Our cloud computing guidance has some useful information on this matter at pages 13 and 14: Data Processors As a commissioner would a local authority be responsible for organisational and technical measures deployed by a provider of services notwithstanding contractual safeguards. The vast majority of local government private sector partners, in our experience, do not have even the most basic of controls in place. Is this an area the ICO has concerns about?

3 As explained during the webinar, if a private sector partner is considered to be a data processor, processing data on behalf of the local government organisation as data controller, then it will be the council s responsibility to ensure the processor has appropriate measures in place. The ICO would not be able to take action against data processors in these circumstances. Example breaches Can you give some examples of breaches? There are many examples of breaches by data controllers, and the action we ve taken, on our website: Data retention What does legislation say around reducing the amount of data held by local goverments? What data can be deleted and after how long? What is the legislation/regulation of removing the data? The fifth data protection principle states personal data shall be accurate and, where necessary, kept up to date. The Act provides no further guidance on what data can be deleted, or how long it should be kept for. Instead, we would expect organisations to consider industry guidelines and to develop their own retention and disposal schedules. Sports car case study Wasn t the theft from a sports car from the director of the company - possibly a one man band? The driver of the sports car was a temporary social worker, working for a local authority at the time of the theft. The local authority was

4 considered to be the data controller in respect of the data on the laptop. Paper files Surely evaluation of whether there was an alternative to carrying paper would be carried out? Yes, we would firstly expect organisations to consider whether taking personal data, in the form of paper records, out of the office was necessary. Then, we would expect them to minimise any personal data, perhaps by anonymising it. If personal data still needed to be transported externally, we would expect this to be done securely, for example by using lockable bags. Examples of good practice Has any local authority been able to demonstrate a good way of reducing human errors. Such as ideas over and above mandatory training, awareness s, posters etc? Some points of good practice arising from cases are as follows: Organisations developing local procedures specific to jobs ie not just relying on their overarching data protection policy. Implementing measures such: end port control; removing autocomplete; secure printing; configuring Outlook so that the sender is required to confirm addresses twice before sending; regularly reviewing contact lists to make sure they are up to date, deferring the sending of s for a short time (which allows the organisation to correct a mistake if the sender realises they have clicked on the wrong ); only using addresses from contact lists.

5 The ICO often sends sensitive information to my organisation via non-secure so just wondered what the ICO approach is? The ICO abides by the Government Security Classification guidance when transmitting information at the level of Official: Information sent to other government or trusted organisations is sent using the PSN or protected using encryption. Subject to local business policies and procedures, information may be ed or shared unprotected to external organisations/individuals. Where more sensitive information is shared with individuals or organisations, we take steps to ensure appropriate levels of security. This is in line with GSC guidance: ta/file/251480/government-security-classifications-april-2014.pdf (page 23).