Part of Data Security Standard 1 - Personal confidential data

Accountability and governance in place for data protection and data security (1.3)


Data security and protection policies (1.3.1)

You must provide evidence that your organisation has data security and information governance (IG) policies in place. As a minimum, your policies should cover:

  • data protection and confidentiality, including: data protection by design, data protection impact assessment, transparency and data subject rights
  • Freedom of Information and Environmental Information Regulations (if applicable)
  • data security
  • records management
  • acceptable use of IT
  • data quality
  • re-use of public sector information (if applicable)
  • arrangements for any of your staff members who work from home such as remote working policies, network access, video conferencing

The size and complexity of your organisation will determine your approach. An all-encompassing policy might be sufficient in smaller organisations, whereas larger organisations may require multiple policies supported by standards and procedures.

The policies should be board approved. The process for this will depend on your organisation’s governance structure. For example, the policies may be sponsored at board level by the senior information risk owner (SIRO), and ratified at a steering group with delegated authority. Alternatively, in a smaller organisation, the policy may be approved by the IG lead and ratified by the senior management team, with representation from the board. It is important the policies are effective, acknowledged and understood.

In addition, your policies should:

  • be reviewed at regular intervals
  • be your 'live' policies and finalised (not draft)
  • be version controlled
  • detail the last and next review date, which should not be exceeded
  • provide an explanation for why they have not been updated in the last three years, where this is the case
  • link to other corporate policies where appropriate (such as an acceptable use of IT policy linking to a disciplinary policy)
  • be available to staff and the public

Compliance with policies and procedures (1.3.2)

Assigning responsibility

The responsibility for monitoring and auditing access to confidential information should be assigned to an appropriate staff member, such as the Caldicott Guardian, IG lead or equivalent.

This member of staff is responsible for ensuring that confidentiality audit procedures are developed and communicated to all staff who can access confidential information. The procedures should include:

  • how access to confidential information will be monitored
  • who will carry out the monitoring of access
  • reporting processes and escalation processes
  • disciplinary processes

Spot checks

Your organisation should undertake spot checks to ensure that your staff understand and adhere to policies and procedures on data protection. Examples of events that you should audit (for instance for their frequency, circumstances and location) are:

  • failed attempts to access confidential information
  • repeated attempts to access confidential information
  • attempts to access confidential information from outside the system, particularly from overseas locations (where technically feasible)
  • successful access of confidential information by unauthorised persons
  • evidence of shared login sessions/passwords
  • disciplinary actions taken
  • devices are locked when not in use
  • cupboards and areas with confidential data are locked and access is restricted
  • confidential waste is disposed of appropriately (shredded or put into confidential waste bins)
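One way to screen access audit records for the first five event types in this list, as an added example that is not part of the Toolkit guidance or this page: a Python screen over constructed audit lines, where the pipe-delimited field layout, the thresholds and the home-country value are assumptions to be replaced by your own audit procedure's values.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data): timestamp|user|record|outcome|source_ip|country
SAMPLE_LOG = """\
2023-08-01T09:00:00|jsmith|REC-1001|SUCCESS|10.0.0.5|GB
2023-08-01T09:01:10|jsmith|REC-1002|FAIL|10.0.0.5|GB
2023-08-01T09:01:40|jsmith|REC-1002|FAIL|10.0.0.5|GB
2023-08-01T09:02:05|jsmith|REC-1002|FAIL|10.0.0.5|GB
2023-08-01T09:03:00|apatel|REC-2001|SUCCESS|10.0.0.9|GB
2023-08-01T09:04:00|apatel|REC-2002|SUCCESS|203.0.113.7|US
2023-08-01T09:05:00|mlee|REC-3001|SUCCESS|10.0.0.12|GB
"""

# Thresholds are assumptions for illustration; tune them to local audit procedures.
FAILED_THRESHOLD = 3                    # failed attempts per user before flagging
REPEAT_THRESHOLD = 3                    # attempts by one user on one record
SHARED_WINDOW = timedelta(minutes=10)   # one user, two source IPs inside this window
HOME_COUNTRY = "GB"

def parse(log_text):
    """Parse the pipe-delimited lines into dicts, ordered by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, record, outcome, ip, country = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "record": record,
                       "outcome": outcome, "ip": ip, "country": country})
    return sorted(events, key=lambda e: e["ts"])

def screen(events):
    """Return (check, user, detail) findings for the spot-check event types."""
    findings = []
    # failed attempts to access confidential information
    for user, n in Counter(e["user"] for e in events if e["outcome"] == "FAIL").items():
        if n >= FAILED_THRESHOLD:
            findings.append(("failed_attempts", user, f"{n} failed attempts"))
    # repeated attempts on the same record, regardless of outcome
    for (user, record), n in Counter((e["user"], e["record"]) for e in events).items():
        if n >= REPEAT_THRESHOLD:
            findings.append(("repeated_attempts", user, f"{record} x{n}"))
    # access from outside the home country (requires a source-country field in the log)
    for e in events:
        if e["country"] != HOME_COUNTRY:
            findings.append(("overseas_access", e["user"], f"{e['ip']} ({e['country']})"))
    # possible shared credentials: one login used from two IPs in quick succession
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["ip"] != b["ip"] and b["ts"] - a["ts"] <= SHARED_WINDOW:
                findings.append(("possible_shared_login", user, f"{a['ip']} then {b['ip']}"))
    return findings
```

Running `screen(parse(SAMPLE_LOG))` on the constructed lines flags jsmith for failed and repeated attempts on one record, and apatel for an overseas access that also looks like a shared login because two source addresses are used a minute apart.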

Development and improvement

The feedback you learn from staff awareness audits, inductions and spot checks should be used to refine your procedures and further raise staff awareness of key issues around confidential information.


SIRO responsibility (1.3.3)

You should have a board-level individual who has overall accountability for the security of networks, information systems and IG and drives regular discussion at board-level. They should be the board champion on data security and protection matters. Their responsibilities as SIRO should be included in their job description and responsibilities document.

See section 1.1.5 for more information about the responsibilities and role of the SIRO.


Lines of responsibility and accountability (1.3.4)

You should be able to evidence clear lines of accountability and responsibility between your organisation’s named individuals for data security and data protection. The lines should be transparent, well-defined and documented.

An example of how this could work is shown below:

Board:

  • SIRO
  • Caldicott Guardian

Information Assurance Group:

  • Head of IT (accountable to SIRO)
  • IS/Cyber Manager (accountable to Head of IT)
  • DPO or IG Lead (accountable to Caldicott Guardian)

Information Assurance Working Party:

  • Cyber apprentice (accountable to IS/Cyber Manager)
  • FOI Lead (accountable to DPO or IG Lead)

Data security risk register (1.3.5)

Risk management should be a key component of your organisation’s data security and protection framework. It should be treated as a continuous cycle. Your organisation should hold two levels of risk register:

DSP risk/unit register:

  • Either one central dedicated data security and protection risk register, or multiple registers at the level of your organisation’s units/locations, should exist.
  • Depending on your risk framework, you may hold a separate IT risk register or it may be included in the DSP risk register.
  • In accordance with your risk framework, where a DSP risk is also a corporate-level risk you may need to record it on both registers so there is oversight at both levels.

Corporate risk register:

  • For your organisation’s corporate-level risks.
  • Risks on the DSP risk/unit register should be escalated to the corporate risk register when they exceed your organisational threshold and interact with corporate risks. This should be done in line with your organisation’s risk appetite, which should be approved by the board.
  • Risks on the corporate risk register should be de-escalated to the DSP risk/unit register if the risk level is sufficiently reduced (such as by new controls being put in place or systems being updated).

There is not a single adopted information security risk management framework mandated by the Data Security and Protection Toolkit. However, the framework adopted by your organisation should be a recognised and acceptable information security risk management framework that covers both cyber security and IG aspects.

Some of the more common frameworks are detailed in The National Cyber Security Centre (NCSC) risk management collection.


Top priority risks (1.3.6)

As part of your risk management approach, you should analyse your top risks and their underlying causes.

For example, for a risk of not being able to recruit and retain data security and protection staff, the underlying cause may be issues with a lower salary range in a large urban city, with a number of nearby large private enterprises paying significantly more.

Another example may be an inability to replace all legacy unsupported operating systems. This may be caused by complications with some being classified as medical devices, an IT estate not fully controlled by one group, or a lack of resources either financial or staff.

Whatever your top three risks are, they should be discussed by the leaders of your organisation, who should put plans in place to mitigate and reduce them. Senior management should not just have visibility of the top three risks but any significant risks (especially those data security and protection risks on the corporate risk register). This may be achieved by discussing the risks at your information assurance group or equivalent, with outcomes and actions reported into the board by the SIRO, who will sit on both the information assurance group and the board. Alternatively, it may be reported to the board as part of a regular (at least annual) SIRO-sponsored written report on IG and cyber activities and risks. Actions and information arising from this should be cascaded to all management levels as appropriate.


Access controls (1.3.7)

As set out by the Information Commissioner's Office (ICO):

The UK General Data Protection Regulation (UK GDPR) requires you to put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights. This is ‘data protection by design and by default’.

In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.

Data access

It is important that staff are only allowed to see, access, modify and delete data if their job requires them to do it. There are generally two ways of achieving this: technical controls and physical access controls.

Technical controls

Technical controls can include, but are not limited to:

Individual user logins: staff have their own logins to systems to allow effective auditing and access controls. Shared logins, including admin accounts not tied to one individual, make it difficult to identify inappropriate access and to restrict access efficiently.

Role-based access: staff only have access to relevant information required for their roles. This may be achieved by granting folder or file access to a limited number of staff.

Smartcard enabled access: smartcards and other forms of physical certification are used as an extra authentication factor for accessing systems.

Two-factor authentication (2FA): staff must confirm their identity via an additional method, such as the use of a password and a code received by text message to their registered device.

Encryption: data is encrypted. This includes data that is stored and data being transferred.

Endpoint port control: access to USB (and other ports) is controlled, restricting who is able to use them and what data they are permitted to copy. This is particularly important on end points.

Pseudonymisation/anonymisation techniques: anonymised or pseudonymised datasets are used whenever possible.

Using test data: data that is completely unrelated to live data is used in situations such as training, where real data is not needed.

Data loss prevention: a system that inspects data going outside the organisation and can report or block it.

Control of personal web-based email systems: access to web-based mail is controlled to protect against the use of commercial web-based email systems which upload corporate data in a way which is not secure.

Effective audit logging: audit logging and monitoring is used as a deterrent to inappropriate use and helps inform development of new technical controls.

Physical controls

Physical controls can include, but are not limited to:

  • lockable doors, windows and cupboards
  • privacy screens
  • dedicated spaces to have confidential conversations
  • sound-proofing of meeting rooms
  • clear desk procedures
  • identification IDs
  • key card access
  • code locks for secure areas

Data protection impact assessment (1.3.8)

A data protection impact assessment (DPIA) is a process which has been designed to help you systematically analyse, identify and minimise the data protection risks of specific projects or plans within your organisation. 

An effective DPIA will help you assess and demonstrate compliance with your data protection obligations. Additionally, it will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to your reputation which might otherwise occur.

When you should conduct a DPIA

You must legally do a DPIA before you begin any type of processing which is “likely to result in a high risk to the rights and freedoms” of individuals. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.

In particular, the UK GDPR says you must do a DPIA if you plan to: 

  • use systematic and extensive profiling with significant effects
  • process special category data on a large scale, such as health and care information
  • systematically monitor publicly accessible places on a large scale (such as CCTV)

More specifically, situations in which you must undertake a DPIA include when your organisation is planning to:

  • use new technologies, such as remote monitoring, or a new care planning tool
  • use profiling or special category data to decide on access to services, such as for risk stratification or for eligibility screening tools
  • profile individuals on a large scale, such as for risk stratification and some types of population health management
  • process biometric data, such as to use fingerprint or facial recognition to allow access to an app
  • process genetic data, such as using DNA sequencing to predict rare disease risk
  • match data or combine datasets from different sources, such as combining GP and social care data to build up a fuller picture of vulnerable individuals
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’), such as for health and care system planning
  • track individuals’ location or behaviour, such as for a food logging and exercising app
  • profile children or target marketing or online services at them, such as apps or websites to support children with their mental health
  • process data that might endanger the individual’s physical health or safety in the event of a security breach, such as for data relating to domestic violence and safeguarding

It is, however, best practice to conduct a DPIA for all processing, as the process will enable you to identify whether the processing is actually high risk or not. This may result in you only conducting the screening question process, but it is necessary so that you can justify your decision not to complete a full DPIA.

How to conduct a DPIA

Before and during the DPIA process, you should consult with your data protection officer (DPO) or IG Lead. The process should be agreed and signed off at board or equivalent level. The steps in a typical DPIA process which is compatible with ICO guidelines are listed below:

  1. Identify need for a DPIA
  2. Describe how the data will be used, shared and stored
  3. Consider consultation
  4. Ensure your proposed use is necessary and only uses relevant data
  5. Identify and assess risks
  6. Identify measures to mitigate the risks
  7. Sign off and record outcomes
  8. Integrate outcomes into plan
  9. Keep under review

For practical guidance on each of the steps described above, please refer to the ICO’s guidance on how to do a DPIA. A template data protection impact assessment (DPIA) produced by NHS England will be made available on the Transformation Directorate’s information governance guidance page in 2023.

Processing likely to result in high risk

If you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to consult the ICO. You cannot go ahead with the processing until you have done so. The ICO has stated that written advice will be provided within eight weeks, or 14 weeks in complex cases.

For examples of processing likely to result in high risk, see the ICO’s guidance on processing ‘likely to result in high risk’.

Transparency 

It is good practice to publish DPIAs, particularly those for which there is a significant public interest. A DPIA will make it easier for people to understand how and why you are using their information. It can also reassure people that you are protecting their interests and meeting their expectations of privacy.

You should redact any commercial, personal or sensitive information that may lead to a security risk before publishing a DPIA. Alternatively, you may wish to publish a summary of the DPIA.


Direction of organisational practices for data security and protection (1.3.9)

The board should provide direction on data security and data protection, which should then be disseminated throughout the organisation through its policies, projects and procedures.

Example scenario

How this might be practically applied:

Problem identified by the board:

  • Risk of phishing attacks through staff members’ emails.

Actions for the board:

  • The board launches an awareness campaign, sponsored by the SIRO

Actions for the information assurance group:

  • The information assurance group ratifies the awareness campaign, agreeing actions to be completed
  • Information security/cyber manager implements a simulated phishing exercise

Actions for the information assurance working party:

  • Cyber apprentice compiles suspicious email reports on a weekly basis for submission to the information security/cyber manager

The results of the campaign will then be fed into the information assurance group for review, with outcomes and any further recommendations filtered through to the board by the SIRO, who also attends (or chairs) the information assurance group.

For more information on how to establish standards for accountability in your organisation, please refer to the ICO’s Accountability Framework.


Last edited: 25 August 2023 9:40 am