

NORTH LANARKSHIRE COUNCIL

REPORT

To: POLICY AND RESOURCES
Subject: INFORMATION GOVERNANCE POLICY FRAMEWORK

From: EXECUTIVE DIRECTOR OF FINANCE AND CUSTOMER SERVICES

Date: 20 AUGUST 2014 Ref: AC/IMcK/PT

1. Purpose

1.1 To seek committee approval for the creation of the Information Governance Policy Framework.

1.2 This framework will result in the:
• Deletion of the current records management and information management policies;
• Creation of a combined records and information management policy;
• Deletion of the current protective marking, handling and disposal policy which will be replaced by a new information handling policy; and
• Updates to the existing information risk policy, information security policy and data protection policy.

2. Background

2.1 In January 2012, the Information Commissioner's Office (ICO) undertook an audit of the Council's information governance arrangements. The resulting action plan recommended regular reviews of information governance policies.

2.2 These policy reviews are carried out by the Information Assurance Working Group (IAWG) and progress is monitored by the Information Governance Working Group (IGWG). These are corporate working groups created to ensure effective information governance across the council.

2.3 In January 2013, the Public Records (Scotland) Act 2011 came into force. This requires the creation of a Records Management Plan (RMP) for the management of records within the council. This meant that the current Information Management Policy and the current Records Management Policy needed to be reviewed and updated.

2.4 In April 2014, the new UK Government Security Classification Policy came into force. This significantly changed the protective marking guidelines. This meant that the current Protective Marking, Handling and Disposals Policy and the Information Risk Policy needed to be reviewed and updated.

3. Discussion

3.1 The changes brought in as part of the Public Records (Scotland) Act are significant. The act now clarifies the definition of a public record as:
(a) records created by or on behalf of the authority in carrying out its functions,
(b) records created by or on behalf of a contractor in carrying out the authority's functions,
(c) records created by any other person that have come into the possession of the authority or a contractor in carrying out the authority's functions.

It further defines a record as anything in which information is recorded in any form.


3.2 This clarifies for the first time that any information created by or on behalf of the council is now a record by definition. The Records Management Policy now covers all information and as a result the Information Management Policy in its existing form is no longer required. This policy will now be combined with the records management policy, updated and renamed as the Records and Information Management Policy.

3.3 The changes brought in as part of the new UK Government Security Classification Policy are also significant. The old protective marking categories of NOT PROTECTIVELY MARKED, PROTECT, RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET have been abolished and replaced with the new categories of OFFICIAL, SECRET and TOP SECRET.

3.4 Under the new policy any information that is created, processed, generated, stored or shared within (or on behalf of) NLC is now OFFICIAL by definition. A limited sub-set of OFFICIAL is also to be used for more sensitive information in accordance with the Data Protection Act and 'need to know' guidance in relation to its content; this is known as OFFICIAL-SENSITIVE.

3.5 These changes mean that the OFFICIAL classification has moved away from a reliance on protective marking and now places emphasis on personal responsibility and accountability in the handling of information. For this reason the current Protective Marking, Handling and Disposals Policy has been deleted and replaced by a new Information Handling Policy.

3.6 In addition, to ensure that all of the information governance policies remain consistent as legislation and other guidance changes in the future, it is proposed to create a framework document. This information governance policy framework provides a summary of all information governance policies and procedures, along with best practice and standards for managing the council's information assets. It also describes the council's approach to information assurance and information risk management.

3.7 The information risk, data protection and information security policies were reviewed and updated to reflect the new template.

4. Recommendation

4.1 The Committee is asked to approve the:
(a) Creation of the overarching information governance policy framework;
(b) Deletion of the current records management and information management policies;
(c) Creation of a combined records and information management policy;
(d) Deletion of the current protective marking, handling and disposal policy which will be replaced by a new information handling policy; and
(e) Minor updates to the existing information risk policy, information security policy and data protection policy.

ALISTAIR CRICHTON
Executive Director of Finance and Customer Services

For further information please contact Irene McKelvey, on tel. 01698 302532 or Peter Tolland, Customer Services Manager, on tel. 01698 274385


Information Governance Policy Framework

Version 1.0

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this

Information Governance Policy Framework | Version 1.0 | Jul 2014

Document Control

Organisation: North Lanarkshire Council
Title: Information Governance Policy Framework
Creator: Marcia Jarnell
Owner: Peter Tolland
Subject: Governance of Council Information Assets
Classification: OFFICIAL
Identifier: 20140725 Information Governance Policy Framework
Date Issued: [to be inserted]

Revision History

Revision No. | Originator | Date of revision | Revision Description
1.0 | Marcia Jarnell | 25.07.2014 | Following consultation with IGWG and IMWG

Document Approvals

Sponsor Approval | Revision No. | Date
Policy and Resources | 1.0 | 18.09.2014

Document distribution and communication

This document will be made available to all users. It will be published on the corporate intranet. Staff will be informed by periodic staff notices and induction information.


1. Foreword by Senior Information Risk Owner (SIRO)
2. Introduction
3. Purpose
4. Scope
5. Definition of information asset
6. Information Governance Policies
7. Principles
8. Information as a corporate Asset
9. Policy Review and Revision
Appendix A: Glossary of Terms
Appendix B: Supporting legislation, policies, standards and guidelines

1. Foreword by Senior Information Risk Owner (SIRO)

North Lanarkshire Council processes data to support its operational activity, planning and decision making and the coordination and delivery of desired outcomes in accord with its legal duties and powers. The council is committed to the secure use of information and information technology systems in order to ensure the availability, integrity and confidentiality of the information under its control. This commitment is vital for public confidence and for the efficient, effective and safe conduct of our business.

The council's information governance policies introduce changes to the way we do things as part of the broader agenda to modernise and transform. I am confident that these policies and associated procedures will enable us to improve performance whilst securing the information under our control. They set out mandatory standards, define compliance and assurance arrangements and offer guidance.

Responsibility for the governance of information is delegated from the Chief Executive to Heads of Service. Ultimately, however, it is the responsibility of everyone and our information governance policies and processes will only work well if we all comply with the standards contained within.

2. Introduction

North Lanarkshire Council will create an environment where council information, in any form, is valued as a corporate asset. One where organisation boundaries are invisible and information is shared in a way that preserves the context, integrity, sensitivity and security of the information asset, guaranteeing that access to confidential information is available only in accordance with legislation as detailed in Appendix B, whilst ensuring that all staff have appropriate access to accurate information needed to perform their duties.

3. Purpose

This policy sets out the council's responsibilities in relation to information governance in accordance with legislation and professional principles.

It summarises the relevant regulations and commits the council to their application where appropriate. It has been updated to take into account the Public Records (Scotland) Act 2011, the new UK Government Security Classification Policy and standards required by Health and Social Care integration. As such, it is presented as a framework comprising three elements:
• The corporate management of information governance
• An overarching policy drawing all the legislation and issues together
• A suite of comprehensive individual policies, standards and procedures

It is supported by information capture, storage, analysis and exchange systems that will enable NLC staff to:
• conduct their daily business efficiently and effectively;
• have timely access to meaningful information;
• operate within the requirements of current legislation;
• support and inform NLC decision-making;
• respond promptly to information and data requests; and
• share information with colleagues, partners and customers but only where appropriate and where legally possible.

4. Scope

This policy applies to all NLC employees and all elected members when they are working on council business. However we expect anyone using NLC data (e.g. community planning partners, third party organisations etc.) to be aware of and understand this policy and how it should be applied when using council information.

It applies to all information assets irrespective of their format:
• In the case of the Data Protection Act 1998 (DPA) it applies to all personal information acquired, held and used.
• In the case of the Freedom of Information Act 2000 (FOI) and the Freedom of Information (Scotland) Act 2002, it applies to all recorded information held, including that on network drives and within the email system.
• In the case of Environmental Information Regulations 2004 (EIR) and the Environmental Information (Scotland) Regulations 2004, it applies to all environmental information held, in written, visual, aural, electronic or other material form.

Contractors are included in the policy, but there are some exclusions such as the voluntary sector, care home providers, nurseries, child minders, etc. However, all contractual arrangements will include a section detailing the council's Information Governance compliance requirements.

5. Definition of information asset

This policy must be applied to all information assets used by the council and these can take many forms that include, but are not limited to, the following:
• Hard copy data printed or written on paper.
• Data stored electronically.
• Communications sent by post / courier or using electronic means.
• Stored tape, video or other electronic media (e.g. call recordings).

6. Information Governance Policies

The following suite of policies is part of the Information Governance Policy Framework:
• Records and Information Management Policy
• Information Risk Policy
• Information Handling Policy
• Data Protection Policy
• Information Security Policy

7. Principles

The collection, storage, analysis, exchange and destruction of North Lanarkshire Council information resources will embody the following principles:

a) We treat council information as a North Lanarkshire Council resource. Council information assets, wherever they are held, belong to North Lanarkshire Council and not to specific groups or individuals.

b) We are all responsible for the council's information. Everyone is personally responsible for the effective management of the council information they create, capture and use. Council information assets such as databases must be clearly identified.

c) We will share council information responsibly with our colleagues, partners and customers. Authorised individuals will be able to access council information required for the effective performance of their role. Customers should gain access to council information to which they are entitled. Information access will be controlled where necessary due to sensitivities or legislative requirements.

d) We keep records of what we do and retain them in a consistent and cost-effective way. Authorised individuals will store council records in accordance with appropriate policies and guidelines.

e) The information we produce will be accurate and meet our customers' expectations. Information must be timely, relevant, accurate and consistent.

f) Our information complies with our statutory obligations. Information management within the council must comply with prevailing legislation and will do so, when managed in accordance with the council's policies, standards and guidelines.

8. Information as a corporate Asset

• The council will maintain an Information Asset Register (IAR) as an inventory of its information assets.

• All information will have a defined Information Asset Owner (IAO) and this will be recorded in the IAR. It will be the IAO's responsibility to manage and protect the information and to make it available to others.

• Information will be made available unless there is a compelling reason not to, recognising all the relevant legislative and regulatory requirements. This applies to both internal and external users of information.

• The storage and organisation of information will be in accordance with the Corporate File Plan to promote its sharing, thereby minimising duplication of effort and the cost of its retrieval.

• The re-use of information for which the council holds the Copyright will be granted whenever possible. The terms for re-use will be in line with legislation and clearly explained.

• The protection of information assets will be carried out in accordance with the council's Information Security Policy.

• The management and retention of information will take into account its value to the council. Information will only be retained as long as there is a business need and to ensure compliance with the relevant legal and regulatory requirements.

• Disposal of information of a personal or confidential nature will be carried out securely and when there is no longer a legal or business need to keep it.

• Information ownership rights will be observed in that information from third party sources will only be used in accordance with the licence or permissions granted.

9. Policy Review and Revision

This policy will be reviewed whenever guidance or the law is changed but at a minimum every 24 months. Policy review will be carried out by the Information Governance Working Group under the guidance of the SIRO.

Appendix A: Glossary of Terms

Term | Description
ALL USERS | All parties who have access to Council information including employees, elected members and third party contractors and any other individuals or organisations who access Council information.
CDPO | Corporate Data Protection Officer
CMT | Corporate Management Team
Council Information | Council information includes data, records, paper and digital formats.
IAA | Information Asset Administrator
IAO | Information Asset Owner
IGWG | Information Governance Working Group
IAWG | Information Management Working Group
NLC | North Lanarkshire Council
SIRO | Senior Information Risk Owner

Appendix B: Supporting legislation, policies, standards and guidelines

Legislation
• Data Protection Act 1998
• Environmental Information (Scotland) Regulations 2004
• Freedom of Information (Scotland) Act 2002
• Information associated aspects of the Human Rights Act 1998
• Information associated aspects of the Local Government in Scotland Act 2003
• INSPIRE (Scotland) Regulations 2009

Internal policies, standards and guidelines
• Records and Information Management Policy
• Information Risk Policy
• Information Handling Policy
• Data Protection Policy
• ICT Security Policy
• Acceptable Use of ICT Policy
• Records and Information Management Guidelines
• Information Security Good Practice Guidelines
• Acceptable Use of ICT Guidelines
• Flexible Workstyle Handbook
• Records Management Plan
• Corporate File Plan
• Information Asset Register
• STD 0125 System Access Password Standard

External standards and guidelines
• Codes of practice issued by regulatory and statutory bodies (e.g. Information Commissioner's Office, Audit Scotland etc.)
• Government Connect Code of Connection/Public Services Network
• ISO 27001 and 27002 Information Security Management Standards
• Lanarkshire Data Information Sharing Partnership
• Payment Card Industry (PCI) Standards


Records and Information Management Policy

Version 1.0

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this

Records and Information Management Policy | Version 1.0 | Jul 2014

Document Control

Organisation: North Lanarkshire Council
Title: Records and Information Management Policy
Creator: Marcia Jarnell
Owner: Peter Tolland
Subject: Governance of Council Information Assets
Classification: OFFICIAL
Identifier: 20140709 Records and Information Management Policy
Date Issued: [to be inserted]

Revision History

Revision No. | Originator | Date of revision | Revision Description
1.0 | Marcia Jarnell | 25.07.2014 | Combination of Record Management and Information Management policies

Document Approvals

Sponsor Approval | Revision No. | Date
Policy and Resources | 1.0 | 18.09.2014

Document distribution and communication

This document will be made available to all users. It will be published on the corporate intranet. Staff will be informed by periodic staff notices and induction information.

1. Introduction
2. Purpose
3. Scope
4. Objectives
5. Responsibilities
6. Records and Information Life Cycle Management
7. Records Management Plan
8. Corporate File Plan
9. Retention Schedule
10. Electronic Document Naming Convention
11. Record Maintenance
12. Record Access
13. Record Disclosure
14. Record Disposal
15. Review and Revision
Appendix A: Glossary of Terms
Appendix B: Records and Information Life Cycle Management

1. Introduction

North Lanarkshire Council (NLC) creates, collects, uses and disposes of a large amount of information in the course of its business. NLC employees must create accurate documentation to accompany their work to provide authentic and reliable evidence of council business, and to document cultural activity within the North Lanarkshire Council area.

