East Riding of Yorkshire Council Data protection audit report. Executive summary March 2014

Transcription

1 East Riding of Yorkshire Council Data protection audit report Executive summary March 2014

2 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. The ICO was provided with reports of two separate incidents occurring during April/May 2012 when sensitive personal data was mistakenly released to the wrong party. As a consequence of this the ICO issued the East Riding of Yorkshire Council (the Council) with an Undertaking in March 2013 to improve data protection. The Council has agreed to a consensual audit by the ICO of its processing of personal data. An introductory teleconference was held on 10 October 2013 with representatives of the Council to identify and discuss the scope of the audit and after that through and telephone correspondence to agree the schedule of interviews. ICO data protection audit report executive summary 2 of 6

3 2. Scope of the audit Following pre-audit discussions with the Council it was agreed that the audit would focus on the following areas: Training and awareness The provision and monitoring of staff data protection training and the awareness of data protection requirements relating to their roles and responsibilities. Security of personal data The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form. Requests for personal data The processes in place to respond to any requests for personal data. This will include requests by individuals for copies of their data (subject access requests) as well as those made by third parties. ICO data protection audit report executive summary 3 of 6

4 3. Audit opinion The purpose of the audit is to provide the Information Commissioner and the Council with an independent assurance of the extent to which the Council within the scope of this agreed audit is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA. Overall Conclusion Reasonable assurance There is a reasonable level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified some scope for improvement in existing arrangements to reduce the risk of non-compliance with the Data Protection Act. We have made two reasonable assurance and one limited assurance assessments where controls could be enhanced to address the issues which are summarised below. ICO data protection audit report executive summary 4 of 6

5 4. Summary of audit findings Areas of good practice There is an appropriate governance framework in place, approved at senior level, for overseeing information security. This comprises of the Information Governance Management Board (IGMB), a defined strategy, policies and procedures and assigned roles and responsibilities, including a Senior Information Risk Officer (SIRO) and a trained IT Security Officer (ITSO). Considerable resource and effort has been put into ensuring staff have adequate data protection training. All staff are required to complete a DP e-learning module and advanced DP training has been developed for staff identified through a training needs analysis. Take-up of training is monitored and reported monthly at the IGMB. A documented process and clear guidance is provided to staff to ensure the Council fulfils its obligation under the DPA s right of subject access. There are assigned officers in each department who liaise with the Subject Access Request Co-ordinator. Additional safeguards to the process have been developed by the Children and Young People s service to manage the complex nature of their requests. Areas for improvement Heads of Service have been designated as Information Asset Owners (IAOs) but they are not regularly assessing and reporting on the risk to information in their business areas. This may result in the SIRO not having an accurate overview of information risk across the Council. It is important that IAOs are clear about their role and responsibilities and regularly review the electronic and manual data they own to ensure they are clear about how it is being used and shared and who has access to it and why. There is no overarching Information Asset Register to ensure the Council has a mechanism for understanding and managing risks to their information. It should link assets to dependencies including risk assessments, retention schedules and owners. Risks should be monitored and responsibility for mitigating risk assigned to an owner. The register should be maintained and regularly updated, with a named owner responsible for overseeing this. Although the Council are aware of Privacy Impact Assessments (PIAs) they have not been used on any projects. The introduction of robust PIAs and embedding them into the Council s project development and system design processes will help provide assurance that personal data risks are ICO data protection audit report executive summary 5 of 6

6 being assessed in advance of new systems processing personal data being developed/implemented. The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of East Riding of Yorkshire Council. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. ICO data protection audit report executive summary 6 of 6