Data protection audits, outcomes and lessons learnt
Information Commissioner’s Office
John-Pierre Lamb, Group Manager, Good Practice
October 2014
Our Mission:
The ICO is the UK’s independent authority set up to uphold
information rights in the public interest, promoting openness
by public bodies and data privacy for individuals.
Our role:
• Encourage good practice
• Assess eligible complaints
• Advise individuals and organisations
• Take appropriate action on non-compliance
What is Good Practice?
Section 51 (7) of the DPA 1998:
Gives the Information Commissioner power to assess any
organisation’s processing of personal data for the following of ‘good
practice’, with the agreement of the data controller.
Good practice is defined very generally in the Act as “practices for
processing personal data which appear to be desirable. This includes,
but is not limited to, compliance with the requirement of the Act”.
Good Practice Team
Our aim:
To help organisations understand how to comply with the DPA.
Who we work with:
A wide range of organisations from small charities and
voluntary organisations through to high profile government
departments and household name companies.
How we do this:
• DPA & PECR audits
• Advisory visits
• Workshops
• Self assessment questionnaires
• Outcomes reporting
What is personal data?
Data which relate to a living individual who can be identified
(a) from those data, or
(b) from those data and other information which is in the
possession of, or is likely to come into the possession of, the
data controller
and includes any expression of opinion about the individual
and any indication of the intentions of the data controller or
any other person in respect of the individual
What is sensitive personal data?
Personal data relating to:
• racial or ethnic origin
• political opinions
• religious beliefs or other beliefs of a similar nature
• trade union membership
• physical or mental health or condition
• sexual life
• the commission, or alleged commission, of any offence
• any court proceedings or sentence relating to any offence committed or alleged to have been committed
Data Protection Act 1998
The eight principles
Audit Process
Audit approach – process overview
• Consensual engagement, then agree a scope of work with
the organisation plus LoE and interview schedule – one to
two months before the audit
• Carry out an off-site adequacy review of an organisation’s
documented policies and procedures
• Carry out an on-site review of the procedures in practice for
processing personal data – 3 days, 2/3 auditors
• Provide a report with recommendations and assurance
opinion – 8 weeks from first draft to final report
• Draft an executive summary for publication on our website,
with the consent of the organisation
• Carry out a follow-up review – depends on assurance level
Benefits of an ICO DP audit
• helps to raise awareness of data protection and what the ICO
considers appropriate to enable compliance with DPA
• identifies data protection risks and provides practical, pragmatic,
organisational-specific recommendations
• shows an organisation’s commitment to, and recognition of, the
importance of data protection
• opportunity to use the ICO’s experience & resources (at no
expense) to provide an independent assurance of the existence
and effectiveness of data protection controls
• sharing knowledge with trained, experienced, qualified staff and an
improved working relationship with the ICO
Key scope areas
• Data protection governance:
structure, roles and responsibilities,
policies and procedures, risk management, compliance reviews and audit,
performance monitoring and reporting
• Records management:
roles and responsibilities, policies and
procedures, collection of data/fair processing, storage and maintenance,
retention and disposal of data plus monitoring and reporting
• Security of personal data:
structure, roles & responsibilities, policies
& procedures, asset management, physical security, identity access
management, network access controls, system monitoring and incident
reporting, remote working and web/cloud based applications
Key scope areas
• Training & awareness:
induction, specific and role based, refresher
training, and performance and reporting
• Requests for personal data:
accountability, training, records,
performance monitoring, compliance monitoring including correct use of
redaction and DPA exemptions plus third party request handling
• Data sharing:
roles and responsibility, fair processing, risk and legality
assessment, formal data sharing agreements, monitoring and reporting,
data quality, security
Security – scope and risk
The technical and organisational measures in place to ensure
that there is adequate security over personal data held in
manual or electronic form.
Risk: Without robust controls to ensure that personal data
records, both manual and electronic, are held securely in
compliance with the DPA, there is a risk that they may be
lost or used inappropriately, resulting in regulatory action
against, and/or reputational damage to, the organisation,
and damage and distress to individuals.
ICO audit - Security controls
[Pie chart] Sectors audited, Apr 2011 to Sep 2014. Sectors: Central govt, Local govt, NHS, Private, Criminal Justice, Other. Segment shares as labelled on the chart: 5%, 9%, 23%, 31%, 11%, 21%.
[Pie chart] Scope area analysis, Jan 2011-Dec 2013, local government only. Scope areas: Data protection governance, Training and awareness, Records management, Security of personal data, Requests for personal data, Data sharing. Shares as labelled on the chart: 4%, 18%, 17%, 15%, 22%, 24%.
[Pie chart] Scope area analysis, Feb 2010-Jan 2014, health only. Scope areas: Data protection governance, Training and awareness, Records management, Security of personal data, Requests for personal data, Data sharing. Shares as labelled on the chart: 8%, 7%, 22%, 29%, 16%, 18%.
[Bar charts] Assurance opinion analysis, Local Government vs Health Authorities: percentage of audits by assurance opinion (High assurance, Reasonable assurance, Limited assurance, Very limited assurance). Values as labelled on each chart:
• Data Protection Governance: 57, 28, 13, 4, 60, 26, 8, 4
• Records Management: 63, 50, 44, 32, 0, 5, 6, 0
• Security: 61, 67, 33, 33, 6, 0, 0, 0
• Training & Awareness: 50, 41, 19, 9, 36, 31, 14, 0
• Requests for personal data: 63, 41, 41, 38, 15, 0, 4, 0
• Data sharing: 80, 43, 29, 29, 20, 0, 0, 0
Common areas for improvement:
Records Management
• Lack of regular internal audit (IS & data handling), compliance monitoring and reporting; plus use of independent external assurance
• Lack of formal records management framework including strategy, roles and responsibility plus policies and procedures
• Lack of effective, formal training programme incorporating RM which comprises mandatory induction and periodic refresher training; plus the monitoring and enforcement of training attendance against corporate KPIs
• Absence of Information Asset Registers (IARs) and associated risk assessment procedure plus ineffective/poorly trained IAOs
• Lack of effective controls concerning retention, weeding and secure destruction of both electronic and manual records
• Lack of effective security and control for manual records especially when being transported or transferred
Common areas for improvement:
Security of personal data
• Lack of regular internal audit, compliance monitoring and reporting; plus use of independent external assurance
• Lack of effective control of IT system access rights, including starters, movers and leavers protocols (permanent and contract staff) plus automated reconciliation with HR / payroll systems
• Lack of effective network endpoint controls and mobile device encryption, plus password control and enforcement
• Lack of security controls for remote access and home working
• Absence of 3rd party monitoring – confidential waste disposal, IT hardware disposal, storage and disposal of records
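The starters, movers and leavers finding above is the one on this list that lends itself to an automated check. The following is an added example, not ICO material and not any organisation's production code: it reconciles an export of IT accounts against an HR/payroll feed and reports the four conditions an auditor would look for (leavers whose accounts are still enabled, movers who kept entitlements from their old department, accounts with no HR owner, and dormant accounts). The feed, the account export, the department-to-group mapping and the shared employee_id key are all constructed assumptions for the example.

```python
"""Added example: reconcile IT accounts against an HR/payroll feed.
Not ICO code; all records, field names and the group model are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    leaving_date: Optional[date]      # None = still employed


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]        # None = no HR link recorded
    enabled: bool
    groups: FrozenSet[str]
    last_logon: Optional[date]        # None = never logged on


# Constructed HR/payroll feed (assumed to be the authoritative joiner/leaver source)
HR_FEED: List[HrRecord] = [
    HrRecord("E100", "Housing", None),
    HrRecord("E101", "Social Care", date(2014, 9, 5)),    # left last month
    HrRecord("E102", "Finance", None),                     # moved here from Social Care
    HrRecord("E103", "Housing", date(2014, 12, 1)),        # leaving in future
]

# Constructed directory export (assumed fields; real exports vary)
ACCOUNTS: List[Account] = [
    Account("asmith", "E100", True, frozenset({"GRP-Housing"}), date(2014, 10, 1)),
    Account("bjones", "E101", True, frozenset({"GRP-SocialCare", "GRP-SocialCare-Case"}), date(2014, 9, 4)),
    Account("cpatel", "E102", True, frozenset({"GRP-Finance", "GRP-SocialCare-Case"}), date(2014, 10, 2)),
    Account("ewhite", "E103", True, frozenset({"GRP-Housing"}), date(2014, 5, 1)),
    Account("svc_backup", None, True, frozenset({"Domain Admins"}), None),
    Account("dlee", "E999", True, frozenset({"GRP-Housing"}), date(2014, 3, 1)),
]

# Constructed role model: which department-governed groups each department may hold.
DEPARTMENT_GROUPS: Dict[str, set] = {
    "Housing": {"GRP-Housing"},
    "Social Care": {"GRP-SocialCare", "GRP-SocialCare-Case"},
    "Finance": {"GRP-Finance"},
}
ROLE_PREFIX = "GRP-"   # groups outside this namespace are reviewed separately, not by department
AUDIT_DATE = date(2014, 10, 15)


def reconcile(hr_feed: List[HrRecord], accounts: List[Account], today: date,
              dormant_days: int = 90) -> Dict[str, list]:
    """Return lists of findings keyed by condition, in directory export order."""
    hr = {r.employee_id: r for r in hr_feed}
    findings: Dict[str, list] = {"leavers_enabled": [], "movers_stale_access": [],
                                 "orphans": [], "dormant": []}
    for acct in accounts:
        rec = hr.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            # No HR owner: cannot be reconciled, so it needs a named human owner or removal.
            findings["orphans"].append(acct.username)
            continue
        if rec.leaving_date is not None and rec.leaving_date <= today and acct.enabled:
            findings["leavers_enabled"].append(acct.username)
            continue   # entitlements are moot until the account is disabled
        allowed = DEPARTMENT_GROUPS.get(rec.department, set())
        stale = sorted(g for g in acct.groups if g.startswith(ROLE_PREFIX) and g not in allowed)
        if stale:
            findings["movers_stale_access"].append((acct.username, stale))
        if acct.enabled and (acct.last_logon is None or (today - acct.last_logon).days > dormant_days):
            findings["dormant"].append(acct.username)
    return findings


def run_example() -> Dict[str, list]:
    """Run the reconciliation over the constructed data as at AUDIT_DATE."""
    return reconcile(HR_FEED, ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for condition, items in run_example().items():
        print(f"{condition}: {items}")
```

The check is only as good as the join key: if HR and IT do not share a stable identifier, the orphan list swells and the real leavers hide in it, which is why the audit finding pairs leaver protocols with automated reconciliation rather than treating them separately.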
Other common areas for improvement:
• Lack of effective monitoring and reporting mechanisms concerning subject access requests, plus performance against corporate KPIs
• Lack of use of PIA/PBD for projects and system changes involving processing of personal data
• Absence of effective, specialised training programmes for key roles including periodic refresher training; plus the monitoring and enforcement of training attendance against corporate KPIs
• Lack of centralised control, monitoring and review of data sharing agreements
Look familiar?
When things go wrong – civil monetary penalties

Sensitive information mixed up and given to wrong person
Organisation | Penalty | Date
Halton Borough Council | £70,000 | May 2013
Devon County Council | £90,000 | December 2012
Plymouth City Council | £60,000 | November 2012
Telford & Wrekin District Council | £90,000 | May 2012
Norfolk County Council | £80,000 | February 2012
Midlothian Council | £140,000 | January 2012
Powys County Council | £130,000 | December 2011

Sensitive information sent to wrong address
Organisation | Penalty | Channel | Date
North Staffordshire Combined Healthcare Trust | £55,000 | fax | June 2013
Leeds City Council | £95,000 | post | November 2012
St George’s Healthcare NHS Trust | £60,000 | post | July 2012
Aneurin Bevan Health Board | £70,000 | post | April 2012
Stoke-on-Trent City Council | £120,000 | email | October 2012
Cheshire East Council | £80,000 | email | February 2012
North Somerset Council | £60,000 | email | November 2011
Worcestershire County Council | £80,000 | email | November 2011
Surrey County Council | £120,000 | email | June 2011
Central London Community Healthcare NHS Trust | £90,000 | fax | April 2012
Hertfordshire County Council | £100,000 | fax | November 2010
Ministry of Justice | £140,000 | email | October 2013
Sensitive information lost or stolen
Organisation | Penalty | How | Date
Sony Computer Entertainment Europe Ltd | £250,000 | network hacked | February 2013
Nursing and Midwifery Council | £150,000 | DVD lost | February 2013
Greater Manchester Police | £150,000 | unencrypted USB | September 2012
London Borough of Lewisham | £70,000 | papers | December 2012
London Borough of Barnet | £70,000 | papers | May 2012
Lancashire Constabulary | £70,000 | papers | March 2012
Croydon Council | £100,000 | papers | February 2012
Ealing Borough Council | £80,000 | unencrypted laptop | February 2011
Hounslow Borough Council | £70,000 | unencrypted laptop | February 2011
Glasgow City Council | £150,000 | unencrypted laptop | June 2013
Ministry of Justice | £180,000 | portable hard drive | August 2014

Inadequate disposal of old files or computer hard drives
Organisation | Penalty | Media | Date
NHS Surrey | £200,000 | hard drives | June 2013
Stockport Primary Care Trust | £100,000 | paper files | June 2013
Scottish Borders Council | £250,000 | paper files | September 2012
Belfast Health & Social Care Trust | £225,000 | paper files | June 2012
Brighton & Sussex Univ Hosp NHS Trust | £325,000 | hard drives | May 2012
Department of Justice (NI) | £185,000 | paper files | January 2014

Sensitive information taken from websites
Organisation | Penalty | How | Date
Aberdeen City Council | £100,000 | online disclosure | August 2013
Islington Borough Council | £70,000 | online disclosure | August 2013
Torbay Care Trust | £175,000 | online disclosure | July 2012
British Pregnancy Advisory Service | £200,000 | hacking | February 2014
Think W3 | £150,000 | hacking | July 2014
Keep in touch
Subscribe to news feeds, blogs or our e-newsletter at
www.ico.gov.uk and find us on…
www.twitter.com/iconews