Measures put in place by the Government to better protect individuals’ personal data have been successful but more work is needed, according to the first annual internal report due under the new regime.
After a series of embarrassing losses of personal information, including the 2007 loss of discs containing the names, addresses and bank details of 25 million child benefit claimants, the Government conducted a Data Handling Review (DHR).
Read more in Out-Law.com
From the report:
Specific Minimum Measures to Protect Personal Information
- Identify All Holdings of Protect Personal Data: Achieved – Departments have identified the protected personal information that they or their delivery partners and 3rd party suppliers hold.
- Handle Data as PROTECT throughout the Delivery Chain: Established and Ongoing – All the DHR mandated measures are routinely being applied to protected personal data while it is processed or stored within departments or their delivery chains.
- Apply Suffolk Matrix: Established and Ongoing – Training on the correct handling of protected information has taken place and is ongoing in all Departments.
- Secure Remote Access to Protected Data: Established and Ongoing – Departments have established processes for secure remote access to data using agreed standards and approved products.
- Protection of Removable Media: Established and Ongoing – Departments have implemented the DHR requirements to encrypt personal information when in transit on removable media.
- Strong Protection for Unencrypted Media: Established and Ongoing – In situations where encryption is not practical, i.e. full system back-up tapes used for disaster recovery or business continuity, Departments have instituted strong controls and monitoring on their movement, access and storage.
- Controlled Disposal of Paper & Media: Established and Ongoing – Departments have implemented policies for the secure disposal of media and paper.
- Review of Measures for Handling Protected Information: Established and Ongoing – Departments have reported on the effectiveness of the DHR measures. Further compliance testing is ongoing.
- Penetration Testing of ICT Systems: Established and Ongoing – Departments have conducted more than 650 Penetration Tests, and continue to work to ensure that testing is in place for existing and new systems.
- Information Risk Awareness Training: Established and Ongoing – All Departments have trained those handling personal information in IA awareness. In the majority of cases departments have chosen to go further and extend this training to all their staff.
- Define Access Controls to Protected Information: Achieved – Access rights to protected personal data have been defined to, where possible, minimise the number of records viewed unnecessarily.
- Log & Monitor Access to Protected Information: Established and Ongoing – Managers are now required to check on a regular basis the logged activity of data users accessing protected personal information.
- Have a Forensic Readiness Policy: Achieved – Departments have produced forensic readiness policies describing processes for preserving and analysing data generated by an ICT system that may be required for legal or management purposes as part of the information asset audit process.
See:
- The report (30-page / 850KB PDF)
- The Data Handling Review (46-page / 218KB PDF)