AUDIT COMMITTEE
THURSDAY 16 DECEMBER 2010 AT 10.00 AM / Agenda Item No: 2
INFORMATION GOVERNANCE AND DATA PROTECTION AT HERTFORDSHIRE COUNTY COUNCIL
Report of the Director of Resources and Performance
[Authors: Stuart Campbell, Assistant Director Performance and Improvement
Tel: 01992 588397]
1. Purpose of Report
1.1 To update the Audit Committee on the approach to the management of data protection at Hertfordshire County Council.
2. Summary
2.1 The Data Protection (DP) Act contains a series of principles with which organisations and individuals need to comply in their handling of personal data. There are 8 principles – see section 5 ‘Background’ for full details. The principle which is most relevant to this report is Principle 7 – that sensitive personal information should be held securely (and by implication not disclosed to unauthorised individuals).
2.2 As with any large organisation, the management of data protection at Hertfordshire County Council requires a devolved approach, with nominated managers (data controllers) in departments responsible for the datasets they hold. Data Protection is effectively the business of everyone in the organisation who has a responsibility for the management of the personal and sensitive data which we require to perform our functions effectively as a County Council.
2.3 Departments are supported in their responsibilities by staff within the corporate Information Governance Team. This team is also responsible for Freedom of Information response coordination; subject access request responses; and the general awareness/expertise required to update the organisation on latest learning / changes in law etc.
2.4 The corporate Information Governance team works with departments and their managers to raise awareness of policy and best practice, develop advice and training materials, and manage investigations. Data Protection compliance is managed as a corporate risk via the Hertfordshire County Council risk register.
2.5 The corporate team has had a good relationship with the Information Commissioner’s Office (ICO) over the past three years, and provides the link to ICO at times of potential or actual breach of the DP Act, for notification and investigation purposes. This is acknowledged by the ICO through their correspondence. We also seek and implement advice from the ICO in relation to issues concerning Freedom of Information enquiries.
2.6 The authority has generally very high levels of security in relation to the way it stores and manages data electronically (see ‘Background’ section for detail).
2.7 There have been recent failings in data protection compliance. These issues relate in particular to human error in the use of fax for transmission of sensitive data. The ICO has served a penalty notice on Hertfordshire County Council in relation to these matters. In doing so, they do recognise that Hertfordshire County Council has subsequently taken ‘substantial remedial action’ and is ‘fully cooperating with the Commissioner’s office’ in this regard.
2.8 There are ongoing challenges that organisations face in delivering effective Data Protection management. An organisation must put in place effective steps to prevent breaches and release of sensitive data, to reduce the likelihood of inadvertent release. However, human error or deliberate release of information by disgruntled employees always remains a possibility. The ICO Deputy Commissioner reports that ‘human error is behind a high proportion of security breaches that have been reported to us.’[i] Effective management of Data Protection issues therefore has to be an ongoing vigilant process, with the culture of the organisation being alert to and aware of the risks.
2.9 If processes fail despite the precautions taken, then the organisation needs to be able to respond quickly to ensure that any potential harm or further spread of the information is minimised.
3. Conclusion
3.1 There is in place an appropriate risk-managed approach to Data Protection at Hertfordshire County Council, and remedial actions taken in relation to recent breaches are being followed through to seek to ensure that such disclosure should not happen again.
3.2 The organisation needs to remain vigilant and proactive in its management of data protection issues. This should include the ongoing updating and awareness raising of the responsibilities of individuals and teams in the management of sensitive data, and the application of best practice across departments.
4. Recommendation
4.1 That the committee notes the report and the actions being taken.
5. Background
5.1 The 8 Data Protection Principles are as follows:-
1) That personal data must be processed fairly and lawfully – that is you must:-
· have legitimate grounds for collecting and using the personal data;
· not use the data in ways that have unjustified adverse effects on the individuals concerned;
· be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
· handle people’s personal data only in ways they would reasonably expect;
· make sure you do not do anything unlawful with the data.
2) Only process data for specified purposes – that is:-
· be clear from the outset about why you are collecting personal data and what you intend to do with it;
· comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
· comply with what the Act says about notifying the Information Commissioner; and ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
3), 4) and 5) That information held should comply with specified standards in terms of volumes, accuracy and length of time held.
6) That individuals have certain rights in relation to the data held on them, such as:-
· a right of access to a copy of the information comprised in their personal data;
· a right to object to processing that is likely to cause or is causing damage or distress;
· a right to prevent processing for direct marketing;
· a right to object to decisions being taken by automated means;
· a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
· a right to claim compensation for damages caused by a breach of the Act.
7) That information should be held securely. That is you must:-
· design and organize your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
· be clear about who in your organization is responsible for ensuring information security;
· make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and be ready to respond to any breach of security swiftly and effectively.
8) That personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
5.2 The Information Governance Unit at Hertfordshire County Council supports Departments in their Data Protection responsibilities. Their responsibilities include:-
· Supporting the County Council's Data Protection, Freedom of Information and Records Management activity.
· Processing Data Protection Subject Access Requests relating to CSF files to legal timescales.
· Providing advice / guidance to managers / members on fair processing (privacy notice) requirements and appropriate sharing of personal data with third parties.
· Providing support / guidance to managers investigating breaches / undertaking remedial action.
