Information Security January 2016

What is Information Security?  Information Security is about the physical security of our equipment and networks as well as safeguarding the information (data) that we hold.  Councillors’ responsibilities As processors of personal information, Councilors are data controllers having responsibility for the data you process / store All councillors are register with the ICO, the authority pays the annual £35 fee.

UK data breach examples Prison fined £180K for losing portable hard drive 644.gov.uk, websites hacked since 2004 Sensitive Social care documents found on internet Council fined for USB stick data loss

Data breaches – ICO figures  1,665 UK data breaches investigated in 2014  £5,823,500 issued in Monetary Penalty Notices  25 Million people affected by breaches  Reporting is still not mandatory in many sectors e.g. Private sector This may change with a new EU directive  Actual breaches will be much higher  ICO can issue an undertaking which ensures improvement Criminal offence if breached Can also issue Monetary Penalty up to £500K

Council Data breaches  Payroll data lost in car park Consultant stored payroll data on unencrypted memory stick Member of public found them and handed them in  Children’s services ICO breach Sensitive data posted to wrong person No procedural controls existed to prevent this ICO fined the Council £60,000  Direct Payments containing financial details for 511 people sent to 395 people Incident reported to ICO Featured on Herald front page, several complaints received from public  Council compromised using Outlook Web Access Used to send phishing s to external recipients

Council Data breaches - Trend 2015 Statistics

Recent improvements made  Secure print has reduced the number of printing errors 75% reduction in 2014  80% of staff have completed the data safe eLearning course  Incident reporting process has been improved  Information Commissioners Office (ICO) engaged to perform data security audit 70% of recommendations implemented  Management Information Security Forum, (MISF) Relaunched Attendees at initial meeting from Chief Execs, Finance, Public Health, Dem Support, CareFirst, Legal, Children’s Services, Youth Service, ELAFS, Customer Services, HR

What are the risks?  Paper documents Poor manual handling of documents Not checking what is in a pile of documents Enabling people to view documents in public places Giving people the wrong documents Insecure disposal of documents  All can lead to unauthorised people accessing information they are not entitled to

What are the risks?  Electronic documents Clicking on Phishing s can install malware Malware gives access to council network or logs keystrokes Files stored on unencrypted memory sticks / hard drives Sensitive data being sent by to incorrect place  Impact for electronic files can be larger, due to larger volume of files involved in breaches.

Why is the Council at risk?  We hold lots of data about our citizens. Financial details Bank details, credit card details Health information Child protection information Educational information  The council is seen as an easy target by some people Councils are viewed as not having the resources to implement high security  The Council is connected to national government networks Could be used as an easy access point  The Council has a very public profile As such it is a natural target for some people

What you can do  Protect the paper documents under your control  Ask yourself if it is necessary to carry Council data around  Know where your data is being put electronically  Only use Council supplied equipment to process Council data Keep party political information separate  Report any breach to ICT & Information Governance Manager Take action to reduce impact Recover any lost document  Read the Information Security booklet for Councillors

Data Breaches