Data Protection Compliance Audit Guide

This is what a data protection audit looks like.

1. Introduction
This guide is designed for an audit practitioner who needs to assure their senior management team
that appropriate arrangements are in place for complying with data protection legislation. It
provides practical advice and recommendations to improve the way organisations deal with
information rights issues, and it focuses on the issues that an auditor from the Information
Commissioner’s Office would be most likely to examine.

Organisations who follow the approach set out in this guide will be able to determine whether
sufficient steps have been taken to implement policies and procedures to regulate the processing of
personal data and, if so, to assess whether the processing is carried out in accordance with these
policies and procedures. This will help them:

• Raise awareness of data protection within the organisation;

• Show the organisation’s commitment to, and recognition of, the importance of data protection;
and

• Identify any significant data protection risks.

To break down this task into more manageable sections, this guide follows the audit approach
currently taken by the UK’s Information Commissioner’s Office (ICO). Six scope areas are of
particular concern to the ICO. These are:

• Data Protection Governance - The arrangements and controls in place to ensure compliance with
the Data Protection Act (DPA).

• Training & Awareness - The provision and monitoring of staff DPA training and the awareness of
DPA requirements relating to their roles and responsibilities.

• Records Management - The processes in place for managing both electronic and manual records
containing personal data.

• Security of Personal Data - The technical and organisational measures in place to ensure that
there is adequate security over personal data held in manual or electronic form.

• Requests for Personal Data - The procedures in place to deal with any requests for personal
data.

• Data Sharing - The design and operation of controls to ensure the sharing of personal data
complies with the principles of the DPA.

Where appropriate, this guide also refers to the requirements of British Standard 10012:2009, which
specifies requirements for a personal information management system. The BSI controls mirror
many of the issues that are contained in each scope area.

Should the ICO decide to inspect an organisation, its auditors will expect to find evidence that a
range of controls are in place. The effectiveness of these controls will result in the organisation
receiving an overall assurance rating, which may be publicised by the ICO. The ratings are:

• High Assurance – There will be a high level of assurance that processes and procedures are in
place and delivering data protection compliance. The ICO’s audit will have identified only limited
scope for improvement in existing arrangements and as such it is not anticipated that significant
further action is required to reduce the risk of non-compliance with the DPA.

• Reasonable Assurance – There will be a reasonable level of assurance that processes and
procedures are in place and delivering data protection compliance. The ICO’s audit will have
identified some scope for improvement in existing arrangements to reduce the risk of non-
compliance with the DPA.

• Limited Assurance - There will be a limited level of assurance that processes and procedures are
in place and delivering data protection compliance. The ICO’s audit will have identified
considerable scope for improvement in existing arrangements to reduce the risk of non-
compliance with the DPA.

• Very Limited Assurance - There will be a very limited level of assurance that processes and
procedures are in place and are delivering data protection compliance. The ICO’s audit will have
identified a substantial risk that the objective of data protection compliance is not being
achieved. Immediate action will be required to improve the control environment.

People who follow the advice in this guide will significantly improve the likelihood that, should their
organisation be examined, the ICO will determine that there is a high level of assurance that
effective controls are in place.

2. Data Protection Governance


The extent to which data protection responsibility, policies and procedures, performance
measurement controls, and reporting mechanisms to monitor DPA compliance are in place and in
operation throughout the organisation.

Question areas:

• Policies & procedures

• Governance structures

• Measures to assure compliance

• Audits

• Risk Registers

• Privacy Impact Assessments

Example evidence required:

• Policies & procedures


• Intranet site

• Organisation charts

• Job descriptions

• Terms of reference

• Minutes of meetings

• Internal reports

• External reports

• Audit reports

2.1 Policies & Procedures


Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Policies have a common format and style.

2. Policies are reviewed and updated at regular intervals, to help ensure that they remain up to
date with current legislation and guidelines.

3. Records of these reviews are maintained.

4. A policy review schedule exists to ensure relevant policies are reviewed.

5. Each policy has a policy owner.

6. All relevant staff are consulted during the creation / review cycle.

7. Version controls are in place.

8. Changes to the previous text are described.

9. Policies are centrally located.

10. Policies are easy to find, e.g. on an intranet.

11. Reports are regularly submitted to senior committees on whether policies have followed due
process.

12. Old policies are archived, so staff only have access to the most up to date versions.

13. A system notifies relevant staff when key policy updates are made / withdrawn.

14. A system provides oversight and assurance that staff have read and understood all key policy
documents.

15. Key policy standards are published as stand-alone documents, rather than being incorporated in
other documents.

16. Key policy documents are not just at their draft stage.

Helpful hints: Key policies

Depending on the size of the organisation, the following policies are likely to exist, either as stand-
alone policies, or incorporated into other overarching information governance policies:

• Archiving Policy

• Code of Connection

• Data Protection Policy

• Data Quality Strategy

• Incident Reporting & Management Policy

• Information Risk Management Policy (to establish ownership, responsibility and oversight of
information risk management at appropriate levels within the organisation)

• Information Sharing Policy

• Information Security Policy

• Homeworking Policy

• Physical Security Policy

• Protective Marking Policy

• Records Management Policy

• Retention and Disposal Guide

• Subject Access Policy


2.2 Governance Structures
BSI 10012:2009 requires that:

• A member of the senior management team shall be accountable for the management of
personal information within the organisation such that compliance with data protection
legislation and good practice can be demonstrated.

• One or more suitably qualified or experienced workers shall be appointed to take responsibility
for the organisation’s compliance with the policy on a day-to-day basis.

• If the organisation has multiple departments or systems which process personal information, a
network of data protection representatives shall exist.

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. The management framework has clear lines of responsibility & accountability for the data
protection training, records management, IT security management, and information assurance
agendas to the senior management team. [Ideally, it should not be provided across a variety of
functions, overseen & scrutinised through a number of different meeting forums.]

2. The Terms of Reference of the relevant governance boards have been agreed by the senior
management team.

3. Participants have appropriate role descriptions.

4. Participants are knowledgeable and aware of their roles.

5. Regular meetings are held.

6. Most participants attend regularly.

7. Formal agendas are issued and minutes of meetings are taken.

8. Minutes are made available to other committees.

9. Outstanding issues are followed up.

10. Subgroups provide specialist support – e.g. for technical security issues, information governance,
data quality subgroup or regarding specialist records.

11. Members view it as useful and effective in monitoring and driving forward data protection
compliance needs.

12. Reports are prepared for the senior management team, to provide evidence for annual reviews /
governance statements.

13. A Senior Risk Information Officer / Chief Information Officer / Data Protection Officer has been
appointed.
14. Their role profile is adequate, covering both manual and electronic records.

15. Their performance objectives are adequate.

16. They have received appropriate training / qualifications.

17. They sit on all relevant committees and have a good level of exposure within the organisation.

2.3 Measures
Key Performance Indicators can measure compliance with the DPA, and give senior management
oversight of compliance regarding areas of information risk.

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. A range of management performance indicators exist.

2. These KPIs are regularly reported on.

2.4 Audits
Senior management should receive objective reporting to inform their assurance that policies and
procedures are effective and working as intended.

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. It is clear how compliance with the data protection, information governance or records
management policies is monitored.

2. Regular data protection governance audits are carried out.

3. Regular records management audits are carried out, to check weeding & secure disposal in order to
monitor compliance with the Records Management Policy.

4. Regular IT security audits are carried out.

5. Regular physical security audits are carried out.

6. Audit reports are reviewed and compliance plans are monitored through regular meetings,
where actions or issues on outstanding recommendations can be raised with risk owners and
their managers.

7. Regular spot checks are carried out, e.g. to assess compliance with clear desk policies.

8. Local managers annually sign a statement that covers data quality and security risks, to help
inform the internal audit plan.
9. These statements are reviewed by senior managers.

10. External or internal audit teams are available to carry out audits, to verify the self-assessments
that are carried out.

2.5 Risk Register


Information risks should be routinely identified, assessed and controlled.

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. The risk management framework and process has been agreed by the senior management team.

2. A risk register exists.

3. Where potential third party standards are deemed to be lacking, the register is used to record
whether the organisation has allowed the third party to use their own standards to proceed with
the contract.

2.6 Privacy Impact Assessments


BSI 10012:2009 requires that:

• A process for assessing the level of risk to individuals associated with the processing of their
personal information shall exist.

Privacy Impact Assessments (PIAs) ought to be seen as a key stage in the development for new
projects or major changes to existing processes (e.g. when there are significant changes to
information and computer technology systems or data handling processes). This is to ensure that
any issues relating to the processing of personal data are identified and addressed at the earliest
opportunity, and prior to the changes going into effect.

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. A formal PIA process has been developed, for use on appropriate projects, to ensure that privacy
implications are considered and the necessary controls put in place to reduce risks.

2. PIAs for significant projects should be compulsory, not voluntary.

3. The formal procedure was signed off at senior management team level.

4. A process document is readily available.

5. There is a requirement to consult the Data Protection Manager or the Information Security
Officer when preparing a PIA.

6. A log is maintained of all PIAs carried out by / for the organisation.


7. All PIAs are documented, so that in the event of a complaint or a breach of the DPA, the
organisation can evidence the reasoning behind their decisions.

3. Training & Awareness


Training and awareness – The provision and monitoring of staff data protection training and the
awareness of data protection requirements relating to their roles and responsibilities.

Question areas:

• Induction

• Role based training

• Refresher

• Records

• e-learning

• IT access

• Awareness of where to find out about data protection & ease of access to it

Example evidence required:

• Training presentation

• e-learning module

• Central training records

• Refresher training records

• IT profile requests

BSI 10012:2009 requires that:

• A training & awareness programme for all workers shall exist.

• All relevant workers shall be aware of, and comply with the organisation’s processes and
procedures, with sanctions, appropriate worker development, or procedures put in place to
respond to any non-conformities.

3.1 Induction
Responsible organisations should be able to assure an auditor that the following controls are in
place:
1. Induction training exists on data protection, records management and information security, to
help minimise the risk of inadvertent security breaches.

2. Training is mandatory.

3. Training is for all workers who process personal data (i.e. full time staff, part time staff,
contractors and volunteers).

4. Training must be completed by staff before access to personal data is allowed.

5. Software is linked to the sign-on process of all computer users to ensure they accept and
confirm their understanding of the organisation’s policies – particularly the Information Security
Policy. [Some systems can ensure that staff confirm awareness of policies at initial log on and
then every 6 months.]

3.2 Role Based Training


Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Training needs have been identified for all staff groups, volunteers and key roles with
information risk management responsibilities.

2. Specialist training / advice is available to particular groups (e.g. Information Asset Owners, those
responsible for information governance, Subject Access Request teams, those involved in Privacy
Impact Assessments, data processing and data sharing agreements).

3. Face-to-face training is given to key staff.

3.3 Refresher training


Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Refresher training on Data Protection, Records Management and Information Security exists to
ensure knowledge of current data protection practices is maintained.

2. Refresher training is mandatory.

3.4 Records
Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Training is endorsed at a senior level.

2. It is clear which individual or Committee has overall responsibility for the entire end to end
training process and for mandating any improvements in data protection training.

3. The training includes ‘knowledge checks’ to ensure the subject has been fully understood.
4. Pass/fail scores are set.

5. KPIs are set for training.

6. Training is monitored (ideally, electronically).

7. There is a requirement to report on and follow up non-attendance at training sessions. [Team
leaders should receive reports on individual staff performance to assist them in targeting
additional training, where required. Where issues have been identified, teams can be monitored
by senior management.]

8. Training completion rates are fed into annual staff appraisals and included in performance
objectives for staff.

9. There are relevant training obligation clauses in staff contracts.

10. If the completed training records are documented on an HR system, automatic controls
integrate with an Active Directory to authorise access to certain systems in line with that
person’s job role and training.

3.5 e-learning
Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Good use is made of technology to maximise limited resources in the area of training through
the use of webinars and e-learning modules.

2. These training modules are readily accessible via the intranet.

3. E-learning portals are used to access training resources that are shared with other organisations.

3.6 IT Access
Responsible organisations should be able to assure an auditor that the following control is in place:

1. Classroom-based training is made available for staff without access to computers.

3.7 Awareness
Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. At regular team meetings, data protection and information security matters are discussed, when
appropriate.

2. A variety of channels is used to raise awareness of information management issues (e.g. a
weekly e-Brief, staff magazines & posters), and specific security awareness programmes have been
developed (e.g. ‘TH!NK PRIVACY’).

3. Bulletins are sent to staff outlining any lessons learned from security incidents.

4. Dedicated training officers and champions are in place to support staff training needs, which
includes data protection and security.

5. The training modules are appropriate and regularly reviewed.

4. Records Management
Records management (manual and electronic) – The processes in place for managing both manual
and electronic records containing personal data.

This will include controls in place to monitor the creation, maintenance, storage, movement,
retention and destruction of personal data records.

Question areas:

• Roles and responsibilities

• Policies and procedures

• Training and awareness

• Information assets

• Indexing and tracking of records

• Collection of data

Example evidence required:

• Policies and procedures

• Data collection forms

• Fair Processing Notices

• Records management systems detail

• RM roles and team structure

• Training records

• Information asset register


• Retention schedules

• Destruction records / certificates

BSI 10012:2009 requires that:

• Each organisation should have in place a Records Management Policy defining how it manages
all of its records, including electronic records. The policy should be endorsed by the
organisation’s senior management team and made available to all staff at all levels of the
organisation, both on induction and at regular training.

4.1 Roles and Responsibilities


Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. The organisation has appropriate organisational arrangements in place to support the records
management function to ensure that physical & electronic records containing personal data are
being managed in compliance with the data quality principles of the DPA - for example, personal
data is not held any longer than is necessary for a particular purpose.

2. Clear lines of responsibility from the senior management team downwards exist.

3. Information Asset Owners (IAOs) have been appointed.

4. Their role profiles cover paper as well as electronic records.

5. Their performance objectives are adequate.

6. They have received relevant training in data protection and risk analysis.

7. They regularly review the data they own to ensure they are clear about the nature of the
information held, how it is used and transferred, and who has access to it and why.

8. They systematically assess risk to information in their business areas, to give the SIRO an
accurate overview of information risk across the organisation.

9. Records management policy reviews are included on IT Strategy Group and / or senior
management team meeting agendas.

4.2 Policies and procedures

BSI 10012:2009 requires that:

• There should be regular reviews of technology and processes which involve the processing of
personal information to ensure that the information continues to be adequate for those
purposes. Ideally, these should be incorporated in the accountabilities of Data Custodians.

• Individuals should be able to challenge the accuracy of their personal information and have it
corrected where necessary. Where personal information is inaccurate and unable to be
corrected, for example in relation to a historical record, the organisation shall note the reported
inaccuracy and, where appropriate, the accurate personal information.

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. An overarching Records Management (RM) policy ensures that RM roles and responsibilities are
clearly defined and understood.

2. Detailed policies exist to assist staff in the management of records containing personal data.
[Administration staff may deal with the bulk of records management processes, from file
inception through to disposal, but they need to know just what is required of them. Key policies
will include an Archiving Policy, a Retention and Disposal Guide and a Protective Marking Policy.]

3. The policy defines KPIs for measuring performance of the RM function.

4.3 Training and awareness

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Periodic refresher training concerning records management compliance is carried out.


2. Information Asset Owner (IAO) workshops discuss / highlight potential areas of data risk and
discuss incident trends.

4.4 Information assets

BSI 10012:2009 requires that:

• An inventory of the categories of personal information shall exist.

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Information Asset Registers exist to record all information assets, electronic and paper-based,
held by the organisation, to identify where personal data is stored for easy retrieval and deletion
when necessary. [Risks associated with those assets can then be determined and appropriate
staff (IAOs) given responsibility for mitigating those risks.]

2. There is a location inventory of all paper records. [There must be proper oversight of the
disposal or transfer of records when redundant premises or filing cabinets are vacated].

3. Each Register has an Information Asset Owner.

Helpful hints: Fields you could use in your Information Asset Register

Description
• Brief description of what the asset is

• More detail on what the components of the asset are

Users

• Who created the asset, or where does the asset come from?

• Who is the Information Asset Owner?

• Which department holds responsibility for the asset?

• Who are the stakeholders?

Date

• Creation date

• Date closed (for closed assets)

• Last date asset register was reviewed/updated

Asset status

• Is this asset being actively updated?

• Has the asset been closed?

Purpose

• What part of the organisation does this asset support?

Value

• What is the value to the organisation?

• What would be the cost of replacing the information?

Retention schedule

• How long should it be kept in immediate access?

• What should happen to it when it no longer needs immediate access?

• What are the disposal requirements?

How the asset should be used

• How will you find the information?

• Who can access the information and how?

• What do you need to be able to do with the information?

• What do you need to be able to understand about your information?

• To what extent do you need to prove your information is what it claims to be?

Risk

• What are the risks to the asset?

• What are the risks to the organisation from the asset (for example from its loss, corruption or
inappropriate access)?

Helpful hints: Accountabilities for Information Asset Owners

• Understand and address risks to your information assets, and provide assurance to your
manager.

• Know who has access to your information assets and why, and monitor use.

• Understand whether a delivery partner or supplier has a dependency on your information to
deliver a service.

• Approve and minimise data transfers.

• Monitor the allocation of users’ rights to transfer personal information to removable media.

• Approve arrangements so that information put onto removable media is minimised and
protected.

• Make sure your information assets are fully used, including responding to access requests.
This includes actively considering whether public protection or public services could be
enhanced through greater access to the information assets that you’re responsible for.

4.5 Indexing and tracking of records

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. An electronic document and records management system is used which has in-built role specific
access controls. [Some systems have audit trails which provide details of all access, changes and
actions taken on documents.]

2. There is a procedure for ensuring that particularly sensitive paper records, taken from individual
offices on an ad-hoc basis, are recorded and monitored.

3. The off-site storage of paper records, including transport and retrieval, is well managed with a
clear audit trail. [A Master External Records spreadsheet should require the mandatory
completion of a pro-forma designed to capture essential retention requirements.]
4. A protective marking scheme is in use for electronic and paper documents, to ensure they are
handled appropriately.

5. Staff are trained on protective markings.

6. Software is in place to ensure staff must attach a protective marking classification to every email
sent.

7. Retention schedules have been developed.

8. Retention schedules have been agreed.

9. Retention schedules are similar to the standards published by the Records Management Society.

10. Retention schedules for paper records have been implemented (by weeding and secure disposal).

11. Retention schedules for electronic records have been implemented.

4.6 Collection of data

BSI 10012:2009 requires that:

• The legal grounds for processing of personal information must be clearly identified before
processing commences.

• The processing of personal information must not be carried out in a way which breaches or
potentially breaches any legal obligations, including statutory provisions, common law or
contractual terms.

• Sufficient consents for marketing and sensitive purposes must be obtained.

• Retention schedules should ensure that personal information is not kept for longer than
necessary.

Helpful hints: Best practice marketing checklist

When obtaining consent for marketing:

• We use opt-in boxes.

• We specify methods of communication (e.g. by email, by text, by phone, by recorded call, by
post).

• We ask for consent to pass details to third parties for marketing, and name or describe those
third parties.

• We record when and how we got consent, and exactly what it covers.

When using bought in lists:

• We check the origin and accuracy of the list.

• We check when and how consent was obtained, and what it covers.

• We don’t use bought-in lists for texts, emails or recorded calls (unless we have proof of opt-in
consent within last 6 months which specifically named or described us).

• We screen against the Telephone Preference Service.

• We tell people where we got their details.

When making calls:

• We screen live calls against the Telephone Preference Service.

• We only make recorded calls with opt-in consent.

• We keep our own do-not-call list of anyone who says they don’t want our calls.

• We screen against our do not call list.

When sending texts or electronic communications:

• We only text or email with opt-in consent (unless contacting previous customers about our own
similar products, and we offered them an opt-out when they gave their details)

• We offer an opt-out (by reply or unsubscribe link)

• We keep a list of anyone who opts out

• We screen against our opt-out list

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Fair processing notices (FPNs) exist for customer and staff data. [As a minimum, and in line with
the ICO’s Privacy Notice Code of Practice, the FPN will identify the organisation and describe the
non-obvious uses of the information (e.g. who it will be shared with).]

2. FPNs are available in respect of data collected by websites, paper forms and CCTV.

3. Data collection forms have been designed to minimise the amount of information gathered
when individuals first contact them.

4. Cookie notices on websites are appropriate.

5. Special notices are available for individuals with particular needs.

6. There is a central log of data collection forms, to ensure that FPNs are up-to-date and consistent.

7. Other informative leaflets are available (say, in a document entitled ‘How we use personal
information’, accessible both through the organisation’s website and as a printed version,
distributed in customer facing areas).

8. The notice fairly explains an individual’s rights (particularly about marketing).

Helpful hints: CCTV systems

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Annual reviews of the use of CCTV are carried out.

2. Notification has been submitted to the Information Commissioner and the next renewal date
recorded.

3. There is a named individual who is responsible for the operation of the system.

4. The problem the organisation is trying to address has been clearly defined and installing
cameras is the best solution. [This would have been set out in a CCTV policy document.]

5. A system has been chosen which produces clear images which the law enforcement bodies
(usually the police) can use to investigate crime and these can easily be taken from the system
when required.

6. Cameras have been sited so that they provide clear images.

7. Cameras have been positioned to avoid capturing the images of persons not visiting the
premises.

8. There are visible signs showing that CCTV is in operation.

9. Staff and customers are aware of the purposes of the CCTV system.

10. Where it is not obvious who is responsible for the system, contact details are displayed on the
sign(s).

11. Images from the CCTV system are securely stored, where only a limited number of authorised
persons may have access to them.

12. A retention period has been determined that is long enough for any incident to come to light
(e.g. for a theft to be noticed) and the incident to be investigated.

13. Images are deleted securely when they no longer need to be retained.

14. Except for law enforcement bodies, images will not be provided to third parties.
15. The potential impact on individuals’ privacy has been identified and taken into account in the
use of the system. [This would have been achieved by means of a Privacy Impact Assessment.]

16. The organisation knows how to respond to individuals making requests for copies of their own
images. [If unsure, the controller knows to seek advice from the Information Commissioner as
soon as such a request is made.]

17. Regular checks are carried out to ensure that the system is working properly and produces high
quality images.

5. Security of Personal Data

Security of personal data – The technical and organisational measures in place to ensure that there
is adequate security over personal data held in manual or electronic form.

Question areas:

• Owner / responsibility

• Physical security - manual records

• Network security

• Mobile media

• Home working

• Staff monitoring

Example evidence required:

• Policies & procedures

• Key registers

• IT security licenses

• Incident log

• Security standards clauses

• Home working risk assessments

• Register of mobile media

BS 10012:2009 requires that:

• Personal information must be protected against loss or damage and unauthorised or unlawful
processing, by the implementation of appropriate technical and organisational security
measures.

• Security incidents shall be managed appropriately.

Helpful hints: PECR audits

When auditing the security controls that are in place to safeguard information held by
communications service providers, the ICO is likely to particularly focus on the following areas:

• Information Security Framework - A formal Information Security Framework is in use to cover all
aspects of information security including strategy, policies, breach notification logs,
ownership and legal/sector standards such as ISO 27001, ITIL and COBIT. The framework should
reflect organisation size and IS maturity requirements in terms of “appropriate” security.

• Information Risk Management - Information security risks are managed throughout the
organisation in a structured way so that management understands the business impact of
personal data related risks and manages them effectively to assure the business of the
organisation.

• Information Security Policy and Controls - [PECR Regulation 5(1)(c)] The existence of a formal
policy covering all requirements of Information Security and which is mapped to corresponding
controls and rules e.g. password complexity and lifecycle. Policy should have an owner and be
subject to regular review based on policy lifecycle including monitoring and assessment.
Evidence of policy awareness and a security culture.

• Asset Management - Systems in place to record all data, software and hardware devices in use
by the enterprise and all assets should have a nominated owner.

• Third Party Service Contracts - Contracts in place covering all statutory requirements including
DPA. Security standards defined and systems in place to assess effectiveness.

• Network Access Controls - Systems in place to apply security policy mapped rules covering areas
such as network firewalls, network endpoint controls e.g. USB port and optical drive restrictions,
web and email filtering. Use of endpoint controls systems for auditing, disc encryption etc.

• Remote Working - Procedures and systems applied to provide additional controls and security
levels for devices and users not directly connected to the enterprise network, including Wi-Fi,
home broadband use, 3G/4G mobile working access and other third party system access.

• System Monitoring - Systems in place to distribute software and AV patches and updates.
Related system “hygiene” rules designed to protect against external security threats or
unauthorised internal system access.

• Web Applications & Cloud Computing - Systems in place to protect any personal data processed
via the internet. (see ICO Good Practice Summary on protecting Personal Data in online services
below)
• Breach Notification - The procedures and organisation in place to monitor, record, investigate
and report any personal data related security incident. Investigations may include root cause
analysis. Evidence of learning outcomes from incidents.

• Physical security - Building controls including pass card security zoning for key areas such as
server rooms. Secure printing capabilities, including safe haven or other arrangements for fax
machines. Secure storage of mobile devices and secure destruction at end of life. The location
and equipment used for holding manual personal data has appropriate security controls,
including access controls, key management and alarm systems.

Helpful hints: Protecting Personal Data in online services

In May 2014 the ICO published a report on the top eight security vulnerabilities facing organisations.
These are:

• A failure to keep software security up to date.

• A lack of protection from SQL injection.

• The use of unnecessary services.

• Poor decommissioning of old software and services.

• The insecure storage of passwords.

• Failure to encrypt online communications.

• Poorly designed networks processing data in inappropriate areas.

• The continued use of default credentials, including passwords.

Specifically, the following advice was offered:

Software security updates

• You should have a software updates policy in place for all software used for processing personal
data. Ensure that all software components are covered by the policy, including operating
systems, applications, libraries and development frameworks.

• There may be good reasons not to apply all available updates as soon as possible. Your policy
can take into account these reasons.

• When there is no compelling reason to delay, you should apply security updates as soon as is
practical.

Structured Query Language injection

• Be aware of all of your assets that might be vulnerable to Structured Query Language (SQL)
injection. SQL injection can affect applications that pass user input into a database. This includes
many modern websites and web applications.

• SQL injection presents a high risk of compromising significant amounts of personal data. You
should consider it a high priority for prevention, detection and remediation.

• SQL injection results from coding flaws – so be sure you know who is responsible for developing
and maintaining your code. It is these people who you will need to rely on to prevent SQL
injection or fix SQL injection flaws if they are found. They will need guidance and training to
understand the issue.

• Consider procuring independent security testing (penetration testing, vulnerability assessment,
or code review, as appropriate) of the relevant sites or applications in order to identify code
development issues, including SQL injection flaws. Do this before the application goes live. It is
good practice to periodically test live applications.

• When remediating an SQL injection flaw, use parameterised queries where possible, and ensure
that all similar input locations are also checked and remediated where applicable.

Unnecessary services

• Completely decommission any service that is not necessary.

• Ensure that services intended for local use only are not made publicly available.

• Use periodic port-scanning to check for unnecessary services which have been inadvertently
enabled.

• Maintain a list of which services should be made available. Periodically review the list to see
whether any services have become unnecessary and restrict or decommission them as
appropriate.

Decommissioning

• Be aware of all the components of a service so that you can make sure they are all
decommissioned.

• Make a record of any temporary services which you will eventually need to disable.

• Thoroughly check that the decommissioning procedure has actually succeeded. Use systematic
tools such as port scanners to do this where possible. Do not forget to arrange for proper
disposal of any hardware, as appropriate (see the ICO guidance on IT disposal).
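The two lists above, unnecessary services and decommissioning, both come down to comparing what is actually listening with a maintained list of what should be. The following added example (written for this edit, not code from the ICO report or this guide) does that comparison over a constructed snapshot of one host's listening sockets and includes the active connect check used to confirm that a decommissioned service has really gone. The approved-service entries, port numbers and process names are hypothetical.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str    # "tcp" or "udp"
    bind: str     # address the socket is bound to
    port: int
    process: str  # owning process as reported by the host


# The maintained list of services that are allowed to be available (hypothetical entries).
# "public" records whether the service is meant to be reachable from outside the host.
APPROVED = {
    ("tcp", 443): {"name": "https front end", "public": True},
    ("tcp", 22): {"name": "ssh (administrators)", "public": True},
    ("tcp", 5432): {"name": "postgresql", "public": False},
    ("tcp", 6379): {"name": "redis cache", "public": False},
}

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def audit_listeners(listeners, approved=APPROVED):
    """Compare what is listening with the approved list; return (kind, item, note) findings."""
    findings = []
    seen = set()
    for item in listeners:
        key = (item.proto, item.port)
        seen.add(key)
        entry = approved.get(key)
        if entry is None:
            findings.append(("UNAPPROVED", item, "not on the approved list: decommission or add it"))
        elif not entry["public"] and item.bind in WILDCARD_BINDS:
            findings.append(("EXPOSED", item, f"{entry['name']} is local-only but bound to all interfaces"))
    for key, entry in approved.items():
        if key not in seen:
            findings.append(("MISSING", key, f"{entry['name']} is approved but nothing is listening"))
    return findings


def port_open(host, port, timeout=1.0):
    """Active check: confirm that a decommissioned service really stopped answering."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed snapshot of one host's listening sockets (what `ss -ltnup` or a port scan would show).
SAMPLE_LISTENERS = [
    Listener("tcp", "0.0.0.0", 443, "nginx"),
    Listener("tcp", "0.0.0.0", 22, "sshd"),
    Listener("tcp", "127.0.0.1", 5432, "postgres"),
    Listener("tcp", "0.0.0.0", 6379, "redis-server"),  # cache accidentally bound to all interfaces
    Listener("tcp", "0.0.0.0", 23, "in.telnetd"),      # nobody approved this
    Listener("tcp", "0.0.0.0", 8080, "java"),          # staging service never decommissioned
]


if __name__ == "__main__":
    for kind, item, note in audit_listeners(SAMPLE_LISTENERS):
        print(f"{kind:10} {item}  {note}")
```

Run against the sample snapshot it reports the Redis cache as exposed and the telnet and port 8080 listeners as unapproved; run against a snapshot taken after a service has been removed it reports that service as missing, which is the confirmation the decommissioning procedure should record. The "MISSING" finding is also how a service that silently died gets noticed, so the same report serves the availability side of the policy.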

Password hashing

• Don’t store passwords in plain text, nor in decryptable form.

• Use a hash function. Only store the hashed values.

• The hash function should have appropriate strength to make offline brute-force attacks
extremely impractical.

• Use salting to make offline brute-force attacks less effective.

• Periodically review the strength of the hash function and keep up to date with advances in
computing power. The best way of achieving this is to use a password hashing scheme with a
configurable work factor (for example PBKDF2, bcrypt, scrypt or Argon2), rather than a
general-purpose hash such as MD5 or SHA-256 on its own.

• Use a combination of password strength requirements and user-education to ensure that
attackers can't simply guess common passwords.

• Have a plan of action in case of a password breach. This should include how to reset users'
passwords in bulk and how to notify them of what has happened and what they need to do
about it.

Configuration of Secure Sockets Layer or Transport Layer Security

• Ensure that personal data (and sensitive information generally) is transferred using Secure
Sockets Layer (SSL) or Transport Layer Security (TLS) where appropriate.

• Consider using SSL or TLS for all data transfer in order to reduce complexity. Remember that in
the case of a website, any included content such as images, JavaScript or CSS should also be
provided over SSL or TLS in order to avoid 'mixed content' warnings.

• Ensure that SSL or TLS is set up to provide encryption of adequate strength. [All versions of SSL,
and TLS 1.0 and 1.1, have since been deprecated; new services should require TLS 1.2 or later.]

• Ensure that every SSL or TLS service uses a valid certificate, and schedule renewal of all
certificates before they expire to ensure the services remain secure.

• Consider obtaining an Extended Validation (EV) certificate if assurance of identity is of particular
importance.

• Do not encourage users to ignore SSL or TLS security warnings.
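As an added example (written for this edit, not code from the ICO report or this guide), the following shows a client-side TLS configuration with the weak settings an auditor should flag beside the corrected one, a small check that reports those settings, and the certificate-expiry calculation behind "schedule renewal before they expire". It uses only the standard ssl module; the sample certificate fields and the clock value are constructed for the demonstration.

```python
import ssl


def weak_client_context():
    """A context that 'works' against any server: exactly the settings an auditor should flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE       # accepts any certificate, valid, expired or forged
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library still allows
    return ctx


def hardened_client_context(cafile=None):
    """Certificate required, host name checked, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_findings(ctx):
    """Settings in a client context that would undermine the protection the advice asks for."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts protocol versions below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid certificate")
    if not ctx.check_hostname:
        findings.append("does not check the certificate against the host name")
    return findings


def days_until_expiry(peercert, now_epoch):
    """peercert is the dict SSLSocket.getpeercert() returns; notAfter is in OpenSSL's text form."""
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return (not_after - now_epoch) // 86400


def renewal_due(peercert, now_epoch, warn_days=30):
    """True when the certificate should already be in the renewal queue."""
    return days_until_expiry(peercert, now_epoch) <= warn_days


# Constructed certificate fields and clock, shaped like what getpeercert() and time.time() give.
SAMPLE_CERT = {"subject": ((("commonName", "www.example.org"),),), "notAfter": "Jun  1 12:00:00 2026 GMT"}
SAMPLE_NOW = ssl.cert_time_to_seconds("May  2 12:00:00 2026 GMT")


if __name__ == "__main__":
    print("weak:", context_findings(weak_client_context()))
    print("hardened:", context_findings(hardened_client_context()))
    print("days left:", days_until_expiry(SAMPLE_CERT, SAMPLE_NOW), "renew now:", renewal_due(SAMPLE_CERT, SAMPLE_NOW))
```

The order of the two assignments in weak_client_context() is itself a hint for code review: the library refuses to drop verification while host-name checking is on, so any code that sets check_hostname to False is worth reading closely. In production the "now" value comes from the clock and the certificate from a real getpeercert() call against each service on the inventory.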

Security architecture

• Ensure testing or staging environments are segregated from the production environment.

• Consider segmenting your network according to function and in accordance with your data
protection policies.

• Ensure your network architecture accounts for functions such as backups and business
continuity in general.

Accessible locations

• Make sure you have policies for how, when and where personal data will be processed.
• Consider all the services you are running, how they are accessible, and whether they comply
with your policies.

• In particular, ensure any web servers are exposing only the intended content. Where necessary,
apply specific access restrictions. Do not rely merely on obscurity to prevent access.

• Avoid high risk services such as telnet.


5.1 Owner/responsibility

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Nominated individuals are responsible for the security of personal data.

2. An IT Asset Register exists.

3. The register has an owner.

4. The register records repairs and disposals.

5. An Information Security Policy exists.

6. The current levels of security are sufficient to prevent unauthorised or inappropriate access to
data held on business systems.

7. Nominated individuals are responsible for managing security breaches.

5.2 Physical security

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. A physical security policy exists (which, if necessary, meets HMG standards).

2. Working areas are not shared with other organisations.

3. Staff are required to wear their ID badges.

4. Visitors must sign in to buildings and sign for receipt of a temporary access card.

5. Staff and contractors, when they leave the organisation, must return their ID badges.

6. Temporary passes for staff must be only active for the day of issue.

7. An Identity and Access Management system is used for physical access to office premises.

8. Physical access permissions to premises default to standard office hours for all staff, unless
specific authorisation is granted.

9. People without passes are routinely challenged.

10. Compliance reporting is provided to senior management on a periodic basis to confirm this is
taking place.

11. Access swipe cards are not shared by staff. [Swipe or proximity cards may have unique PINs to
monitor this.]

12. Physical access to business areas is restricted to that which is required for each role.

13. Secure areas are not shared with non-secure teams.

14. Biometric zoning access control is in place to prevent unauthorised access to key areas holding
information classified as ‘Confidential’ or above.
15. Additional controls are applied to server rooms.

16. Some rooms are locked by default (e.g. records rooms).

17. Access codes for office doors where key pad locks are used are periodically changed.

18. Key safes exist for safe storage of keys for lockable units that store paper files.

19. Clear desk policies are in place.

20. Clear desk policies are being observed.

21. Regular floor sweeps take place.

22. Action is taken against those who ignore the clear desk policy.

23. The results of clear desk policies are reported to senior management.

24. Paper files have Radio Frequency Identification (RFID) tags (to facilitate easy access, record
tracking, reduce the risk of missing records and help locate missing files).

25. Sensitive paper files, in daily use in public areas, are secured in lockable trolleys or cupboards.

26. Controls for transporting paper files are effective. [Paper records need good audit trails, e.g. a
signing out and in process to log their flow between offices. These issues should be covered in a
‘Data Handling Guide’.]

27. Tamper proof mail bags, approved couriers and contents lists are used.

28. Effective fire and flood controls are in place with respect to paper files.

29. Secure printing controls are in place, especially in shared printing areas.

30. Web-based booking systems help mitigate the physical security risks around paper based
booking forms and receiving forms by fax.

31. Effective procedures are in place for the destruction of paper records. [Confidential waste bags
should be individually tagged and separated from normal waste via locked bins and cages.
Destruction certificates should identify each individual bag that is shredded.]

32. These procedures are standard across the organisation.

33. Secure disposal contractors have been appointed. [Written contracts must contain relevant
data protection and

34. Contractors who destroy confidential waste are monitored.

5.3 Network security

Responsible organisations should be able to assure an auditor that the following controls are in
place:

Access controls

1. An access control policy has been established, documented and signed off based on business
and security requirements.

2. The policy sets out when an account is created / deleted.

3. The policy takes into account the removal of access rights.

User registration

4. A user registration and removal procedure is in place.

5. User ids are unique.

6. Users are required to sign an Authorised User Policy prior to having an account created.

7. Access roles are defined and used.

8. There is no generic administrator account.

Privilege management

9. The allocation of privileges is controlled in a formal manner.

10. There is a record of the authorisation process and the privileges assigned.

11. The Authorised User Policy covers keeping passwords secure.

12. There is a procedure to verify the identity of the user prior to resetting or sending passwords.

Review of user access rights

13. Regular reviews of access rights take place using a documented process, to ensure staff only
have access to data that they need to carry out their duties.

14. Regular reminders are issued to all managers who are responsible for communicating new
starters, leavers and mover amendments to the IT Help desk so access rights can be amended in
a timely manner, helping to minimise any unauthorised access to systems. [Leavers' accounts
should be disabled on their last day and permanently deleted after a defined period, rather than
left disabled indefinitely.]

15. Active Directory accounts set up for temporary staff are time-limited to help mitigate the timing
delays and /or lack of communication from departments in removing these staff from relevant
systems.

16. As a back stop, redundant Active Directory accounts unused after a set period of inactivity (e.g.
one month) are automatically suspended and after 3 months automatically deleted. [Checks
should be performed for inactive accounts, including long term sick and maternity leave, and for
unauthorised activity on the network, including wireless access.]

17. User access rights are re-allocated when they move groups within the organisation.

User responsibilities

18. Users keep their passwords secure and do not share them.

19. Users do not write down their passwords on post-its or store them on the side of their laptop or
keyboard.

20. Users change temporary passwords at first log-on.

21. Appropriate user authentication controls are in place for external connections (e.g. Citrix,
Virtual Private Networks with tokens/fobs, certificates).

Password management system

22. The use of individual username / passwords is enforced.

23. A password history file is maintained to prevent re-use of previous passwords.

24. Users are allowed to select / change their own passwords.

25. Secure passwords are enforced. [These will include the use of higher / lower case letters,
numbers etc. and, depending on the sensitivity of the information to be protected, passwords
greater than 8 characters in length.]

26. Periodic password changes occur (i.e. every 40 – 60 days). [Later NCSC and NIST guidance advises
against routine forced expiry, recommending instead that passwords be changed when compromise
is suspected, with length preferred over complexity rules; auditors should expect one or the other
to be applied consistently.]

27. Passwords are stored and transmitted securely.

28. Automated password change prompts are enabled not just for Windows but for all other
applications, such as CRM.

Monitoring

29. Audit logs recording user activities, exceptions, and information security events are produced
and kept for an agreed period, particularly in respect of the organisation’s case management
system, to assist in future investigations and access control monitoring.

30. Procedures for monitoring use of information processing systems exist.

31. The results of such monitoring activities are reviewed regularly.

32. Regular penetration tests are undertaken on web based applications.

33. Regular penetration tests are carried out for social engineering purposes.

Security breach management

34. There is a Security Breach Policy.

35. The policy describes the types of events that should be classified as a security breach and how
they should be reported (with referral to the ICO if necessary). [An automated incident
reporting tool allows incidents to be effectively managed.]

36. Reports are referred to senior management for oversight of the breach logs and to work with
others to identify trends, record lessons learnt and formulate good practice.

IT assets

37. There is a central register of the organisation’s main IT systems. [IT assets being
decommissioned should be reconciled against the master IT asset register and deleted, where
appropriate.]

38. There are regular audits between actual hardware and IT asset register entries to ensure the
organisation has an accurate record of what IT hardware (including mobile media) is in use and
held across all premises.

39. USB ports on desk top machines have been locked down.

40. Computer screens are locked when not in use or inactive.


Code of connection

41. The organisation meets relevant Code of Connection requirements.

42. Where appropriate, formal Risk Management and Accreditation Document Sets (RMADS) exist for
restricted systems or those storing or processing sensitive information, in line with HMG
Information Assurance Standards 1 and 2 (which require accreditation for all systems
connected to the organisation).

5.4 Mobile media

Responsible organisations will employ a range of technologies to protect mobile devices, such as
encryption, anti-virus, tracking and monitoring software.

They should be able to assure an auditor that the following controls are in place:

1. An endpoint control system is in place to help protect against unauthorised use of unencrypted
memory sticks, removable media and drives, to reduce the risk of unauthorised transfers of
personal data to non-approved storage media. [Software should enable monitoring and
reporting of attempts to introduce unauthorised hardware to the network. It should not be
possible to write data to non-approved and unencrypted removable storage media.]

2. All laptops and other mobile devices owned by the organisation are fully encrypted.

3. Encrypted USB sticks are issued by the organisation.

4. A record of ownership of mobile devices and mobile storage media is kept, which includes the
location of the owner.

5. The disposal of equipment is appropriately authorised and logged for audit, monitoring and
investigation purposes.

6. The organisation has a log of the justifications for using approved USB devices within their job
roles.

7. USB ports in laptops have been locked down.

8. A ‘white list’ of acceptable network devices has been created.

9. Unauthorised access alerts relating to the use of mobile devices are regularly reviewed.

10. Technical solutions allow remote workers to access key business systems without personal data
leaving the organisation’s network. [Access to IT systems should be via thin client devices.]

11. Computer screens are locked when not in use or inactive.

5.5 Home working

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. A homeworking policy exists. [Homeworkers must know and understand the organisation’s
recommended practices and procedures to ensure the security of personal data while working
from home.]

2. Remote working risk assessments are completed. [All staff working remotely or who undertake
regular home working should have signed a declaration evidencing that they take responsibility
for the safe keeping of personal data, prior to being authorised to work from home. The use of
home computers with limited corporate control needs risk assessing and appropriate measures
introduced to mitigate the risks identified.]

3. Homeworkers are instructed not to store data on local computer drives to reduce duplicated
and redundant data, and to ensure the organisation is complying with its retention and disposal
schedules.

4. The remote working system requires both user and device authentication.

5.6 Staff monitoring

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Measures allow the tracking and monitoring of the volume of emails being sent to private email
addresses such as Hotmail and Gmail accounts. [Sample checks should ensure the content
being sent externally to such addresses does not contain personal data / sensitive information
without adequate protection.]

2. There is a robust process for tracking outgoing mail. [Audit logs of all outgoing mail should
record relevant transaction information, tracking communications through delivery to receipt.]

3. There is a process for tracking staff internet usage.

4. There is a process for tracking staff mobile phone usage.

5. There are good processes in operation to protect customer data within the contact centre
environment. [Customer identities are authenticated before staff enter into any transaction
with them; employee access to customer call recordings and payment card details is restricted
on a need-to-know basis.]
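The first control above, tracking mail sent to private webmail addresses, is the one an auditor can most readily test against evidence, so here is an added example (written for this edit, not code from the ICO or this guide) of the detection logic run over a handful of constructed mail-gateway log lines. The log format, the webmail domain list, the volume threshold and the attachment extensions are all assumptions for the demonstration; a real deployment would parse its own gateway's format and tune the thresholds.

```python
import re
from collections import defaultdict

WEBMAIL_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com", "googlemail.com"}
DATA_EXTENSIONS = (".xlsx", ".xls", ".csv", ".docx", ".pdf", ".zip")
VOLUME_THRESHOLD = 3   # messages to webmail addresses per sender in the period under review

# Assumed gateway log shape: "<timestamp> from=<addr> to=<addr> size=<bytes> [attachments=a,b]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) size=(?P<size>\d+)(?: attachments=(?P<att>\S+))?$"
)


def parse(lines):
    """Yield one dict per parseable log line; lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["size"] = int(d["size"])
            d["att"] = d["att"].split(",") if d["att"] else []
            yield d


def webmail_report(lines):
    """Per-sender volume, bytes and data-bearing attachments sent to webmail domains."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0, "attachments": []})
    for e in parse(lines):
        domain = e["to"].rsplit("@", 1)[-1].lower()
        if domain in WEBMAIL_DOMAINS:
            s = stats[e["from"]]
            s["count"] += 1
            s["bytes"] += e["size"]
            s["attachments"] += [a for a in e["att"] if a.lower().endswith(DATA_EXTENSIONS)]
    return dict(stats)


def flag_for_sample_check(report):
    """Senders whose traffic justifies a content sample check, with the reasons."""
    flagged = {}
    for sender, s in report.items():
        reasons = []
        if s["count"] >= VOLUME_THRESHOLD:
            reasons.append(f"{s['count']} messages to webmail addresses")
        if s["attachments"]:
            reasons.append("data-bearing attachments: " + ", ".join(s["attachments"]))
        if reasons:
            flagged[sender] = reasons
    return flagged


# Constructed sample log for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2024-03-04T08:55:10Z from=alice@corp.example to=bob@supplier.example size=3100",
    "2024-03-04T09:12:31Z from=alice@corp.example to=alice.home@hotmail.com size=1200",
    "2024-03-04T12:40:02Z from=alice@corp.example to=alice.home@hotmail.com size=900",
    "2024-03-04T17:58:44Z from=alice@corp.example to=alice.home@hotmail.com size=2300",
    "2024-03-04T10:05:19Z from=dave@corp.example to=dave.smith@gmail.com size=480000 attachments=customer_list.xlsx",
    "2024-03-04T11:20:00Z from=erin@corp.example to=erin.k@outlook.com size=700",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for sender, reasons in flag_for_sample_check(webmail_report(SAMPLE_LOG)).items():
        print(sender, "->", "; ".join(reasons))
```

On the sample log the report flags one sender on volume and another for a spreadsheet attachment, while a single small message to a personal address is left alone. Keeping the report and the flagging rule separate means the thresholds can be changed without touching the parser, and the report itself is the evidence an auditor would ask to see for this control.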

6. Requests for Personal Data

The processes in place to respond to any requests for personal data. This will include requests by
individuals for copies of their data (subject access requests) as well as those made by third parties.

Question areas:

• Owner/procedures

• Log

• Monitoring

• Redaction

• Exemptions
• Disclosures

Example evidence required:

• Policies & procedures

• Subject Access Request Log

• Performance reports

• Sample of responses to requests

BS 10012:2009 requires that:

• Individuals should be able to exercise their statutory rights.

6.1 Owner/procedures

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. A Subject Access Policy exists.

2. The policy outlines the general process which applicants are expected to follow.

3. The policy is regularly reviewed.

4. The policy has an owner.

5. Staff and customers receive guidance on how to make Subject Access requests.

6. Sufficient SAR-specific training has been provided for key staff. [Which includes detailed
guidance for key staff on how to process requests using all relevant systems.]

7. Completion of subject access requests is not wholly dependent on the continuing availability of a
team or one key individual.

6.2 Log

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. A log of all information requests is maintained.

2. The log has an owner.

3. The log is regularly reviewed.


4. Formal reports on SARs are made to senior management.

6.3 Monitoring

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Key Performance Indicators are set in respect of SAR compliance.

2. A suitably experienced officer carries out a quality check and authorises SAR responses prior to
despatch.

3. A traffic light system for managing the progress of subject access requests through the
disclosure procedure ensures that requests approaching the deadline for response are
highlighted to disclosures staff.

4. Corrective measures are taken when there are failures to respond to SARs within the required
time period.

6.4 Redactions

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Logs report on the redactions that have been applied and the reason for their application.

2. An un-redacted and redacted version of personal data compiled in response to subject access
requests is retained. [To provide a complete audit trail of the response issued to each requester
and to assist the organisation in answering any redaction-related enquiries.]

3. Redactions are not carried out on a ‘blanket’ basis, but in accordance with the circumstances of
the case.

6.5 Exemptions

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Logs report on the exemptions that have been applied and the reason for their application.

2. Exemptions are not applied on a ‘blanket’ basis, but in accordance with the circumstances of
the case.

7. Data Sharing

The design and operation of controls to ensure the sharing of personal data complies with the
principles of the Data Protection Act 1998 and the good practice recommendations set out in the
Information Commissioner’s Data Sharing Code of Practice.

Question areas:
• Owner/authorisation

• Policies and procedures

• Training and awareness

• Privacy Impact Assessments

• Log

• Data sharing agreements

• Sharing protocols

Example evidence required:

• Policies & procedures

• Training material

• Log

• Sharing protocols

BS 10012:2009 requires that:

• Where the organisation shares personal information with another organisation, the
responsibilities of both parties with regard to the personal information are formally documented
in a written agreement or contract as appropriate. Where data sharing with third parties is
allowed without the consent of the individual, an auditable record of the protocols and controls
for this data sharing must be documented. Where data sharing with a third party is required, for
example, by law, the organisation shall document the protocols and controls for the data
sharing.

• Disclosures to third parties must be managed in compliance with data protection legislation and
good practice.

• Personal information must be adequately protected when it is processed outside the European
Economic Area.

7.1 Owner/authorisation

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. It is clear who has the authority to make data sharing decisions in all circumstances. [Information
Sharing Agreements should be approved at a senior level.]
2. Procedures are in place for the routine monitoring of third party requests for personal data
within teams.

7.2 Policies and procedures

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Information Sharing Agreements (ISAs) follow a standard template.

2. Specific requirements in Information Sharing Protocols stipulate in detail how data will be
shared, who can access the data, what it will be used for, security and destruction of physical
and electronic records and accepted methods of movement of files.

3. All data processor contracts that are currently in place have adequate data protection or
information security clauses. [Some contracts may be drafted and agreed within business areas,
rather than having central oversight by a dedicated team. The production of additional detailed
guidance for business areas will help to ensure all contracts include the necessary data
protection clauses.]

4. Baseline Security Checks or Codes of Connection are used when dealing with other
organisations, to set a minimum requirement that has to be met in order to provide services.

7.3 Training & awareness

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Staff responsible for developing ISAs undergo periodic refresher training on standard data
protection clauses.

2. Information Asset Owners and staff responsible for developing ISAs regularly discuss / highlight
potential areas of data risk and discuss incident trends.

7.4 Privacy Impact Assessments

A PIA should set out what the sharing is meant to achieve, the potential benefits and risks to
individuals, if sharing is proportionate to the issue being addressed, and whether the objective could
have been achieved without sharing personal data.

Responsible organisations should be able to assure an auditor that the controls specified in section
2.6 are in place.

7.5 Log

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. A log of all sharing protocols and data processing agreements is maintained.


2. The log has an owner.

3. The log is regularly reviewed / audited to ensure it is kept up to date.

4. Regular reports on the agreements are made to a responsible manager / committee.

7.6 Data sharing agreements

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. A formal process is in place for oversight of data sharing agreements.

2. An assessment of the existing and planned DP practices and/or security arrangements occurs
before an agreement is made. [The assessment reviews the legality, benefits and risks of
information sharing to ensure that all new services, projects, processes, software and hardware
comply with information security, confidentiality and data protection requirements.]

3. There are named points of contact for each organisation.

4. Appropriate Fair Processing Notices exist.

5. Appropriate Subject Access arrangements have been developed.

6. Regular reviews are undertaken to ensure all requirements are being fulfilled.

7. Each agreement has a review date.

8. Reviews have taken place.

7.7 Standard sharing protocols

Responsible organisations should be able to assure an auditor that the following controls are in
place:

1. Where relevant standard sharing protocols exist, they are used by the respective organisations.

Helpful hints: One-off data sharing checklist

Is the sharing justified?

• Should you share the information?

• Have you assessed the potential benefits and risks to individuals and/or society of sharing / not
sharing?

• Is an individual at risk of serious harm?

• Do you need to consider an exemption in the DPA to share?


Do you have the power to share?

• Consider the type of organisation you work for.

• Consider any relevant functions or powers of your organisation.

• Consider the nature of the information you have been asked to share (e.g. was it given in
confidence?).

• Do you have a legal obligation to share (e.g. a statutory requirement or a court order)?

What information do you need to share?

• Only share what is necessary.

• Distinguish fact from opinion.

How should information be shared?

• Information must be shared securely.

• Make sure you are giving it to the right person.

• Consider whether it is appropriate / safe to inform the individual that you have shared their
information.

If you share information you should record

• What information was shared and for what purpose.

• Who it was shared with.

• When it was shared.

• Your justification for sharing.

• Whether the information was shared with or without consent.
