Nottinghamshire County Council. Data protection audit report



Similar documents
Renfrewshire Council. Data protection audit report. Executive summary January 2013

Central London Community Healthcare NHS Trust. Data protection audit report

Cleveland Police. Data protection audit report. Executive summary November 2014

Criminal Injuries Compensation Authority. Data protection audit report

Cardiff Council. Data protection audit report. Executive summary June 2014

Data Protection Audit Report - Southampton City Council

Cambridgeshire Constabulary. Data protection audit report

Birmingham Women s NHS Foundation Trust

Information Commissioner's Office

Auditing data protection a guide to ICO data protection audits

Information Governance Policy

West Dunbartonshire Council. Follow-up data protection audit report

Information Governance Standards in Relation to Third Party Suppliers and Contractors

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

Template for Automatic Number Plate Recognition (ANPR) Infrastructure Development Privacy Impact Assessment

Further to reports to EAG in February and March 2014, the purpose of this report is to;

Policy Document Control Page

IT asset disposal for organisations

Date: 30 th May Agenda Item: 5.5. Ian Mackenzie Director of Information and Estates REPORT AUTHOR:

INFORMATION GOVERNANCE POLICY

Information Governance Plan

Focus on Subject Access Requests for insurance purposes. August 2015 (updated further to July 2015 guidance)

Health and Safety Policy Part 1 Policy and organisation

Derbyshire Trading Standards Service Quality Manual

Information Commissioner's Office

Information Governance Policy

Standard Operating Procedure for the Management of Information Governance Serious Incidents Requiring Investigation (IG SIRI)

Data controllers and data processors: what the difference is and what the governance implications are

Data Protection Policy

Data Protection Policy

INFORMATION SHARING AGREEMENT. Multi-Disciplinary Team (MDT): Service Information Sharing

Summary of feedback on Big data and data protection and ICO response

Professional Competence. Guidelines for Doctors

Barnsley Clinical Commissioning Group. Information Governance Policy and Management Framework

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

OFFICIAL. NCC Records Management and Disposal Policy

2. This report should be considered at the HSB meeting on 29 June 2011.

Little Marlow Parish Council Registration Number for ICO Z

Information Governance Strategy

INFORMATION GOVERNANCE STRATEGY NO.CG02

BRACKNELL FOREST COUNCIL ADULT SOCIAL CARE & HEALTH DEBT RECOVERY POLICY & PROCEDURES

Experian supporting compliant practices in debt collection. Guidance Note

IT REVIEW OF THE DISASTER RECOVERY ARRANGEMENTS

Information Governance Framework

Putting Consumers First. Code of Practice The Professional Financial Claims Association. All rights reserved.

Dealing With Information Rights Concerns

LSCB Self-Assessment Tool

DATA PROTECTION ACT 1998 COUNCIL POLICY

Data Protection Act. Conducting privacy impact assessments code of practice

Information Governance and Assurance Framework Version 1.0

LEAD INTRODUCERS AND COMPLIANCE

Audit of Business Continuity Planning

Corporate ICT & Data Management. Data Protection Policy

HAAD Standard for Complaints Management in Healthcare Facilities. Document Ref. Number: HAAD/CMHF/SD/1.2 Version 1.2

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.

INFORMATION GOVERNANCE HANDBOOK

Data Protection Policy

Safe Harbour Agreement no longer a valid basis for EEA to US transfers of personal data

INFORMATION GOVERNANCE STRATEGY

INFORMATION RISK MANAGEMENT POLICY

SUBJECT ACCESS REQUEST

Corporate. Security Management Policy. Document Control Summary. Contents

technical factsheet 176

Information Governance in Commissioning. Mental Health Commissioners Collaborative

Self assessment tool. Using this tool

AUDIT COMMITTEE 10 DECEMBER 2014

CLINICAL GOVERNANCE POLICY

Information Governance Management Framework

RISK MANAGEMENT STRATEGY

BEFORE USING THIS GUIDANCE, MAKE SURE YOU HAVE THE MOST UP TO DATE VERSION GUIDANCE 2 POLICY AREA: INFORMATION GOVERNANCE

The Information Commissioner s Office response to HM Treasury s Call for Evidence on Data Sharing and Open Data in Banking

DATA PROTECTION POLICY

INFORMATION GOVERNANCE POLICY

INFORMATION GOVERNANCE POLICY & FRAMEWORK

Information Governance Strategy & Policy

NHS Commissioning Board: Information governance policy

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

SOMERSET PARTNERSHIP NHS FOUNDATION TRUST RECORDS MANAGEMENT STRATEGY. Report to the Trust Board 22 September Information Governance Manager

