Renfrewshire Council. Data protection audit report. Executive summary January 2013



Similar documents
Cambridgeshire Constabulary. Data protection audit report

Cleveland Police. Data protection audit report. Executive summary November 2014

Data Protection Audit Report - Southampton City Council

Birmingham Women s NHS Foundation Trust

Criminal Injuries Compensation Authority. Data protection audit report

Nottinghamshire County Council. Data protection audit report

Central London Community Healthcare NHS Trust. Data protection audit report

Cardiff Council. Data protection audit report. Executive summary June 2014

Auditing data protection a guide to ICO data protection audits

Information Commissioner's Office

Security breaches: A regulatory overview. Jonathan Bamford Head of Strategic Liaison

West Dunbartonshire Council. Follow-up data protection audit report

NHS DORSET CLINICAL COMMISSIONING GROUP GOVERNING BODY INFORMATION GOVERNANCE TOOLKIT REPORT

How To Protect School Data From Harm

Privacy and Electronic Communications Regulations

A practical guide to IT security

Governance. Information. Bulletin. Welcome to the nineteenth edition of the information governance bulletin

Dealing With Information Rights Concerns

We then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.

Health and Safety Policy Part 1 Policy and organisation

Data protection for commissioners

Cloud Software Services for Schools

ISO Information Security Management Systems Professional

VIDEO SURVEILLANCE GUIDELINES

Data Security and Extranet

Data Protection Breach Management Policy

Data controllers and data processors: what the difference is and what the governance implications are

Notification of data security breaches to the Information Commissioner s

Information Governance Training Plan v13

Little Marlow Parish Council Registration Number for ICO Z

The CPS incorporates RCPO. CPS Data Protection Policy

Web Site Download Carol Johnston

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

ICO SME data protection workshop 25 September, NEC

PAPER RECORDS SECURE HANDLING AND TRANSIT POLICY

Committees Date: Subject: Public Report of: For Information Summary

Data Protection Policy

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

The potential legal consequences of a personal data breach

Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.

How To Choose A Cloud Service From One Team Logic

Further to reports to EAG in February and March 2014, the purpose of this report is to;

Cloud Software Services for Schools

EXECUTIVE DECISION NOTICE. ICT, Communications and Media. Councillor John Taylor. Deputy Executive Leader

E-commerce and Legal Compliance

DATA AND PAYMENT SECURITY PART 1

Corporate ICT & Data Management. Data Protection Policy

Information governance strategy

Information Governance Standards in Relation to Third Party Suppliers and Contractors

NHS Newcastle Gateshead Clinical Commissioning Group. Information Governance Strategy 2015/16

Cloud Software Services for Schools

Information Governance Strategy 2015/16

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments. SafeGuard Software Limited

Internal audit report Information Security / Data Protection review

BCS Professional Certification. May Copyright BCS 2013 Page 1 of 5. Subject Access Request Policy

Information Governance Policy

Cloud Software Services for Schools. Supplier self-certification statements with service and support commitments

Data Protection and Community Councils Briefing Note

How to Monitor Employee Web Browsing and Legally

AGENDA ITEM: SUMMARY. Author/Responsible Officer: John Worts, ICT Team Leader

Identity & Access Management The Cloud Perspective. Andrea Themistou 08 October 2015

Information Commissioner's Office

INFORMATION GOVERNANCE STAFF HANDBOOK

Cloud Software Services for Schools

Bring your own device (BYOD)

Experian supporting compliant practices in debt collection. Guidance Note

Data Protection Policy

IT asset disposal for organisations

Guidance on data security breach management

Information Governance Policy

Traffic Management Plan - Depot Procedure

UNIVERSITY OF ABERDEEN POLICY ON DATA PROTECTION

So the security measures you put in place should seek to ensure that:

