Police Service of Scotland Data protection audit report. Executive summary

Transcription

1 Police Service of Scotland Data protection audit report Executive summary September 2017

2 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data Protection Act 1998 (the DPA). Section 51 (7) of the DPA contains a provision giving the Information Commissioner power to assess any organisation s processing of personal data for the following of good practice, with the agreement of the data controller. This is done through a consensual audit. The Information Commissioner s Office (ICO) sees auditing as a constructive process with real benefits for data controllers and so aims to establish a participative approach. Police Service of Scotland (PSoS) has agreed to a consensual audit by the ICO of its processing of personal data. An initial telephone call was held on 7 December with representatives of PSoS to discuss the agreed scope and to agree the schedule of interviews. ICO data protection audit report executive summary 2 of 6

3 2. Scope of the audit Following pre-audit discussions with PSoS, it was agreed that the audit would focus on the following areas: a. Security of personal data The technical and organisational measures in place to ensure that there is adequate security over personal data held in manual or electronic form. b. Training and awareness The provision and monitoring of staff data protection training and the awareness of data protection requirements relating to their roles and responsibilities. ICO data protection audit report executive summary 3 of 6

4 3. Audit opinion The purpose of the audit is to provide the Information Commissioner and PSoS with an independent assurance of the extent to which PSoS, within the scope of this agreed audit, is complying with the DPA. The recommendations made are primarily around enhancing existing processes to facilitate compliance with the DPA. Due to the geographical size of PSoS and the number of staff employed, the site visit alone was limiting in allowing the ICO to be able to gain assurance across the organisation. A staff survey would have provided an opportunity to review and evidence the application and consistency of procedures, and assisted us in assessing specific areas of weakness/risk across the whole organisation, not just those staff/departments we interviewed during the on-site audit. The audit would have benefitted from further access to key staff and documents. Overall Conclusion Limited Assurance There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance with the DPA. We have made one limited and one very limited assurance assessments, where controls could be enhanced to address the issues which are summarised below. ICO data protection audit report executive summary 4 of 6

5 4. Summary of audit findings Areas of good practice PSoS has implemented a Nessus vulnerability management system to log new technical vulnerability updates. In addition, PSoS also use hacking tools to identify any additional technical vulnerability. There is a vulnerability assessment and penetration testing process to identify, test and apply solutions to vulnerabilities. PSoS have an internal audit programme in place which takes a risk based approach. These include audits for key systems and processes such as transaction monitoring of the Police National Database and the Driver Validation Service database to ensure compliance with their use. Areas for improvement PSoS does not currently have a force-wide Information Asset Register in place for ensuring that all information assets are identified, logged and continually risk assessed. Information Asset Owners have only been established for some information assets held by PSoS. The current PSoS data protection and information security training programme provided to police staff and officers as part of their induction training is not regularly reviewed and evaluated to ensure the content is up-to-date, relevant and fit for purpose. Data protection and information security training is not refreshed and it is possible for a member of staff to be employed for over 25 years and not receive any additional training in data protection or information security following the induction course. PSoS does not conduct training needs analysis for staff responsible for processing personal data which poses a risk that staff groups have not received an appropriate level of data protection and information security training. ICO data protection audit report executive summary 5 of 6

6 The matters arising in this report are only those that came to our attention during the course of the audit and are not necessarily a comprehensive statement of all the areas requiring improvement. The responsibility for ensuring that there are adequate risk management, governance and internal control arrangements in place rest with the management of PSoS. We take all reasonable care to ensure that our audit report is fair and accurate but cannot accept any liability to any person or organisation, including any third party, for any loss or damage suffered or costs incurred by it arising out of, or in connection with, the use of this report, however such loss or damage is caused. We cannot accept liability for loss occasioned to any person or organisation, including any third party, acting or refraining from acting as a result of any information contained in this report. ICO data protection audit report executive summary 6 of 6