Neath Port Talbot County Borough Council. Data protection audit report

Transcription

1 Neath Port Talbot County Borough Council Data protection audit report Executive summary January 2014

2 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51(7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. The ICO originally contacted the Chief Executive of Neath Port Talbot County Borough Council (NPTCBC) to offer a data protection audit. Consequently, NPTCBC agreed in January 2012 to a consensual audit by the ICO of its processing of personal data. An introductory teleconference was held on 16 August 2013 with representatives of NPTCBC to identify and discuss the scope of the audit and after that on 10 September 2013 to agree the schedule of interviews. ICO data protection audit report executive summary 2 of 6

3 2. Scope of the audit Following pre-audit discussions with NPTCBC, it was agreed that the audit would focus on the following areas: Data protection governance The extent to which data protection responsibility, policies and procedures, performance measurement controls, and reporting mechanisms to monitor DPA compliance are in place and in operation throughout the organisation. Training and awareness The provision and monitoring of staff data protection training and the awareness of data protection requirements relating to their roles and responsibilities. Requests for personal data The processes in place to respond to any requests for personal data. This will include requests by individuals for copies of their data (subject access requests) as well as those made by third parties. Data sharing - The design and operation of controls to ensure the sharing of personal data complies with the principles of the DPA and the good practice recommendations set out in the Information Commissioner s Data Sharing Code of Practice. ICO data protection audit report executive summary 3 of 6

4 3. Audit opinion The purpose of the audit is to provide the Information Commissioner and NPTCBC with an independent assurance of the extent to which NPTCBC, within the scope of this agreed audit is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA. Overall Conclusion Limited assurance There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA. We have made one very limited assurance assessment in respect of training and awareness and three limited assurance assessments in respect of data protection governance, requests for personal data and data sharing, where controls could be enhanced to address the issues which are summarised below. ICO data protection audit report executive summary 4 of 6

5 4. Summary of audit findings Areas of good practice Internal Audit consider notification, data classification, data retention, availability of data, password protection, identity access management and access to manual records when conducting their annual systems review. Privacy Impact Assessments, in respect of new data processing systems, have been introduced over the past year. The Corporate Solicitor is consulted prior to Head of Service authorisation and sign off in respect of subject access redactions and / or exemptions. Records about data sharing decisions are maintained as an audit trail for approved Information Sharing Agreements (ISAs). Records include minutes and action plans from the ISA working group. ICO data protection audit report executive summary 5 of 6

6 Areas for improvement There is lack of corporate oversight of data protection compliance as groups such as the Corporate Directors Group (CDG) and the Corporate Governance Group (CGG) lack clearly defined roles in this area. In addition, there are no Key Performance Indicators (KPIs) in respect of data protection compliance. There is no requirement for documented data protection policies to follow an agreed format or version control process. There is no corporate data protection training programme for all employees processing personal data. This leads to an increased risk that personal data will not be processed in accordance with the DPA. The central database of requests for information records their due dates and is capable of producing reports against this information, however there is no reporting of Subject Access Request (SAR) figures or compliance, and therefore no monitoring of performance. No monitoring or quality assurance checks are carried out to ensure that disclosures to third parties are appropriate. There is currently no formalised central NPTCBC policy or procedural guidance for employees to follow in order to set up a new ISA. This leads to an increased risk that employees will not be aware of data sharing requirements and may share data without appropriate safeguards or authority in place. NPTCBC do not hold a central register of ISAs, this results in a lack of oversight of such agreements and resulting risks, such as that ISAs may not be reviewed on time. The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of Neath Port Talbot County Borough Council. We take all reasonable care to ensure that our audit report is fair and accurate, but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. ICO data protection audit report executive summary 6 of 6