Cambridgeshire Constabulary. Data protection audit report


Cambridgeshire Constabulary
Data protection audit report
Executive summary
November 2014

1. Background

The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation's processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit.

The Information Commissioner's Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach.

Cambridgeshire Constabulary (the Constabulary) has agreed to a consensual audit by the ICO of its processing of personal data.

An introductory meeting was held on 18 June 2014 with representatives of the Constabulary to identify and discuss the scope of the audit.

ICO data protection audit report executive summary 2 of 7

2. Scope of the audit

Following pre-audit discussions with the Constabulary, it was agreed that the audit would focus on the following areas:

Records management - The processes in place for managing both manual and electronic records containing personal data. This will include controls in place to monitor the creation, maintenance, storage, movement, retention and destruction of personal data records.

Subject access requests - The procedures in operation for recognising and responding to individuals' requests for access to their personal data.

Data sharing - The design and operation of controls to ensure the sharing of personal data complies with the principles of the Data Protection Act 1998 and the good practice recommendations set out in the Information Commissioner's Data Sharing Code of Practice.

3. Audit opinion

The purpose of the audit is to provide the Information Commissioner and the Constabulary with an independent assurance of the extent to which the Constabulary, within the scope of this agreed audit, is complying with the DPA.

The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA.

Overall Conclusion

Limited assurance

There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.

We have made two limited and one reasonable assurance assessments where controls could be enhanced to address the issues which are summarised below.

4. Summary of audit findings

Areas of good practice

The Constabulary has appointed a single point of contact for the development of Information Sharing Agreements (ISAs) who is responsible for conducting an adequacy check prior to final sign off of each agreement, ensuring that ISAs are regularly reviewed, and for maintaining an up to date record of all ISAs. Further to this an electronic system is used to aid the ISA review process which sends automated reminders to the owner of each ISA one month prior to the schedule due date.

The Constabulary's website contains a comprehensive privacy notice with a dedicated subject access request (SAR) section which provides further information for individuals and a link to the SAR Application Form. It also includes the process document for national PNC requests via the ACPO Criminal Records Office.

The Constabulary maintains a robust information risk management framework which includes a process to ensure that all information risks are reviewed regularly and that appropriate risk owners have been identified for all information management risks.

The Constabulary has procedures in place to control access to IT systems for starters, movers and leavers which combine manual and automated processes such as Active Directory and completion of a Security Operating Procedures User Agreement and System User Training.

Areas for improvement

The Constabulary does not currently have a performance framework or key performance indicators in place for measuring its data protection compliance. There is limited reporting of performance information in relation to SAR processing and data sharing and the effectiveness of, and performance against, records management processes and policies. Neither are they being formally monitored by the Information Management Strategy Group or other appropriate forum. In addition, the Constabulary does not currently feature records management audits as part of its regular audit cycle.

Despite having some effective controls in place the Constabulary is aware that information sharing is taking place that is not supported by formal ISAs that have been approved by the relevant individual(s). Further to this the Information Security Officer, who serves three forces, Cambridgeshire, Bedfordshire and Hertfordshire, has no involvement in ensuring the security section of ISAs is compliant with the force's information security requirements.

A process for dip sampling responses to requests for information has been established, however these checks are only conducted post disclosure, which significantly reduces their effectiveness. Of the records sampled in the quarter before the audit several were found to contain errors after this information had been disclosed.

The Constabulary has outlined its position in relation to the management of information in both paper and electronic form in a Joint Information Management Strategy with Bedfordshire and Hertfordshire Constabularies. However, compliance with this Strategy is not being mandated across the organisation and operational staff are largely unaware of this document or any guidance outlining the Constabulary's position in relation to records management.

The Constabulary does not have a training strategy in place that incorporates information management training. Further to this there has been no analysis or assessment of the training requirements of roles with specific duties in relation to records management, and job descriptions for some of these roles are out of date. In some instances training requirements have been outlined within policy or procedure documents but these requirements have not been met. Staff are not required to complete any refresher training in any information assurance topics such as data protection, information security or records management.

The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement.

The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rests with the management of Cambridgeshire Constabulary.

We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.