CLOUD-BASED BIM AND SMART ASSET MANAGEMENT: ADOPTING A SECURITY-MINDED APPROACH

Information Governance Policy

Information Security Incident Management Policy

Cloud Software Services for Schools

Data Protection Policy

The Cyber Attack and Hacking Epidemic A Legal and Business Survival Guide

Originator: Chris Parkin Date: 4 March 2015 Approved by: Senior Management Team Type: Policy. Computer Security Policy

INFORMATION GOVERNANCE POLICY

Cloud Software Services for Schools

Template for Automatic Number Plate Recognition (ANPR) Infrastructure Development Privacy Impact Assessment

How To Audit Health And Care Professions Council Security Arrangements

Data Protection Policy June 2014

Date: 30 th May Agenda Item: 5.5. Ian Mackenzie Director of Information and Estates REPORT AUTHOR:

Information Governance in Commissioning. Mental Health Commissioners Collaborative

UK Data Risks Incident RoadMap

Vodafone New Zealand Microsoft Privacy Statement Dated: August 2013

Findings from ICO audits and reviews of community healthcare providers. June 2013 to December 2014

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Bring Your Own Devices (BYOD) Information Governance Guidance

Business Continuity Access to Personally Stored Corporate Electronic Data (CED) Policy

Assessment Notices under the Data Protection Act 1998 Extension of the Information Commissioner s Powers

DRAFT. Anti-Bribery and Anti-Corruption Policy. Introduction. Scope. 1. Definitions

Data Protection Act Bring your own device (BYOD)

TIPS, GRATUITIES, COVER AND SERVICE CHARGES. Call for evidence SEPTEMBER 2015

Information Governance in Dental Practices. Summary of findings from ICO reviews. September 2015

When things go wrong: information governance breaches and the role of the ICO. David Evans, Senior Policy Officer

Transcription:

Renfrewshire Council Data protection audit report Executive summary January 2013

1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. Renfrewshire Council (RC) has agreed to a consensual audit by the ICO of its processing of personal data. An introductory meeting was held on 13 September 2012 with representatives of RC to identify and discuss the scope of the audit. ICO data protection audit report executive summary 2 of 6

2. Scope of the audit Following pre-audit discussions with RC, it was agreed that the audit would focus on the following areas: Data protection governance The extent to which data protection responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor DPA compliance are in place and in operation throughout the organisation. Security of personal data The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form. Requests for personal data - The processes in place to respond to any requests for personal data. This will include requests by individuals for copies of their data (subject access requests) as well those made by third parties and sharing agreements. ICO data protection audit report executive summary 3 of 6

3. Audit opinion The purpose of the audit is to provide the Information Commissioner and RC with an independent assurance of the extent to which RC, within the scope of this agreed audit is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA. Overall Conclusion Reasonable Assurance The arrangements for data protection compliance with regard to governance and controls provide a reasonable assurance that processes and procedures are in place and being adhered to. The audit has identified some scope for improvement in existing arrangements. We have made 1 limited and 2 reasonable assurance assessments of scope areas where controls could be enhanced to address the issues which are summarised below and presented fully in the detailed findings and action plan at section 7 of this report ICO data protection audit report executive summary 4 of 6

4. Summary of audit findings Areas of good practice There are local risk registers in place that incorporate information risk and are used to drive the Internal Audit plan. The Council security controls in place surrounding identity access management include complex passwords and monitoring of starters, leavers and movers. There are appropriate network access controls in place including the encryption of mobile devices. Data Protection Officers in each service receive additional training that includes the handling of requests. There is a central log of SARs which includes details of key dates and who is responsible for completing the request. Areas for improvement There are few reporting measures in relation to data protection reported through the governance structure. Reporting of compliance does not routinely inform the Annual Statement of Governance. There are no corporate logs for security incidents. There is no mandatory refresher training for data protection in place. Third party requests are not recorded or reported corporately. ICO data protection audit report executive summary 5 of 6

The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of Renfrewshire Council. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. ICO data protection audit report executive summary 6 of 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information