ICO SME data protection workshop 25 September, NEC

Transcription

1 ICO SME data protection workshop 25 September, NEC Information security & working with government Amanda Hillman Data Sharing & Data Protection Manager Claire Francis Supply Chain Information Assurance Team

2 Part 1: Intro - why we care about the DPA About us: Alan Harriman Data Sharing & Data Protection Policy Team Claire Francis Supply Chain Information Assurance Team 2

3 Part 1: Intro - why we care about the DPA About the Department for Work and Pensions: DWP is very big, and does a lot of different things each year we: All of which generates an awful lot of personal data DWP is data controller for one of the largest sets of citizen data in Europe. 3

4 Part 1: Intro - why we care about the DPA DWP and contracted services: One of the things we do a lot of is contracting which is why we are here: Drive across government to increase opportunities for SMEs in delivering services; We are a big data controller, it really is important to us do data protection well; If you have a good understanding of DPA issues, it makes it easier for us to deal with you, and vice versa. 4

5 Part 1: Intro - why we care about the DPA DWP and contracting: DWP has a diverse supply base With large numbers of suppliers to deal with, Various types of contracts, We rely on suppliers to protect the millions of DWP data assets out there. Therefore DWP must build requirements into contracts In order to avoid the following 5

6 Part 1: Intro - why we care about the DPA Risk impact data loss is a headline favourite: DATA CONTROLLERSHIP can be shared but for our data DWP would usually be the target of the headline. 6

7 Part 1: Intro - why we care about the DPA What are we trying to protect and why? any premises, systems, information or data which is owned, occupied, used by or in the possession of the Authority. The public are entitled to expect that Government will protect their privacy and use and handle information professionally. Departments are best placed to understand their information and to protect it, but need to do so within a context of clear minimum standards ensuring protection of personal information. SPF - MANDATORY REQUIREMENT 2 Departments must ensure that their Agencies and main delivery partners are compliant with this framework, and must consider the extent to which those providing other goods and /or services to them, or carrying out functions on their behalf, are required to comply. 7

8 Part 2: Why you should care about the DPA In the good old days, life was simple: We outsourced simple departmental activities; Personal data processed only as the contract specified; DWP was the data controller, contractors were data processors; DPA compliance = do what the contract says; Liability was also simple if it went wrong, it was our fault as the data controller. 8

9 Part 2: Why you should care about the DPA In the good old days, life was simple: DWP We specified the purpose and manner of processing, and pays for it. data flow Contractor Provider does what the contract requires. Simple liability 9

10 Part 2: Why you should care about the DPA In these exciting and innovative times: Complex funding models, payment by results; Common or shared goals, and purposes; Services used by multiple departments (and data controllers) using the same contract; Mix of off the peg and bespoke services; Data being processed for multiple/overlapping purposes; 10

11 Part 2: Why you should care about the DPA So exciting we need two slides: Management through third parties; Delivery by organisations (third sector etc) that exist to do this kind of thing anyway; Devolution Lots of joint controllership going on; 11

12 Part 2: Why you should care about the DPA What exciting and innovative looks like: EU DWP Other central govt Local govt Nongovt Funding Defines purpose Requires data Manage contract Uses service Uses partner orgs Liability????? 12

13 Part 2: Why you should care about the DPA Compliance and liability: DPA compliance with our contractors used to mean trying to make sure contracts were being followed to the letter Now it s more about building a relationship, making sure that all parties are doing the right thing, have the necessary capability Liability used to be pretty straightforward if we were paying for service, most likely it s our problem if it goes wrong In more complex services, it will depend what goes wrong, who dropped the ball, how things came to be done that way 13

14 Part 2: Why you should care about the DPA DWP accountabilities: DWP s maturity in Data Protection and information assurance is tested and measured against the Governments Information Assurance Maturity Model. DWP manages internal through year reporting to ensure that evidence of activities with and by supplier organisations are real and present. Subject areas include:- 14 Leadership and Governance Training, Education and Awareness Information Risk Management Through-life Measures Compliance

15 Part 3 Practical advice Liability and the basics: DWP is a large organisation and data controller for a huge amount of personal data, which enables/requires us to have a lot of DPA resources in place. If you re working with DWP, even in a simple controller/processor relationship, we ll expect you to know what you re doing and have the basics in place. Staff training, key roles, plans for dealing with DPA problems, being clear about how you handle personal data There are plenty of resources to help you do this: Our provider guidance, ICO website, BIS, ask that nice Mr Google 15

16 Part 3 Practical advice DWP Contracting provisions: Data Handling terms and conditions Specific security schedule Requirement for a supplier security plan Bearing in mind: Risk and Proportionality Value of contract not an indicator 16

17 Part 3 Practical advice Why robustness within contracts matters: Supplier responsibility to protect data we are entrusting with them. Cannot ensure protection without our suppliers Suppliers are our Data processors (most of the time)/ sometimes joint data controllers The questions and requirements within contracts are important however we do aim for proportionality. Sometimes the level of data and volumes do not allow for this. 17