NLC recognises that managing this information carefully will ensure that the record of its activities is accurate and complete. The Council regards this record of what the Council decides, what it does and how it does it as a corporate asset and will endeavour to manage it lawfully and to comply with current standards of professional practice as detailed in the information governance policy framework.

2. Purpose

This policy defines the duties of the Council in respect to record keeping and information management. The Public Records (Scotland) Act 2011 defines a public record as:
a) records created by or on behalf of the authority in carrying out its functions,
b) records created by or on behalf of a contractor in carrying out the authority's functions,
c) records created by any other person that have come into the possession of the authority or a contractor in carrying out the authority's functions.

It further defines a record as anything in which information is recorded in any form, making it clear that any information created by or on behalf of the council is now a record by definition.

3. Scope

This policy applies to all NLC employees and all elected members when they are working on council business. However we expect anyone using NLC data (e.g. community planning partners, third party organisations etc.) to be aware of and understand this policy and how it should be applied when using council information.

4. Objectives

Council records and information, regardless of their location or point of creation or receipt, are a vital corporate asset. The objectives of this policy are to:
a) Provide a framework for good record keeping practices within North Lanarkshire Council, ensuring that records are managed effectively and efficiently, and that the council complies with its statutory and regulatory obligations.
b) Develop and encourage a working culture that recognises and acknowledges the benefits of effective records management.
c) Secure a co-ordinated approach to the management of the council's records as a corporate resource.
d) Establish a framework to support, implement, monitor and review the council's policy on records.
e) Define responsibilities for records management throughout the council.
f) Ensure that council records are reliable and authentic and that it is possible to establish the context of the record, including who created the document, during which business process, and how the record is related to other records.

g) Support public rights of access to information and ensure that records of long-term value are identified and preserved as archives within the collections of the council.
h) Other records are confidentially destroyed when no longer required.

5. Responsibilities

a) The chief executive and each executive director have a duty to ensure that records are properly managed within their Service according to the requirements of legislation affecting the management of records, and with supporting regulations and codes.

b) The records manager is responsible for providing advice, training and guidance on good records management practice, and should ensure that designated officers in all service areas are supported by retention schedules, file plans and procedures on records management.

c) The archives are the designated place of deposit for council records of continuing evidential and historical value, and the archivist is responsible for preserving, promoting and making accessible these records and other historical records that may be acquired by the council.

d) Service managers have day to day responsibility for records management and should ensure that systems are in place to enable compliance and that staff for whom they have responsibility are familiar with and adhere to this policy and with related policies, standards and guidance.

e) All members of staff are accountable to their supervisors for documenting their actions and decisions and for maintaining records and information systems in accordance with this policy and with related policies, standards and guidance.

6. Records and Information Life Cycle Management

Records and Information Management plays an integral role within NLC as it underpins effective information sharing within our organisation and externally to customers and suppliers. The law requires certain records to be kept for a defined retention period; records are also used on a daily basis for internal purposes to help make decisions or provide evidence. This life cycle is detailed in Appendix B and is supported by the following processes and procedures.

7. Records Management Plan

The Public Records (Scotland) Act 2011 came fully into force in January 2013 and requires NLC and other public authorities to prepare and implement a Records Management Plan (RMP) setting out proper arrangements for the management of records within the council. The plan is agreed with the Keeper of the Records of Scotland and is reviewed by the council on an annual basis thereafter.

The RMP will relate to records throughout their lifecycle, from creation and receipt through to disposition. It will encompass all records across all council service areas and will also incorporate records held by North Lanarkshire Licensing Board and North Lanarkshire Schools.

The RMP is based on the Keeper's published Model Records Plan. The model plan has 14 Elements. These are:

1. Senior management responsibility
2. Records manager responsibility
3. Records management policy statement
4. Business classification
5. Retention schedules
6. Destruction arrangements
7. Archiving and transfer arrangements
8. Information security
9. Data protection
10. Business continuity and vital records
11. Audit trail
12. Competency framework for records management staff
13. Assessment and review
14. Shared information

North Lanarkshire Council will provide the Keeper with evidence of policies, procedures, guidance and operational activity on all elements of the plan as required.

8. Corporate File Plan

As most records and information are created electronically, shared storage areas (such as the I: drive) have started to supersede traditional paper filing systems as the main repository for storing records. As a result, due care and attention must be paid to how records and information are saved, stored, organised and managed.

NLC is committed to using a corporate Electronic Document and Records Management System (EDRMS) to manage key documents more effectively and a key element of this is a shared filing structure. A well-managed shared filing structure:
• Provides clear, consistent folder structures for all records and information;
• Supports effective information sharing;
• Aids search and retrieval processes;
• Reduces duplication of records, assisting version control; and
• Supports effective retention and disposal practices.

Information on the use of the corporate file plan is provided in the Records and Information Management Guidelines.

9. Retention Schedule

Keeping unnecessary records wastes staff time, uses up valuable space and incurs unnecessary costs. It also imposes a risk liability when it comes to servicing requests for information made under the Data Protection Act 1998 (DPA) and/or the Freedom of Information (Scotland) Act 2002. Moreover, compliance with these acts means that, for example, personal data must not be kept longer than is necessary for the purposes for which it was collected (Principle 5 of the DPA).

Records should only be destroyed as per the Information Handling Policy. It can be a personal criminal offence to destroy information once it has been requested. NLC needs to be able to demonstrate clearly that record destruction has taken place in accordance with proper retention procedures.

The retention schedule is a key component of information governance compliance and allows standardised retention and disposal. The recommended retention periods shown on the Retention Schedule apply to the master copy of the records. Any duplicates or local copies made for working purposes should be kept for as short a period of time as possible and then destroyed. Duplication should be avoided unless absolutely necessary.

Records involved in Investigations or Litigation

NLC has a duty to preserve relevant information when a lawsuit or investigation is reasonably anticipated. Staff must immediately notify the Records Manager if they have been notified of litigation or investigation, or have reasonable foresight of a future litigation or investigation, as this could result in records being held beyond their identified retention period. The Records Manager will use this information and log details of the records which have been placed on hold.

At the completion of the investigation or litigation, records and information previously covered by the hold decision should be retained in accordance with the applicable retention period.

Information on the use of the retention schedule is held in the Records and Information Management Guidelines.

10. Electronic Document Naming Convention

Record naming is an important process in records and information management and it is essential that a unified approach is undertaken within all areas of the Council. Staff members should refrain from naming folders or files with their own name unless the folder or file contains records that are biographical in nature about that individual, for example, personnel records.

The NLC standard naming convention, provided in the Records and Information Management Guidelines, must be used for the filename of all electronic documents created by NLC staff members from the implementation date of this policy.

The re-naming of old documents is optional but new documents must follow the standard naming convention.

11. Record Maintenance

To keep costs low, and in accordance with our aim to become a largely paperless organisation where possible, staff are encouraged to save in electronic format.

For records which need to remain in paper format, external storage is provided by CultureNL. Records classified as OFFICIAL-SENSITIVE are held at the Archive; all other records, including those classified as OFFICIAL, are held at a storage facility managed by NL Industries.

Information on the management of paper records and information at these facilities is provided in the Service Level Agreements with CultureNL and with NL Industries. Information on the management of electronic records and information is provided in the Records and Information Management Guidelines.

For both electronic and paper records, Information Asset Owners should ensure that they have a contingency or business continuity plan to provide protection for records which are vital to the continued functioning of NLC.

12. Record Access

Access to the information held by North Lanarkshire Council is governed primarily by the Freedom of Information (Scotland) Act (FOISA), the Environmental Information (Scotland) Regulations (EIRS) and the Data Protection Act (DPA). Information on compliance is provided in the Records and Information Management Guidelines.

13. Record Disclosure

There are a range of statutory provisions that limit, prohibit or set conditions in respect of the disclosure of records to third parties, and similarly a range of provisions that require or permit disclosure. Only certain staff members have the authority, which is dictated by their role, to disclose records. Information is provided in the Information Handling Policy.

14. Record Disposal

Disposal is the implementation of appraisal and review decisions and the term should not be confused with destruction. A review decision may result in the destruction of records but may also result in the transfer of custody of records, or movement of records from one system to another.

Records should not be kept longer than is necessary and should be disposed of at the right time. Unnecessary retention of records consumes time, space and equipment use, therefore disposal will aid efficiency. Staff members must regularly refer to the council's Record Retention Schedule saved within the Information Governance section of the Intranet.

Unnecessary retention may also incur liabilities in respect of the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the Data Protection Act 1998. If NLC continues to hold information which we do not have a need to keep, we would be liable to disclose it upon request. The Data Protection Act 1998 also advises that we should not retain personal data longer than is necessary.

It is the responsibility of the staff member who is leaving their current post or the organisation, and their Line Manager, to identify as part of the exit procedure specific records that should be retained in line with the Retention Schedules. These records should then be transferred securely to the requisite drive or storage facility and any non-work related records disposed of.

Short-lived documents such as telephone messages, notes on pads, post-its, e-mail messages, etc. do not need to be kept as records. If they are business critical they should be transferred to a more formal document which should be saved as a record.

15. Review and Revision

This policy will be reviewed whenever guidance or the law is changed, but at a minimum every 24 months. Policy review will be undertaken by the Information Governance Working Group under the guidance of the Senior Information Risk Owner.

Appendix A: Glossary of Terms

Term: Description

All Users: All parties who have access to Council information including employees, elected members and third party contractors and any other individuals or organisations who access Council information.
CDPO: Corporate Data Protection Officer
CMT: Corporate Management Team
Council Information: Council information includes data, records, paper and digital formats.
IAA: Information Asset Administrator
IAO: Information Asset Owner
IGWG: Information Governance Working Group
IAWG: Information Assurance Working Group
NLC: North Lanarkshire Council
SIRO: Senior Information Risk Owner

Appendix B: Records and Information Life Cycle Management

Stage 1: Creation and Receipt
This part of the life cycle is when we put pen to paper, make an entry into a database or start a new electronic document. It is known as the first phase. Records can be created by internal employees or received from an external source.

Stage 2: Distribution
Distribution is managing the information once it is created or received, whether it is internal or external. It occurs when records are sent to those for whom they were intended or are copied. Records are distributed when photocopied, printed, attached to an email, hand delivered or sent by regular mail, etc. After records are distributed, they are used.

Stage 3: Use
This stage takes place after information is distributed. This is when records are used on a day to day basis to help generate organisational decisions, document further action or support other NLC operations. It is also considered the Active Phase.

Stage 4: Maintenance
Maintenance is when records are not used on a day to day basis and are therefore stored in the records management system. Even though they are not used on a day to day basis, they will be kept for legal or financial reasons until they have met their retention period. The maintenance phase includes filing, transfers and retrievals. The information may be retrieved during this period to be used as a resource for reference or to aid in a business decision. Records should not be removed from a records management system; the information should be copied and tracked to ensure no amendments were made.

Stage 5: Disposition
Disposition is when a record is less frequently accessed, has no more value to NLC or has met its assigned retention period. It is then reviewed and, if necessary, destroyed under confidential destruction conditions. Not all records will be destroyed once the retention period has been met. Any records that have historical value to NLC will be kept and sent to the Archives, where they will be kept for the future of the organisation and may never be destroyed. This is the final phase of a record's lifecycle.

North Lanarkshire Council

Information Risk Policy

Version 2.0

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this

Information Risk Policy, Version 2.0, July 2014

Document Control

Revision History

Revision No.  Originator      Date of revision  Revision Description
1.0           Marcia Jarnell  22.02.2013        Following consultation with IGWG and IMWG
2.0           Peter Tolland   04.07.2014        Following consultation with IGWG and IAWG, document content revised.

Document Approvals

Sponsor               Approval Revision No.  Date
Policy and Resources  1.0                    14.03.2013
Policy and Resources  2.0                    18.09.2014

Document distribution and communication

This document will be made available to all users. It will be published on the corporate intranet. Staff will be informed by periodic staff notices and induction information.

Contents

1. Introduction
2. Purpose
3. Scope
4. Definition of information risk
5. Information risk management
6. Roles and Responsibilities
7. Information Risk Assurance Framework
8. Information Security Principles
8.1 Confidentiality
8.2 Integrity
8.3 Availability
9. Putting the Policy into Practice
9.1 Information Asset Register
9.2 Risk Assessments
9.3 Escalation
9.4 Monitoring Compliance
10. Training
11. Review and Revision
Appendix A: Glossary of Terms

1. Introduction

North Lanarkshire Council (NLC) is committed to making the best use of the information it holds to provide efficient services to the public, whilst ensuring that adequate safeguards are in place to keep information secure and to protect the right of the individual to privacy. Managing information risk involves a proportionate approach so that these aims are achieved.

This policy defines the council's framework for formal information risk management by explicitly establishing accountability and responsibility for information risk identification, analysis and mitigation in line with its legal duties and powers.

The council must comply with all relevant data handling legislation and with recognised good practice while doing so. In this respect, an indicative list of supporting legislation, policies, standards etc. is provided in the information governance policy framework document.

2. Purpose

Information risk is inherent in all council activities. Information risk management refers to the ongoing process of identifying information risks and implementing plans to manage them.

The Chief Executive, the Senior Information Risk Owner (SIRO), the Information Governance Working Group (IGWG) and the Corporate Management Team (CMT) are required to assure through the Annual Governance Statement that information risk management is formally embedded into the key controls and approval processes of all major business processes and functions of the council.

The role of the SIRO is to take ownership of the council's information risk, to act as an advocate for information risk at CMT level and to provide written advice to the Chief Executive on the content of the annual governance statement with regard to information risk.

The purpose of this policy is to formally establish the council's position regarding an information risk management process. The intent is to embed information risk management into business processes and functions by means of key assurance, review and control processes. In doing this the policy supports the council's strategic business objectives and should enable staff across the organisation to identify an acceptable level of risk beyond which escalation is necessary. The information risk policy therefore fits within the council's overall business risk management framework. Information risk will not be managed separately from other business risks and will be considered as an element of the overall corporate governance framework.

