Southampton City Council
Data protection audit report
Executive summary
March 2016
1. Background

The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51(7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation's processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit.

The Information Commissioner's Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach.

Southampton City Council (SCC) has agreed to a consensual audit by the ICO of its processing of personal data. An introductory meeting was held on 13 November 2015 with representatives of SCC to identify and discuss the scope of the audit.
2. Scope of the audit

Following pre-audit discussions with SCC it was agreed that the audit would focus on the following areas:

Data protection governance - The extent to which data protection responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor DPA compliance are in place and in operation throughout the organisation.

Records management (manual and electronic) - The processes in place for managing both manual and electronic records containing personal data. This will include controls in place to monitor the creation, maintenance, storage, movement, retention and destruction of personal data records.

Data sharing - The design and operation of controls to ensure the sharing of personal data complies with the principles of the Data Protection Act 1998 and the good practice recommendations set out in the Information Commissioner's Data Sharing Code of Practice.

ICO data protection audit report executive summary 3 of 7
3. Audit opinion

The purpose of the audit is to provide the Information Commissioner and SCC with an independent assurance of the extent to which SCC, within the scope of this agreed audit, is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA.

Overall Conclusion: Limited Assurance

There is a limited level of assurance that processes and procedures are in place and are delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA.
4. Summary of audit findings

Areas of good practice

SCC has established an annual audit plan addressing key areas such as information governance, records management and information technology. This plan is reviewed, monitored and updated on a regular basis by the Head of Internal Audit in consultation with the Corporate Management Team (CMT).

The CMT has worked with SCC's communications department to deliver an awareness-raising communications campaign on the Data Protection Act 1998 during summer 2015.

SCC has developed a Global Privacy Policy which is layered, as recommended by the ICO's Privacy Notices Code of Practice, providing hyperlinks to more detailed information as to how SCC will use, store and share personal information.

There is an Annual Records Review Procedure which is designed to ensure that records are managed in accordance with their relevant retention periods. This procedure is overseen by the Senior Records Officer (SRO) and, ultimately, the Information Governance Board (IGB).
Areas for improvement

A process for Privacy Impact Assessments (PIAs) is implemented at the council and completed PIAs were evidenced as part of the audit. However, as a relatively new process, this is something that now needs to be fully embedded across SCC.

Only 67% of staff at SCC have currently completed the mandatory Information Governance (IG) training. This means that there is a risk that individuals are not sufficiently well trained in the handling of personal information.

The process for reporting information security incidents is currently under review and there is a risk that not all personal data related incidents are being reported from service areas and that, as a result, management do not have sufficient oversight in this area.

SCC has an Information Asset Register (IAR) in place but it is currently incomplete and does not include, or link to, information on relevant retention periods.

Mechanisms for logging and tracking the movement of records to and from storage facilities are not sufficiently robust. There is a risk that existing audit trails will not allow for missing records to be tracked.

There is a lack of consistency in contractual arrangements with third parties who are required to process personal data on behalf of SCC. Some arrangements appeared to have no contract in place, while others had contracts that did not appear to be sufficiently robust and were not in line with the corporate template.
The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rests with the management of Southampton City Council.

We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report.