Criminal Injuries Compensation Authority. Data protection audit report

Transcription

1 Criminal Injuries Compensation Authority Data protection audit report Executive summary January 2016

2 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. The Criminal Injuries Compensation Authority (CICA) has agreed to a consensual audit by the ICO of its processing of personal data. A meeting was held on 17 September 2015 with representatives of the ICO and CICA to identify and discuss the scope of the audit. executive summary 2 of 6

3 2. Scope of the audit Following pre-audit discussions with CICA, it was agreed that the audit would focus on the following areas: a. Security of personal data The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form. b. Subject access requests (SAR) - The procedures in operation for recognising and responding to individuals requests for access to their personal data. c. Freedom of information (FOI) The processes in place to respond to any requests for information and the extent to which FOI responsibilities, policies and procedures, training, performance controls, and compliance reporting mechanisms are in place and in operation throughout the organisation. executive summary 3 of 6

4 3. Audit opinion The purpose of the audit is to provide the Information Commissioner and CICA with an independent assurance of the extent to which CICA, within the scope of this agreed audit is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA. Overall Conclusion Reasonable assurance There is a reasonable level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified some scope for improvement in existing arrangements to reduce the risk of non compliance with the DPA. executive summary 4 of 6

5 4. Summary of audit findings 4.1 Areas of good practice CICAs protocols are reviewed on an annual basis to ensure they are up to date and fit for purpose. A review schedule is maintained and relevant managers are contacted when reviews are due. Protocols are published and made available to staff via the intranet. Information champions have been identified and act as a point of contact within departments to provide data protection advice. Their responsibilities are set out within a terms of reference document and include raising staff awareness and establishing a culture of good information handling, identifying and assessing disclosure issues and risks and reviewing emerging issues and incidents for escalation. All staff complete a mandatory annual Civil Service Learning (CSL) e-learning module on managing information. In addition, staff attend sessions and workshops on Subject Access Requests (SAR) as part of the CICA information handling awareness programme. Further workshops on the data protection principles are planned as part of this ongoing programme. CICA staff had a good understanding of how to recognise both a SAR and Freedom of Information (FOI) request. In addition they demonstrated an awareness of the importance of ensuring these requests are passed to the correct department promptly due to the legal response times. 4.2 Areas for improvement CICA should review and update their website in order to guide requesters on how to make a SAR. In addition CICA should create a standard fair processing notice that must be shared with new clients, either verbally or in writing, and make this available on their website to outline the type of personal data that may be shared and the circumstances when this would occur. A quality assurance process for SARs should be developed to include a proportion of responses to be reviewed on a regular basis. This will ensure the accuracy of redactions and a correct and consistent application of the exemptions. Third party contracts and agreements with CICA should be reviewed to ensure staff, contractors, clients, and customers are aware of how the FOIA may affect them. CICA should make it clear that as a public body they are subject to the FOIA and must consider any request received. executive summary 5 of 6

6 The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of the Criminal Injuries Compensation Authority. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. executive summary 6 of 6