The information risk management policy has been developed in order to:
• Define how the council and its partners will manage information risk and how risk management effectiveness will be assessed and measured.
• Protect the council from information risks of significant likelihood and impact.
• Provide a consistent information risk management framework through which information risks relating to business processes and functions within the council can be identified, assessed, and addressed through the systems of review, control and assurance.
• Promote proactive rather than reactive approaches to information risk management.
• Meet statutory and local government policy and strategic requirements.

• Assist in safeguarding the council's information assets, which comprise people, finance, property and reputation.
• Ensure respect for customer privacy through safeguarding uses of and accesses to personal data.

3. Scope

This policy applies to all NLC employees and all elected members when they are working on council business. However, we expect anyone using NLC data (e.g. community planning partners, third party organisations etc.) to be aware of and understand this policy and how it should be applied when using council information.

4. Definition of information risk

The information that the council holds is an asset. Using it well improves the efficiency of service delivery and the quality of services offered to the public. The risks in handling information are not only in failing to protect it properly, but also in using it outwith our legal duties and powers. Managing information risk is about taking a proportionate approach.

Information handling risks can include losing paper documents, accidentally deleting electronic files, or inappropriate sharing of personal data. Information risk also exists where data required for public notification or consultation is unavailable or when we are unable to locate information to respond to Freedom of Information or subject access requests.

5. Information risk management

The council will seek to mitigate information risks that may result in reputational damage, financial loss or exposure, major breakdown of information systems or information integrity, significant incidents of regulatory non-compliance, or potential injury to staff, service users or other people working on behalf of the council. All those handling council information are expected to adhere to council policies and procedures at all times.

The requirement is for a positive and robust approach to be taken to managing information risk. The council recognises that the purpose of information risk management is not to eliminate all information risks but rather to provide the organisation with the means to identify, prioritise and manage risks in order to provide a balance between the costs of managing and treating risks and the anticipated benefits that may be derived from this action.

Information risk is not the sole responsibility of any one area of the council. All staff have a responsibility to protect the security of information, particularly when it is person identifiable. All staff therefore should actively participate in identifying potential information risks in their areas and contribute to the implementation of appropriate action.

This requires a structured approach with the clear identification of specific roles and responsibilities to ensure that risks can be managed across all levels in the organisation. The council will base this approach on the clear identification of information assets. All assets held will be recorded on the council's Information Asset Register (IAR). Ownership for each asset will be allocated to a senior accountable manager designated as the Information Asset Owner (IAO). Information Asset Administrator (IAA) roles will be allocated to operational staff with day to day responsibility for managing risks within their designated information asset.

Information risk management is a component of information governance and the introduction of an accountable hierarchy supporting the SIRO and IAOs is essential for identifying and mitigating information risk. The aim is to ensure that the approach to information risk management:
• Sets out accountability and responsibility structures that are fit for purpose in that they ensure that information risks are managed effectively at all levels in the council.
• Associates tasks with appropriate levels in the organisation.
• Is transparent in the way in which information risks are identified.

6. Roles and Responsibilities

The following roles play a critical part in the successful management and mitigation of information risk at the council.

Role: Overall Governance
Title: Chief Executive
Responsibilities:
• Has overall responsibility for ensuring that information risks are assessed and mitigated to an acceptable level.
• Manages information risks in a similar way to other corporate risks such as financial, operational, legal and reputational risks.

Role: Senior Information Risk Owner (SIRO)
Title: Executive Director of Finance & Customer Services
Responsibilities:
• Acts as the advocate for information risk to the CMT.
• Provides written advice to the Chief Executive on the content for the Annual Governance Statement in regard to information risk.

Role: Information Assurance Lead
Title: Chair of IAWG
Responsibilities: Responsible to the SIRO for:
• The overall management of the information asset register.
• Ensuring that each information asset has an identified owner and administrator.
• Maintaining the information risk policy.
• Monitoring the implementation of the information risk policy.
• Ensuring the completion of information risk assessments.

Role: Information Asset Owner (IAO)
Title: Senior manager assigned as information asset owner on the information asset register
Responsibilities:
• Has responsibility for the overall management of the information asset.
• Ensures the confidentiality, integrity and availability of all information that the information asset system creates, receives, maintains or transmits and protects against any reasonably anticipated threats or hazards to the security or integrity of such information.
• Conducts information asset risk assessments.
• Participates in the annual information risk assessment process.
• Provides assurance to the SIRO on the security and use of these assets.

Role: Information Asset Administrator (IAA)
Title: Staff with responsibility for the information asset
Responsibilities:
• Day to day operation of the information asset.
• Ensures policies and procedures are followed.
• Identifies and acts on actual or potential security incidents.
• Works with the information asset owner on incident management and risk assessments.
• Ensures that the details in the information asset register are accurate and complete.

Role: Subject Matter Experts (SMEs)
Title: Corporate Data Protection Officer (CDPO); Records Manager; Information Services Manager; Freedom of Information Officer; Data Custodian; ICT Security Manager; GIS Team Leader
Responsibilities:
• Provide expertise on respective areas underpinning information risk management.

7. Information Risk Assurance Framework

The Chief Executive has delegated authority for the oversight of the information risk management assurance framework to the SIRO, who is accountable to the Corporate Management Team for the implementation of the Information Risk Policy.

The Information Governance Working Group (IGWG) will, on behalf of the CMT, be responsible for the oversight and assurance of the processes for the identification and assessment of information risk.

The SIRO will provide written advice to the Chief Executive on information risk matters. The SIRO is therefore required to ensure that information security risks and incidents are identified and managed and that the CMT and Audit & Governance Panel are kept informed on all significant information risk issues. To provide this assurance the SIRO will report regularly to the CMT and Audit and Governance Panel on the management of information risks.

The Information Assurance Working Group (IAWG) will identify and promote good practice in relation to the management of information assets including compliance with information legislation detailed in the information governance policy framework document. The IAWG will also harmonise policy, practice and support information governance and information management across North Lanarkshire Council. This includes practices relating to the training of staff in information management and associated legislation and the creation, monitoring and maintenance of a corporate Information Asset Register (IAR) and the use of

[Figure: information risk governance structure. Corporate Management Team, chaired by the Chief Executive, with the NLC Accountable Officer; Information Governance Working Group (IGWG), providing information governance advice; Information Assurance Working Group (IAWG), with day to day operational responsibility for information management.]

8. Information Security Principles

The Information Governance Working Group has adopted the following principles underwhich it requires information risk to operate.

8.1 Confidentiality

The council must apply appropriate confidentiality measures. The council, however, shouldnot classify documents as official−sensitive without clear justification for doing so. Guidanceon protective marking is contained within the council's Information Handling Policy

8.2 Integrity

The council will ensure the accuracy and completeness of the information that it holds and ensure that it is held only as long as required.

8.3 Availability

The council should make information publicly available unless there are sound operational or public interest reasons for not doing so or there are legal reasons preventing it, in particular reasons relating to the Data Protection Act and the privacy of individuals.

9. Putting the Policy into Practice

9.1 Information Asset Register

North Lanarkshire Council will use an Information Asset Register to understand and manage its information assets and the associated risks.

The Information Governance Working Group will own the Information Asset Register and the Information Assurance Working Group will ensure that the information contained within it is accurate and complete.

The Information Asset Register will be published on the council's intranet.

9.2 Risk Assessments

Information asset owners (IAOs) will risk assess the information assets for which they are responsible. Each asset will have a separate risk assessment. In completing this task, IAOs will be supported by the Information Assurance Working Group and Information Asset Administrators (IAAs).

Risk assessments will occur at the following times:

• At the inception of new systems, applications or facilities that may impact on the assurance of council information systems;
• As a result of any significant changes, enhancements or upgrades to existing critical information systems or applications;
• When council policy requires risks to be assessed;
• When the Audit & Governance Panel or Corporate Management Team requires it;
• When there has been an adverse incident.

Significant risks identified as a result of this process will be recorded on the Corporate Risk Register and monitored through the associated processes.

9.3 Escalation

Anyone who identifies risks to our information assets will alert the relevant IAO. If the IAO is not able to address the risks using the resources within their control, they will raise the matter with the chair of the Information Assurance Working Group, who, if appropriate, may escalate it to the SIRO.

9.4 Monitoring Compliance

The table below outlines the council's monitoring arrangements. The council, however, reserves the right to commission additional work or change the monitoring arrangements should organisational needs require.

Aspect of compliance being monitored | Monitoring method | Group responsible for the monitoring | Frequency of the monitoring activity | Group which will receive the monitoring report | Individual responsible for ensuring effectiveness and that the actions are complete
Information Asset Register review | Quarterly performance management | Information Assurance Working Group (IAWG) | Quarterly | Information Governance Working Group (IGWG) | Chair of the IAWG
Number of completed risk assessments | Quarterly performance management | Information Assurance Working Group (IAWG) | Quarterly | Information Governance Working Group (IGWG) | Chair of the IAWG

10. Training

All users will be required to undertake training and thereafter annual refresher training on information governance and information risk awareness. New employees will be required to complete this training as part of their induction programme. Additional training on information risk management and security will be provided to specific groups where this is required as part of their role, e.g. staff with responsibility for sensitive or confidential information. Annual training on aspects of information risk management will be provided to the SIRO, IAOs, CDPO and IAAs. Data handling and information governance training will be considered as part of the corporate annual performance review process.

11. Review and Revision

This policy will be reviewed whenever guidance or the law is changed but at a minimum every 24 months. Policy review will be undertaken by the Information Governance Working Group under the guidance of the Senior Information Risk Owner.

Appendix A: Glossary of Terms

Term | Description
ALL USERS | All parties who have access to Council information including employees, elected members and third party contractors and any other individuals or organisations who access Council information.
CDPO | Corporate Data Protection Officer
CMT | Corporate Management Team
Council Information | Council information includes data, records, paper and digital formats.
EGASD | Efficient Government and Service Development
IAA | Information Asset Administrator
IAO | Information Asset Owner
IGWG | Information Governance Working Group
IAWG | Information Assurance Working Group
NLC | North Lanarkshire Council
SIRO | Senior Information Risk Owner

North Lanarkshire Council

Information Handling Policy

Version 2.1

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this

Document Control

Revision History

Revision No. | Originator | Date of revision | Revision Description
1.0 | Marcia Jarnell | 22.02.2013 | Following consultation with IGWG and IMWG
2.0 | Peter Tolland | 04.07.2014 | Following consultation with IGWG and IAWG document names changed and content revised.
2.1 | Peter Tolland | 17.07.2014 | Access and Security areas revisited.

Document Approvals

Sponsor Approval | Revision No. | Date
Policy and Resources | 1.0 | 14.03.2013
Policy and Resources | 2.0 | 18.09.2014

Document distribution and communication

This document will be made available to all users. It will be published on the corporate intranet. Staff will be informed by periodic staff notices and induction information.

1. Introduction ............................................................................................................ 4

2. Purpose ................................................................................................................... 4

3. Scope ...................................................................................................................... 4

4. Classification Policy ................................................................................................ 4

5. Handling & Storage Policy ...................................................................................... 6

6. Disposal Policy ........................................................................................................ 6

7. Roles and Responsibilities ...................................................................................... 7

8. Putting the Policy into Practice ............................................................................... 7

9. Policy Review and Revision .................................................................................... 7

Appendix A: Glossary of Terms .................................................................................. 8

Appendix B: Risk and Impact Assessment ................................................................. 9

Appendix C: OFFICIAL-SENSITIVE: Descriptor ........................................................ 10

Appendix D: Handling, storage and disposal procedures ........................................ 11

1. Introduction

North Lanarkshire Council (NLC) holds a significant amount of information. This information is an asset and it needs to be protected securely in line with the sensitivity of content and the risk of disclosure. We also work very closely with other partners who hold sensitive information.

It is important that the level of sensitivity of a document can be easily and accurately understood at all times by those working with it, so it can be handled appropriately. To support this we are adopting the UK Government Security Classification Policy.

2. Purpose

This policy defines how NLC information is to be classified, handled, stored and disposed of, for both paper and electronic media.

It is our intention to comply with all relevant data handling legislation and to comply with recognised good practice while doing so. In this respect, an indicative list of supporting legislation, policies, standards etc is provided in the information governance policy framework document.

The classification of the information does not make it exempt from disclosure under the Freedom of Information (Scotland) Act, the Data Protection Act or the Environmental Information (Scotland) Regulations, nor does it mean that it must be supplied.

3. Scope

This policy applies to all NLC employees and all elected members when they are working on council business. However, we expect anyone using NLC data (e.g. community planning partners, third party organisations etc) to be aware of and understand this policy and how it should be applied when using council information.

4. Classification Policy

The UK Government Security Classification Policy has three levels: TOP SECRET, SECRET and OFFICIAL. There is no level below OFFICIAL.

Information bearing the classification SECRET or TOP SECRET is outside the scope of this policy. Information with these classifications requires specialist handling procedures, as detailed in the UK Government Security Classifications Policy. Any information received that bears these or any other classification other than OFFICIAL (e.g. sensitive, commercial-in-confidence, confidential etc) should be referred to the corporate Data Protection Officer (DPO) for guidance.

NLC has adopted the classification level of OFFICIAL. Personnel, physical and information security controls for OFFICIAL are based on commercial good practice, with an emphasis on employees respecting the confidentiality of all information and evaluating information risks to the council in terms of business impact.

Evaluation of business impact is based on Her Majesty's Government (HMG) Business Impact Level tables as defined in HMG IA Standard 1. Often shortened to impact levels (IL), these are a set of numbers (IL0 up to IL3) used to categorise the impact of a data loss in:

• confidentiality: the potential consequences of information being seen by those who should not see it
• integrity: the potential consequences of having the accuracy or completeness of
• availability: the potential consequences of information becoming inaccessible

Any information that is created, processed, generated, stored or shared within (or on behalf of) NLC is OFFICIAL by definition. This includes published data where integrity and availability considerations (e.g. copyright) may apply and can also include information where disclosure or unauthorised access could have damaging consequences if lost, stolen or published in the media. There is no requirement to protectively mark OFFICIAL information. Examples of information that falls within the OFFICIAL category are:

• Non-Sensitive Information: This information will typically be public knowledge or intended for public consumption; for example, marketing material, open consultations, information to be published under transparency/open data or even routine communications with members of the public or third parties where there is no confidentiality requirement. There may however be a requirement to protect the integrity and availability of this information.