18 Part 3 Practical advice Key requirements supplier security measures: Appropriate technical and organisational measures to keep data safe in accordance with the principles of the Data Protection Act. Need to understand suppliers around the following for example: Personnel Security staff vetting, access control, training, awareness, organisational culture and incident management. Premises and Physical Environment Security building security, perimeter, access controls, secure areas. Communications Management and Security use of office systems, encryption, retention, storage, archiving and destruction, monitoring, business continuity. Portable Media Security encryption, policies, guidance on usage, asset management. IT system Security IT architecture, backup, hardware, anti-virus measures, patching, audit and testing. 18

19 Part 3 Practical advice Security policies vs technical security measures: If your security relies on your employees getting things right 100% of the time, how much confidence can you (and we) have in that? Does your security response plan look like this? In general, if there s a technical fix, use it or expect to be asked why you didn t in the event that someone makes a mistake. Examples USB devices, links and URLs, laptop encryption 19

20 Part 3 Practical advice Security incidents if things go wrong: Tell us (if it s us you re working for) Tell us soon, as soon as practicality permits and before you start telling other people But don t let that stop you putting it right, or stopping it happening (eg fixing the website, replacing the window etc) Why? So we can agree handling, what needs doing about the incident, who needs to be told, agree press lines if necessary, stop us falling out unnecessarily. And we might actually be able to help, it s in our interest to if we can! 20

21 Part 3 Practical advice Security incidents how to avoid things going wrong: There s a lot of focus and attention on cyber, BIS have already talked about that sexy cyber stuff But actually most of what gives people headaches is around good oldfashioned mistakes; putting the wrong address on an envelope or the electronic equivalent, losing laptops Think about how much of your security is based on telling your staff to do/not do things? Breaking news: People don t always do what they re told; People sometimes make mistakes. 21

22 Part 3 Practical advice How to stay out of the headlines: Standards and requirements fully understood and adhered to. Practice robust security measures and plans. DWP has assurance of that. As new threats emerge - suppliers maintain appropriate countermeasures to protect assets. Talk to the Department if you have any uncertainty. Lost DWP data? Act without delay contact DWP first. We have a relationship with, and will contact, the ICO 22

23 Part 3 Practical advice Security standards and guidance: Government security standards can be pretty demanding. Don t expect it to be easy. We have to require the same kind of standards of you that we would apply ourselves if you are handling our customers info. But this does offer you some benefits as well, both in protecting your business itself, and being in a better position to handle other government contracts once you have the knowledge and capability. 23

24 Part 3 Practical advice Security standards and guidance: Most of our provider guidance and info from previous contract tenders is on the internet that makes it pretty clear what kind of things we expect and require by way of security The bidding process gives plenty of opportunities to ask questions, use it if you want clarification on something Much of this isn t new, solutions are already out there, unless you are working in defence the kind of measures needed are just good industry practice. 24

25 Part 4 Closing thoughts DPA snagging list things that can be complicated: The cloud & offshoring non-ea hosted Cross-government services and contracts Lack of clarity about who is doing what for whom Use of consent, confusion with fair processing 25

26 Part 4 Closing thoughts Useful links: Cabinet Office Supplier Assurance Framework Good Practice Guide: ile/255915/supplier_assurance_framework_good_practice_guide.pdf DWP internet pages on Data Protection: Contains Data protection and information security DWP Security Policy for Contractors Data security training and awareness slide pack for DWP suppliers and their employees delivering DWP contracts 26

27 Part 4 Closing thoughts Cabinet Office CESG Data Protection Act DWP Supply Chain Information Assurance Team Commercial Directorate team set up to assist DWP in meeting the requirements of the Govt Data Handling Review Has specific policy and coordinating responsibilities to guide and develop DWP Information Assurance activities with regard to ALL of DWP s commercial Supply Chain To work across and within DWP commercial work streams aiming to meet requirements of the Cabinet Office Security Policy Framework and the Information Assurance Maturity Model

28 Part 4 Closing thoughts Communications and other considerations: Internet Supplier Assurance Framework Workshops and awareness sessions with staff and suppliers Supplier visits 28

29 Part 4 Closing thoughts How we can help: Good context and understanding of DWP commercial business as well as security requirements. Can link to relevant DWP experts and stakeholders. Run guidance pages, advice and aide memoirs, training packages. Often contacted by other departments for support Proportionality a key facet. 29

30 Part 4 Closing thoughts Key points: Look at our provider guidance don t just read the DPA section Look at the ICO s guidance, and their enforcement news Look at Privacy Impact Assessment info on the internet, that gives a pretty good idea of the kind of questions/issues we will focus on Most DPA issues aren t rocket science, they are what most people would expect as good practice anyway If it feels wrong, it probably is wrong - ask if you have problems! 30

31 Part 4 Closing thoughts Er that s it: Thanks for your time! Questions? 31

32 Keep in touch Subscribe to our e-newsletter at or find us on