More information

Data Protection for Schools Compliance Checklist

Data Protection for Schools Compliance Checklist Data Protection for Schools Compliance Checklist Here is a simple bullet point list of actions your school should take to work towards compliance with the Data Protection Act. It is a non - exhaustive

More information

Trust Board Meeting: Wednesday 12 November 2014 TB

Trust Board Meeting: Wednesday 12 November 2014 TB Trust Board Meeting: Wednesday 12 November 2014 Title Update on Information Governance: Mid-Year Selfassessment against Information Governance Toolkit Status History For discussion Bi-annual Update Board

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

Human Resources and Data Protection

Human Resources and Data Protection Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council

More information

Final Version 1.0 December 2015

Final Version 1.0 December 2015 Final Version 1.0 December 2015 Contents Page 1 Introduction...2 2 Charter Principles...2 3 Scope...2 4 Partner Commitment...3 5 Governance...4 6 The Lawful basis and Legal Requirements...5 7 Personal

More information

Internal Audit Report Payment Card Industry Data Security Standard

Internal Audit Report Payment Card Industry Data Security Standard REPORT TO: Audit and Governance Committee MEETING DATE: 18 September 2012 BY: SUBJECT: Internal Audit Report Payment Card Industry Data Security Standard 1 PURPOSE 1.1 To inform the Audit and Governance

More information

IT asset disposal for organisations

IT asset disposal for organisations ICO lo Data Protection Act Contents Introduction... 1 Overview... 2 What the DPA says... 3 Create an asset disposal strategy... 3 How will devices be disposed of when no longer needed?... 3 Conduct a risk

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Review of Internal Audit. Ribble Valley Borough Council Audit 2008/09 Date June 2009

Review of Internal Audit. Ribble Valley Borough Council Audit 2008/09 Date June 2009 Review of Internal Audit Ribble Valley Borough Council Audit 2008/09 Date June 2009 Contents Introduction 3 Background 4 Audit approach 5 Main conclusions 6 Detailed report 7 The Way Forward 13 Appendix

More information

Information Governance Standards in Relation to Third Party Suppliers and Contractors

Information Governance Standards in Relation to Third Party Suppliers and Contractors Information Governance Standards in Relation to Third Party Suppliers and Contractors Document Summary Ensure staff members are aware of the standards that should be in place when considering engaging

More information

Little Marlow Parish Council Registration Number for ICO Z3112320

Little Marlow Parish Council Registration Number for ICO Z3112320 Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with

More information

Cumbria Constabulary. Business Continuity Planning

Cumbria Constabulary. Business Continuity Planning Cumbria Constabulary Business Continuity Planning 0 Cumbria Shared Internal Audit Service Images courtesy of Carlisle City Council except: Parks (Chinese Gardens), www.sjstudios.co.uk, Monument (Market

More information

Data Protection HEADLINE PART Developments: Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance

Data Protection HEADLINE PART Developments: Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance Data Protection HEADLINE PART Developments: 1 Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance Sub-headline Arial 18pt dark gray Optional Name Arial 13pt italic white Venue

More information

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection for the Guidance Counsellor. Issues To Plan For Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY INFORMATION GOVERNANCE POLICY Page 1 of 46 Policy Title: Executive Summary: Information Governance Policy This policy seeks to identify the actions required to ensure that information is appropriately

More information

Internal audit report Information Security / Data Protection review

Internal audit report Information Security / Data Protection review Audit Committee 29 September 2011 Internal audit report Information Security / Data Protection review Executive summary and recommendations Introduction Mazars have undertaken a review of Information Security

More information

Information Security Policy

Information Security Policy Information Security Policy Version 2 Date Approved by Board 8 March 2016 Date of previous approval 4 February 2014 Date of next Review February 2018 You may also be interested in the following policies:

More information

Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary

Police and Crime Commissioner for Avon and Somerset and Avon and Somerset Constabulary Avon and Somerset Constabulary Traffic Accidents Internal Audit Report (10.12/13) 12 February 2013 Overall Opinion: Amber/Green CONTENTS Section Page Executive Summary 1 Action Plan 5 Findings and Recommendations

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Policy Details Produced by Assistant Principal Information Systems Date produced Approved by Senior Leadership Team (SLT) Date approved July 2011 Linked Policies and Freedom of Information

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Request for information on the document re: cloud and secure storage posted on the DfE website, response provided by DfE and Schools Commercial team: The focus of the project is on data security/safety

More information

Arizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015

Arizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015 This page left blank intentionally. Summary The Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit was included on the Arizona State University (ASU) FY 2015 annual audit plan approved

More information