• Transactional: This includes one-off (potentially) confidential exchanges with external partners (citizens, industry, third sector etc), and online transactional services where the loss of a small number of instances is tolerable, but systematic or large scale compromise is unacceptable. Loss of confidentiality, integrity or availability of this data will result in disruption to NLC service delivery and may have a commercial or financial impact. Use of this information may also need to comply with external compliance obligations such as the Payment Card Industry Data Security Standard (PCI DSS).

• Routine Business: Information of varying sensitivity that supports the routine business, operations and services of NLC. There is a requirement to protect the confidentiality, integrity and availability of this information.

• Legally defined (e.g. personal): Information which is subject to legal and/or regulatory requirements. For example, personal information that relates to an identifiable individual as defined by the Data Protection Act (DPA). Legal or regulatory requirements must be met and additional controls may be required. There is a clear requirement to protect the confidentiality, integrity and availability of such information.

In some instances more stringent controls must be enforced and assured for OFFICIAL information where the risk of loss, compromise or misuse of information has been assessed as being likely to have damaging consequences for an individual, an organisation or NLC more generally.

• Security and Access: OFFICIAL and OFFICIAL-SENSITIVE information is still protected by DPA legislation. Information created, processed, generated, stored or shared within (or on behalf of) NLC may have additional security applied in accordance with DPA and 'need to know' guidance in relation to its content via system or physical storage security.

For OFFICIAL information of particular sensitivity, a single caveat, OFFICIAL-SENSITIVE, may be used. All OFFICIAL-SENSITIVE information must be marked OFFICIAL-SENSITIVE at the centre top or bottom of each page.

The OFFICIAL-SENSITIVE caveat should be used by exception in limited circumstances where there is a clear and justifiable requirement for its use. This might include, but is not limited to, the following types of information:

• the most sensitive corporate or operational information, e.g. relating to organisational change planning, contentious negotiations, protection of vulnerable people or major security or business continuity issues;

• policy development and advice to ministers or elected members on contentious and very sensitive issues;

• commercial or market sensitive information, including that subject to statutory or regulatory obligations, that may be damaging to NLC or to a commercial partner if improperly accessed;

• information about investigations and civil or criminal proceedings that could compromise public protection or enforcement activities, or prejudice court cases.

Detailed guidance with examples is available in Appendix B. In addition, OFFICIAL-SENSITIVE is used with three descriptors, as listed in Appendix C, and these must be used to clearly highlight the reason for the protection and restriction.

The classification applied must be reviewed during the life of the information or document to ensure that the classification continues to be appropriate and relevant. For example, there may be a locally sensitive issue that has not yet been announced and the information would be classified and marked OFFICIAL-SENSITIVE: LOCSEN, but once the announcement has been made it may become available to all, with the classification changed to OFFICIAL and the protective marking removed.

Only the originating creator of the asset, the associated Information Asset Owner (IAO), Head of Service or the Senior Information Risk Officer (SIRO) can alter the classification of an asset.

5. Handling & Storage Policy

All information must be handled in a manner appropriate to the OFFICIAL classification, as detailed in Appendix D. Employees must not attempt to classify or store information by any means other than that defined within this policy.

All handling or disclosure of OFFICIAL-SENSITIVE information, including release under the Freedom of Information Act, must be authorised by the IAO or appropriate Head of Service for that information asset. The identity of the IAO can be found in the Information Asset Register (IAR).

6. Disposal Policy

All information must be disposed of or sent to archive, in accordance with the approved retention and disposal schedule which forms part of the NLC Records and Information Management Policy. Disposal of information must be appropriate to its classification as detailed in Appendix D.

All redundant copies of OFFICIAL information that have been generated in the course of printing, photocopying or handling must be disposed of according to approved procedures. It is the responsibility of the IAO for these assets to ensure that procedures are followed to assure secure disposal of information when it is no longer required.

Where OFFICIAL information is held by a third party and it needs to be disposed of, this must be carried out by authorised NLC personnel or an NLC approved external disposal service. When a third party is used for the disposal of NLC information, the third party must be contractually bound to employ the security controls required by NLC.

Disposal of OFFICIAL information captured on electronic storage media must only be performed with methods and equipment approved by the ICT Security Manager. All data and software on NLC information system hardware or machine-readable media will be erased and made unrecoverable prior to reuse of the media within the Council or release of the media to a third party for disposal, sale, service or repair.

7. Roles and Responsibilities

The originator or recipient of information is responsible for setting the classification at the initial stage of creation or receipt. Those handling, storing or disposing of information cannot change the classification that has been applied; however, they can challenge it with the IAO or via the Information Assurance Working Group (IAWG).

The IAWG is responsible for providing guidance on the classification, handling, storage and disposal of information held or created by the council.

8. Putting the Policy into Practice

Detailed practical guidance on how to apply this policy is contained in the Information Handling Policy Guidelines.

9. Policy Review and Revision

This policy will be reviewed whenever guidance or the law is changed but at a minimum every 24 months. Policy review will be undertaken by the Information Governance Working Group under the guidance of the SIRO.

Appendix A: Glossary of Terms

Term | Description
ALL USERS | All parties who have access to council information including employees, elected members and third party contractors and any other individuals or organisations who access Council information.
CDPO | Corporate Data Protection Officer
CMT | Corporate Management Team
Council Information | Council information includes data, records, paper and digital formats.
IAA | Information Asset Administrator
IAO | Information Asset Owner
IGWG | Information Governance Working Group
IAWG | Information Management Working Group
NLC | North Lanarkshire Council
SIRO | Senior Information Risk Owner

Appendix B: Risk and Impact Assessment

The table below defines how the information content in NLC is assessed for risk and impact level (IL) to determine the appropriate classification.

Impact | Classification | Examples | IL

Impact level 0 or 1: OFFICIAL

Impact:
• Little or no impact on the finances of the authority
• No inconvenience or distress to our customers
• Little or no financial impact to our customer
• Little or no impact on the authority's standing or reputation

Examples:
• Policies and procedures
• Documents available in the public domain or on the NLC public website
• Property address where it does not identify the individual owner or residents
• Names and contact details of specific employees or individuals that are in the public domain

Impact level 2: OFFICIAL

Impact:
• Short-term inconvenience, harm or distress to an individual
• Financial loss or loss of earning potential, or can facilitate improper gain
• Damage to the authority's standing or reputation
• Financial impact to the authority (up to £1M)
• Breach of proper undertakings to maintain the confidence of information provided by individuals or third parties
• Breach of statutory restrictions on the disclosure of information

Examples:
• Personal information relating to any customer or employee such as a name, address and contact details, VAT number or National Insurance number for which we have a duty of care
• Exempt committee papers excluded from the public under the Local Government (Scotland) Act
• An employee record
• A customer case file
• Draft documents before approval for release into the public domain

Impact level 3: OFFICIAL-SENSITIVE

Impact:
• Substantial inconvenience, harm or distress to individuals
• Substantial financial loss or loss of earning potential, or to facilitate significant improper gain or advantage
• Substantial damage to the authority's standing or reputation
• Significant financial impact to the authority (£Millions)
• Prejudice the investigation of or facilitate the commission of low-level crime, hinder detection of serious crime
• Could have wider implications within local government
• Affect inter-organisational relations

Examples:
• Complete set of an individual's social care files or health record
• Investigation files
• A smaller multiple of complete customer or employee records where information is sensitive, or has financial or identity data (remembering that the classification reflects the highest impact individual item)
• Volumes of OFFICIAL data about a reasonably large number (hundreds) of customers or employees

Appendix C: OFFICIAL-SENSITIVE: Descriptor

The table below defines the descriptors to be used with the classification, based on information content, for example OFFICIAL-SENSITIVE: COMMERCIAL.

Their use is strongly recommended as they also serve to help those handling the information to decide who should have access to the material. Information received from other public sector partners may use one of these descriptors.

Descriptor | Used for
COMMERCIAL | Disclosure would be likely to damage the council's, a third party's or a commercial establishment's processes or affairs
LOCSEN | Locally sensitive issues not yet for publication
PERSONAL | Information that is personal to an individual or the sender and/or recipient

NOTE: In unusual circumstances OFFICIAL-SENSITIVE information may contain a combination of all three descriptor areas (e.g. it may hold both personal and commercial data). In these cases the descriptors should not be used and the information should be classified as OFFICIAL-SENSITIVE.

Appendix D: Handling, storage and disposal procedures

This table defines how the information resource should be handled, stored and disposed of for the classifications of information in use by NLC. Internal applies for sending information within NLC and External applies for sending information outside of NLC to partners, third parties or the public.

HANDLING (general)

In all instances, the transfer or transmission of OFFICIAL-SENSITIVE information must be authorised by the Information Asset Owner (IAO) or the appropriate Head of Service for that information asset. There are no exceptions.

.OFFICIA1.:OFFICIAL−SENSITIVE.,Document None OFFICIAL−SENSITIVE [descriptor]Marking at the centre top or centre bottom

of every page.Licensed Copies must not be taken of Copies must not be taken ofMaterials copyrighted material unless they are copyrighted material unless they(Photocopying covered by the council's license are covered by the council'sand Scanning) contract. For example, with the license contract. For example, with

Copyright Licensing Agency or by the Copyright Licensing Agency orobtaining specific written permission by obtaining specific writtenfrom the copyright owner. permission from the copyright

owner.Email within the Normal use of email, no specific Confirm email addresscouncil requirements.

Use disclaimer in the first line oftext in email body − "Only to beopened by addressee(s). Neverforward or send to otheraddresses"

All OFFICIAL−SENSITIVEinformation must be in anattachment.

Ensure that the covering emaildoes not containOFFICIAL−SENSITIVE

level information.

Encrypt the OFFICIAL−SENSITIVElevel information to an appropriatestandard. (the instructions forencryption can be found onConnect under Training and guidance /IT systems guidance / Security hints andtips)

Email out with the Confirm email address Never send via non−GCSX email.Council (without Normal use of email, no specificGCSX) requirements. Consider using courier instead of

using email.

North Lanarkshire Council I PaQe 11 of 15

Page 45: NORTH LANARKSHIRE COUNCIL REPORT · I JnffhationGovernanceEolicy Framework .i_I_____Version 1 O__tiJul2014_I 4. Scope This policy applies to all NLC employees and all elected members

I Jhfôrmation_HàndlingEälicy_ − I V e r i i T I − JUI204I

RA ,.l ' − − − − • − • − − I I ( ' I A I • Q MQITIV!. − − − − . − −

−.,,

−Emailoot withthë N ô t t O b è i s d −− C O f i r m e i l ddress 'Council (with

−Instead −use northIanarkshire:gov:uk−− −Use disclaimer−in the firstline−of−−−−mailbox

−t e x t i n ernaji body−"Onlyto be

− opened byaddressee(s) NeVér_______

− −

− − − − − − • •

−−−Jorwar −or−−send−to−

addresses".

Short MessagingService (SMS) orMulti−MediaMessagingService (MMS) orInstantMessaging (IM)Transferring datavia electronictransmissionand/or electronicmediaPublic Website

Surveys

Post (InternalMail)

No specific requirements.

No specific requirements.

Open access.

Open access.

Can be sent through internal mail.

Always use an envelope

Always address to an individual byname or role.

Encrypt any volume data in anattachment.Do not use.

Secure, approved connection asagreed by Information SecurityManager, or encrypted (see ICTSecurity Policy)

Only to be used with authenticatedaccess.Only to be used with authenticatedaccess.Sealed envelope marked"OFFICIAL−SENSITIVE [descriptor]Addressee Only".

Always address to an individual byname or role.

Double enveloped, both sealed andfully addressed.

Outer envelope with no markingsor descriptors (other than"personal" or "addressee only" ifyou wish to limit access.

If sending electronic media, all OFFICIAL-SENSITIVE [descriptor] information must be encrypted to an appropriate standard (the instructions for encryption can be found on Connect under Training and guidance / IT systems guidance / Security hints and tips).

Only to be opened by addressee or delegated employee.

Information Handling Policy, Version 2.1, Jul 2014

Medium: Post (external, by public postal service (the mail) or courier service)

OFFICIAL:
• Always include return address. Single sealed, fully addressed envelope with no marking or descriptors (other than "personal" or "addressee only" if you wish to limit access).
• If important or sensitive, consider using bonded courier or special delivery.
• If sending electronic media, all information must be encrypted to an appropriate standard (see ICT Security Policy).

OFFICIAL-SENSITIVE:
• Always include return address. Double enveloped, both sealed and fully addressed.
• Outer envelope with no markings or descriptors (other than "personal" or "addressee only" if you wish to limit access).
• Inner envelope to be marked "OFFICIAL-SENSITIVE [descriptor] Addressee Only".
• Consider using bonded courier or special delivery.
• Only to be opened by addressee or delegated employee.
• If sending electronic media, all information must be encrypted to an appropriate standard (the instructions for encryption can be found on Connect under Training and guidance / IT systems guidance / Security hints and tips).

Medium: Telephone (internal, public network, mobile) and/or conversations

OFFICIAL:
• Normal use if recipient can be identified and spoken to.
• Information should not be discussed where it is likely to be overheard.

OFFICIAL-SENSITIVE:
• Normal use if recipient can be identified and spoken to.
• Inform the recipient that the information is OFFICIAL-SENSITIVE [descriptor].
• Information should not be discussed where it is likely to be overheard.
• Do not leave messages containing OFFICIAL-SENSITIVE information on answering systems.

Medium: Fax

OFFICIAL:
• Normal use of a fax machine.
• Consider not using one touch dialling in case the number has been changed or corrupted.

OFFICIAL-SENSITIVE:
• Consider not using one touch dialling in case the number has been changed or corrupted.
• Information should be kept to a minimum.
• Recipient must be at hand.
• Send cover sheet first and wait for

Medium: Bulk transfers

OFFICIAL:
• Only permitted if approved by the IAO or appropriate Head of Service, subject to NLC policy and procedure (e.g. data sharing agreement, data processing agreement, contract, risk assessment).
• For electronic transfer, secure, approved connection as agreed by Information Security Manager, or encrypted (see ICT Security Policy).