· Co-ordinating the organisation's response to serious data protection breaches.
· Notifying the ICO, where appropriate (and in line with their guidance) of potential / actual breach situations, advising of remedial action.
· Linking with the ICO to manage DP / FOI enquiries / complaints.
· Incorporating ICO guidance / decisions into working practices.
· Undertaking detailed DPA Section 29 investigations on behalf of external agencies (e.g. police, DWP, Immigration and Nationality Directorate, HM Revenue and Customs, other LAs).
· Managing changes to / renewal of Hertfordshire County Council's Data Protection Registration.
· Supporting compliance with ICT Acceptable Use Policies
The Team has:
· Introduced improved security arrangements for the processing of CSF Subject Access Requests (electronic preparation / redaction of files, staff based in secure office at County Hall, paperwork no longer taken off site).
· Eliminated the CSF Subject Access Request waiting list; compliance with the 40-day DPA deadline for all new requests is at 100% despite increased volumes.
· Developed Privacy Impact Assessment processes, as part of an Information Sharing Toolkit for Hertfordshire County Council and partner / external agencies, to underpin responsible processing of personal data / data sharing.
· Implemented a Data Protection Helpline (including email account), raising the profile of Data Protection Team as a support resource.
· Revised Hertfordshire County Council’s processes regarding Section 29 verification / disclosure.
· Created guide to breach management for HCC managers, in line with ICO standards.
· Produced training session on Section 29 legislation / HCC's processes for Child Abuse Investigation Unit (Herts Constabulary).
· Published articles on DP responsibilities / data security.
· Implemented a standard approach to responding to ICO enquiries, to safeguard confidentiality of material passed to them.
5.3 Hertfordshire County Council has a number of policies which enforce compliance with data protection principles. It has, for example, a data protection policy, an ‘acceptable use’ policy relating to use of data on computers and standard data protection clauses for inclusion and management in contracts with providers.
5.4 The principles of data protection and the acceptable use of data are introduced to all new staff in the ICT section of the HCC induction programme. Staff are taken through the ICT acceptable use policy which we require all data users to sign up to.
5.5 The Information Governance Team provide focussed training for departments on matters relating to data protection. This includes the section 29 training outlined above and DP awareness sessions for departments. In addition they are working on the delivery of an online Data Protection module of i-learn which will be released this month.
5.6 Hertfordshire County Council has carried out much effective work in the area of ICT data security. All systems that hold personal data are secured using appropriate measures, and the authority's technical infrastructure has been assessed to effectively comply with the rigorous Government Code of Compliance (CoCo) for the past three years. Effective firewalls and protection measures are in place to prevent inappropriate access or damage to our data. Encryption of data on laptops is a standard feature to prevent disclosure of sensitive data should laptops be lost or stolen.
5.7 The organisation has listed the potential for unintended release of sensitive data as a corporate risk on the Hertfordshire County Council risk register. This raises awareness of the issues at senior management levels and ensures that corporate lessons are learned, thought about organisation wide and communicated effectively.
5.8 The Information Governance Unit carries out awareness-raising communications to staff either corporately via Compass or through targeted action with departments. When there are lessons to be learned, either internally or from cases in other organisations, the unit works with the Corporate Communications Unit to ensure staff are apprised of the issues.
5.9 Hertfordshire County Council is not obliged to notify the ICO of all data protection breaches. However, we choose to do so in line with the guidance published by the ICO office. We look to be open with the ICO on such matters and share data to permit the ICO to comment and recommend action alongside our own internal investigations. This has resulted in a good working relationship with their office which is recognised in the correspondence between us.
5.10 Over the past three years there have been a total of 7 notifications to the ICO by Hertfordshire County Council. These incidents are of varying severity, and the ICO has been satisfied by Hertfordshire County Council’s action on all of them leading up to the most recent fax incidents. There have been a further 4 incidents (of which we are aware) that were reported directly to the ICO, with Hertfordshire County Council fully cooperating on the issues raised. The ICO has closed 3 of these cases, and was satisfied with Hertfordshire County Council's action. One case is outstanding, with the ICO yet to make a decision.
5.11 The 7 breaches reported break down as follows:-
· Pensions statement details sent to wrong staff in error – Serco addressed the systems/people issues responsible and offered Equifax protection to affected staff.
· Subject Access Request data not fully redacted when supplied to requestor. ICO satisfied with Hertfordshire County Council’s action regarding future processing and checks.
· Subject Access Request – data had been archived prematurely. This was not a Data Protection breach, but Hertfordshire County Council notified the ICO in the spirit of openness whilst it was investigating.
· Human error when using redaction software allowed details of a Subject Access Request to be viewed through software conversion (though not directly viewable when released). ICO satisfied with Hertfordshire County Council action. £350 compensation payment.
· Legal fax transmission (two occurrences) – subject to ICO investigation and subsequent action. Also investigated by Internal Audit with a series of recommendations to be met by the Legal department.
· Theft of case file from Barrister's car – under investigation.
Background information referred to by the author whilst compiling this report:
HCC Data Protection Policy – 18 Dec 2009
ICT Acceptable Use Policy – November 2009
[i] Human error ‘causes most data security breaches’ Dermott Calpin LocalGov.co.uk 4 June 2010.
For more information about the issues referred to in this report, please contact Stuart Campbell (Tel: 01992 588397).