Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1
Document History

Document Purpose: To provide a corporate policy for the management of any Security Incidents and Data Breaches
Document developed by: Principal Information Governance Officer
Document Location: This document is located on the council's web site and on the network at:

Revision
Revision date: January 2015
Version: Final v2.1
Status: Awaiting approval by the II&VFM board
Summary of changes: Addition made to section 9 to inform the relevant Caldicott Guardian of breaches in either Social Services or Public Health.

Approvals
Head of Information Management: Lead the review of the framework and policies
Assistant Director, Business Support: Oversee the document through the council's approval process
Improvement & VFM Group: Approve the Framework and the Freedom of Information Act Policy and any changes made, recommending adoption to the Cabinet Member
Cabinet: Approve the review of the framework and policies

Page 2 of 19
Contents

Document History ... 2
Contents ... 3
Introduction
  1. Policy Statement
  2. Purpose
  3. Scope
  4. Implementation and Review Schedule
  5. Legislation
  6. Types of Security Incident ... 5
Reporting Serious Security Incidents (Including potential or actual data breaches) - Responsibility of Council Departments
  7. Identification and Classification of serious security incidents ... 6
Other Policies - Joint Responsibility between Departments & the Investigation Lead
  8. Links to other Departments ... 7
Data Breach Management Plan - Responsibility of Information Governance
  9. Breach Management Plan
  9.1 Containment and Recovery
  9.2 Assessment of Ongoing Risk / Investigation
  9.3 Notification
  9.4 Review and Evaluation
  10. Information Governance Contact Details
Serious Security Incident (Non Data Breach) - Responsibility of Security Incident Team
  11. Serious Security Incident Management Plan
  12. Containment and Recovery
  13. Assessment of Ongoing Risk / Investigation
  14. Review and Evaluation
  15. Serious Security Incident Group
Appendices
Introduction

1. Policy Statement

North Lincolnshire Council is responsible for protecting the information it holds and is legally required under the Data Protection Act 1998 to ensure the security and confidentiality of personal information processed. These responsibilities also apply to other organisations working on behalf of the council.

Every care is taken to protect information and to avoid a security incident, especially where the result is a data breach, when personal information is lost or disclosed inappropriately to an unauthorised person. In the unlikely event of such a security incident it is vital that appropriate action is taken to minimise any associated risk as soon as possible. We will investigate all security incidents classified as serious using a set plan and follow a Breach Management Plan in the event of a data breach.

2. Purpose

The purpose of this policy is to ensure a standardised management approach throughout the council in the event of a serious security incident, including the handling of a data breach. Security incident management is the process of handling security incidents in a structured and controlled way, ensuring security incidents are dealt with:
- Speedily and efficiently;
- Consistently;
- To ensure damage is kept to a minimum;
- To ensure the likelihood of recurrence is reduced by the implementation of appropriate measures.

3. Scope

This policy applies to all information held by the council and to organisations working on behalf of the council who have access to our information. Schools may choose to adopt this policy, but where this is not the case it is expected that they will have their own appropriate policy.
4. Implementation and Review Schedule

This policy takes effect immediately and all managers should ensure employees are aware of security incident requirements. If employees have any queries they should discuss these with their line manager or the Information Governance Team. This policy may need to be reviewed after a security incident or data breach, or after legislative changes, new case law or new guidance. Ordinarily an annual review should take place.

5. Legislation

The council has an obligation to abide by all relevant UK and European legislation. The acts that apply include but are not limited to:
- Data Protection Act
- Computer Misuse Act
- Criminal Damages Act

The Data Protection Act 1998 provides a regulatory framework for the processing of personal information, including the holding, use or disclosure of such information. Principle seven of this Act requires that an organisation complies with the following for personal information: appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information.

6. Types of Security Incident

This policy addresses the reporting and handling of serious security incidents, including those involving a data breach. A security incident is classified as serious when the incident:
- Involves actual or potential failure to meet the requirements of information legislation such as the Data Protection Act 1998;
- Potentially involves or could lead to a data breach.

Some examples of serious security incidents are:
- Loss or theft of IT equipment or information;
- Disclosing personal information to someone not authorised to have it;
- Unauthorised access to information;
- Breach of physical building security;
- Uploading personal information to a website in error;
- Human error resulting, for example, in personal information being left in an insecure location;
- Unforeseen circumstances such as fire or flood;
- Hacking into IT systems;
- Blagging offences, where information is obtained by deception.

Reporting Serious Security Incidents (Including potential or actual data breaches) - Responsibility of Council Departments

7. Identification and Classification of serious security incidents

This section is about reporting the serious security incident (including a data breach) to the Security Incident Group, classifying the incident and taking appropriate mitigating action. The Security Incident Group is made up of the following employees:
- Principal Information Governance Officer;
- Unified Communications Manager;
- IT Customer Quality Manager;
- Senior Auditor.

7.1 The person who discovers/receives a report of a serious security incident must inform a manager. This should ideally be the manager responsible for the department in which the incident has occurred, but if this is not possible another manager should be informed. If the incident occurs or is discovered outside normal working hours this should be done as soon as practicable. The manager must then report the serious security incident to the Security Incident Group as soon as possible.

7.2 The manager should identify into which of the following three categories the incident fits:
a) An actual or suspected data breach.
b) An IT serious security incident that is not a data breach.
c) Another type of serious security incident that puts personal information at risk but is not a data breach.
Appendix A provides further information to assist with categorisation of serious security incidents.

7.3 The manager should accurately record details of the incident and provide the following information to the Security Incident Group, using the form shown as Appendix B:
- Date and time of security incident / period of time occurred.
- Date and time security incident detected.
- Who reported the security incident?
- Description of the security incident.
- Type of security incident (see section 6.0).
- Approximate number of data subjects affected.
- Details of any council ICT systems or third party systems involved.
- Details of any action taken to minimise / mitigate the effect on data subjects.
- Details of anyone who is aware of the security incident.
- Brief details of supporting material held by the service (material which either confirms the security incident or is related to the security incident).
- Details of any contractors or sub contractors involved.

7.4 Details of serious security incidents can be very sensitive and any sensitive information must be handled with discretion and only disclosed to those who need to know the details.

7.5 Employees or others working on behalf of the council must not attempt to deal with a security incident (other than reporting the incident).

7.6 The Security Incident Group will determine who should lead an investigation and the lead will appoint an Investigation Team. Employees must not attempt to conduct their own investigations, unless authorised to do so, to ensure evidence is not destroyed.

7.7 The council's Senior Information Risk Owner (SIRO) and the relevant director are ultimately responsible for making any decisions.

7.8 In some circumstances security incidents should also be reported to GovCertUK and the NHS Information Governance Team, using the details shown in Appendix D and by following published procedures from these other organisations.

Other Policies - Joint Responsibility between Departments & the Investigation Lead

8. Links to other Departments

Sometimes a security incident will be identified during an internal investigation under another council policy. Alternatively, during a security incident investigation it may be found necessary to inform another council department of the incident.

8.1 Officers who identify a serious security incident as part of another policy investigation should complete the Security Incident form shown in Appendix B and forward it to the relevant lead from the Security Incident Group. When this other investigation is complete, relevant details should be provided to the Security Incident Group lead.
8.2 Where a security incident occurs that may affect another department or a school, the Security Incident Group lead will contact the relevant senior manager or school.

8.3 Any decision to take disciplinary action will be in line with the council's Disciplinary Policy.

8.4 The data breach or serious security incident report will be concluded when all other relevant investigations are complete.

Data Breach Management Plan - Responsibility of Information Governance

9. Breach Management Plan

The Information Governance Team will lead all data breach investigations and will follow the Information Commissioner's Office (ICO) suggested Breach Management Plan:
1. Containment and recovery.
2. Assessment of ongoing risk.
3. Notification of breach.
4. Evaluation and response.

9.1 Containment and Recovery

Containment and recovery involves limiting the scope and impact of the data breach, and stemming it as quickly as possible.

A senior member of the Information Governance Team will inform the relevant Director(s) and Legal Services.

A senior member of the Information Governance Team will ascertain who should contact whom, both within the council and externally. If illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future, a Director, in conjunction with a senior member of the Information Governance Team and the Head of Audit, Risk and Insurance, must consider whether the police need to be informed. An example of illegal activity is theft.

A senior member of the Information Governance Team will lead an investigation and to do so will create an Investigation Team, made up of key officers, including Internal Audit. Where the breach involves social service or health information the relevant Caldicott Guardian will be informed. Where contractual arrangements with other organisations are involved, advice will be sought from Legal Services about how to proceed and the investigation will be led in conjunction with the Contract Manager.
9.1.4 A senior member of the Information Governance Team will lead the Investigation Team to quickly take appropriate steps to ascertain full details of the breach, determine whether the breach is still occurring, recover any losses and limit the damage. Steps might include:
- Attempting to recover any lost equipment or personal information.
- Shutting down an IT system.
- Contacting the council's Contact Centre and other key departments so that they are prepared for any potentially inappropriate enquiries about the affected data subjects. If an inappropriate enquiry is received, staff should attempt to obtain the enquirer's name/contact details and confirm that they will ring the enquirer back.
- The Information Governance Team organising, with the approval of the Communications Team, for a council-wide email to be sent.
- Contacting the Communications Team so they can be prepared to handle any press enquiries or to make any press releases.
- The use of back-ups to restore lost, damaged or stolen information.
- If bank details have been lost/stolen, consider contacting banks directly for advice on preventing fraudulent use.
- If the data breach includes any entry codes or passwords then these codes must be changed immediately, and the relevant organisations and members of staff informed.

9.2 Assessment of Ongoing Risk / Investigation

The next stage of the management plan is for the Investigation Team to investigate the breach and assess the risks arising from it.

The Investigation Team should ascertain whose information was involved in the breach, the potential effect on the data subjects and what further steps are required to remedy the situation.

The investigation should consider:
- The type of information.
- Its sensitivity.
- How many individuals are affected by the breach?
- What protections are in place (e.g. encryption)?
- What happened to the information?
- Whether the information could be put to any illegal or inappropriate use.
- What could the information tell a third party about the individual?
- How many people are affected?
- What types of people have been affected (the public, suppliers, staff etc)?
- Whether there are wider consequences to the breach.

A senior member of the Information Governance Team should keep a clear report detailing the nature of the breach, steps to preserve evidence, the assessment of risk/investigation, the actions taken to mitigate the breach, any notifications made and recommendations for future work/actions. See Appendix C for more information about preserving evidence.

The initial investigation should be completed urgently and wherever possible within 24 hours of the breach being discovered/reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.

9.3 Notification

A senior member of the Information Governance Team, after seeking legal advice and working with the Investigation Team, should decide whether anyone, such as the Information Commissioner's Office (ICO) or the data subjects, should be notified of the breach. A senior member of the Information Governance Team will make any notifications to the ICO. The Investigation Team will decide whether and how anybody else should be notified. Directorates must not make any notifications directly.

Every incident will be considered on a case-by-case basis, but if the breach is significant and involves personal information the ICO should be notified. There is guidance on the ICO website about how and when to notify.

The following points will be used to assist in deciding whether to notify an organisation such as the ICO or the data subjects:
- Do we have any legal/contractual obligations in relation to notification?
- Would notification help prevent the unauthorised or unlawful use of the personal information?
- Could notification make the unauthorised or unlawful use of the personal information more likely?
- Could notification help the data subject? Could they act on the information to mitigate risks?
- If the information is personal or sensitive personal in nature and there are large numbers of data subjects involved or possible serious consequences, we should notify the ICO.
- The dangers of over-notifying, which may cause disproportionate enquiries and work.

Notifications should include a description of how and when the breach occurred, what information was involved and what has already been done to mitigate the risks.

When notifying data subjects, specific and clear advice should be given on what individuals can do to protect themselves and what the council can do to assist them. Details should be provided of how to make a complaint to the council and how to appeal to the Information Commissioner.

9.4 Review and Evaluation

Once the initial after-effects of the breach are over, a senior member of the Information Governance Team should fully review both the causes of the breach and the effectiveness of the response to it, and work with Internal Audit to determine if any further control improvements are required.

The Head of Information Governance will write a report for the Council Management Team (CMT).

The Principal Information Governance Officer will inform the Information Security Forum of high level details of the breach.

If issues are identified an action plan must be drawn up to put these right.

10. Information Governance Contact Details

Please do not leave a voicemail or an email to report a data breach. Always speak with somebody in the Information Governance Team. The main contacts are:

Principal Information Governance Officer: Phillipa Thornley
Telephone:
Email: phillipa.thornley@northlincs.gov.uk

Strategy and Information Governance Manager: Rachel Johnson
Telephone:
Email: Rachel.johnson@northlincs.gov.uk

Head of Information Management: Chris Daly
Telephone:
Email: chris.daly@northlincs.gov.uk
Serious Security Incident (Non Data Breach) - Responsibility of Security Incident Team

11. Serious Security Incident Management Plan

The most relevant member of the Security Incident Group, or an employee appointed by the team, would lead a serious security incident investigation that did not involve a data breach. The following Management Plan should be followed:
1. Containment and recovery.
2. Assessment of ongoing risk.
3. Evaluation and response.

12. Containment and Recovery

Containment and recovery involves limiting the scope and impact of the serious security incident, and stemming it as quickly as possible.

The lead officer from the Security Incident Group will ascertain who should contact whom, both within the council and externally. If illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future, a Director, in conjunction with a senior Manager and the Head of Audit, Risk and Insurance, must consider whether the police need to be informed. An example of illegal activity is theft.

The appointed lead of the serious security incident investigation will lead an investigation and to do so will create an Investigation Team, made up of key officers, including Internal Audit. Where contractual arrangements with other organisations are involved, advice will be sought from Legal Services about how to proceed and the investigation will be led in conjunction with the Contract Manager.

Full details of the incident should be determined and mitigating action such as the following should be taken to limit the impact of the incident:
- Attempting to recover any lost equipment or personal information.
- Shutting down an IT system.
- The use of back-ups to restore lost, damaged or stolen information.
- Making a building secure.
- If the incident involves any entry codes or passwords then these codes must be changed immediately, and the relevant organisations and members of staff informed.
13. Assessment of Ongoing Risk / Investigation

The next stage of the management plan is for the Investigation Team to investigate the serious security incident and assess the risks arising from it.

The Team should ascertain what information was involved in the serious security incident and what steps are required to remedy the situation.

The investigation should consider:
- The type of information.
- Its sensitivity.
- What protections are in place (e.g. encryption)?
- What happened to the information?
- Whether there are wider consequences to the incident.

The appointed lead of the Security Incident Investigation should keep a clear report detailing the nature of the incident, steps taken to preserve evidence, the assessment of risk/investigation, any mitigating actions taken and any recommendations for future work/actions. See Appendix C for more information about preserving evidence.

The initial investigation should be completed within an agreed timeframe.

14. Review and Evaluation

Once the initial after-effects of the serious security incident are over, the Information Security Forum should fully review both the causes of the incident and the effectiveness of the response to it, and work with Internal Audit to determine if any further control improvements are required.

The Security Incident Group lead should update the Information Security Forum with details of the incident.

If issues are identified an action plan must be drawn up to put these right.
15. Serious Security Incident Group

Please do not leave a voicemail or an email to report a serious security incident. Always speak with somebody from the following list of contacts:

Unified Comms Manager: Paul Smith
Telephone:
Email: paul.smith@northlincs.gov.uk

IT Customer Quality Manager: Carl Render
Telephone:
Email: carl.render@northlincs.gov.uk

Senior Auditor: Stuart Anderson
Telephone:
Email: stuart.anderson@northlincs.gov.uk

Principal Information Governance Officer: Phillipa Thornley
Telephone:
Email: phillipa.thornley@northlincs.gov.uk
Appendices

Appendix A: Guidelines for the Categorisation of Serious Security Incidents

Actual or Suspected Data Breach. Examples include:
- Use of viruses or spyware software;
- Use of illegal or unauthorised software or information;
- Fraud or forgery;
- Unauthorised use of the council IT network or systems;
- Unauthorised use of another user's profile (masquerading of user identity);
- Divulging a password to another user without authority;
- Unauthorised access to council information classified as personal or confidential;
- Unauthorised alteration or deletion of council information;
- Unauthorised copying of council information;
- Wilful damage to council IT equipment or property;
- Unauthorised access to council offices;
- Unauthorised removal of council property or information;
- Theft or loss of IT equipment containing council information.

IT Serious Security Incident (Not a Data Breach). Examples include:
- IT network attack;
- Use of viruses or spyware;
- Unauthorised access to the council's IT network and systems;
- Theft or damage to IT equipment.

Other Serious Security Incident (Not a Data Breach). Examples include:
- Fire;
- Flood;
- Storm damage;
- Power supply failures & fluctuations;
- Terrorist and bomb attacks, including suspicious packages;
- Unauthorised access to council premises;
- Theft of or damage to council property.
Appendix B: Serious Security Incident and Data Breach Form

Contact details of person submitting form
1. Name
2. Job Title
   Address
   Telephone Number
   Email Address

Incident Information
3. Date / Time of Breach or Period of Time
   Date / Time Breach Detected
   Who / What Reported the Breach?
   Description of the Breach
   Type of breach (see section 6.0 for list)
   Approximate number of Data Subjects affected
   Details of Council ICT / 3rd Party ICT Systems Involved
   Details of any action taken to minimise / mitigate the effect on the data subjects
4. Who is aware of this data breach?
   Brief Details of Supporting Information held by Department
   Details of any Contractors / Sub Contractors Involved
Appendix C: Guidelines for Preserving Evidence

Where appropriate the Investigation Team must follow these steps to preserve evidence:
- Keep a log of all events showing how evidence was collected, analysed, transported and preserved;
- Where possible, mark evidence with the date, time and name of the collector and witnesses;
- If relevant, dump computer contents from memory to a file and take a back-up of the file;
- If relevant, make an image (copy) of the computer hard drive(s), which will be used for further analysis to ensure that the evidence on the original system is unharmed;
- If relevant, IT system logs (both current and archived) should be preserved to provide evidence of the incident discovered, as well as any previous incidents.
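Appendix C asks the Investigation Team to log how each piece of evidence was collected, analysed, transported and preserved, and to mark every item with the date, time, collector and witnesses. The Python example below is added here to show one way of keeping such a chain-of-custody log in code; it is not part of the council's policy and not council tooling. Everything in it is an assumption of the example: the class and function names, the constructed incident reference INC-0001, the constructed sample "disk image" file, and the use of a SHA-256 digest to demonstrate that a preserved copy is unchanged, which the policy itself does not require.

```python
"""Chain-of-custody log for preserved evidence.

Added example: not the council's policy text nor any council tooling. It applies
Appendix C in code: each collection, analysis, transport or preservation event is
logged with date/time, the person acting and any witnesses, and each preserved item
(a memory dump, a disk image, an exported system log) is recorded with a SHA-256
digest so that later handling can show the copy is unchanged. The digest check and
all names below are assumptions of this example, not requirements of the policy.
"""
import hashlib
import json
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional, Sequence


def sha256_of_file(path: Path) -> str:
    """Hash in 1 MiB chunks so a large disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyEvent:
    timestamp: str            # ISO-8601 UTC time the event was logged
    action: str               # collected / analysed / transported / preserved / verified
    item_id: str              # evidence label, e.g. "INC-0001/E1" (constructed)
    actor: str                # person performing the action (the "collector")
    witnesses: List[str]
    digest: Optional[str]     # SHA-256 of the item as known at this event
    note: str = ""


@dataclass
class EvidenceLog:
    incident_ref: str
    events: List[CustodyEvent] = field(default_factory=list)
    collected_digests: Dict[str, str] = field(default_factory=dict)

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def collect(self, item_id: str, path: Path, actor: str,
                witnesses: Sequence[str], note: str = "") -> str:
        """Register a newly preserved item; its digest at collection time is the reference."""
        digest = sha256_of_file(path)
        self.collected_digests[item_id] = digest
        self.events.append(CustodyEvent(self._now(), "collected", item_id, actor,
                                        list(witnesses), digest, note))
        return digest

    def record(self, action: str, item_id: str, actor: str,
               witnesses: Sequence[str] = (), note: str = "") -> None:
        """Log any later handling step (analysed, transported, preserved) for an item."""
        self.events.append(CustodyEvent(self._now(), action, item_id, actor, list(witnesses),
                                        self.collected_digests.get(item_id), note))

    def verify(self, item_id: str, path: Path, actor: str,
               witnesses: Sequence[str] = ()) -> bool:
        """Re-hash the item and log whether it still matches the collected copy."""
        current = sha256_of_file(path)
        intact = current == self.collected_digests.get(item_id)
        self.events.append(CustodyEvent(self._now(), "verified", item_id, actor, list(witnesses),
                                        current, "matches collected copy" if intact
                                        else "MISMATCH: item differs from collected copy"))
        return intact

    def to_json(self) -> str:
        """Serialise the log for the written report that Appendix C asks for."""
        return json.dumps({"incident": self.incident_ref,
                           "events": [asdict(e) for e in self.events]}, indent=2)


def walkthrough() -> dict:
    """Constructed scenario: image a 'drive', transport it, verify, then detect a changed copy."""
    with tempfile.TemporaryDirectory() as workdir:
        image = Path(workdir) / "laptop_disk.img"
        image.write_bytes(b"constructed sample disk image contents\n" * 64)

        log = EvidenceLog("INC-0001")  # constructed incident reference
        log.collect("INC-0001/E1", image, "A. Collector", ["B. Witness"],
                    "image of laptop hard drive; original sealed and stored")
        log.record("transported", "INC-0001/E1", "A. Collector", ["C. Courier"],
                   "to Internal Audit evidence store")
        intact_before = log.verify("INC-0001/E1", image, "D. Analyst")

        # Simulate an accidental write to the working copy; the next check must flag it.
        with image.open("ab") as fh:
            fh.write(b"X")
        intact_after = log.verify("INC-0001/E1", image, "D. Analyst")

        return {"intact_before": intact_before, "intact_after": intact_after,
                "event_count": len(log.events), "report": log.to_json()}


if __name__ == "__main__":
    result = walkthrough()
    print(result["report"])
    print("intact before:", result["intact_before"], "| intact after:", result["intact_after"])
```

Recording the digest at collection time and re-checking it after every transfer is what lets the log show that the copy analysed is the copy collected, which is the point of imaging a drive rather than working on the original system. The mismatch entry is deliberately logged rather than raised as an error, so the chain of custody itself records when and by whom the discrepancy was found.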
Appendix D: Guidelines for Reporting Information Security Incidents

GovCertUK

Follow the link to report a suspected incident within the submission process. In the event of the internet not being available the following details should be used:

CESG's Incident Response Team
The CESG GovCertUK Incident Response team provides a 24/7 (24 hours, 7 days a week) operation, and can be contacted on the following:
Telephone:
Fax:
General Enquiries: Enquiries@govcertuk.gov.uk or govcertuk@cesg.gsi.gov.uk
Incidents and alerts: Incidents@govcertuk.gov.uk or govcertuk@cesg.gsi.gov.uk

During office hours ( hrs) the GovCertUK response team will handle any queries or incidents. Outside office hours, at weekends and on public holidays a duty officer will monitor correspondence and respond to telephone calls, supported by on-call GovCertUK response personnel. GovCertUK provides CESG's CERT function to UK government, assists public sector organisations in the response to computer security incidents and provides advice to reduce exposure to threat.

NHS Information Governance

03&uid=57915&cb=bf5c0062-1c6a-4a69-8b82-a146fe33ec9d&lnv=12&clnav=yes %20Checklist%20Guidance%20V2%200%201st%20June% pdf

Follow the link to report a data breach. The NHS Information Governance Self Assessment requires organisations, such as the council, who are required to complete the assessment to report all data breaches occurring within Adult Social Care.
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationData Protection Policy
Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationCaedmon College Whitby
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
More informationMONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY
MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY Page 1 of 16 Contents Policy Information 3 Introduction 4 Responsibilities 7 Confidentiality 9 Data recording and storage 11 Subject Access 12 Transparency
More informationRECORDS MANAGEMENT POLICY
[Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body
More informationInformation Security Policy London Borough of Barnet
Information Security Policy London Borough of Barnet DATA PROTECTION 11 Document Control POLICY NAME Document Description Information Security Policy Policy which sets out the council s approach to information
More informationInformation Governance Framework. June 2015
Information Governance Framework June 2015 Information Security Framework Janice McNay June 2015 1 Company Thirteen Group Lead Manager Janice McNay Date of Final Draft and Version Number June 2015 Review
More informationDBC 999 Incident Reporting Procedure
DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible
More informationInformation Governance Strategy & Policy
Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information
More informationPRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;
PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal
More informationSTFC Monitoring and Interception policy for Information & Communications Technology Systems and Services
STFC Monitoring and Interception policy for Information & Communications Technology Systems and Services Issue 1.0 (Effective 27 June 2012) This document contains a copy of the STFC policy statements outlining
More informationCork ETB Data Breach Management Policy and Procedures
Cork ETB Data Breach Management Policy and Procedures POLICY ON THE MANAGEMENT OF DATA BREACHES IN SCHOOLS/COLLEGES AND OTHER EDUCATION AND ADMINISTRATIVE CENTRES UNDER THE REMIT OF CORK EDUCATION AND
More informationDATA PROTECTION POLICY
Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection
More informationCorporate ICT & Data Management. Data Protection Policy
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
More informationINFORMATION SECURITY POLICY
INFORMATION SECURITY POLICY Rev Date Purpose of Issue/ Description of Change Equality Impact Assessment Completed 1. June 2011 Initial Issue 2. 29 th March 2012 Second Version 3. 15 th April 2013 Third
More informationSecurity & Data Protection Incident Management Policy London Borough of Barnet
Security & Data Protection Incident Management Policy London Borough of Barnet DATA PROTECTION 11 POLICY NAME Document Description Security and Data Protection Incident Management Policy Policy which sets
More informationSecurity Incident Policy
Organisation Title Author Owner Protective Marking Somerset County Council Security Incident Policy Peter Grogan Information Governance Manager Unclassified POLICY ON A PAGE Somerset County Council will
More informationPolicy Document Control Page
Policy Document Control Page Title Title: Data Protection Policy Version: 3 Reference Number: CO59 Keywords: Data, access, principles, protection, Act. Data Subject, Information Supersedes Supersedes:
More informationIslington Security Incident Policy A council-wide information technology policy. Version 0.7.1 July 2013
A council-wide information technology policy Version 0.7.1 July 2013 Copyright Notification Copyright London Borough of Islington 2014 This document is distributed under the Creative Commons Attribution
More informationColáiste Pobail Bheanntraí
Coláiste Pobail Bheanntraí Seskin Bantry, Co. Cork. Principal: Dr. Kevin Healy B.A, H.D.E, M.Ed, Ed.D Deputy Principal: Mr. Denis O Sullivan, BSc. (Ed.), H.D.E Phone: 027 56434 Fax: 027 56439 E-mail: admin@colaistepobailbheanntrai.com
More informationRHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1
RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1 Revised and effective from 1st April 2012 Document Control Organisation Title Author Filename Owner
More informationLEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction
LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Version 1.3 April 2014 Contents 1 POLICY STATEMENT...2 2 PURPOSE....2 3 LEGAL CONTEXT AND DEFINITIONS...2 3.1 Data Protection Act 1998...2 3.2 Other related legislation.....4 3.3
More informationPRIVACY BREACH MANAGEMENT POLICY
PRIVACY BREACH MANAGEMENT POLICY DM Approval: Effective Date: October 1, 2014 GENERAL INFORMATION Under the Access to Information and Protection of Privacy Act (ATIPP Act) public bodies such as the Department
More informationData Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
More informationInformation Security Incident Management Policy and Procedure
Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure
More informationHERTSMERE BOROUGH COUNCIL
HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act
More informationInformation Security Incident Management Policy
Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation
More informationBOARD OF DIRECTORS PAPER COVER SHEET. Meeting date: 22 February 2006. Title: Information Security Policy
BOARD OF DIRECTORS PAPER COVER SHEET Meeting date: 22 February 2006 Agenda item:7 Title: Purpose: The Trust Board to approve the updated Summary: The Trust is required to have and update each year a policy
More informationPARLIAMENTARY AND HEALTH SERVICE OMBUDSMAN
PARLIAMENTARY AND EALT SERVICE OMBUDSMAN Information Security Breach Policy Version 2.0 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body:
More informationGUIDE TO MANAGING DATA BREACHES
8 MAY 2015 CONTENT PURPOSE OF THE GUIDE 3 INTRODUCTION 4 HOW DATA BREACHES COULD OCCUR 5 RESPONDING TO A DATA BREACH 6 i. DATA BREACH MANAGEMENT PLAN 6 ii. CONTAINING THE BREACH 7 iii. ASSESSING RISK AND
More informationLittle Marlow Parish Council Registration Number for ICO Z3112320
Data Protection Policy Little Marlow Parish Council Registration Number for ICO Z3112320 Adopted 2012 Reviewed 23 rd February 2016 Introduction The Parish Council is fully committed to compliance with
More informationData Protection Policy
Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages
More informationData Protection and Information Security. Procedure for reporting a breach of data security. April 2013
Data Protection and Information Security Procedure for reporting a breach of data security April 2013 Page 1 of 6 Created on: 01/04/2009 Contents 1 Introduction... 3 2 Data Classification... 3 3 What Is
More informationData Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk
Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data
More informationDISASTER RECOVERY PLAN
DISASTER RECOVERY PLAN Data breaches are a threat faced by every business, regardless of size or sector. Whether such an incident is the result of human error or a malicious act, every company needs a
More informationProtection. Code of Practice. of Personal Data RPC001147_EN_D_19
Protection of Personal Data RPC001147_EN_D_19 Table of Contents Data Protection Rules Foreword From the Data Protection Commissioner Introduction From the Chairman Data Protection Rules Responsibility
More informationDATA PROTECTION POLICY
DATA PROTECTION POLICY Approval date: June 2014 Approved by: Board Responsible Manager: Executive Director of Resources Next Review June 2016 Data Protection Policy 1. Introduction Data Protection Policy
More informationUniversity of Liverpool
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
More informationHead of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2
Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
More informationINFORMATION GOVERNANCE AND DATA PROTECTION POLICY
INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy
More informationKEELE UNIVERSITY IT INFORMATION SECURITY POLICY
Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical
More informationInformation Security: Business Assurance Guidelines
Information Security: Business Assurance Guidelines The DTI drives our ambition of prosperity for all by working to create the best environment for business success in the UK. We help people and companies
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationData Protection Policy June 2014
Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:
More informationHuman Resources and Data Protection
Human Resources and Data Protection Contents 1. Policy Statement... 1 2. Scope... 2 3. What is personal data?... 2 4. Processing data... 3 5. The eight principles of the Data Protection Act... 4 6. Council
More informationInformation Incident Management and Reporting Procedures
` Information Incident Management and Reporting Procedures Compliance with all CCG policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may
More informationInformation Governance Policy
Information Governance Policy Reference: Information Governance Policy Date Approved: April 2013 Approving Body: Board of Trustees Implementation Date: April 2013 Version: 6 Supersedes: 5 Stakeholder groups
More informationInformation Circular
Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal
More informationIslington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014
Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document
More informationHow To Protect School Data From Harm
43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationINFORMATION GOVERNANCE POLICY
INFORMATION GOVERNANCE POLICY Including the Information Governance Strategy Framework and associated Information Governance Procedures Last Review Date Approving Body N/A Governing Body Date of Approval
More informationThe CPS incorporates RCPO. CPS Data Protection Policy
The CPS incorporates RCPO CPS Data Protection Policy Contents Introduction 3 Scope 4 Roles and Responsibilities 4 Processing Criminal Cases 4 Information Asset Owners 5 Information Asset Register 5 Information
More informationInformation Governance Management Framework
Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date
More informationCorporate Information Security Management Policy
Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification
More informationData Protection Policy. Information Security Review Group. Version Date Author Notes on Revisions
Document Control Table Document Title: Author(s) (name, job title and Division): Version Number: Document Status: Date Approved: Approved By: Effective Date: Date of Next Review: Superseded Version: Data
More informationBurton Hospitals NHS Foundation Trust. On: 16 January 2014. Review Date: December 2015. Corporate / Directorate. Department Responsible for Review:
POLICY DOCUMENT Burton Hospitals NHS Foundation Trust INFORMATION SECURITY POLICY Approved by: Executive Management Team On: 16 January 2014 Review Date: December 2015 Corporate / Directorate Clinical
More informationData Protection Policy
Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT
More informationMike Casey Director of IT
Network Security Developed in response to: Contributes to HCC Core Standard number: Type: Policy Register No: 09037 Status: Public IG Toolkit, Best Practice C7c Consulted With Post/Committee/Group Date
More informationINFORMATION GOVERNANCE POLICY
INFORMATION GOVERNANCE POLICY Version: 3.2 Authorisation Committee: Date of Authorisation: May 2014 Ratification Committee Level 1 documents): Date of Ratification Level 1 documents): Signature of ratifying
More informationData Protection Policy
Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's
More informationProcedure for Managing a Privacy Breach
Procedure for Managing a Privacy Breach (From the Privacy Policy and Procedures available at: http://www.mun.ca/policy/site/view/index.php?privacy ) A privacy breach occurs when there is unauthorized access
More informationInformation Security Policies. Version 6.1
Information Security Policies Version 6.1 Information Security Policies Contents: 1. Information Security page 3 2. Business Continuity page 5 3. Compliance page 6 4. Outsourcing and Third Party Access
More informationInformation Governance Policy (incorporating IM&T Security)
(incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the
More informationData Protection and Information Security Policy and Procedure
Data Protection and Information Security Policy and Procedure Document Detail Category: Data Protection Authorised By: Full Governing Body Author: School Business Manager Version: 1 Status: Approved May
More informationAUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520
AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies
More informationUniversity of Liverpool
University of Liverpool Information Security Incident Response Policy Reference Number Title CSD-012 Information Security Incident Response Policy Version Number 1.2 Document Status Document Classification
More informationInformation security incident reporting procedure
Information security incident reporting procedure Responsible Officer Author Date effective from 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended
More informationInformation Incident Management and Reporting Procedures
Information Incident Management and Reporting Procedures Compliance with all policies, procedures, protocols, guidelines, guidance and standards is a condition of employment. Breach of policy may result
More informationMerthyr Tydfil County Borough Council. Data Protection Policy
Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the
More information