OFFICIAL-SENSITIVE:
• Only permitted if approved by the IAO or appropriate Head of Service, subject to NLC policy and procedure (e.g. data sharing agreement, data processing agreement, contract, risk assessment).
• For electronic transfer, secure, approved connection as agreed by Information Security Manager, or encrypted (the instructions for encryption can be found on Connect under Training and guidance / IT systems guidance / Security hints and tips).

HANDLING (additional safeguards for flexible, remote working, hot desking)

External locations: Hot desking, mobile, home or working away from the office

OFFICIAL:
• Never leave information assets unattended.
• Secure information assets out of sight and locked away when not in use, i.e. clear desk/screen policy.
• Information must not be discussed in a public place where it may be overheard or overlooked.
• Not to be stored electronically on personal home computer or personal mobile device.
• Minimum encryption protected on NLC mobile storage device.
• Remote access to server-based master is preferable.
• Personal use only. No access to unauthorised users.

OFFICIAL-SENSITIVE:
• Only permitted if approved by the IAO or appropriate Head of Service.
• Never leave information assets unattended.
• Secure information assets out of sight and locked away when not in use, i.e. clear desk/screen policy.
• Information must not be discussed in a public place where it may be overheard or overlooked.
• Not to be stored electronically on personal home computer or personal mobile device.
• Minimum encryption protected on NLC mobile storage device.
• Remote access to server-based master is preferable.
• Personal use only, no access to unauthorised users.

STORAGE

Medium: Storage of media (e.g. CDs)

OFFICIAL:
• Protected by one physical lock. Examples: locked drawer or office.

OFFICIAL-SENSITIVE:
• Protected by two physical locks. Example: locked cabinet and locked office.

Medium: Electronic storage

OFFICIAL:
• Access rights must be approved/granted to the job role by the Information Asset Owner.
• NLC network: Controlled access by defined user groups to specific areas. For example: network storage, electronic document management systems or application systems.
• Mobile working: Encrypted to minimum NLC encryption, preferably accessed directly through remote network access. Examples: Secure fob and Citrix.

OFFICIAL-SENSITIVE:
• Access rights must be approved/granted to the job role by the appropriate Head of Service and the Information Asset Owner.
• NLC network: Controlled access by defined user groups to specific areas. For example: network storage, electronic document management systems or application systems.
• Mobile working: Encrypted to minimum NLC encryption, preferably accessed directly through remote network access. Examples: Secure fob and Citrix.

Medium: Electronic backup (not held on data centre servers)

OFFICIAL:
• Do not leave screen unattended. (See also Mobile Working.)
• Backup stored in locked cabinet.

OFFICIAL-SENSITIVE:
• Do not leave screen unattended. (See also Mobile Working.)
• Backup stored in locked cabinet in a locked area.

DISPOSAL

Medium: Disposal of papers

OFFICIAL:
• Recycle for information freely available in the public domain.
• Otherwise, use secure waste disposal: destruction or shredding.

OFFICIAL-SENSITIVE:
• Only permitted if approved by the IAO or appropriate Head of Service.
• Secure waste disposal: destruction or shredding.

Medium: Disposal of electronic media

OFFICIAL:
• Destroy or erase to make unrecoverable if media is to be reused.

OFFICIAL-SENSITIVE:
• Only permitted if approved by the IAO or appropriate Head of Service.
• Destroy or erase to make unrecoverable if media is to be reused.

North Lanarkshire Council

Data Protection Policy

Version 2.0

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this

Data Protection Policy, Version 2.0, Aug 2014

Document Control

Organisation: North Lanarkshire Council
Title: Data Protection Policy
Creator: Gerry Gardiner, Senior Information Risk Officer
Subject: Governance of Council Information
Classification: OFFICIAL
Identifier: 20140818 Data Protection Policy V2.0
Date Issued: [to be inserted]

Revision History

Revision No.  Originator      Date of revision  Revision Description
1.0           Gerry Gardiner  22.02.2013        Following consultation with IGWG
2.0           Gerry Gardiner  04.07.2014        Following consultation with IGWG

Document Approvals

Sponsor               Approval Revision No.  Date
Policy and Resources  1.0                    14.03.2013
Policy and Resources  2.0                    18.09.2014

Document distribution and communication

This document will be made available to all users. It will be published on the corporate intranet. Staff will be informed by periodic staff notices and induction information.

Contents

1. Introduction  4
2. Information Risk  4
2.1 Senior Information Risk Owner (SIRO)
3. Data Protection  4
4. Scope of this Policy  5
5. Personal Data  5
6. The Data Protection (DP) Principles  5
7. Discharging our Responsibilities under the Act  6
7.1 The Data Controller  6
7.2 The Corporate Data Protection Officer (CDPO)  7
7.3 The Chief Executive and Executive Directors  7
7.4 Service Managers  8
7.5 All Users  8
8. Privacy Impact Assessments  8
9. Data Protection Incidents/Breaches  8
10. Notification to ICO of Personal Information Held  9
11. Giving Information to other Departments and Third Parties  9
12. Data Sharing  9
13. Rights of Individuals  10
14. Review and Revision  10
Appendix A: Glossary of Terms  11

1. Introduction

North Lanarkshire Council ("the Council") provides a wide range of services for people who live or work in North Lanarkshire, who invest in North Lanarkshire and who visit North Lanarkshire. A range of public sector, commercial and voluntary sector organisations provide services and support.

To deliver services effectively the Council needs to collect, process and hold large volumes of information relating to organisations and individuals.

2. Information Risk

The collation and holding of information of any nature creates a risk of information falling into the hands of third parties or misuse of the information. To manage those risks the Council has in place a number of policies. These are listed in the information governance policy framework document.

2.1 Senior Information Risk Owner (SIRO)

The Senior Information Risk Owner (SIRO) is the Executive Director of Customer & Financial Services. The SIRO's duty is in respect of all information collected, held and processed by the Council. The SIRO is not a position prescribed or regulated by legislation. It is a position recommended by the Information Commissioner. The SIRO is responsible for:

(a) overall information risk; he/she will provide written advice on a regular basis to the Chief Executive on internal control and performance in respect of information risk;

(b) assessing the impact of information risks on the Council and how the risks may be managed, ensuring arrangements are put in place to mitigate risks. He/she will implement and lead information risk and management processes within the Council; and

(c) advising the Corporate Management Team on effectiveness of information risk management across the Council.

3. Data Protection

As explained in 2 above, to deliver services effectively the Council needs to collect, process and hold large volumes of information which includes personal information (personal data) relating to current, past and prospective customers, clients, employees, elected members, and contractors.

In addition, it may from time to time be required by law to process personal information to comply with the requirements of government departments and other public agencies. There are also instances where we process personal data for contractors; and arms length external organisations and third parties process Council information which includes personal data.

The Data Protection Act, 1998 ("the Act") makes provisions for how personal data (information) about living individuals in any form, including paper and electronic, must be collected, processed and held. The Act imposes restrictions on how the Council may process personal data, and a breach of the Act could give rise to criminal and civil sanctions, including fines, as well as bad publicity.

The legislation provides that sensitive personal data (including political opinions, religious beliefs, trade union membership, physical and mental health, sexual life and criminal records) shall only be collected for certain specific purposes and with the individual's express written consent. The Council can only process sensitive data where certain conditions apply (see Schedule 3 of the Act). The Council should not collect sensitive data unless there is a genuine particular need for this information.

4. Scope of this Policy

This policy is applicable to all personal data held by the Council, whether in manual form and accessed on Council premises or via Council information technology systems accessed on Council premises or via mobile or home-working equipment. Personal data held on removable devices and other portable media is also covered by this policy.

The policy applies to all employees, elected members, third party contractors and any other individuals or organisations who access Council information.

This policy is not part of the contract of employment and the Council may amend it at any time. However, it is a condition of employment that employees and others who obtain, handle, process, transport and store personal data will adhere to the rules of the policy. Any breach of the policy will be taken seriously and may result in disciplinary action.

5. Personal Data

This policy adopts the definition of personal data contained in the Data Protection Act 1998.

It is accepted (from decisions reached in the courts):

• that data will relate to an individual if it is information that affects a person's privacy, whether in personal or family life, business or professional capacity; and

• that two tests can help to decide if information does affect an individual's privacy.

The first test is whether the information is biographical in a significant sense. This would be if the information goes beyond recording an individual's involvement in a matter or an event which has no personal connection.

The second test is whether the information has the individual as its focus rather than some other person with whom the individual may have been involved or a transaction or event where the individual may have been mentioned.

6. The Data Protection (DP) Principles

The Act requires organisations (like the Council) which handle personal data to collect, process and hold personal and confidential information securely and responsibly. This includes destroying information safely when it is no longer required.

The Act sets out eight key principles:

First: Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.

Second: Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Third: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Fourth: Personal data shall be accurate and, where necessary, kept up to date.

Fifth: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Sixth: Personal data shall be processed in accordance with the rights of data subjects under the Act.

Seventh: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Eighth: Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

7. Discharging our Responsibilities under the Act

7.1 The Data Controller

In terms of the legislation, the Council is the Data Controller. To ensure compliance with the data protection principles, the Council will:

• Observe fully conditions regarding the fair collection and use of data.
• Meet its obligations to specify the purposes for which data is used.
• Collect and process appropriate data and only to the extent that it is required to fulfil operational needs or to comply with any legal requirements.
• Ensure the quality of the data used.
• Put in place arrangements to determine the length of time the data is held.

7.1.1 Fair Obtaining and Processing

The Council will tell people how their personal information will be used and also ask for an individual's "informed consent" if this is needed (the individual must understand what their information will be used for and how it will be shared and stored) (see first DP Principle). The individual may sign to give their consent. This requirement to tell people will always apply, no matter how the information is gathered (for example, paper forms, email, surface mail correspondence, web data collection forms, or any other method). We must say clearly in all of these methods how we will use people's personal information.

7.1.2 Accuracy

The Council must make sure that all personal information that it holds is accurate and, where necessary, up-to-date (fourth DP Principle). Information should be reviewed regularly and service managers must have procedures in place to make sure that inaccurate or out-of-date information is updated. Information that the Council no longer needs to hold must be [...]

7.1.3 Data Processors

The Act requires the Council to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. Personal data may only be transferred to a third-party data processor if the processor agrees in writing to comply with those procedures and policies, or if it puts in place adequate measures itself.

7.1.4 ICO Assessment

The Council must co-operate with any Data Protection assessment carried out by the Office of the Information Commissioner (ICO). Users must assist with any assessment as required by the ICO and / or the Council.

7.2 The Corporate Data Protection Officer (CDPO)

The CDPO is the Head of Legal Services. The CDPO's responsibility is in respect of personal data collected, held and processed by the Council. The CDPO is not a position required by the Act; it is a position recommended by the Information Commissioner.

The CDPO's responsibilities include:

(a) ensuring that the Council complies with UK data protection legislation.

(b) ensuring Council staff are fully informed of their own legal responsibilities.

(c) developing and managing the Council's Data Protection Strategy, including development, implementation and enforcement of this policy and Data Protection procedures.

(d) reporting on the Council's compliance with the Act to SIRO on a six monthly basis.

(e) ensuring that necessary arrangements are in place for dealing where appropriate with subject access requests that relate to more than one service of the Council.

7.3 The Chief Executive and Executive Directors

The Chief Executive and each Executive Director's responsibilities include:

(a) ensuring that the information under their control is collected, processed and held in accordance with this policy and the Act.

(b) nominating lead contacts for data protection responsibility within their services to the CDPO; and reporting immediately changes to the contact details to the CDPO.

(c) ensuring that necessary arrangements including nominated officers are in place to deal with subject access requests (see paragraph 13).

(d) identifying all categories of personal information held within their service.

(e) identifying all processing to which that personal information is put.

(f) identifying how long personal information needs to be held within each Service.

(g) ensuring that necessary arrangements are in place in their service for the secure disposal of personal data.

(h) putting into place procedures for the secure destruction of any personal information immediately when the Council no longer needs to keep it.

(i) putting in place all arrangements and procedures as are necessary for the safekeeping of all personal information, ensuring that no one can get unlawful access to personal information that is held.

(j) issuing instructions and putting into place procedures to make sure that every person who has access to personal information held by their service makes use of that information only for the purposes for which the said information is held; and

(k) ensuring that all processing of personal information complies fully with all the provisions of the Act and this policy.

7.4 Service Managers

Service managers' responsibilities include:

(a) ensuring that employees know what they have to do under the Act (seventh Principle), ensuring that their staff are trained in DP and confirming to the CDPO when appropriate training has been undertaken by employees and maintaining records of training;

(b) ensuring that disciplinary action up to dismissal is taken where an employee has deliberately broken the terms of the Act or this policy or of any of the Council's own procedures;

(c) ensuring employees know that they could face criminal proceedings if they deliberately or recklessly obtain information or give it out unlawfully (seventh DP Principle);

(d) ensuring that all personal information held is accurate and up to date; and

(e) determining whether a Privacy Impact Assessment needs to be undertaken and, if so, putting in place appropriate arrangements to ensure that such an Assessment is undertaken and completed.

7.5 All Users

All users must:

(a) observe and comply with the Data Protection principles.

(b) ensure that personal information is properly protected at all times. This requires continued compliance with the Act, this policy and all other Council information policies, procedures and other guidance.

(c) report any observed or suspected breach of this data protection policy or related information procedure and guidance (in accordance with the protocol set out in Appendix B to this policy). Link to Appendix B - Data protection breach and incident management protocol.

(d) ensure that individual archives, or any personal records they hold, are not kept when they are no longer required.

8. Privacy Impact Assessments

The CDPO is responsible for producing guidance on Privacy Impact Assessments and reviewing the guidance every alternate year commencing October 2012. (The current guidance and guidelines is Appendix C of this document.) Link to Appendix C - North Lanarkshire privacy impact assessment guidelines.

9. Data Protection Incidents/Breaches

All incidents must be reported, whether or not the incident results in a breach of the Act and actual damage or loss to any person, to the CDPO in accordance with the protocol in Appendix B to this policy, and the CDPO will take appropriate action in respect of the breach in accordance with the said protocol. ("Incidents" are defined/explained in Appendix B.)