Senior Social Worker - Children & Young People s Services (CYPS) Various throughout Devon. Effective date of JD 1 November 2010 JE Job Number 561

Data Protection Policy

Data Protection Policy

Information Governance Policy

Final Version 1.0 December 2015

Information Governance Framework

BIG LOTTERY FUND Document archive and retention policy

Policy Document Control Page

INFORMATION GOVERNANCE AND SECURITY 1 POLICY DRAFTED BY: INFORMATION GOVERNANCE LEAD 2 ACCOUNTABLE DIRECTOR: SENIOR INFORMATION RISK OWNER

A GUIDE TO COMPLETING THE RIP(S)A FORMS FOR COVERT SURVEILLANCE AND CHIS

Office of Compliance and Ethics Introductory Report. Lynette Fons, Chief Compliance Officer

NHS North Durham Clinical Commissioning Group. Information Governance Strategy 2015/16

Glyncoed Primary School. Data Protection Policy

Information and Data Security

INFORMATION GOVERNANCE AND DATA PROTECTION POLICY

P.M Brennan L.A.C Ltd T/A Irish Health Insurance is regulated by the Central Bank of Ireland.

Information Governance Strategy 2015/16

ATHENA Ethical Framework (Version 1- February 2014)

Liberty 2000 Limited. CURRENT STATUS: 27-Jun-13

Information Governance Policy

Information Governance and Data Protection Policy

MONMOUTHSHIRE COUNTY COUNCIL DATA PROTECTION POLICY

Transcription:

Nottinghamshire County Council Data protection audit report Executive summary October 2015

1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. In January 2015, following a data security incident reported to the ICO, Nottinghamshire County Council (NCC) agreed to a consensual audit by the ICO of its processing of personal data. An introductory meeting was held on 24 June 2015 with representatives of Nottinghamshire County Council to identify and discuss the scope of the audit. ICO data protection audit report executive summary 2 of 7

2. Scope of the audit Following pre-audit discussions with Nottinghamshire County Council it was agreed that the audit would focus on the following areas: Training and awareness The provision and monitoring of staff data protection training and the awareness of data protection requirements relating to their roles and responsibilities. Subject access requests - The procedures in operation for recognising and responding to individuals requests for access to their personal data. Data sharing - The design and operation of controls to ensure the sharing of personal data complies with the principles of the Data Protection Act 1998 and the good practice recommendations set out in the Information Commissioner s Data Sharing Code of Practice. ICO data protection audit report executive summary 3 of 7

3. Audit opinion The purpose of the audit is to provide the Information Commissioner and Nottinghamshire County Council with an independent assurance of the extent to which Nottinghamshire County Council, within the scope of this agreed audit, is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA. Overall Conclusion Limited assurance There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non compliance with the DPA. We have made three limited assurance assessments where controls could be enhanced to address the issues which are summarised below and presented fully in the detailed findings and action plan section 7 of this report. ICO data protection audit report executive summary 4 of 7

4. Summary of audit findings Areas of good practice Information Asset Owners (IAOs) and the Senior Information Risk Owner (SIRO) have undertaken specialist role-based training, which was sourced by the Information Manager. The Council ensures that Subject Access Requests (SARs) are valid by verifying requesters identities and ensuring that those who make requests on behalf of another individual have a legal basis for doing so; e.g. they have the data subject s consent to request information or a legal power to do so, such as a power of attorney. Complaints Information and Mediation Officers (CIMOs) peer review each other s SAR responses and Senior Practitioners conduct ad-hoc cold case reviews on SAR responses to ensure that they are appropriate. The Multi Agency Safeguarding Hub (MASH) that the Council is involved in, has an appropriate Information Sharing Agreement setting out information sharing arrangements and responsibilities and an Information Security Protocol setting out the means by which information should be shared to ensure it is done in a secure way. ICO data protection audit report executive summary 5 of 7

Areas for improvement Information Governance training does not sufficiently cover key aspects of the Data Protection Act 1998 such as the eight principles, the recognition and handling of SARs and data sharing. For many staff, Information Governance training is not carried out before they are granted access to personal data. Key staff responsibilities in relation to SARs handling and corporate SAR response procedures have not been formalised within a corporate policy. KPI s relating to SAR compliance are not currently reported to Board level to provide oversight and drive improvement. The Council do not have a clearly defined corporate approach to data sharing; this is reflected in its lack of a corporate data sharing policy. There is insufficient oversight of current data sharing arrangements and the Council has not identified all of the data sharing arrangements that are ongoing. ICO data protection audit report executive summary 6 of 7

The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of Nottinghamshire County Council. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. ICO data protection audit report executive summary 7 of 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information