Schedule 13 Security Incident and Data Breach Policy January 2015 v2.1
Document History

Document Purpose: To provide a corporate policy for the management of any Security Incidents and Data Breaches
Document developed by: Principal Information Governance Officer
Document Location: This document is located on the council's web site and on the network at: www.northlincs.gov.uk

Revision
Revision date: January 2015
Version: Final v2.1
Status: Awaiting approval by the II&VFM board
Summary of changes: Addition made to section 9 to inform the relevant Caldicott Guardian of breaches in either Social Services or Public Health.

Approvals
Head of Information Management: Lead the review of the framework and policies
Assistant Director, Business Support: Oversee the document through the council's approval process
Improvement & VFM Group: Approve the Framework and the Freedom of Information Act Policy and any changes made, recommending adoption to the Cabinet Member
Cabinet Lead: Approve the review of the framework and policies

Page 2 of 19
Contents

Document History ... 2
Contents ... 3
Introduction ... 4
1. Policy Statement ... 4
2. Purpose ... 4
3. Scope ... 4
4. Implementation and Review Schedule ... 5
5. Legislation ... 5
6. Types of Security Incident ... 5
Reporting Serious Security Incidents (Including potential or actual data breaches) - Responsibility of Council Departments ... 6
7. Identification and Classification of serious security incidents ... 6
Other Policies - Joint Responsibility between Departments & the Investigation Lead ... 7
8. Links to other Departments ... 7
Data Breach Management Plan - Responsibility of Information Governance ... 8
9. Breach Management Plan ... 8
9.1 Containment and Recovery ... 8
9.2 Assessment of Ongoing Risk / Investigation ... 9
9.3 Notification ... 10
9.4 Review and Evaluation ... 11
10. Information Governance Contact Details ... 11
Serious Security Incident (Non Data Breach) - Responsibility of Security Incident Team ... 12
11. Serious Security Incident Management Plan ... 12
12. Containment and Recovery ... 12
13. Assessment of Ongoing Risk / Investigation ... 13
14. Review and Evaluation ... 13
15. Serious Security Incident Group ... 14
Appendices ... 15
Introduction

1. Policy Statement

North Lincolnshire Council is responsible for protecting the information it holds and is legally required under the Data Protection Act 1998 to ensure the security and confidentiality of the personal information it processes. These responsibilities also apply to other organisations working on behalf of the council.

Every care is taken to protect information and to avoid a security incident, especially one that results in a data breach, where personal information is lost or disclosed inappropriately to an unauthorised person. In the unlikely event of such a security incident it is vital that appropriate action is taken as soon as possible to minimise any associated risk. We will investigate all security incidents classified as serious using a set plan, and will follow a Breach Management Plan in the event of a data breach.

2. Purpose

The purpose of this policy is to ensure a standardised management approach throughout the council in the event of a serious security incident, including the handling of a data breach. Security incident management is the process of handling security incidents in a structured and controlled way, ensuring that security incidents are dealt with:

- Speedily and efficiently;
- Consistently;
- So that damage is kept to a minimum;
- So that the likelihood of recurrence is reduced by implementing appropriate measures.

3. Scope

This policy applies to all information held by the council and to organisations working on behalf of the council who have access to our information. Schools may choose to adopt this policy, but where this is not the case it is expected that they will have their own appropriate policy.
4. Implementation and Review Schedule

This policy takes effect immediately and all managers should ensure employees are aware of the security incident requirements. If employees have any queries they should discuss these with their line manager or the Information Governance Team.

This policy may need to be reviewed after a security incident or data breach, or after legislative changes, new case law or new guidance. Ordinarily an annual review should take place.

5. Legislation

The council has an obligation to abide by all relevant UK and European legislation. The acts that apply include, but are not limited to:

- Data Protection Act 1998.
- Computer Misuse Act 1990.
- Criminal Damage Act 1971.

The Data Protection Act 1998 provides a regulatory framework for the processing of personal information, including the holding, use or disclosure of such information. Principle seven of this Act requires that an organisation complies with the following for personal information:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information.

6. Types of Security Incident

This policy addresses the reporting and handling of serious security incidents, including those involving a data breach. A security incident is classified as serious when it:

- Involves an actual or potential failure to meet the requirements of information legislation such as the Data Protection Act 1998;
- Potentially involves, or could lead to, a data breach.

Some examples of serious security incidents are:

- Loss or theft of IT equipment or information;
- Disclosing personal information to someone not authorised to have it;
- Unauthorised access to information;
- Breach of physical building security;
- Uploading personal information to a website in error;
- Human error resulting, for example, in personal information being left in an insecure location;
- Unforeseen circumstances such as fire or flood;
- Hacking into IT systems;
- Blagging offences, where information is obtained by deception.

Reporting Serious Security Incidents (Including potential or actual data breaches) - Responsibility of Council Departments

7. Identification and Classification of serious security incidents

This section is about reporting the serious security incident (including a data breach) to the Security Incident Group, classifying the incident and taking appropriate mitigating action. The Security Incident Group is made up of the following employees:

- Principal Information Governance Officer;
- Unified Communications Manager;
- IT Customer Quality Manager;
- Senior Auditor.

7.1 The person who discovers, or receives a report of, a serious security incident must inform a manager. This should ideally be the manager responsible for the department in which the incident has occurred, but if this is not possible another manager should be informed. If the incident occurs or is discovered outside normal working hours this should be done as soon as practicable. The manager must then report the serious security incident to the Security Incident Group as soon as possible.

7.2 The manager should identify into which of the following three categories the incident fits:

a) An actual or suspected data breach.
b) An IT serious security incident that is not a data breach.
c) Another type of serious security incident that puts personal information at risk but is not a data breach.

Appendix A provides further information to assist with the categorisation of serious security incidents.

7.3 The manager should accurately record details of the incident and provide the following information to the Security Incident Group, using the form shown as Appendix B:

- Date and time of the security incident, or the period of time over which it occurred.
- Date and time the security incident was detected.
- Who reported the security incident.
- Description of the security incident.
- Type of security incident (see section 6).
- Approximate number of data subjects affected.
- Details of any council ICT systems or third party systems involved.
- Details of any action taken to minimise or mitigate the effect on data subjects.
- Details of anyone who is aware of the security incident.
- Brief details of supporting material held by the service which either confirms the security incident or is related to it.
- Details of any contractors or sub-contractors involved.

7.4 Details of serious security incidents can be very sensitive. Any sensitive information must be handled with discretion and only disclosed to those who need to know the details.

7.5 Employees or others working on behalf of the council must not attempt to deal with a security incident themselves, other than by reporting it.

7.6 The Security Incident Group will determine who should lead an investigation, and the lead will appoint an Investigation Team. Employees must not attempt to conduct their own investigations unless authorised to do so, so that evidence is not destroyed.

7.7 The council's Senior Information Risk Owner (SIRO) and the relevant director are ultimately responsible for making any decisions.

7.8 In some circumstances security incidents should also be reported to GovCertUK and the NHS Information Governance Team, using the details shown in Appendix D and following the published procedures of those organisations.

Other Policies - Joint Responsibility between Departments & the Investigation Lead

8. Links to other Departments

Sometimes a security incident will be identified during an internal investigation under another council policy. Alternatively, during a security incident investigation it may be found necessary to inform another council department of the incident.

8.1 Officers who identify a serious security incident as part of an investigation under another policy should complete the Security Incident form shown in Appendix B and forward it to the relevant lead from the Security Incident Group. When this other investigation is complete, relevant details should be provided to the Security Incident Group lead.
8.2 Where a security incident occurs that may affect another department or a school, the Security Incident Group lead will contact the relevant senior manager or school.

8.3 Any decision to take disciplinary action will be in line with the council's Disciplinary Policy.

8.4 The data breach or serious security incident report will be concluded when all other relevant investigations are complete.

Data Breach Management Plan - Responsibility of Information Governance

9. Breach Management Plan

The Information Governance Team will lead all data breach investigations and will follow the Information Commissioner's Office (ICO) suggested Breach Management Plan:

1. Containment and recovery.
2. Assessment of ongoing risk.
3. Notification of breach.
4. Evaluation and response.

9.1 Containment and Recovery

Containment and recovery involves limiting the scope and impact of the data breach, and stemming it as quickly as possible.

9.1.1 A senior member of the Information Governance Team will inform the relevant Director(s) and Legal Services.

9.1.2 A senior member of the Information Governance Team will ascertain who should contact whom, both within the council and externally. If illegal activity is known or believed to have occurred, or where there is a risk that illegal activity might occur in the future, a Director, in conjunction with a senior member of the Information Governance Team and the Head of Audit, Risk and Insurance, must consider whether the police need to be informed. Theft is an example of illegal activity.

9.1.3 A senior member of the Information Governance Team will lead an investigation and, to do so, will create an Investigation Team made up of key officers, including Internal Audit. Where the breach involves social service or health information the relevant Caldicott Guardian will be informed. Where contractual arrangements with other organisations are involved, advice will be sought from Legal Services about how to proceed and the investigation will be led in conjunction with the Contract Manager.

9.1.4 A senior member of the Information Governance Team will lead the Investigation Team to quickly take appropriate steps to ascertain full details of the breach, determine whether the breach is still occurring, recover any losses and limit the damage. Steps might include:

- Attempting to recover any lost equipment or personal information.
- Shutting down an IT system.
- Contacting the council's Contact Centre and other key departments so that they are prepared for any potentially inappropriate enquiries about the affected data subjects. If an inappropriate enquiry is received, staff should attempt to obtain the enquirer's name and contact details and confirm that they will ring the enquirer back.
- The Information Governance Team arranging, with the approval of the Communications Team, for a council-wide email to be sent.
- Contacting the Communications Team so they can be prepared to handle any press enquiries or to make any press releases.
- The use of back-ups to restore lost, damaged or stolen information.
- If bank details have been lost or stolen, considering contacting the banks directly for advice on preventing fraudulent use.
- If the data breach includes any entry codes or passwords, these codes must be changed immediately and the relevant organisations and members of staff informed.

9.2 Assessment of Ongoing Risk / Investigation

The next stage of the management plan is for the Investigation Team to investigate the breach and assess the risks arising from it.

9.2.1 The Investigation Team should ascertain whose information was involved in the breach, the potential effect on the data subjects and what further steps are required to remedy the situation.

9.2.2 The investigation should consider:

- The type of information.
- Its sensitivity.
- How many individuals are affected by the breach?
- What types of people have been affected (the public, suppliers, staff etc)?
- What protections are in place (e.g. encryption)?
- What happened to the information?
- Whether the information could be put to any illegal or inappropriate use.
- What could the information tell a third party about the individual?
- Whether there are wider consequences to the breach.

9.2.3 A senior member of the Information Governance Team should keep a clear report detailing the nature of the breach, the steps taken to preserve evidence, the assessment of risk and the investigation, the actions taken to mitigate the breach, any notifications made and recommendations for future work or actions. See Appendix C for more information about preserving evidence.

9.2.4 The initial investigation should be completed urgently and, wherever possible, within 24 hours of the breach being discovered or reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.

9.3 Notification

9.3.1 A senior member of the Information Governance Team, after seeking legal advice and working with the Investigation Team, should decide whether anyone, such as the Information Commissioner's Office (ICO) or the data subjects, should be notified of the breach. A senior member of the Information Governance Team will make any notifications to the ICO. The Investigation Team will decide whether and how anybody else should be notified. Directorates must not make any notifications directly.

9.3.2 Every incident will be considered on a case-by-case basis, but if the breach is significant and involves personal information the ICO should be notified. There is guidance on the ICO website about how and when to notify - www.ico.gov.uk. The following points will be used to assist in deciding whether to notify an organisation such as the ICO or the data subjects:

- Do we have any legal or contractual obligations in relation to notification?
- Would notification help prevent the unauthorised or unlawful use of the personal information?
- Could notification make the unauthorised or unlawful use of the personal information more likely?
- Could notification help the data subjects, i.e. could they act on the information to mitigate risks?
- If the information is personal or sensitive personal in nature and there are large numbers of data subjects involved, or possible serious consequences, we should notify the ICO.
- The dangers of over-notifying, which may cause disproportionate enquiries and work.

9.3.3 Notifications should include a description of how and when the breach occurred, what information was involved and what has already been done to mitigate the risks.

9.3.4 When notifying data subjects, specific and clear advice should be given on what individuals can do to protect themselves and what the council can do to assist them.

9.3.5 Details should be provided of how to make a complaint to the council and how to appeal to the Information Commissioner.

9.4 Review and Evaluation

Once the initial after-effects of the breach are over, a senior member of the Information Governance Team should fully review both the causes of the breach and the effectiveness of the response to it, and work with Internal Audit to determine whether any further control improvements are required.

9.4.1 The Head of Information Governance will write a report for the Council Management Team (CMT).

9.4.2 The Principal Information Governance Officer will inform the Information Security Forum of the high level details of the breach.

9.4.3 If issues are identified, an action plan must be drawn up to put these right.

10. Information Governance Contact Details

Please do not leave a voicemail or send an email to report a data breach. Always speak with somebody in the Information Governance Team. The main contacts are:

Principal Information Governance Officer
Phillipa Thornley
Telephone: 01724 296302
Email: phillipa.thornley@northlincs.gov.uk

Strategy and Information Governance Manager
Rachel Johnson
Telephone: 01724 296391
Email: Rachel.johnson@northlincs.gov.uk

Head of Information Management
Chris Daly
Telephone: 01724 296161
Email: chris.daly@northlincs.gov.uk
Serious Security Incident (Non Data Breach) - Responsibility of Security Incident Team

11. Serious Security Incident Management Plan

The most relevant member of the Security Incident Group, or an employee appointed by the group, will lead a serious security incident investigation that does not involve a data breach. The following Management Plan should be followed:

1. Containment and recovery.
2. Assessment of ongoing risk.
3. Evaluation and response.

12. Containment and Recovery

Containment and recovery involves limiting the scope and impact of the serious security incident, and stemming it as quickly as possible.

12.1 The lead officer from the Security Incident Group will ascertain who should contact whom, both within the council and externally. If illegal activity is known or believed to have occurred, or where there is a risk that illegal activity might occur in the future, a Director, in conjunction with a senior manager and the Head of Audit, Risk and Insurance, must consider whether the police need to be informed. Theft is an example of illegal activity.

12.2 The appointed lead of the serious security incident investigation will lead an investigation and, to do so, will create an Investigation Team made up of key officers, including Internal Audit. Where contractual arrangements with other organisations are involved, advice will be sought from Legal Services about how to proceed and the investigation will be led in conjunction with the Contract Manager.

12.3 Full details of the incident should be determined and mitigating action such as the following should be taken to limit the impact of the incident:

- Attempting to recover any lost equipment or personal information.
- Shutting down an IT system.
- The use of back-ups to restore lost, damaged or stolen information.
- Making a building secure.
- If the incident involves any entry codes or passwords, these codes must be changed immediately and the relevant organisations and members of staff informed.

13. Assessment of Ongoing Risk / Investigation

The next stage of the management plan is for the Investigation Team to investigate the serious security incident and assess the risks arising from it.

13.1 The Team should ascertain what information was involved in the serious security incident and what steps are required to remedy the situation.

13.2 The investigation should consider:

- The type of information.
- Its sensitivity.
- What protections are in place (e.g. encryption)?
- What happened to the information?
- Whether there are wider consequences to the incident.

13.3 The appointed lead of the Security Incident Investigation should keep a clear report detailing the nature of the incident, the steps taken to preserve evidence, the assessment of risk and the investigation, any mitigating actions taken and any recommendations for future work or actions. See Appendix C for more information about preserving evidence.

13.4 The initial investigation should be completed within an agreed timeframe.

14. Review and Evaluation

Once the initial after-effects of the serious security incident are over, the Information Security Forum should fully review both the causes of the incident and the effectiveness of the response to it, and work with Internal Audit to determine whether any further control improvements are required.

14.1 The Security Incident Group lead should update the Information Security Forum with details of the incident.

14.2 If issues are identified, an action plan must be drawn up to put these right.
15. Serious Security Incident Group

Please do not leave a voicemail or send an email to report a serious security incident. Always speak with somebody from the following list of contacts:

Unified Comms Manager
Paul Smith
Telephone: 01724 296893
Email: paul.smith@northlincs.gov.uk

IT Customer Quality Manager
Carl Render
Telephone: 01724 296886
Email: carl.render@northlincs.gov.uk

Senior Auditor
Stuart Anderson
Telephone: 01724 296377
Email: stuart.anderson@northlincs.gov.uk

Principal Information Governance Officer
Phillipa Thornley
Telephone: 01724 296302
Email: phillipa.thornley@northlincs.gov.uk
Appendices

Appendix A: Guidelines for the Categorisation of Serious Security Incidents

Actual or Suspected Data Breach - Examples include:

- Use of viruses or spyware software;
- Use of illegal or unauthorised software or information;
- Fraud or forgery;
- Unauthorised use of the council IT network or systems;
- Unauthorised use of another user's profile (masquerading of user identity);
- Divulging a password to another user without authority;
- Unauthorised access to council information classified as personal or confidential;
- Unauthorised alteration or deletion of council information;
- Unauthorised copying of council information;
- Wilful damage to council IT equipment or property;
- Unauthorised access to council offices;
- Unauthorised removal of council property or information;
- Theft or loss of IT equipment containing council information.

IT Serious Security Incident (Not a Data Breach) - Examples include:

- IT network attack;
- Use of viruses or spyware;
- Unauthorised access to the council's IT network and systems;
- Theft or damage to IT equipment.

Other Serious Security Incident (Not a Data Breach) - Examples include:

- Fire;
- Flood;
- Storm damage;
- Power supply failures and fluctuations;
- Terrorist and bomb attacks, including suspicious packages;
- Unauthorised access to council premises;
- Theft of or damage to council property.
Appendix B: Serious Security Incident and Data Breach Form

Contact details of person submitting form
1. Name
2. Job Title
   Address
   Telephone Number
   Email Address

Incident Information
3. Date / Time of Breach or Period of Time
   Date / Time Breach Detected
   Who / What Reported the Breach?
   Description of the Breach
   Type of breach (see section 6 for list)
   Approximate number of Data Subjects affected
   Details of Council ICT / 3rd Party ICT Systems Involved
   Details of any action taken to minimise / mitigate the effect on the data subjects
4. Who is aware of this data breach?
   Brief Details of Supporting Information held by Department
   Details of any Contractors / Sub-Contractors Involved
Appendix C: Guidelines for Preserving Evidence

Where appropriate the Investigation Team must follow these steps to preserve evidence:

- Keep a log of all events showing how evidence was collected, analysed, transported and preserved;
- Where possible, mark evidence with the date, time and name of the collector and witnesses;
- If relevant, dump computer contents from memory to a file and take a back-up of the file;
- If relevant, make an image (copy) of the computer hard drive(s), which will be used for further analysis to ensure that the evidence on the original system is unharmed;
- If relevant, IT system logs (both current and archived) should be preserved to provide evidence of the incident discovered, as well as any previous incidents.
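The following is an added illustration and is not part of the council's policy: a small Python chain-of-custody log that carries out the first two Appendix C steps (a log of every collection event, each item marked with date, time, collector and witnesses) and backs the "image used for analysis so the original is unharmed" step with a SHA-256 fingerprint, so the Investigation Team can later prove a working copy still matches what was collected. The incident reference, the names and the sample log file are constructed for the demonstration; a real investigation would replace the file copy with a forensic image of the disk or memory dump, but the integrity check is the same.

```python
"""Chain-of-custody log with integrity checking (added example, not council code).

Every action on an evidence item is logged with UTC time, collector and
witnesses, together with the SHA-256 of the item at that moment. verify()
recomputes the hash and compares it with the value recorded at collection,
which is how an analyst shows the working copy has not been altered.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled which evidence item, and when."""

    def __init__(self, incident_ref):
        self.incident_ref = incident_ref  # hypothetical reference number
        self.entries = []

    def record(self, action, item, collector, witnesses=(), note=""):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "incident": self.incident_ref,
            "action": action,  # collected / imaged / transported / analysed
            "item": os.path.basename(item),
            "sha256": sha256_of(item),
            "collector": collector,
            "witnesses": list(witnesses),
            "note": note,
        }
        self.entries.append(entry)
        return entry

    def verify(self, item):
        """True if the file still hashes to the value logged when it was first recorded."""
        name = os.path.basename(item)
        first = next(e for e in self.entries if e["item"] == name)
        return sha256_of(item) == first["sha256"]

    def dump(self):
        """Serialise the log; this is what goes into the investigation report."""
        return json.dumps(self.entries, indent=2)


def preserve_copy(original, dest_dir, log, collector, witnesses=()):
    """Log the original, take a working copy, log the copy, and prove they match."""
    copy_path = os.path.join(dest_dir, os.path.basename(original) + ".copy")
    log.record("collected", original, collector, witnesses)
    shutil.copy2(original, copy_path)  # a real case would image the device instead
    log.record("imaged", copy_path, collector, witnesses,
               note="working copy of " + os.path.basename(original))
    # A copy is only usable as evidence if it hashes identically to the original.
    assert sha256_of(copy_path) == sha256_of(original)
    return copy_path


def demo():
    """Run the workflow on a constructed log extract; returns (log, tamper_detected)."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "auth.log")
        with open(original, "w") as f:  # constructed sample evidence
            f.write("Jan 12 09:14:02 fileserver sshd[2231]: "
                    "Failed password for admin from 10.0.0.5\n")
        log = CustodyLog("INC-2015-000")  # hypothetical reference
        copy = preserve_copy(original, workdir, log, "A. Collector", ["B. Witness"])
        intact_before = log.verify(copy)
        # Simulate an analyst editing the working copy instead of a further copy.
        with open(copy, "a") as f:
            f.write("tampered line\n")
        intact_after = log.verify(copy)
        return log, intact_before and not intact_after
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    custody, detected = demo()
    print(custody.dump())
    print("tampering detected:", detected)
```

Analysis is done on a further copy of the image, never on the collected item, so that verify() on the stored copy keeps returning True for the life of the investigation; the demo deliberately edits the working copy to show the check failing.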
Appendix D: Guidelines for Reporting Information Security Incidents

GovCert UK
http://www.govcertuk.gov.uk

Follow the link to report a suspected incident within the submission process. In the event of the internet not being available the following details should be used:

CESG's Incident Response Team
The CESG GovCertUK Incident Response team provides a 24/7 (24 hours, 7 days a week) operation, and can be contacted on the following:
Telephone: 01242 709311
Fax: 01242 709113
General Enquiries: Enquiries@govcertuk.gov.uk or govcertuk@cesg.gsi.gov.uk
Incidents and alerts: Incidents@govcertuk.gov.uk or govcertuk@cesg.gsi.gov.uk

During office hours (0830-1700 hrs) the GovCertUK response team will handle any queries or incidents. Outside office hours, at weekends and on public holidays a duty officer will monitor correspondence and respond to telephone calls, supported by on-call GovCertUK response personnel. GovCertUK provides CESG's CERT function to UK government, assists public sector organisations in the response to computer security incidents and provides advice to reduce exposure to threat.

NHS Information Governance
https://www.igt.hscic.gov.uk/incidentreportingmenu.aspx?tk=415035732667503&uid=57915&cb=bf5c0062-1c6a-4a69-8b82-a146fe33ec9d&lnv=12&clnav=yes
https://www.igt.hscic.gov.uk/knowledgebasenew/hscic%20ig%20siri%20%20Checklist%20Guidance%20V2%200%201st%20June%202013.pdf

Follow the link to report a data breach. The NHS Information Governance Self Assessment requires organisations that must complete the assessment, such as the council, to report all data breaches occurring within Adult Social Care.