10. Notification to ICO of Personal Information Held

It is the responsibility of the CDPO to notify the Office of the Information Commissioner of all categories of personal information held by the Council and to renew that notification each year. This includes all the uses to which the information is put. To enable the notification to be kept up to date at all times, it is the responsibility of the Chief Executive and each Executive Director:

• to advise the CDPO immediately of any new categories of information held in his/her service.

• to advise the CDPO immediately of any changes in the uses to which his/her service is putting any personal information his/her service holds.

• to advise the CDPO immediately of any categories of personal information which is no longer held by his/her service.

11. Giving Information to other Departments and Third Parties

The Council must protect against giving out personal information unlawfully.

Personal information can only be shared between council services and/or third parties where the individual concerned knows that such sharing may happen and where the processing complies with the Data Protection Principles. The first Data Protection principle states that personal information shall be processed fairly and lawfully and shall not be processed unless at least one condition from Schedule 2 of the Act is met. If the information is 'sensitive', at least one condition from Schedule 3 of the Act must also apply.

Where a request for personal information is received from a third party, the identity of the requester and the need for the information must be known before consideration is given to providing it. Personal information can be given to the police or the procurator fiscal to help with a criminal investigation and to certain statutory authorities/agencies (eg DWP, HMRC) (Section 29 of the Act). This only applies in certain circumstances, so such requests for disclosure must be made in writing, providing details of the data subject, reason for disclosure, name of requesting officer and certification by a senior officer. A record must be kept of all such disclosures by services and a report provided immediately to the CDPO when such disclosure is made.

In all cases, if there are any concerns at all about an enquirer or their enquiry, information must not be given out and the enquiry should be referred to the CDPO.

12. Data Sharing

Services and officers might be approached and asked if the Council will enter into a Data Sharing Agreement with another organisation. A Data Sharing Agreement addresses arrangements whereby one organisation shares personal data with another organisation. A statutory code of practice (link below) in respect of data sharing arrangements between organisations has been issued following its approval by the Secretary of State and the UK Parliament. The code explains how the Act applies to the sharing of personal data. It provides practical advice to organisations that share personal data and covers systematic data sharing arrangements as well as ad hoc or one off requests to share personal data.

Data Sharing - Code of Practice - ICO

Data Sharing Agreements should be approved by the appropriate committee of the Council and then negotiated and [...] the necessary legal [...] to the Head of Legal Services, who will hold the signed completed agreements. In his/her capacity as CDPO the Head of Legal Services will hold a register of all Data Sharing Agreements entered into by the Council.

13. Rights of Individuals

The Council, elected members, employees and suppliers must respect the rights of all individuals (data subjects), including employees and elected members. These rights are:

• Right to subject access (individual's access to personal information).
• Right to prevent processing likely to cause damage or distress.
• Right to prevent processing for the purpose of direct marketing.
• Right in relation to automated decision taking.
• Right to compensation if an individual suffers damage or damage and distress due to a breach of the Act.
• Right to have inaccuracies addressed.

The Council applies the maximum fee of £10 to process requests. There is a different system for charging that applies to educational records, under which the Council may charge higher fees.

14. Review and Revision

This policy will be reviewed whenever guidance or the law is changed but at a minimum every 24 months. Policy review will be undertaken by the Information Governance Working Group under the guidance of the Senior Information Risk Owner.

Appendix A: Glossary of Terms

The Act: Data Protection Act 1998

All Users: All users who have access to Council information, including employees, elected members, third party contractors and any other individuals or organisations who access Council information.

CDPO: Corporate Data Protection Officer

Council Information: Council information includes data, records, paper and digital formats.

Data Controller: The people or organisations who determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. The Council is the data controller of all personal data used in its business.

Data Processor: Any person who processes personal data on behalf of a data controller such as the Council. Council employees are excluded from this definition but it could include suppliers which handle personal data on behalf of the Council, for example where the Council outsources IT, paper waste disposal and mail shot / marketing services.

DP: Data Protection

DWP: Department of Work and Pensions

HMRC: Her Majesty's Revenue & Customs

ICO: Office of the Information Commissioner

Personal Data: Data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

SIRO: Senior Information Risk Owner

Page 60: NORTH LANARKSHIRE COUNCIL REPORT · I JnffhationGovernanceEolicy Framework .i_I_____Version 1 O__tiJul2014_I 4. Scope This policy applies to all NLC employees and all elected members

APPENDIX B: NORTH LANARKSHIRE COUNCIL DATA PROTECTION BREACH AND INCIDENT MANAGEMENT PROTOCOL

1. Background to this Protocol

Every care is taken by North Lanarkshire Council (NLC) to protect personal data and to avoid a data protection breach. In the unlikely event of data being lost, damaged, misused, stolen or otherwise shared inappropriately, it is vital that appropriate action is taken to minimise any associated risk as soon as possible.

For the purposes of this protocol, an incident involving the loss or inappropriate sharing of data (for example the theft of an encrypted laptop) where there has been no adverse consequence as a result of the loss is treated as 'a near miss'.

2. Purpose of this Protocol

This protocol sets out the procedure to be followed by all NLC officers, staff, elected members and third party contractors if a data breach takes place, or is believed to have taken place, or where there has been 'a near miss'.

3. Scope of this Protocol

This protocol applies to all personal and sensitive data held by or on behalf of NLC.

4. Types of Breach

Data protection breaches could be caused by a number of factors. Some examples are:

• Loss or theft of data or equipment on which data is stored;

• Inappropriate access controls allowing unauthorised use;

• Equipment failure;

• Human error;

• Unforeseen circumstances such as fire or flood;

• Hacking, phone/email 'phishing' and other 'social engineering' methods;

• 'Blagging' offences where information is obtained by deception.

5. Immediate Mitigation / Recovery Actions


5.1 The person who identifies a breach or near miss (collectively referred to as an incident) must inform his / her Head of Service. If the incident occurs or is discovered outside normal working hours, this should be done as soon as is practicable. The Head of Service who is informed of the incident must advise the CDPO (the Head of Legal Services) as soon as the incident is brought to his / her attention.

5.2 If the person who identifies an incident is a Head of Service, he or she must inform either the Chief Executive or his / her Executive Director as appropriate, and also the Corporate Data Protection Officer ('CDPO'), as soon as possible.

5.3 The officer to whom a breach is reported, i.e. the Head of Service (or, if the Head of Service has discovered the breach, the Chief Executive and Executive Director), must ascertain whether, if the incident is a breach, the breach is still occurring. If the breach is still occurring, steps must be taken immediately to minimise its effect. An example might be to shut down a system, or to alert relevant staff.

5.4 When a breach has been reported to a Head of Service, he / she must inform his / her Executive Director and the CDPO as soon as possible. Where a breach relates to loss of data held electronically, the Head of Egasd should also be informed.

5.5 The relevant Head of Service, in consultation with the relevant Executive Director and the CDPO, will also consider whether the police need to be informed. This would be appropriate where illegal activity is known or is believed to have occurred (including where there has been a theft or loss of a laptop or other mobile device) or where there is a risk that illegal activity might occur in the future. If bank details have been lost / stolen, the Executive Director of Financial Services must be contacted immediately to ensure that appropriate steps are taken to limit / contain loss or damage.

5.6 The relevant Head of Service must quickly take appropriate steps to recover any losses and limit the damage. Steps might include:

a. Attempting to recover lost equipment;

b. Contacting other officers as appropriate, e.g. the Head of Revenue Services, to ensure that they are prepared for any potentially inappropriate enquiries;

c. Contacting the Head of Corporate Communications so that he / she is prepared to handle any press enquiries;

d. The use of back-ups to restore lost / damaged / stolen data; and

e. If the data breach includes any entry codes or passwords, then these codes must be changed immediately, and the relevant agencies and members of staff informed.

6. Investigation

In most cases, the next stage is for the relevant Head of Service to fully investigate the incident. The Head of Service should ascertain whose data was involved in the incident, the potential effect on the data subject(s) and what further steps need to be taken to remedy the situation.

The investigation should consider the type of data, its sensitivity, what protections are in place (e.g. encryption), what has happened to the data, whether the data could be put to any illegal or inappropriate use, how many people are affected, what type of people have been affected (the public, suppliers etc), what harm could come to those affected and whether there are wider consequences to the incident.

The investigation should be completed urgently and wherever possible within 48 hours of the breach being discovered / reported. A further review of the causes of the breach and recommendations for future improvements can be done once the matter has been resolved.

A clear record should be made of the nature of the incident, its cause, the actions taken to mitigate it and the actions taken to try to prevent a recurrence of a similar incident, and this record should be provided to the CDPO as soon as possible.

7. Notification

7.1 Some people/agencies may need to be notified as part of the initial containment. However, the decision will normally be made once an investigation has taken place.

In the case of significant breaches, the Information Commissioner's Office (ICO) may require to be notified. A decision in this regard will be made by the CDPO. Breaches will be considered on a case by case basis. The CDPO will take account of the following in deciding whether or not to report to the ICO, other organisations (such as insurers) and affected individuals:

• Will notification help prevent the unauthorised use of personal data?

• Could notification help the individual, i.e. could they act on the information to mitigate risks?

• Have a large number of people been affected, or are there very serious potential consequences associated with the sensitivity of the data lost or stolen?

• Are there any legal / contractual requirements to notify?

7.2 The relevant Executive Director / Head of Service will notify individuals where appropriate. When notifying individuals, they should be provided with specific and clear advice on what they can do to protect themselves and what the service can and will do to help them. They should also be given the opportunity to make a formal complaint if they wish (see the Council's Complaints Procedure).

8. Review and Evaluation

Once the initial aftermath of the breach is over, the Head of Service should fully review both the causes of the breach and the effectiveness of the response to it.

If systemic or ongoing problems are identified, then an action plan must be drawn up to put these right. If the breach warrants a disciplinary investigation, the manager leading the investigation should liaise where appropriate with the CDPO and the Head of Human Resources.

This protocol will be reviewed every other year commencing June 2014. It may also be reviewed following an incident, legislative changes, new case law or new guidance from a relevant agency.

9. Implementation

This protocol takes effect immediately. All service managers should ensure that staff are aware of the Council's Data Protection Policy, this protocol and their requirements. This should be undertaken as part of induction and supervision.

If officers have any queries in relation to the procedure, they should discuss this with their line manager.


Appendix C: NORTH LANARKSHIRE PRIVACY IMPACT ASSESSMENT GUIDELINES

Privacy Impact Assessment

What is a Privacy Impact Assessment (PIA)?

A PIA is a process which helps assess privacy risks to individuals in the collection, use and disclosure of information. PIAs help identify privacy risks, foresee problems and bring forward solutions.

Who is required to complete a PIA?

There is no statutory requirement for any organisation to complete a PIA. However, central government departments have been instructed to complete PIAs by the Cabinet Office. The ICO has produced the PIA handbook to help organisations assess privacy risks and liabilities.

Why should I do a PIA?

• To identify privacy risks to individuals.
• To identify privacy and DP compliance liabilities for your organisation.
• To protect your reputation.
• To instil public trust and confidence in your project/product.
• To avoid expensive, inadequate "bolt-on" solutions.
• To inform your communications strategy.
• Enlightened self-interest.

When should I start a PIA?

PIAs are most effective when they are started at an early stage of a project, when:

• the project is being designed;
• you know what you want to do;
• you know how you want to do it; and
• you know who else is involved.

But ideally it should be started before:

• decisions are set in stone;
• you have procured systems;
• you have signed contracts/MOUs/agreements; and
• while you can still change your mind!

Key Elements of a PIA

The ICO PIA Handbook

This helps you to conduct a PIA and is available at www.ico.gov.uk. It contains advice on the following key features of a PIA.

Initial assessment

Examines the project at an early stage, identifies stakeholders, makes an initial assessment of privacy risk and decides which level of assessment is necessary.


Full-scale PIA

Conducts a more in-depth internal assessment of privacy risks and liabilities. Analyses privacy risks, consults widely with stakeholders on privacy concerns and brings forward solutions to accept, mitigate or avoid them.

Small−scale PIA

Similar to a full-scale PIA, but less formalised. Requires less exhaustive information gathering and analysis. More likely to be used when focusing on specific aspects of a project.

Privacy law compliance check

Focuses on compliance with various "privacy" laws such as the Human Rights Act, the Regulation of Investigatory Powers Act and the Privacy and Electronic Communications Regulations, as well as the Data Protection Act. Examines compliance with statutory powers, duties and prohibitions in relation to the use and disclosure of personal information.

Data protection compliance check

Checklist for compliance with DPA. Usually completed when the project is more fully formed.

Review and redo!

Sets out a timetable for reviewing actions taken as a result of a PIA and examines their effectiveness. Looks at new aspects of the project and assesses whether they should be subject to a PIA.

Top tips for conducting a Privacy Impact Assessment

Do I have to do a PIA for every project?

Not every project will require a PIA. The ICO envisages PIAs being used only where a project is of such a wide scope, or will use personal information of such a nature, that there would be genuine risks to the privacy of the individual. PIAs will usually be recommended where a change of the law will be required, new and intrusive technology is being used, or where private or sensitive information which was originally collected for a limited purpose is going to be reused in a new and unexpected way. The screening questions in the ICO PIA handbook should provide a good guide as to which level of PIA, if any, is recommended.

Completing an initial assessment

Make sure you use an up-to-date version of documents such as the terms of reference or the project initiation document. Create a team to oversee and conduct the PIA which represents the project team and privacy professionals within your organisation. Start to list the people, groups and organisations that might have a stake in the project, or be affected by it. The screening questions from the ICO PIA handbook should be completed by the PIA team to see which level of PIA is required.

Completing a full−scale PIA

See which of the stakeholders are best placed to provide effective feedback and decide on your list of consultees. Hold some preliminary discussions with key stakeholders if this helps.


Remember that this consultation can be completed alongside other forms of consultation. Use whatever works best for your consultees, such as open meetings. Complete your own internal privacy risk analysis while the consultation is going on. Compare consultation responses with your own internal analysis and identify the privacy problems and solutions. Set out action points and a date when they will be revisited and reviewed.

