DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

Transcription

1 DATA PROTECTION SELF-ASSESSMENT TOOL Protecture:

2 Instructions for use touches many varied aspects of an organisation. Across six key areas, the self-assessment notes where a decision should have been made, or an action taken, in order to ensure compliance across your organisation. The Position column is where you indicate one of three possible positions: 1. Yes you consider yourself compliant. Record your evidence for this position. 2. No you believe you do not need to address the issue (e.g. because of the size of your organisation). Record your rationale for this position. 3. Under Review the issue is under. Record the actions you plan to address the issue, e.g. who has been allocated responsibility and the timescale / next date. The results of your self-assessment should then be summarised on the following page. This will enable you to prioritise actions and changes in the areas of greatest risk. Subscribers Subscribers to our data protection service get four hours of data protection advice and guidance i.e. we would work though the self-assessment tool with you, if needed. We would then address any gaps you might have. For example, work with you to make changes to existing policies; deliver any onsite training; audit systems or processes. Our Subscribers also have access to guidance, template policies and checklists via the Members Area of our website (the Reference column of this Self-assessment Tool refers to these). P a g e 1

3 Index Number of Action Points Position Y N Action Plan 01 Roles and Responsibilities staff, agency workers and service providers 4 02 Your staff 3 03 Your day-to-day handling of personal information 5 04 Your buildings (physical security) and offsite working 2 05 Your handling of information security incidents 1 06 Your handling of requests for access to personal information 2 Top 3 priorities: P a g e 2

4 01 Action point A : Roles and Responsibilities staff, agency workers and service providers Your employees: Appoint or confirm the following roles: 1. Senior Management Glossary 2. Oversight Glossary 3. Audit Glossary 4. Senior Information Risk Owner (SIRO) Glossary 5. Information Asset Owners (IAOs) Glossary 6. Managers Glossary 7. Human Resources Glossary 8. Users Glossary 9. Officer Glossary 10. Information Security Officer Glossary 11. Facilities Management Glossary 12. Legal Services Glossary 13. Business Continuity Glossary P a g e 3

5 01 Action point B: Roles and Responsibilities staff, agency workers and service providers Your employees: Adopt or amend Human Resources policy, to address the following areas: 1. Before employment prior to access to personal data 2. During employment accessing personal data 3. After employment no longer accessing personal data DP Guide 01 DP Guide 01 DP Guide Emergency suspension of a User s access Action point C: Agency workers and service providers: Adopt or amend contract clauses / terms and conditions to address the following: 1. Third parties with temporary access to personal data 2. Engaging third parties on a contractual basis 3. Engaging third parties on a non-contractual (information sharing) basis Action point D: Glossary DP Guide 01 DP Guide 01 DP Guide 01 Your organisation: Ensure notification with the Information Commissioner s Office (ICO) 1. Notification with the ICO 2. Annual of notification P a g e 4

6 02 Your staff Action point A: Provide data protection training and awareness, and maintain evidence it has been received for each User 1. At induction DP Guide Annually DP Guide When new systems / policies are introduced Action point B: DP Guide 02 Adopt or amend an Acceptable Use (AUP) 1. Evidence maintained of Users receiving and signing their AUP AUP addresses the following areas 2. Sharing and disclosing personal information DP Guide 02 DP Guide Use of DP Guide Use of the internet DP Guide Monitoring DP Guide Personal use DP Guide Computer Misuse DP Guide Adherence to policies and procedures DP Guide 02 P a g e 5

7 02 Your staff Action point C: Adopt or amend the following Policies and / or guidance for use by all Users: 1. Password 03.C.4 below 2. Clear Desk, Clear Screen and Secure Waste 03.C.7 below 3. Offsite Working 04.B. below 4. Removable Media 03.B.4 below 5. Sharing Personal Information 03.B.5 below P a g e 6

8 03 Action point A: Your day-to-day handling of personal information Know what personal information you collect, use and hold. Understand which is most important to you. 1. Undertake an information audit Glossary DP Guide 03 Action point B: 1. Adopt an Information Classification Scheme Ensure that proportionate controls are applied consistently to all types of personal information. 2. Adopt measures to fairly collect personal information including photographs 3. Adopt measures to ensure the accuracy of personal information Glossary DP Guide 03 DP Guide 03 Form DP Guide Adopt rules for the storage of personal information including removable media DP Guide Adopt rules on sharing personal information for the different methods in use 6. Adopt rules on the transfer of personal information outside the EEA 7. Adopt rules to ensure the backup of personal information DP Guide 03 DP Guide 03 DP Guide 03 P a g e 7

9 03 Action point C: Your day-to-day handling of personal information Ensure that controls on access to personal information meet business requirements. Adopt or amend an Access Control policy to address the following areas: 1. Rationale for providing access DP Guide Process for administering access DP Guide Responsibilities DP Guide Password management and secure login DP Guide Controls against malicious code and mobile code 6. Network access control DP Guide 03 (i) General DP Guide 03 (ii) Third Party and remote access DP Guide 03 (iii) Session time-out and limitation of DP Guide 03 connection time (iv) Control of operational software DP Guide 03 (v) Connection of devices DP Guide 03 (vi) Use of system utilities DP Guide Clear Desk, Clear Screen and Secure Waste DP Guide 03 P a g e 8

10 03 Action point D: Your day-to-day handling of personal information Ensure that personal information is only kept for as long as necessary: 1. Adopt a retention and disposal schedule DP Guide Adopt a disposal and deletion policy DP Guide 03 Action point E: Ensure the confidentiality, integrity and availability of personal information in the event of interruption by adopting or amending business continuity plans that address personal information: 1. Management process DP Guide Risk Assessment DP Guide Requirements DP Guide Testing, maintaining and ing DP Guide 03 P a g e 9

11 04 Action point A: Your buildings (physical security) and offsite working Ensure physical security is proportionate to the risks faced by the office, location or area concerned. 1. Premises DP Guide Personal information and ICT equipment DP Guide Protection of ICT equipment DP Guide Protection from external threats DP Guide Delivery and loading areas DP Guide Equipment siting DP Guide User siting DP Guide 04 Action point B: Ensure offsite working arrangements provide adequate protection against the loss of confidentiality, integrity or availability of personal information. Adopt an offsite working policy to address the following: 1. Remote Access to Network and DP Guide User responsibility Classification DP Guide User responsibility Security DP Guide Further user responsibilities DP Guide Authorisation DP Guide 04 P a g e 10

12 05 Action point A: Your handling of information security incidents Adopt policy and procedures for managing information security incidents, to address the following areas: 1. Reporting Incidents DP Guide 05 Checklist 2. Management of Incidents DP Guide 05 Checklist 3. Collecting evidence DP Guide Learning lessons from Incidents DP Guide 05 Checklist P a g e 11

13 06 Action point A: Your handling of requests for access to personal information Adopt policy and procedures for managing Subject Access Requests, to address the following areas: 1. Validating requests DP Guide 06 Checklist 2. Locating personal information DP Guide 06 Checklist 3. Reviewing personal information DP Guide Responding secure disclosure of personal information Action point B: DP Guide 06 Checklist Adopt policy and procedures for managing requests for access to personal information by other individuals and/or organisations, to address the following areas: 1. Formal data sharing DP Guide Ad-hoc / unplanned sharing DP Guide 06 P a g e 12