Data protection for commissioners

Transcription

1 Data protection for commissioners Vicky Cetinkaya, Senior Policy Officer, Strategic Liaison Katie Hanrahan, Lead Auditor, Good Practice 2 July 2015

2 The Information Commissioner s Office

3 What does the DPA cover? The DPA is concerned with the processing of personal data. Obligation to comply with the DPA rests with the data controller. Provides a framework that data controllers processing personal data must comply with.

4 The eight data protection principles

5 Background Sector chosen due to significant volumes of SPD - high risk Project initially designed to identify and highlight common problems, themes and issues as well as good practice 20 agencies invited, mainly in NW & London - 10 took part Organisations identified via Consortium for Voluntary Adoption Agencies/BAAF websites or previous ICO contact Follow-up survey of 100 LAs 17 took part

6 Typical information & processing Organisations process and retain sensitive personal data relating to foster carers, adoptive parents, looked after children & their families and third parties Information used to assess suitability to foster / adopt Other personal information also used by local authorities and agencies to match carers with children, facilitate placements and assess the success of placements

7 IFP key findings/issues Insecure exchange of personal data Highly sensitive unencrypted personal information routinely ed between IFPs and local authorities and vice versa. Contributing factors: Local authorities reluctant to deal with encrypted s due to technical concerns. IFPs often send foster carer information without encryption to prevent delays that might jeopardise their commercial relationship with local authorities.

8 IFP key findings/issues (cont ) Mobile device encryption Extensive use of unencrypted mobile devices to store / process / transport sensitive personal data. Carer reports/diaries - Processing of information by carers about looked after children on home computers and in the cloud. Homeworking Staff using home computers for business purposes and lack of suitable controls. Training - Data protection/information security training is often lacking.

9 Other findings Passwords controls are not robust Secure printing procedures not widely adopted Endpoint restrictions often not in place Majority did not have data protection/information security policies Only a few had security incident/breach reporting and management procedures Retention and disposal procedures/schedules are not in place or not operating effectively

10 LA survey results 47% Said their employer either didn t record whether DP/IG policies had been read or they didn t know

11 LA survey results 31% Received DP/IG refresher training less frequently than every two years 17% never received it

12 LA survey results 59% Didn t receive any role-specific DP training

13 LA survey results 57% Never checked manual records out or in

14 LA survey results 50% Potentially hold sensitive personal data of parents deemed unsuitable for placements for longer than necessary 28% retain it indefinitely!

15 LA survey results 31% Either could not accept encrypted s or did not know if they could

16 Recommendations for LA fostering & adoption teams Encrypt s/attachments containing SPD Anonymise children s data initially when matching Maintain DP/IG policies; ensure staff read & understand them DP training is timely, monitored, refreshed & role specific Records removed from office are tracked and monitored Retention & disposal schedules for manual & electronic files

17

18

19 Telford & Wrekin Council 90, Foster Care Assessment provided to the wrong family member. Names and address of foster carers provided to mother in Placement Information record.

20 Norwood Ravenswood Ltd 70, Background reports regarding children in care left on prospective adopter s door step. Reports disappeared and were not recovered

21 Devon County Council 90, Social worker printed wrong adoption panel report and sent to a family with no connection to the case Report contained highly SPD concerning a disabled couple whose child was being considered for adoption.

22 Halton Borough Council 70, Clerical officer sent letter to birth mother containing the name and address of birth parents. Birth grandparents contacted adoptive parents

23 Moray Council Undertaking Detailed reports relating to adoption of two children plus less detailed reports on other children left in café.

24 Enforcement case - no further action Local authority Letter containing adoptive parents address sent to birth family in error resulted in family having to be rehoused

25 Enforcement case - no further action Local authority Adoption report sent to incorrect address as an attachment it wasn t encrypted.

26 Organisational Measures Technical measures Awareness HUMAN ERROR

27 Summary Consistent findings Support our concerns Improvements necessary Advice and support

28 How the ICO can help The Guide to data protection Subject access code of practice Data sharing code of practice and checklists Advisory visit outcomes reports

29 ICO advice and guidance - ICO guidance - ICO helpline ICO casework@ico.org.uk

30 Keep in touch Subscribe to our e-newsletter at or find us on