Completing a small-scale PIA

Remember this does not have to be as formalised or resource intensive as a full-scale PIA and can be scaled up or down to suit the project being assessed. Think of how best to gather the opinions of stakeholders: can this be done in a meeting, with a letter or during a phone call? How will you record their views and feed them into your own analysis?

Legal compliance checks and data protection compliance checks

Remember that you do not need to have conducted a PIA in order to check that your project is compliant with the Data Protection Act 1998 and other legal requirements.

Review and redo!

Once you have set a date for reviewing the action points, make sure it goes in everyone's calendar!


Appendix 1: PIA screening process

Step 1 - Criteria for full-scale PIA

The 11 questions about key project characteristics

The set of answers needs to be considered as a whole, in order to reach a conclusion as to whether a full-scale PIA is warranted. If it is, a conclusion is also needed as to whether the scope of the PIA should be wide-ranging, or focused on particular aspects of the project. Before proceeding with a full-scale PIA, it is necessary to continue with steps three and four of the screening process, to determine whether compliance checking should also be included in the project schedule.

Questions (answer Yes / No):

1. Technology: Does the project apply new or additional information technologies that have substantial potential for privacy intrusion?

2. Identity: Does the project involve new identifiers, re-use of existing identifiers, or intrusive identification, identity authentication or identity management processes?

3. Identity: Might the project have the effect of denying anonymity and pseudonymity, or converting transactions that could previously be conducted anonymously or pseudonymously into identified transactions?

4. Multiple organisations: Does the project involve multiple organisations, whether they are government agencies (e.g. in 'joined-up government' initiatives) or private sector organisations (e.g. as outsourced service providers or as 'business partners')?

5. Data: Does the project involve new or significantly changed handling of personal data that is of particular concern to individuals?

6. Data: Does the project involve new or significantly changed handling of a considerable amount of personal data about each individual in the database?

7. Data: Does the project involve new or significantly changed handling of personal data about a large number of individuals?

8. Data: Does the project involve new or significantly changed consolidation, inter-linking, cross-referencing or matching of personal data from multiple sources?

9. Exemptions and exceptions: Does the project relate to data processing which is in any way exempt from legislative privacy protections?

10. Exemptions and exceptions: Does the project's justification include significant contributions to public security measures?

11. Exemptions and exceptions: Does the project involve systematic disclosure of personal data to, or access by, third parties that are not …

Step 2 - Criteria for small-scale PIA

The 15 questions about project characteristics

Where the answers to questions are "Yes", consideration should be given to the extent of the privacy impact and the resulting project risk. The greater the significance, the more likely that a small-scale PIA is warranted.

If only one or two aspects give rise to privacy concerns, a small-scale PIA may still be justified. In these circumstances the PIA process should be designed to focus on the areas of concern. If, on the other hand, multiple questions are answered "Yes", a more comprehensive assessment is appropriate.

Questions (answer Yes / No):

1. Technology: Does the project involve new or inherently privacy-invasive technologies?

2. Justification: Is the justification for the new data-handling unclear or unpublished?

3. Identity: Does the project involve an additional use of an existing identifier?

4. Identity: Does the project involve use of a new identifier for multiple purposes?

5. Identity: Does the project involve new or substantially changed identity authentication requirements that may be intrusive or onerous?

6. Data: Will the project result in the handling of a significant amount of new data about each person, or a significant change in existing data-holdings?

7. Data: Will the project result in the handling of new data about a significant number of people, or a significant change in the population coverage?

8. Data: Does the project involve new linkage of personal data with data in other collections, or significant change in data linkages?

9. Data handling: Does the project involve new or changed data collection policies or practices that may be unclear or intrusive?

10. Data handling: Does the project involve new or changed data quality assurance processes and standards that may be unclear or unsatisfactory?

11. Data handling: Does the project involve new or changed data security arrangements that may be unclear or unsatisfactory?

12. Data handling: Does the project involve new or changed data access or disclosure arrangements that may be unclear or permissive?

13. Data handling: Does the project involve new or changed data retention arrangements that may be unclear or extensive?

14. Data handling: Does the project involve changing the medium of disclosure for publicly available information in such a way that the data becomes more readily accessible than before?

15. Exemptions: Will the project give rise to new or changed data-handling that is in any way exempt from legislative privacy protections?

Step 3 - Criteria for privacy law compliance checks

If any of the following questions are answered 'Yes', then a privacy law compliance check should be conducted:

1. Does the project involve any activities (including any data handling) that are subject to privacy or related provisions of any statute or other forms of regulation, other than the Data Protection Act?

2. Does the project involve any activities (including any data handling) that are subject to common law constraints relevant to privacy?

3. Does the project involve any activities (including any data handling) that are subject to less formal good practice requirements relevant to privacy?

Step 4 - Criteria for Data Protection Act compliance checks

If the following question is answered 'Yes', then a Data Protection Act compliance check should be conducted:

1. Does the project involve the handling of any data that is personal data, as that term is used in the Data Protection Act?

Note: for further guidance on the questions please refer to the ICO's Privacy Impact Assessment Handbook, available at www.ico.gov.uk.


Appendix 2: Data Protection Act Compliance Check Template

This Checklist aims to assist organisations proposing change to investigate whether the personal information aspects of their project comply with the Principles in Schedule 1 of the Data Protection Act (DPA).

It has been designed as a template to be deployed on desktops, portable computers (provided they are secure) or internal websites for use by any employee proposing change. Where so adopted by agencies, the template may need to be modified to add organisation-specific details.

It should be noted that many terms used in the Schedule 1 Principles have meanings specific to the Data Protection Act, and it would be prudent to refer to the Act for the definition of those terms. Another useful reference in this regard is the Information Commissioner's Legal Guidance. Users are also encouraged to seek guidance from sources such as the organisation's Data Protection Officer, legal unit or external lawyers/consultants.

I - BASIC INFORMATION - New or existing Project, System, Technology or Legislation

Organisation and Project

Organisation:
Branch/Division:
Project:

Contact Position and/or Name, Telephone Number and Email Address (this should be the name of the individual most qualified to respond to questions regarding the PIA):

Name, Title:
Branch/Division:
Phone Number:
E-mail:

Description of the Program/System/Technology/Legislation (Initiative) being assessed (please note here if the initiative does not collect, use or disclose personal data*). If this is a change to an existing project, system, technology or legislation, describe the current system or program and the proposed changes.

Purpose/Objectives of the initiative (if statutory, provide citation).

Provide details of any previous PIA or other form of personal data* assessment done on this initiative (in whole or in part).

IF THERE IS NO PERSONAL DATA INVOLVED, GO TO III DPA COMPLIANCE - CONCLUSIONS

*IMPORTANT NOTE:

"Personal data" means data which relate to a living individual who can be identified:

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

(Data Protection Act, section 1)

II − DATA PROTECTION PRINCIPLES (DPPs)

1 - Principle 1: Fair and Lawful Processing

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

For the Information Commissioner's guidance in relation to this DPP, see Legal Guidance pp 19-35.


1.1 Types of personal data

1.1.1 What type of personal data are you processing?

Please give examples of any sensitive personal data that you are processing.

1.1.2 Are sensitive personal data being differentiated from other forms of personal data?

Yes/No

If yes, please specify procedures. If no, please indicate why not.

1.2 Schedule 2 − Grounds for Legitimate Processing of Any Personal Data

1.2.1 Have you identified all the categories of personal data that you will be processing, and how?

Yes/No

If yes, please list them. If no, please indicate why not.

1.2.2 Have you identified the purposes for which you will be processing personal data, and how?

Yes/No

If yes, please list them. If no, please indicate why not.

1.2.3 Have you identified which of the grounds in Schedule 2 you will be relying on as providing a legitimate basis for processing personal data?

Yes/No

If yes, please list them. If no, please indicate why not.

1.2.4 Are you relying on different grounds for different categories of personal data?

Yes/No

If yes, how will this assessment be made?

1.3 Schedule 3 − Grounds for Legitimate Processing of Sensitive Personal Data

If this project does not involve the processing of sensitive personal data, please go to section 1.4.

1.3.1 Have you identified the categories of sensitive personal data that you will be processing?

Yes/No

If yes, please list them. If no, please indicate why not.

1.3.2 Have you identified the purposes for which you will be processing sensitive personal data?

Yes/No

If yes, please list them. If no, please indicate why not.

1.3.3 Have you identified which of the grounds in Schedule 3 you will be relying on as providing a legitimate basis for processing sensitive personal data?

Yes/No

If yes, please list them. If no, please indicate why not.

1.3.4 Are you relying on different grounds for different categories of sensitive personal data?

Yes/No

If so, how will this assessment be made?

1.4 Obtaining consent

1.4.1 Are you relying on the individual to provide consent to the processing as grounds for satisfying Schedule 2?

Yes/No

If yes, when and how will that consent be obtained?

1.4.2 For the processing of sensitive personal data, are you relying on explicit consent as specified in Schedule 3, s1 of the Data Protection Act?

Yes/No

If so, when and how will that consent be obtained?

1.5 Lawful Processing

a. If you are a public sector organisation:

1.5.1 Does your processing of personal data fall within your statutory powers?

Yes/No

If yes, please state what they will be. If no, please indicate why not.

1.5.2 How is compliance with the Human Rights Act being assessed?

b. All organisations:

1.5.3 Are you assessing whether any of the personal data being processed is held under a duty of confidentiality?

Yes/No

If yes, how will that assessment be made? If no, please indicate why not.

1.5.4 How is that confidentiality maintained? (e.g. instructions on disclosure or shredding)

1.5.5 Are you assessing whether your processing is subject to any other legal or regulatory duties?

Yes/No

If yes, how is that assessment being made? If no, please indicate why not.

1.5.6 How are you ensuring that those legal duties are being complied with?

1.6 Fair Processing

1.6.1 Are individuals being made aware of the identity of your organisation as the data controller?

Yes/No

If yes, state how they are being made aware. If no, please indicate why not.

1.6.2 How are individuals being made aware of how their personal data is being used?

1.6.3 … the purposes?

When is that opportunity offered?

1.6.4 Do you receive information about individuals from third parties?

Yes/No

If yes, please give examples. If no, please go to section 1.7.

1.6.5 How are individuals informed that the data controller is holding personal data about them?

When are individuals informed?

1.7 Exemptions from the First Data Protection Principle

The Act requires that, in order for personal data to be processed fairly, a data controller must provide the data subject with the following information:

1. the identity of the data controller;

2. the identity of any nominated data protection representative, where one has been appointed;

3. the purpose(s) for which the data are intended to be processed;

4. any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.

(Data Protection Act, Schedule 1, Part II, para 2(3))

1.7.1 Do you provide individuals with all of the information listed above?

Yes/No

If no, which exemption to these provisions is being relied upon?

2 − Principle 2: Purpose Limitation

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

For the Information Commissioner's guidance in relation to this DPP, see Legal Guidance pp 35-36.

2.1 Uses of Personal Data within the Organisation

2.1.1 Are procedures in place for maintaining a comprehensive and up-to-date record of the use of personal data?

Yes/No

2.1.2 How often is this record checked?

2.1.3 Does the record cover processing carried out on your behalf (e.g. by a sub-contractor)?

Yes/No

2.1.4 What is the procedure for notifying (where necessary) the data subject of the purpose for processing their personal data?

(Cross reference with section 1.6, Fair Processing)

2.2 Use of Existing Personal Data for New Purposes

2.2.1 Does the project involve the use of existing personal data for new purposes?

Yes/No

If no, go to section 3.

2.2.2 How is the use of existing personal data for new purposes being communicated to:

(a) the data subject;

(b) the person responsible for Notification within the organisation;

(c) the Information Commissioner?

2.2.3 What checks are being made to ensure that further processing is not incompatible with its original purpose?

2.3 Disclosure of Data

2.3.1 Do you have a policy on disclosures of personal data within your organisation/to third parties?

Yes/No

Is it documented?

Yes/No

2.3.2 How are staff made aware of this policy/instructed to make disclosures?

2.3.3 How are individuals/data subjects made aware of disclosures of their personal data?

2.3.4 Do you assess the compatibility of a third party's use of the personal data to be disclosed?

Yes/No

If no, go to section 3.1

If yes, how do you make the assessment?

3 − Principle 3: Adequate, Relevant and Not Excessive

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

For the Information Commissioner's guidance in relation to this DPP, see Legal Guidance pp 36−37.

3.1 Adequacy and relevance of Personal Data

3.1.1 How is the adequacy of personal data for each purpose determined? (Please give examples)

3.1.2 How is an assessment made as to the relevance (i.e. no more than the minimum required) of personal data for the purpose for which it is collected?

3.1.3 What procedures are in place for periodically checking that data collection procedures are adequate, relevant and not excessive in relation to the purpose for which data are being processed?

How often will these procedures be reviewed?

(question 3.1.4, start of text illegible in the scanned copy) ... for a particular purpose?

Yes/No

If yes, please describe. If no, please indicate why not.

3.1.5 Are items of personal data held in every case which are only relevant to a subset of those cases?

Yes/No

4 − Principle 4: Accurate and up−to−date

Personal data shall be accurate and, where necessary, kept up−to−date.

For the Information Commissioner's guidance in relation to this DPP, see Legal Guidance pp 37−8.

4.1 Accuracy of Personal Data

4.1.1 Are personal data evaluated to establish the degree of damage to both the data subject/data controller that could be caused through inaccuracy?

Yes/No

4.1.2 How, and how often, are personal data checked for accuracy?

Please give examples:

4.1.3 In what circumstances is the accuracy of the personal data being checked with the Data Subject?

Please give examples:

4.1.4 Are the sources of personal data identified in the record?

Yes/No

If so, how? Please give examples:

4.1.5 Is there any facility to record notifications received from the data subject if they believe their data to be inaccurate?

Yes/No

If no, please indicate why not.

4.2 Keeping Personal Data Up−to−Date

4.2.1 Are there procedures to determine when and how often personal data requires updating?

4.2.2 Are personal data evaluated to establish the degree of damage to:

(a) the data subject, or

(b) the data controller

that could be caused through being out−of−date?

