Privacy Impact Assessment (Xantura)

ISIS (Info Sharing, Info Security) PIA Guidance Document, Version 1.0, October 2017

Privacy Impact Assessments: Guidance Document

Introduction

Delivering services effectively requires XXXXXXX Council to collect and hold large volumes of personal and organisational information. This process carries a number of risks, including security, data quality and privacy risks. The council has a responsibility to ensure that its activities maintain appropriate privacy for its service users and other stakeholders. It is important that the proposed project complies with all relevant privacy-related laws. The key legislation a PIA will consider is:

• Data Protection Act 1998
• The Human Rights Act 1998
• The Regulation of Investigatory Powers Act 2000
• The Privacy and Electronic Communications Regulations 2003
• Common law duty of confidentiality
• All of the council's relevant policies and procedures, including the XXXXXXXX Information Security Policy

1. Why carry out a PIA?

There are many reasons for undertaking a PIA exercise. The potential for privacy risk will be dictated by the nature of the initiative under consideration and the context within which it is introduced. There can be no automatic "triggers" which can replace the exercise of human judgement. Key reasons are likely to be:

1.1 Identification and management of risks

Projects that give rise to privacy concerns generally involve considerable financial investment. Senior management are responsible for ensuring that risks are identified, assessed and managed. If privacy issues represent a barrier to realisation of the intended benefits, they need to be assessed, and a risk management plan devised and implemented.
A PIA is therefore a means of identifying and addressing an element of project risk within a broader risk management strategy at project management level, while generating information to aid decision-making and supporting good governance and business practice at senior levels of the organisation.

1.2 Cost avoidance

By performing a PIA early in a project, XXXXXXXX may avoid problems being discovered at a later stage, when changes and the 'retrofitting' of features are much more expensive. The PIA process of articulating a project's objectives, XXXXXXXX's requirements and the justifications for particular design features also has important benefits for general project management. Building privacy sensitivity into the design from the outset also provides a foundation for a flexible and adaptable system, reducing the cost of future changes and ensuring a longer life for the application.

1.3 Avoidance of loss of trust and reputation

A PIA is a way to ensure that systems are not deployed with privacy flaws that will attract the attention of the media, public interest advocacy groups or regulators, or give rise to concerns among data subjects.

1.4 Meeting and exceeding legal requirements

Data protection compliance checks and privacy audits will ensure that XXXXXXXX addresses the informational aspects of privacy. Meeting such requirements is essential to avoid loss of trust and reputation. However, where a project affects wider dimensions of privacy, such as privacy in communications or physical privacy, it will be to XXXXXXXX's advantage to define the scope of the PIA to extend beyond information privacy and explore how such privacy issues can be identified and addressed in innovative and publicly visible ways.

2. When should a PIA be carried out?
2.1 Ideally, the PIA process should begin early, to ensure that project risks are identified and appreciated before problems become embedded in the design. This will usually mean commencing a PIA as part of the Project Initiation Phase.

2.2 If the project is already under way, the PIA should be started as soon as possible so that any major issues are identified with the minimum possible delay. A PIA can be conceived and conducted as a one-time activity. In such circumstances, the PIA will take into account the information available about the project at the time and feed ideas forward into the design.

2.3 However, this type of PIA cannot reflect information, often of a more detailed nature, that may become available at a later stage in the project. In major projects, the most beneficial and cost-effective approach may therefore be to conceive of the PIA as:

• A cyclical process
• Linked to the project's own life-cycle
• Re-visited in each new project phase

3. Who should be involved in a PIA?

3.1 ISIS (Information Sharing, Information Security) has responsibility for producing and reviewing the PIA, but draws on a variety of expertise from the service area concerned and from IS. PIAs are often completed at senior analyst level or by a manager with ongoing programme administration responsibilities.

3.2 In order to ensure the PIA is as thorough and accurate as it can be, you will need to identify and consult the following people on your project:

• System Owner(s)
• Data Owner(s)
• Project Manager (IS or Service Area)
• ISIS Risk Team
• IS Security Officer
• Communications staff
• Other functional specialists, as appropriate

PIA Questions Guidance

3. Purpose of system/process.

Why is the system/process being introduced and what does the system/process aim to do?
For example, SupportWorks is designed to manage IT-related issues within the council and help provide IS with management information on its IT infrastructure.

The Insight solution is designed to drive partnership working across local public sector agencies, citizens and their informal care networks. In addition, the solution supports community budget type discussions by delivering a consolidated view of evolving citizen needs and the service demands they will create in the future. At an aggregate level this provides a solid basis for pooled funding decisions.

4. If there are changes to the process, who provides authorisation?

For each system/process there will need to be a process in place to authorise changes that are made. This can be tied into the IS Change Control process, or simply be an internal review completed by key staff who use and own the system.

IG measures have been robustly detailed to ensure the sharing could all take place legitimately. The privacy notice on the web was changed to be in line with the aims of the project, and we checked that each data set we were using contained data that was fairly and lawfully collected in the first place; we did this by creating a checklist to ensure we held the data correctly before we considered sharing it. All changes to data collection are reflected by revisions to these checklists. We are satisfied that the whole project is safe and secure and can go ahead.

For changes that affect the data that is provided to the system, the way that data is used and accessed, etc., the solution implements discrete data sharing protocols that act as discrete Configuration Items and reflect the agreed data sharing protocols and checklists. Xantura operates a web-based application to manage user-driven change requests; change control requests are classified accordingly for software-related changes, and this is followed by an impact analysis that takes into account our IT and data security policies.
Once approved, changes are scheduled into our product delivery road map.

5. What does the system do? (Include a process map or flowchart if available.)

Regardless of whether it is a system or a process, the information going into it will flow from input to output (very much like a river or a conveyor belt). At each stage of the process the PIA will need to know exactly what information goes in, what happens to the information and what the predicted outputs of the system/process are.

Data inputs are received into the platform in two ways:

• As periodic data extracts from existing systems (transmitted over a secure encrypted GovConnect connection)
• In real time over a secure encrypted web connection

Data supplied as periodic extracts from multiple agencies are matched in a controlled way that satisfies the needs of local information governance teams. The specific ETL process, data matching, scoring processes etc. will all be agreed with local information governance teams as part of the system implementation/configuration activity. Although we have a view of the data available in key systems, we continue to evolve the PIA with more detailed definitions of approaches and specific data scope as part of the Data Governance workstream of this project.

6. Please list any statutory or legal requirements the system or process is being implemented to meet.

Similar to question 3, but here we want to know whether you have a specific legal or statutory duty to have such a system, or to process such information for your purpose. For example, system A has to contain sensitive personal information because XXXXXXXX has a statutory duty to provide social care and manage service user care.

As mentioned above, a core part of the project is defining the specific legal gateways that are going to be used to enable the sharing of multi-agency personal data.
These gateways are agreed and incorporated into discrete data sharing protocols in the system. Illustrative legislative frameworks that will be used include:

• Children Act 1989: "welfare of the child is paramount"
• The Crime & Disorder Act 1998: Section 115
• The Local Government Act 2000: "well-being clause"
• Children Act 2004: data sharing powers
• NHS Act 2006: partnership arrangements

7. Are staff that have access to the system fully trained on its use and made aware of their obligations when using the system?

What training regimes are in place to ensure the system is used correctly? Ideally this should include clear how-to guides and clear reporting processes should anyone have difficulty with the system. If the system contains sensitive personal information, what training is in place to ensure staff are fully briefed on what is expected of them with regard to confidentiality and inappropriate access?

There are a range of controls built into the system that control access to data, designed to prevent unauthorised searching of data. The core principle is that data is 'pushed' to individuals with an existing duty of care for a specific data subject (an approach that we have validated with the ICO). In addition, all data accesses are logged to provide a full audit trail of data accesses. We would envisage providing training as part of the project's implementation workstream. In addition, the system can be configured to prompt users to accept system usage terms each time they log on. This applies to all applications making up the solution.

10. What is the classification of the information on the system?

All information (personal and business) has an impact rating under the HMG Protective Marking Scheme based on its level of impact should the information be disclosed or lost. An outline of each of the impact levels is in Appendix A.
Xantura are PSN accredited and connected to the PSN.

11. Do you use all of the information you are collecting?

This question will ensure you review each part of the information that you wish to put into the system or process and determine whether all of it is going to be used. If any aspect of personal information will never be used in any aspect of the system/process, then you must not collect it.

All data supplied to the system will be approved for use by local data owners and governance teams as part of the data governance workstream. These data agreements, and how data will be used by the system, are set up as discrete 'data sharing protocols' in the core application. These data sharing protocols stipulate the specific data that is supplied, how the data can be used and the legal basis for data sharing. They control all access to data held in the system, i.e. all data accesses occur in the context of an authorised, relevant and discrete data sharing protocol.

16. How often do you review the system to ensure data is up to date and the purpose for collecting the information hasn't changed?

The system/process will need at least an annual review. This review should incorporate reviewing the system's progress, addressing any upgrades or extensions needed and ensuring that the purpose for which the system was designed hasn't changed. If the purpose does change, you will need to ensure the system is modified to encompass the changes, and the individuals that you hold information on must be informed or their consent sought accordingly.

Normal Information Governance cycles are used to review the data sharing protocols set up in the system. Data access reports would provide a key input into this process. Data supplied to the system is refreshed on a periodic basis from core business systems. Our base assumption is that the accuracy and currency of this data is managed through normal business processes.

17.
Is there a procedure to monitor the relevance and accuracy of any information inputted into the system about the individual?

Does the system/process have any way of ensuring that valid information is inputted before a record is saved? For example, on online systems you have to enter an email address in a valid format in order to register on the system.

As mentioned above, data supplied to the system will have been captured into XXXXXXX's existing business management systems (e.g. Adult Social Care's case management system). We have assumed that these systems have implemented relevant data entry validation. However, the platform does offer the opportunity to establish the accuracy of data held on systems via Insight.

22. How do you destroy information when it is no longer required?

There will need to be a process in place for the secure destruction of information once it is deemed no longer required. This can range from a secure shredding service for paper files to a technical outline of how digital information is destroyed.

In relation to digital media, Xantura operate a no-removable-media policy, and as such the destruction of removable media is not applicable in this context. Likewise, we do not generate paper-based reports for clients, and as such the destruction of paper is not applicable in this context.

23. How are security incidents reported?

Users of the system/process will need to be aware of what constitutes a breach of security and how to report it, by following the XXXXXXXX how-to guidance. If the system is being hosted externally, the third-party provider will need to outline how they detect and monitor breaches of security and how they will inform XXXXXXXX of a breach.

Xantura has an incident reporting policy that has been included for approval as part of our PSN accreditation submission. We can share the broader incident reporting policy if required.

24.
What damage to XXXXXXXX and the individual could be caused by any inaccuracy or loss of personal data?

What are the worst-case scenarios should any of the information be lost or corrupted? Are there any areas of the process that could be a threat, and what are the risks to the service/individual?

Data loss risks:

• All data transmissions are encrypted (HTTPS / SSL / SFTP).
• All data is held at the (ISO 27001 certified) Fusion data centre.
• The infrastructure is PSN accredited, externally audited and penetration tested annually.
• Data supplied to the system is not combined (risk scores, matching indices etc. are held independently of the supplied data).

Data corruption risks:

• The system has been designed to provide additional intelligence to existing systems and processes. Real-time outputs (e.g. risk scores) to existing systems are provided by secure asynchronous web services, minimising the impact of any service outage.

In combination these approaches minimise the impact of data corruption or loss on the ability of an organisation to conduct its business.

28. Is any information to be passed as part of a secure transaction (e.g. email or CD)? If yes, how is it suitably protected?

If the system is electronic, is there an online portal that users have to log in to in order to complete their information? If so, how is that process secured as it goes across the web (e.g. an https connection)? If you have a "physical" process, then how is information transported from one place to another (for example, on an encrypted CD)?

All data transfers between Xantura and local government systems are encrypted and pseudonymised. Data extract transmissions are encrypted before transmission. All browser-based access to data occurs over a secure web connection, and real-time integration utilises a public/private key architecture.
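The response above says that extracts are pseudonymised before transmission and that matching indices are held apart from the supplied data. The block below is an added example, not Xantura's code and not part of this PIA, of one way those two statements can be made concrete: each sending agency replaces direct identifiers with an HMAC-SHA256 pseudonym under a key shared between the agencies but not held by the platform, and the platform stores the matching index separately from the payloads it receives. The field names, the key and the two sample extracts are constructed for the example.

```python
"""Keyed pseudonymisation at the sending agency, with the platform's matching
index held separately from the supplied payloads.

Added example, not Xantura's code. Assumes, hypothetically, that agencies share
an HMAC key the platform never sees; field names and sample rows are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical direct identifiers that must not travel in the extract.
DIRECT_IDENTIFIERS = ("nhs_number", "surname", "date_of_birth")


def _canonical(value: object) -> str:
    """Strip whitespace and case so "000 123 4567" and "0001234567" agree."""
    return "".join(str(value).split()).lower()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the direct identifiers with one keyed pseudonym.

    The same person yields the same pseudonym at every agency holding the key,
    so rows can be linked, but nobody without the key can reverse or recompute it.
    """
    material = "|".join(_canonical(record[f]) for f in DIRECT_IDENTIFIERS)
    pid = hmac.new(key, material.encode(), hashlib.sha256).hexdigest()
    payload = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return {"pid": pid, **payload}


@dataclass
class Platform:
    """Supplied data and the matching index are stored independently."""
    supplied: dict = field(default_factory=dict)     # (agency, row) -> payload
    match_index: dict = field(default_factory=dict)  # pid -> {(agency, row)}

    def ingest(self, agency: str, extract: list[dict]) -> None:
        for row, item in enumerate(extract):
            ref = (agency, row)
            self.supplied[ref] = {k: v for k, v in item.items() if k != "pid"}
            self.match_index.setdefault(item["pid"], set()).add(ref)

    def linked_view(self, pid: str) -> dict:
        """Assemble the cross-agency view for one pseudonym on demand only."""
        refs = sorted(self.match_index.get(pid, ()))
        return {f"{agency}#{row}": self.supplied[(agency, row)] for agency, row in refs}


# Constructed sample extracts: one fictitious person as seen by two agencies.
SHARED_KEY = b"constructed-example-key-not-for-real-use"
ADULT_SOCIAL_CARE = [
    {"nhs_number": "000 123 4567", "surname": "Smith", "date_of_birth": "1950-02-01",
     "care_package": "reablement"},
]
HOUSING = [
    {"nhs_number": "0001234567", "surname": " smith", "date_of_birth": "1950-02-01",
     "arrears_gbp": 420},
]


def build_platform(key: bytes = SHARED_KEY) -> Platform:
    """Pseudonymise each agency's extract at source, then ingest it."""
    platform = Platform()
    platform.ingest("asc", [pseudonymise(r, key) for r in ADULT_SOCIAL_CARE])
    platform.ingest("housing", [pseudonymise(r, key) for r in HOUSING])
    return platform


if __name__ == "__main__":
    p = build_platform()
    pid = pseudonymise(ADULT_SOCIAL_CARE[0], SHARED_KEY)["pid"]
    print(pid[:16], p.linked_view(pid))
```

Two caveats follow from the design. The identifier space is small (a ten-digit number plus a name and date), so anyone holding the key can enumerate it and undo the pseudonymisation; that is why the key stays with the agencies and the platform only ever sees pseudonyms. The linkage also depends entirely on the agencies canonicalising identifiers the same way, which is the kind of detail the matching process agreed with local information governance teams would have to pin down.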
We would anticipate establishing the precise data transmission model/architecture as part of the technology workstream of this project. Data is never transferred by CD or other removable media device.

30. What sort of data is being used for testing?

If your project is building a system or database to store personal information, it will likely have a "test" environment that mirrors the live one but is kept separate. In these cases the information stored in the database is dummy data, so the security requirements around it are more relaxed. If your project requires live data to be input into the test system, then a security review will be needed and an exception to use live data sought from ISIS. The business case for doing so will need to be very strong, as the privacy regulators and industry standards do not allow the use of live data for testing unless absolutely and legally necessary.

Our test environment is separate from our production environment. Test data is generated from a test data generator application. Prior to deployment into production, a pre-production environment is configured; this environment is supplied with production data and subject to a final UAT prior to live deployment.

33. Are you transferring information out of the UK?

In order to determine the answer to this, if your system is being hosted outside of XXXXXXXX you will need to get the third party to detail exactly where they host that system. If the country is within the EEA (European Economic Area), the data will be deemed safe, since these countries have comparable or more robust privacy laws than the UK. However, if the data is going to, or being hosted in, any other country, ISIS will need to review the contract with the third party before it is signed.

No.

35. Does any third party need to connect remotely to our network?
If a system is being built or provided by a third party, will they host the system via the internet and therefore never need to access our servers, or will the system be hosted by Information Services and supported by the third party? If it is the latter, the third party will need to outline what they will require access to and the reasons why, and agree to the XXXXXXXX Code of Connection. This will need to be reviewed by ISIS before any contracts are signed.

Insight is offered as a hosted platform. In terms of the local partner technology footprint, this is dependent on the approach adopted to providing data to the system. Our preferred option is for outbound server-to-server transmission of encrypted data only. Fusion would then apply all necessary ETL processes centrally (including filtering of citizens) prior to risk scoring and alert generation etc. However, it is possible that some partners may be uncomfortable with this approach, in which case there will need to be two-way communication between the platform and the 'SFTP server' at the local site. In this case the 'SFTP server' would be used to filter data prior to transmission. We would anticipate refining this model as part of the project.

26. What agreements are in place with any third parties?

If the system or process that you are looking to create requires input from or output to any third party (i.e. not XXXXXXX Council), the contract that they agree to will need to contain the following information:

• Outline and confirmation of who is the Data Controller and who is the Data Processor.
• What security arrangements we expect of the third party when handling our data.
• Freedom of Information and EIR requirements for contract details.
• Data Transparency requirements for contract details.
• Details of how information will be exchanged.
• Confirmation of Code of Connection requirements.

There is a current ongoing project to review all third-party connections, and a third-party pack will soon be available for release.
Data is transmitted from multiple agencies (including XXXXXXX Council) to Xantura’s platform. We have a template Data Processing Agreement that provides a basis for this data transmission.
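Questions 7 and 11 above describe the access model in three rules: data is pushed to practitioners who already have a duty of care for the subject rather than searched for, every access happens inside an authorised, relevant data sharing protocol, and every access is logged. The block below is an added example, not Xantura's code, of a policy enforcement point built on exactly those three rules; the protocol, agencies, fields, subjects and the particular ordering of the authorisation checks are assumptions made for the example.

```python
"""Access mediated by discrete data sharing protocols, with a push model and an
audit trail. Added example, not Xantura's code; protocol, agency, field and
subject names are constructed, and the authorisation rules are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class DataSharingProtocol:
    protocol_id: str
    legal_basis: str                  # the agreed legal gateway, as free text
    agencies: frozenset[str]          # partner agencies within scope
    permitted_fields: frozenset[str]  # the only fields this protocol releases
    alert_threshold: int              # push an alert at or above this score
    active: bool = True


@dataclass
class Practitioner:
    user_id: str
    agency: str
    caseload: set[str]                # subjects with an existing duty of care


class AccessDenied(Exception):
    pass


@dataclass
class Platform:
    protocols: dict[str, DataSharingProtocol]
    records: dict[str, dict]          # subject_id -> full record
    audit: list[dict] = field(default_factory=list)

    def _log(self, user, subject_id, protocol_id, outcome, detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "user": user.user_id, "agency": user.agency,
                           "subject": subject_id, "protocol": protocol_id,
                           "outcome": outcome, "detail": detail})

    def _authorise(self, user, subject_id, protocol_id):
        """Every access must sit inside one active, relevant protocol."""
        proto = self.protocols.get(protocol_id)
        if proto is None or not proto.active:
            reason = "no active data sharing protocol"
        elif user.agency not in proto.agencies:
            reason = "user's agency is outside the protocol"
        elif subject_id not in user.caseload:
            reason = "no existing duty of care for subject"
        elif subject_id not in self.records:
            reason = "unknown subject"
        else:
            return proto
        self._log(user, subject_id, protocol_id, "denied", reason)
        raise AccessDenied(reason)

    def fetch(self, user: Practitioner, subject_id: str, protocol_id: str) -> dict:
        """Release only the fields the protocol permits, and log the release."""
        proto = self._authorise(user, subject_id, protocol_id)
        view = {k: v for k, v in self.records[subject_id].items()
                if k in proto.permitted_fields}
        self._log(user, subject_id, protocol_id, "allowed",
                  "fields=" + ",".join(sorted(view)))
        return view

    def push_alerts(self, users: list[Practitioner], protocol_id: str) -> list[dict]:
        """Push model: no search endpoint; an alert reaches only a user who already
        holds the subject, and only when the score crosses the threshold."""
        proto = self.protocols.get(protocol_id)
        threshold = proto.alert_threshold if proto else 0
        alerts = []
        for user in users:
            for subject_id in sorted(user.caseload):
                record = self.records.get(subject_id)
                if record is None or record["risk_score"] < threshold:
                    continue
                try:
                    view = self.fetch(user, subject_id, protocol_id)
                except AccessDenied:
                    continue          # the refusal is already in the audit log
                alerts.append({"to": user.user_id, "subject": subject_id, **view})
        return alerts


def is_denied(platform: Platform, user: Practitioner, subject_id: str, protocol_id: str) -> bool:
    """True when the platform refuses the access (the refusal is logged)."""
    try:
        platform.fetch(user, subject_id, protocol_id)
    except AccessDenied:
        return True
    return False


def build_demo() -> tuple[Platform, list[Practitioner]]:
    """Constructed protocol, records and practitioners for the example."""
    dsp = DataSharingProtocol(
        "DSP-01", "Crime and Disorder Act 1998 s.115 (assumed for the example)",
        frozenset({"council", "housing"}),
        frozenset({"risk_score", "housing_arrears_flag", "school_attendance_pct"}),
        alert_threshold=70)
    # gp_practice is outside the protocol and must never be released under it.
    records = {
        "S1": {"risk_score": 85, "housing_arrears_flag": True, "school_attendance_pct": 72, "gp_practice": "x"},
        "S2": {"risk_score": 40, "housing_arrears_flag": False, "school_attendance_pct": 96, "gp_practice": "x"},
        "S3": {"risk_score": 95, "housing_arrears_flag": True, "school_attendance_pct": 51, "gp_practice": "x"},
    }
    alice = Practitioner("alice", "council", {"S1", "S2"})  # inside DSP-01
    bob = Practitioner("bob", "nhs", {"S1"})                # agency outside it
    return Platform({dsp.protocol_id: dsp}, records), [alice, bob]
```

The point of keeping the denied decisions in the same log as the allowed ones is that the data access reports mentioned under question 16 can then show attempted reaches beyond a caseload or a protocol, not only successful ones; and because the protocol, not the caller, decides which fields are released, a subject that is on a practitioner's caseload still never yields fields the protocol does not cover.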