
Good Practice Audit outcomes analysis
Police Forces, April 2013 to April 2014

This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces, during the above period. No individual organisation is named in the report.

Assurance ratings

When conducting an audit, we assess the arrangements an organisation has in place for complying with the Data Protection Act 1998 (DPA) and the extent to which they are being adhered to. We then give an overall rating (as described below) indicating the extent to which controls are in place and are effective.

Assurance rating | Description
High | Limited scope for improving existing arrangements. Significant action unlikely to be required.
Reasonable | Some scope for improvement in existing arrangements.
Limited | Scope for improvement in existing arrangements.
Very limited | Substantial risk of non-compliance with the DPA. Immediate action required.

Overall audit ratings

During the period, we audited 17 police forces and gave the following ratings.

Year | Audits completed | High | Reasonable | Limited | Very limited
Apr 2013 to Apr 2014 | 17 | 1 | 10 | 6 | 0

59% fell within the reasonable range and 35% fell within the limited range. There was 1 high rating awarded during the period.

Scope area ratings

ICO audits usually cover three of the six key scope areas (described below). We give an assurance level for the performance in each scope area, and these combine to form the overall rating. During the period, we gave the following ratings in the individual scope areas.

- DP Governance (the arrangements and controls in place to ensure compliance with the DPA): Reasonable 4, Limited 2.
- Records management (the processes in place for managing both electronic and manual records containing personal data): Reasonable 3, Limited 7, Very limited 1.
- Requests for personal data (the procedures in place to deal with any requests for personal data): Reasonable 4, Limited 1.
- Security of personal data (the technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form): High 0, Reasonable 8, Limited 2.
- Training and awareness (the provision and monitoring of staff DPA training and the awareness of DPA requirements relating to their roles and responsibilities): High 0, Reasonable 6, Limited 2.
- Data sharing (the design and operation of controls to ensure the sharing of personal data complies with the principles of the Data Protection Act 1998 and the Information Commissioner's Data Sharing Code of Practice): Reasonable 4, Limited 1, Very limited 1.

Audit observations of good practice

For the audits completed during the period, we made the following observations focusing on areas of good practice.

Data protection governance

- A formal governance framework is in place to cover information security, records management and data sharing. The framework is supported by a series of organisational arrangements and roles. There are regular Strategic Security Board meetings, chaired by the SIRO, feeding upwards into the Force Leadership Group.
- An autonomous Corporate Information Management Department has been established which is staffed by specialists, many of whom have an appropriate data protection qualification. There is a governance structure in place to support and promote information security, with roles within the department allocated to Data Protection, Records Management, Data Quality and Information Requests.
- There is a rolling 5 year plan of audit which incorporates information management audits. The audit plan is agreed through meetings between the risk adviser and SIRO with the Policing Committee. In order to ensure the implementation of audit recommendations, approved action plans are incorporated as objectives into directorate performance plans.
- A comprehensive policy process is embedded to ensure that new policies are risk assessed against force objectives to inform whether they should become policy or procedure. The assessment also affects the frequency of the policy review. When policies are archived, a further consultation is carried out to ensure all departments are aware that the document is being withdrawn.
- Self-assessment tools are in place to enhance information governance controls.

Records management

- Fair processing notices are in place on various mediums, such as online websites and paper based forms, to ensure the public are informed how their data will be processed and shared when applicable.
- There is a dedicated records management team, led by an experienced Records Manager (RM), who has responsibility for the force's manual and electronic records. The team are actively engaged in ensuring the accuracy of current records, reviewing retention and disposal of legacy records, and weeding information no longer required for operational procedures.
- A two-tier system of information asset ownership has been adopted. Senior Information Asset Owners (SIAOs) have been assigned at Directorate Head level and these are supported by Information Asset Owners (IAOs) responsible for operational control over assigned assets.
Security of personal data

- Information Security strategies reflect both ACPO/ACPOS and UK Government good practice frameworks and guidance, and there are processes in place to apply both external and internal assessments to determine compliance with these.
- Security awareness programmes are in place, including the use of security and GPMS pocket guides, mouse mats, and regularly changed PC wallpaper splash screens used for security initiatives.
- A team of security officers is in place, each responsible for assets, both physical and records, within their designated operational Districts, as well as providing security advice. These officers carry out regular announced and unannounced visits to carry out unauthorised access breach tests. These visits also include checks on clear desk / clear screen compliance and confidential waste procedures.
- Encrypted biometric USB sticks are issued upon receipt of the appropriate authority. The security applied to Force USB sticks means that the information contained within can only be accessed with the assigned finger/thumb print.
- The Force has developed and implemented a Security Aspects Letter which sets out the security requirements that third party contractors must adhere to at the tendering stage. In addition, the Force aims to seek assurances from third party organisations prior to, and during, the tendering process through the completion of questionnaires which cover areas including data protection and information security.
- Individual information security incidents are investigated and analysed by the Force Information Security Officer, with the relevant department conducting remedial actions where appropriate. Lessons learned are placed on the weekly orders for dissemination to all staff where necessary.
- IT health checks are carried out each year as per the requirement of the CJX code of connection. These include mandatory testing of firewalls along with testing of other systems. Issues identified are assigned to an owner with defined completion dates and monitored by the Information Compliance Manager.

Requests for personal data

- There are well-defined and centralised processes for handling subject access requests and disclosures. Staff who handle these requests understand the importance of proportionality, relevance and adequacy when disclosing personal data in response to requests.
- A traffic light system is used for managing the progress of subject access requests through the disclosure procedure, ensuring that requests approaching the deadline for response are highlighted to Disclosures staff.

Data sharing

- Information sharing logs are in place and maintained to ensure effective tracking of data disclosures and bulk sharing of information.
- Data sharing agreements have been agreed with all parties with whom personal data is routinely shared, are reviewed on a regular basis, and there is a log of the sharing taking place.
- A new tiered system has been implemented in order to structure data sharing within the force. Tier 1 is an overarching agreement between the force and its partner organisation, while Tier 2 is more granular, tailored to the specific organisational departments who are sharing data.

Audit observations of areas for improvement

Overall controls within the scope areas covered could be enhanced in some instances with the introduction or development of the following:

Data protection governance

- The inclusion of Privacy Impact Assessments in any project to ensure a risk assessment is undertaken for significant changes to ICT systems or data handling processes, in order to determine any impact on the processing of personal data and its effect on complying with the DPA.
- The insertion of data protection clauses within data processor / procurement contracts that have been implemented at a regional level.
- Policies and procedures being reviewed in line with the standard review cycle outlined, and version control applied to policies and procedures that have been subject to review. In addition, the documentation of how compliance with the key requirements of the policies will be measured and by whom, to mitigate the potential risk that policies adopted may not be adhered to in practice.

Records management

- The development of a comprehensive Information Asset Register to provide an overview of all non-system based records.
- A location inventory of paper records to mitigate the risk of paper files being held in unknown, incorrect or disused locations.
- The introduction of a system or process for staff to update the whereabouts of any paper records.
- The introduction and embedding of Information Asset Owners (IAO) for all information assets. Specialised role based training provided to all IAOs, and roles and responsibilities reflected in their job descriptions. The establishment of periodic reporting by IAOs to the SIRO on all risks relating to their information assets.
- The documentation of system or security operating procedures for key systems in line with the ACPO Data Protection Manual guidance standard 8.6.
- The completion and documentation of formal Risk Management Accreditation Document Sets (RMADS) for restricted systems or those storing or processing sensitive information, in line with HMG Information Risk Standards 1 & 2, which require accreditation specifically for all systems connected to force networks.

Security of personal data

- The implementation of appropriate endpoint controls to prevent users potentially plugging in and using a non-authorised device on force systems, or downloading unauthorised content onto or from force networks.
- The establishment of compliance monitoring and spot checks for staff with certain security privileges, such as home, offsite and agile working, to provide additional assurances of the security arrangements in place.
- The introduction of regular workplace security and clear desk compliance monitoring to ensure that crime records or paper based personal data files are securely stored as appropriate and not left unattended.
- Regular proactive information systems security audits executed, and plans put in place to raise awareness of information security and related risks.
- Strengthening of current controls relating to the current process for staff moving roles, or leaving employment, to mitigate the risk of staff accruing access rights whilst not having any removed. Periodic reconciliation checks with HR records and inactivity reporting.
- With the move towards the full use of Body Worn Cameras, and given the significant risks involved in the use, storage and deletion of data on these devices, there should be a security review of the proposed controls around these devices to ensure the fundamental threats have been mitigated.
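The mover/leaver recommendation above, "periodic reconciliation checks with HR records and inactivity reporting", is the kind of control that is most reliable when it is run as a repeatable script rather than a manual exercise. The following is an added example, not code from the ICO or from any police force. It assumes a hypothetical directory export (usernames, employee IDs, group memberships, last logon dates), a hypothetical HR feed (employee ID, department, status), and a hypothetical department-to-group entitlement table named ENTITLEMENTS; all sample data is constructed. It reports three classes of drift: leavers whose accounts still exist, movers who kept groups from a previous role, and accounts with no recent logon.

```python
"""Joiner/mover/leaver reconciliation and inactivity reporting (added example).

Reconciles an identity-directory export against HR records to surface the
access-rights drift the audit report describes. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    status: str                  # "active" or "left"


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: str
    groups: FrozenSet[str]
    last_logon: Optional[date]   # None means the account has never logged on


# Hypothetical entitlement model: the groups each department's staff may hold.
ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "Custody": frozenset({"custody-records", "all-staff"}),
    "Disclosures": frozenset({"sar-casework", "all-staff"}),
    "ICT": frozenset({"domain-admins", "all-staff"}),
}

Finding = Tuple[str, str, str]   # (category, username, detail)


def reconcile(accounts: List[Account], hr_records: List[HrRecord], as_of: date,
              inactive_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Compare directory accounts with HR records and return findings in account order."""
    hr = {r.employee_id: r for r in hr_records}
    findings: List[Finding] = []
    for acct in accounts:
        rec = hr.get(acct.employee_id)
        # Leaver: HR has no active record for the account's owner, so the account
        # should have been disabled; report it and skip the remaining checks.
        if rec is None or rec.status != "active":
            reason = "no HR record" if rec is None else f"HR status '{rec.status}'"
            findings.append(("leaver", acct.username, f"{reason}; disable account"))
            continue
        # Mover: groups outside the current department's entitlement are rights
        # accrued in a previous role that were never removed.
        excess = acct.groups - ENTITLEMENTS.get(rec.department, frozenset())
        if excess:
            findings.append(("mover", acct.username,
                             f"groups outside {rec.department} entitlement: {sorted(excess)}"))
        # Inactive: no logon within the threshold, or never.
        if acct.last_logon is None or as_of - acct.last_logon > inactive_after:
            age = "never" if acct.last_logon is None else f"{(as_of - acct.last_logon).days} days ago"
            findings.append(("inactive", acct.username, f"last logon {age}; review or disable"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for a management report."""
    counts: Dict[str, int] = {}
    for category, _, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample data (not from any real force).
AS_OF = date(2014, 4, 1)
SAMPLE_HR = [
    HrRecord("E100", "Custody", "active"),
    HrRecord("E101", "Disclosures", "active"),   # moved here from Custody
    HrRecord("E102", "ICT", "left"),
    HrRecord("E103", "ICT", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("pc.smith", "E100", frozenset({"custody-records", "all-staff"}), AS_OF - timedelta(days=5)),
    Account("dc.jones", "E101", frozenset({"custody-records", "sar-casework", "all-staff"}), AS_OF - timedelta(days=2)),
    Account("j.brown", "E102", frozenset({"domain-admins", "all-staff"}), AS_OF - timedelta(days=120)),
    Account("svc.backup", "E103", frozenset({"all-staff"}), None),
    Account("a.khan", "E999", frozenset({"all-staff"}), AS_OF - timedelta(days=1)),
]

if __name__ == "__main__":
    for category, user, detail in reconcile(SAMPLE_ACCOUNTS, SAMPLE_HR, AS_OF):
        print(f"{category:8} {user:12} {detail}")
```

Run against the constructed data it flags dc.jones as a mover (still holding custody-records after transferring to Disclosures), j.brown and a.khan as leavers, and svc.backup as inactive, while pc.smith produces no finding. In practice the two inputs would be exported from the directory and the HR system on a schedule, and the entitlement table would be owned by the relevant Information Asset Owners so that the "excess groups" test reflects agreed access, not guesswork.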

Data sharing

- The improvement of security arrangements for third party direct access to police systems to prevent unauthorised or inappropriate access to sensitive personal data held on those systems.
- The documentation of all DPA compliance issues and advice given prior to the implementation of a proposed Information Sharing Agreement (ISA), in order to provide evidence of the reasoning behind decisions made.
- The inclusion of retention and security requirements for all signatories within any ISA, and the establishment of compliance checks to ensure these requirements are fulfilled.

Training and awareness

- Delivery of a centralised annual data protection training programme/plan, and completion of a specific training needs analysis to identify staff and third parties requiring specific role based training in relation to data protection, information security, information sharing or records management.

Audit feedback comments received

At the conclusion of each audit we request feedback in the form of a questionnaire. From the surveys returned for the period, we received the following comments.

"Data Protection has a higher profile and staff are more aware of the importance of Data Protection."

"I found the audit informative and very beneficial. Lessons have been learnt and action taken to improve our compliance."

"We had plans to deliver on many of the recommendations in the report, but I feel the report itself has focused the mind and I am sure it will be easier to implement the recommendations with the backing of the ICO Audit."

"I would just like to thank all the ICO staff involved in the audit. They were absolutely excellent and really supportive throughout the whole process."

"The audit raised some issues for the Constabulary to progress into the future. It has certainly raised the profile of DP at senior management level and the recommendations will be the subject of on-going reporting at the Force's Information Assurance Board, chaired by an ACC."