Cambridgeshire Constabulary. Data protection audit report

Transcription

1 Cambridgeshire Constabulary Data protection audit report Executive summary November 2014

2 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. Cambridgeshire Constabulary (the Constabulary) has agreed to a consensual audit by the ICO of its processing of personal data. An introductory meeting was held on 18 June 2014 with representatives of the Constabulary to identify and discuss the scope of the audit. ICO data protection audit report executive summary 2 of 7

3 2. Scope of the audit Following pre-audit discussions with the Constabulary, it was agreed that the audit would focus on the following areas: Records management The processes in place for managing both manual and electronic records containing personal data. This will include controls in place to monitor the creation, maintenance, storage, movement, retention and destruction of personal data records. Subject access requests - The procedures in operation for recognising and responding to individuals requests for access to their personal data. Data sharing - The design and operation of controls to ensure the sharing of personal data complies with the principles of the Data Protection Act 1998 and the good practice recommendations set out in the Information Commissioner s Data Sharing Code of Practice. ICO data protection audit report executive summary 3 of 7

4 3. Audit opinion The purpose of the audit is to provide the Information Commissioner and the Constabulary with an independent assurance of the extent to which the Constabulary, within the scope of this agreed audit, is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA. Overall Conclusion Limited assurance There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA. We have made two limited and one reasonable assurance assessments where controls could be enhanced to address the issues which are summarised below. ICO data protection audit report executive summary 4 of 7

5 4. Summary of audit findings Areas of good practice The Constabulary has appointed a single point of contact for the development of Information Sharing Agreements (ISAs) who is responsible for conducting an adequacy check prior to final sign off of each agreement, ensuring that ISAs are regularly reviewed, and for maintaining an up to date record of all ISAs. Further to this an electronic system is used to aid the ISA review process which sends automated reminders to the owner of each ISA one month prior to the schedule due date. The Constabulary s website contains a comprehensive privacy notice with a dedicated subject access request (SAR) section which provides further information for individuals and a link to the SAR Application Form. It also includes the process document for national PNC requests via the ACPO Criminal Records Office. The Constabulary maintains a robust information risk management framework which includes a process to ensure that all information risks are reviewed regularly and that appropriate risk owners have been identified for all information management risks. The Constabulary has procedures in place to control access to IT systems for starters, movers and leavers which combine manual and automated processes such as Active Directory and completion of a Security Operating Procedures User Agreement and System User Training. Areas for improvement The Constabulary does not currently have a performance framework or key performance indicators in place for measuring its data protection compliance. There is limited reporting of performance information in relation to SAR processing and data sharing and the effectiveness of, and performance against, records management processes and policies. Neither are they being formally monitored by the Information Management Strategy Group or other appropriate forum. In addition, the Constabulary does not currently feature records management audits as part of its regular audit cycle. Despite having some effective controls in place the Constabulary is aware that information sharing is taking place that is not supported by formal ISAs that have been approved by the relevant individual(s). Further to this the Information Security Officer, who serves three forces, Cambridgeshire, Bedfordshire and Hertfordshire has no involvement in ensuring the security section of ISAs is compliant with the force s information security requirements. A process for dip sampling responses to requests for information has been established, however these checks are only conducted post disclosure, which significantly reduces their effectiveness. Of the records sampled in ICO data protection audit report executive summary 5 of 7

6 the quarter before the audit several were found to contain errors after this information had been disclosed. The Constabulary has outlined its position in relation to the management of information in both paper and electronic form in a Joint Information Management Strategy with Bedfordshire and Hertfordshire Constabularies. However, compliance with this Strategy is not being mandated across the organisation and operational staff are largely unaware of this document or any guidance outlining the Constabulary s position in relation to records management. The Constabulary does not have a training strategy in place that incorporates information management training. Further to this there has been no analysis or assessment of the training requirements of roles with specific duties in relation to records management, and job descriptions for some of these roles are out of date. In some instances training requirements have been outlined within policy or procedure documents but these requirements have not been met. Staff are not required to complete any refresher training in any information assurance topics such as data protection, information security or records management. ICO data protection audit report executive summary 6 of 7

7 The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of Cambridgeshire Constabulary. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. ICO data protection audit report executive summary 7 of 7