When things go wrong: information governance breaches and the role of the ICO. David Evans, Senior Policy Officer


Where it did go wrong: NHS Surrey, £200,000 monetary penalty notice (MPN), June 2013
- The events leading up to the MPN: the actions of the data controller; what the data processor said, and what the data processor actually did
- The consequences: for individuals and for the organisation

The data controller
- A primary care trust (PCT) with a budget of over £1.7bn
- Contacted by an IT asset disposal company, which provided certification
- Took the company on trial with some supervision, but not of the destruction process itself
- Further engaged the company for hard drive destruction, despite an existing arrangement with an approved contractor

The data processor
- Provided the service free of charge
- Claimed other high-profile customers
- Provided an Environment Agency waste management licence and an authorised treatment facility licence
- Said destruction would be by industrial guillotine
- Collected 1,570 PCs with hard drives between March 2010 and May 2012
- Provided certification saying the hard drives had been "wiped/destroyed/recycled"

What happened
- A member of the public purchased a PC, with its hard drive, from an internet auction site
- Found sensitive personal data on it: records of 900 adults and 2,000 children
- More sold PCs came to light
- PC and hard drive serial numbers were checked against the destruction certificates, and more sensitive personal data was found on drives the certificates claimed had been dealt with

What the ICO found
- Over 1,570 PCs with hard drives had been offered for sale
- The data controller did not choose a data processor that provided sufficient guarantees about the security of the process
- The lead information governance (IG) individual was not involved
- No written contract between data controller and data processor
- No risk assessment, and no individual certificates of destruction
- No monitoring of the data processor's processes
- A failure to take appropriate organisational measures, likely to cause individuals substantial distress

What the ICO concluded
- A large amount of patient and staff data was held on the PCs
- A large project (over 1,500 PCs over two years) required the highest level of security
- The data controller knew, or should have known, and failed to act
- The vague destruction certificates ("wiped, destroyed/recycled") were an early warning
- It was obvious that tighter controls were appropriate: a risk assessment, monitoring of the destruction, and an individual destruction certificate for each PC
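The three controls the ICO singled out (a certificate per device, a specific destruction method, and destruction monitored by the controller) and the serial-number check that exposed the case can be turned into a routine reconciliation of the asset register against the contractor's certificates. The script below is an added example written for this page, not the ICO's or NHS Surrey's code; the record layout, the list of acceptable methods and all serial numbers are assumptions and constructed sample data.

```python
# Added example: reconcile an IT asset register with disposal certificates.
# Illustrative code, not the ICO's or NHS Surrey's; records are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Destruction methods specific enough to accept on a certificate (assumed list).
# "wiped/destroyed/recycled" deliberately is not one of them.
ACCEPTABLE_METHODS = {"shredded", "guillotined", "degaussed", "crushed"}


@dataclass(frozen=True)
class Asset:
    asset_tag: str
    pc_serial: str
    hdd_serial: str


@dataclass(frozen=True)
class Certificate:
    cert_id: str
    hdd_serial: Optional[str]  # None for a batch certificate listing no serials
    method: str                # free text as written by the contractor
    witnessed: bool            # did the data controller's staff observe it?


def reconcile(assets: List[Asset], certs: List[Certificate]) -> Dict[str, List[str]]:
    """Return {hdd_serial: [issues]} for every asset whose disposal evidence
    falls short of: one certificate per device, a specific method, and
    destruction monitored by the data controller."""
    by_hdd: Dict[str, Certificate] = {c.hdd_serial: c for c in certs if c.hdd_serial}
    findings: Dict[str, List[str]] = {}
    for a in assets:
        issues: List[str] = []
        cert = by_hdd.get(a.hdd_serial)
        if cert is None:
            issues.append("no per-device destruction certificate")
        else:
            if cert.method.strip().lower() not in ACCEPTABLE_METHODS:
                issues.append(f"vague or unrecognised method: {cert.method!r}")
            if not cert.witnessed:
                issues.append("destruction not monitored by the data controller")
        if issues:
            findings[a.hdd_serial] = issues
    return findings


def certificate_contradicted(certs: List[Certificate], found_hdd_serial: str) -> Optional[str]:
    """A drive has turned up for sale. Return the id of any certificate that
    claimed it was destroyed, or None if no certificate covered that serial."""
    for c in certs:
        if c.hdd_serial == found_hdd_serial:
            return c.cert_id
    return None


# Constructed sample data (not a real inventory).
ASSETS = [
    Asset("PC-0001", "SN-PC-A1", "HDD-111"),
    Asset("PC-0002", "SN-PC-B2", "HDD-222"),
    Asset("PC-0003", "SN-PC-C3", "HDD-333"),
    Asset("PC-0004", "SN-PC-D4", "HDD-444"),
]
CERTS = [
    Certificate("CERT-1", "HDD-111", "shredded", witnessed=True),
    Certificate("CERT-2", "HDD-222", "wiped/destroyed/recycled", witnessed=False),
    Certificate("CERT-3", "HDD-333", "guillotined", witnessed=False),
    Certificate("CERT-BATCH", None, "recycled", witnessed=False),  # traceable to nothing
]

if __name__ == "__main__":
    for serial, issues in reconcile(ASSETS, CERTS).items():
        print(serial, "->", "; ".join(issues))
    # A drive later bought on an auction site is checked against the paperwork:
    print("HDD-111 found on sale; certificate that claimed destruction:",
          certificate_contradicted(CERTS, "HDD-111"))
```

Run against the sample data, HDD-111 passes, HDD-222 is flagged for both a vague method and unmonitored destruction, HDD-333 only for unmonitored destruction, and HDD-444 for having no per-device certificate at all; the batch certificate counts for nothing because it names no serial. The second function is the check the member of the public effectively performed: a drive that reappears while a certificate says it was destroyed is evidence that the certificate, not the drive, is wrong.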

Reporting to the ICO
- The type of information and the number of records
- The circumstances of the loss, release or corruption
- Action taken to minimise or mitigate the effect on the individuals involved, including whether they have been informed
- Details of how the breach is being investigated
- Whether any other regulatory body has been informed, and their response
- Remedial action taken to prevent future occurrence
- Any other information you feel may assist us in making an assessment

The role of the Information Commissioner
"It shall be the duty of the Commissioner to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers." (s 51(1) DPA)
"It shall be the duty of the Commissioner to promote the following of good practice by public authorities and, in particular, so to perform his functions under this Act as to promote observance of (a) the requirements of this Act, and (b) the provisions of the codes of practice under sections 45 and 46." (s 47(1) FOIA)

Complying with the Data Protection Act: the Principles
- Processing needs to be fair and lawful (Schedule 2 and Schedule 3 conditions)
- Purposes
- Adequate, relevant and not excessive
- Accurate and kept up to date
- Kept for no longer than necessary
- Observe the rights of individuals
- Keep secure
- Keep the data within the EEA, or ensure an adequate level of protection

How the ICO can help - Codes of Practice
- CCTV Code of Practice (2008)
- Assessment Notices Code of Practice (2010)
- Data Sharing Code of Practice (2011)
- Employment Code of Practice (revised 2011)
- Personal Information Code of Practice (2010)
- Privacy Notices Code of Practice (2010)
- Anonymisation Code of Practice (2012)

How the ICO can help - Guidance
- The Guide to Data Protection
- Guide to ICO data protection audits
- Identifying data controllers and data processors
- Training checklist for small and medium size organisations
- Monetary penalties statutory guidance
- Subject access to health records by members of the public
- Privacy by design: privacy impact assessments, privacy enhancing technologies
- Bring your own device (BYOD) guidance
- Cloud computing
- IT asset disposal

IT asset disposal

IG Review comment The ICO told the review panel that no civil monetary penalties had been served for a breach of the Data Protection Act due to data sharing which had been appropriately shared and which had a legitimate data sharing agreement.

and another one: "The Review Panel concludes that individuals should not be discouraged from sharing simply through fear of doing this incorrectly. With the help of the ICO's data sharing code, and tools such as privacy impact assessments, data sharing can be achieved, where appropriate, in a secure and proper way."

Contact us
- Helpline: 0303 123 1113 or 01625 545745
- Textphone and translation service: 01625 545860
- Website: http://www.ico.org.uk/ and websitefeedback@ico.org.uk
- Advice about the law: casework@ico.org.uk
- Notification queries: notification@ico.org.uk

Keep in touch
- Subscribe to our e-newsletter at www.ico.org.uk
- Find us on /iconews and @iconews