Yes/No

Please specify whether to data subject or data controller:

4.2.3 Are there procedures to monitor the factual relevance, accuracy and timeliness of free text options or other comments about individuals?

Yes/No

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

For the Information Commissioner's guidance in relation to this DPP, see Legal Guidance p 39.

5.1 Retention Policy

5.1.1 What are the criteria for determining retention periods of personal data?

How often are these criteria reviewed?

5.1.2 Does the project(s) include the facility to set retention periods?

Yes/No

5.1.3 Is the project subject to any statutory/sectoral requirements on retention?

Yes/No

If yes, please state relevant requirements:

5.2 Review and Deletion of Personal Data

5.2.1 Is there a review policy?

Yes/No

Is it documented?

5.2.2 When data is no longer needed:

(a) How is a review made to determine whether the data should be deleted?

(b) How often is the review to be conducted?

(c) Who is responsible for determining the review?

(d) If the data is held on a computer, does the application include a facility to flag records for review/deletion?

Yes/No

5.2.3 Are there to be any exceptional circumstances for retaining certain data for longer than the normal period?

Yes/No

If yes, please give justification:

5.2.4 Is there any guidance on deletion/destruction of personal data?

Yes/No

If no, please indicate why not.

6 − Principle 6: Data Subject Access

Personal data shall be processed in accordance with the rights of data subjects under this Act.

For the Information Commissioner's guidance in relation to this DPP, see Legal Guidance pp 39−40.

6.1 Subject Access

6.1.1 Are procedures in place to provide access to records under this Principle?

Yes/No

If yes, please specify proposed procedures. If no, please indicate why not.

6.1.2 How do you locate all personal data relevant to a request (including any appropriate "accessible" records)?

6.1.3 Do you provide an explanation of any codes or other information likely to be unintelligible to a data subject?

Yes/No

If yes, how? If no, please indicate why not.

6.1.4 Are procedures in place to manage personal data relating to third parties?

Yes/No

If yes, please specify proposed procedures. If no, please indicate why not.

6.1.5 How is data relating to third parties managed?

6.2 Withholding of personal data in response to a subject access request

6.2.1 Are there any circumstances where you would withhold personal data from a subject access request?

If no, go to section 6.3. If yes, on what grounds?

6.3 Processing that may cause Damage or Distress

6.3.1 Do you assess how to avoid causing unwarranted or substantial damage or unwarranted and substantial distress to an individual?

Yes/No

If yes, please specify proposed procedures. If no, please indicate why not.

6.3.2 Do you take into account the possibility that such damage or distress to the individual could leave your organisation vulnerable to a compensation claim in a civil court?

Yes/No

6.4 Right to Object

6.4.1 Is there a procedure for complying with an individual's request to prevent processing for the purposes of direct marketing?

Yes/No

6.5

6.5.1 Are any decisions affecting individuals made solely on processing by automatic means?

Yes/No

If yes, what will be the procedure(s) for notifying an individual that an automated decision making process has been used?

6.6 Rectification, Blocking, Erasure and Destruction

6.6.1 What is the procedure for responding to a data subject's notice (in respect of accessible records) or a court order requiring:

(a) rectification;

(b) blocking;

(c) erasure; or

(d) destruction of personal data?

7 − Principle 7: Data Security

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

For the Information Commissioner's guidance in relation to this DPP, see Legal Guidance pp 40−3.

7.1 Security Policy

7.1.1 Is there a Data Security Policy?

Yes/No

If no, please indicate why not and then go to 7.1, question 5.

7.1.2 If yes, (question text partly illegible in the scanned copy) ... the Data Security Policy within the organisation?

7.1.3 Does the Data Security Policy specifically address data protection issues?

Yes/No

7.1.4 What are the procedures for monitoring compliance with the Data Security Policy within the organisation?

7.1.5 Does the level of security that has been set take into account the state of technological development in security products and the cost of deploying or updating these?

7.1.6 Is the level of security appropriate for the type of personal data processed?

7.1.7 How does the level of security compare to industry standards, if any?

7.2 Unauthorised or unlawful processing of data

7.2.1 Describe security measures that are in place to prevent any unauthorised or unlawful processing of:

(a) Data held in an automated format (e.g. password controlled access to PCs).

(b) Data held in a manual record (e.g. locked filing cabinets)?

(question 7.2.2, start of text illegible in the scanned copy) ... unauthorised or unlawful processing?

Yes/No

If yes, please describe the planned procedures. If no, please indicate why not.

7.2.3 Describe the procedures in place to detect breaches of security (remote, physical or logical)?

7.4 Destruction of Personal Data (Cross−reference with section 5.2)

7.4.1 Describe the procedures in place to ensure the destruction of personal data no longer necessary?

7.4.2 Are there different procedures for destroying sensitive personal data?

Yes/No

7.5 Contingency Planning − Accidental loss, destruction, damage to personal data

7.5.1 Is there a contingency plan to manage the effect(s) of an unforeseen event?

Yes/No

7.5.2 Describe the procedures to recover data (both automated and manual) which may be damaged/lost through:

• human error
• computer virus
• network failure
• theft
• fire
• flood
• other disaster

8 − Principle 8: Overseas Transfer

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For the Information Commissioner's guidance in relation to this DPP, see Legal Guidance pp 43−5.

8.1 Adequate Levels of Protection

8.1.1 Are you transferring personal data to a country or territory outside of the EEA?

Yes/No

If no, please go to Part III.

If yes, where?

8.1.2 What are the types of data that are transferred? (e.g. contact details, employee records).

8.1.3 Are sensitive personal data transferred abroad?

Yes/No

If yes, please provide details:

(question 8.1.4, start of text illegible in the scanned copy) ... in the transfer of personal data to countries outside the EEA?

8.1.5 Are measures in place to ensure an adequate level of security when the data are transferred to another country or territory?

8.1.6 Have you checked whether any non−EEA states to which data is to be transferred have been deemed as having adequate protection?

8.2 Exempt Transfers

8.2.1 Is your organisation carrying out any transfers of data where it has been decided that the Eighth Principle does not apply?

Yes/No

If yes, what are they?

8.2.2 To which country/territory are these transfers made?

8.2.3 What are the criteria set by your organisation, which must be satisfied before a decision is made about whether the transfer is exempt from the Eighth Principle?

e.g. consent (see DPA 1998, Schedule 4, for a full list)

8.3 Choice of Data Processor

8.3.1 What reasonable steps did you take to ensure that the Data Processor complies with data protection requirements?

8.3.2 How did you assess their data security measures?

8.3.3 How do you ensure that the Data Processor complies with these measures?

8.3.4 Is there an on−going procedure for monitoring their data security measures?

Yes/No

If yes please describe. If no, please indicate why not.

III − DPP COMPLIANCE − CONCLUSIONS

Please provide a summary of the conclusions that have been reached in relation to this project's overall compliance with the DPPs. This could include indicating whether some changes or refinements to the project might be warranted.

............................ (Proponent) Date: ...........................................

............................ (Data Protection Officer) Date: ...........................................

Appendix 3

Privacy and Electronic Communications Regulations − Direct Marketing Compliance Check Template (Checklist template)

This Checklist aims to assist organisations proposing change to marketing arrangements to investigate whether their project complies with the requirements of the Privacy and Electronic Communications Regulations 2003 (PECR). The Regulations are designed to be technology neutral, so will apply to most electronic communications.

− BASIC INFORMATION − New or existing Project, System, Technology or Legislation

(1) Organisation and Project

Organisation
Branch/Division
Project

Contact Position and/or Name, Telephone Number and Email Address. (This should be the name of the individual most qualified to respond to questions regarding the PIA)

Name, Title
Branch/Division
Phone Number
E−mail

Description of the Program/System/Technology/Legislation (Initiative) being assessed. If this is a change to an existing project, system, technology or legislation, describe the current system or program and the proposed changes.

Purpose/Objectives of the initiative (if statutory, provide citation).

What are the potential privacy impacts of this proposal?

Do you intend to send direct marketing by e−mail, text message and picture (including video) message, or by using an automated calling system?

Yes No

If yes, then you will need to complete this Checklist

IMPORTANT NOTE

"direct marketing" means "the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals". (Data Protection Act 1998, section 11)

Do you intend to send direct marketing messages only using Bluetooth?

Yes No

If yes, answer question 8, then go to Part III: PECR Marketing Compliance − Conclusions

IMPORTANT NOTE

The PEC Regulations only apply to messages sent over a public electronic communications network and Bluetooth messages are not sent using such a network. (PECR 2003, section 2)

Do you intend to process personal data in order to send your direct marketing?

Yes No

If yes, then you will also need to complete the Data Protection Checklist

IMPORTANT NOTE

"Personal data" means data which relate to a living individual who can be identified:

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. (Data Protection Act, section 1)

Are your direct marketing communications to be sent to individual or corporate subscribers?

Individual Corporate Both

If Individual or Both, continue with Section II; if Corporate, go to Section III.

IMPORTANT NOTE

The PEC Regulations apply different rules to individual subscribers and corporate subscribers, although some rules apply to both. Where personal data is used the Data Protection Act 1998 always applies.

Your direct marketing communications should provide the recipient with information to make effective use of their rights as regards direct marketing communications. Describe the information to be provided and the mechanism by which it will be provided, particularly where the information provision is not via the same communication method as the direct marketing communication.

IMPORTANT NOTE

The e−Commerce Regulations 2002 require that the recipient of an e−Commerce service, including direct marketing, must be provided, in a form and manner that is easily, directly and permanently accessible, certain information including:

• the name of the service provider;

• the geographic address at which the service provider is established;

• the details of the service provider, including his e−mail address, which make it possible to contact him rapidly and communicate with him in a direct and effective manner.

The Regulations do not prescribe how the requirement to make information "easily, directly and permanently accessible" should be met.

II− INDIVIDUAL SUBSCRIBERS

Are your marketing communications directly invited or unsolicited?

Directly Invited Unsolicited

By what mechanism have subscriber details been obtained? How do you determine whether the details have been provided with the intention that you should send the subscriber direct marketing communications?

IMPORTANT NOTE

If your marketing communications are directly invited (solicited) by the individual subscriber to whom they are sent, i.e. they have asked you to send them marketing communications, then many of the PEC Regulations do not apply.

If you are to use an Automated Calling System for marketing communications do you have the prior consent of the subscriber?

Yes No

If you have the prior consent of the subscriber, how do you audit and verify the accuracy of your subscriber records? How will you address withdrawal of consent?

IMPORTANT NOTE

In order to use Automated Calling Systems for marketing communications to individual subscribers you must have prior consent. Prior consent on the other hand means that the subscriber has given some positive indication of intention; this does not necessarily require a tick box "opt−in", e.g. if the subscriber has clearly indicated their consent to the purposes and to the receipt of marketing communications in some other fashion, i.e. clicking on an "Accept" button at the end of a marketing notice.

If you are to use faxes for marketing communications do you have the prior consent of the subscriber?

Yes No

If you have the prior consent of the subscriber, how do you audit and verify the accuracy of your subscriber records? Does your company currently subscribe to the Fax Preference Service? How will you address withdrawal of consent or a subscriber override of the FPS registration?

IMPORTANT NOTE

In order to use faxes for marketing communications to individual subscribers you must have prior consent, and check with the FPS on a regular basis unless the subscriber has notified you that such communications can be sent "for the time being".

If you are to use live voice telephone for marketing communications have you been previously notified not to call certain subscriber numbers?

Yes No

How do you audit and verify the accuracy of your subscriber records? Does your company currently subscribe to the Telephone Preference Service? How will you address future "Do not call" requests, or a subscriber override of their TPS registration?

IMPORTANT NOTE

In order to use live voice telephone calls for marketing communications to individual subscribers you must honour subscriber "Do not Call" requests, and check with the TPS on a regular basis unless the subscriber has notified you that such communications can be sent "for the time being".

If you are to use e−mail/SMS for marketing communications do you have "opt−in consent" of the subscriber?

Yes No

If you do not have "opt−in consent", can communications be permitted under the "soft opt−in" test?

Yes No

How do you collect, audit and verify the accuracy of your opt−in subscriber records?

If "soft opt−in" is to be used, provide details of how this will be recorded and verified and describe how opt−out mechanisms will be provided.

IMPORTANT NOTE

In order to use e−mail/SMS for marketing communications to individual subscribers you must have the opt−in consent of subscribers OR meet the soft opt−in test:

• contact details are obtained during negotiation or sale of goods or services to the recipient; AND

• marketing is conducted by the same entity as previous dealings with the individual; AND

• marketing relates to "similar products and services"; AND

• an opt−out mechanism is provided at the point of data collection and is provided with each new communication.

III −CORPORATE SUBSCRIBERS

(1) Are your marketing communications directly invited or unsolicited?

Directly Invited Unsolicited

By what mechanism have subscriber details been obtained? How do you determine whether the details have been provided with the intention that you should send the subscriber direct marketing communications?

IMPORTANT NOTE

If your marketing communications are directly invited (solicited) by the corporate subscriber to whom they are sent, i.e. they have asked you to send them marketing communications, then many of the PEC Regulations do not apply.

If you are to use an Automated Calling System for marketing communications do you have the prior consent of the subscriber?

Yes No

If you have the prior consent of the subscriber, how do you audit and verify the accuracy of your subscriber records? How will you address withdrawal of consent?

IMPORTANT NOTE

In order to use Automated Calling Systems for marketing communications to corporate subscribers you must have prior consent.

If you are to use faxes for marketing communications have you been previously notified not to call certain subscriber numbers?

Yes No

If you have the prior consent of the subscriber, how do you audit and verify the accuracy of your subscriber records? Does your company currently subscribe to the Fax Preference Service? How will you address future "Do not fax" requests, or a subscriber override of the FPS registration?

IMPORTANT NOTE

In order to use faxes for marketing communications to corporate subscribers you must honour subscriber "Do not Fax" requests, and check with the FPS on a regular basis unless the subscriber has notified you that such communications can be sent "for the time being".

If you are to use live voice telephone for marketing communications have you been previously notified not to call certain subscriber numbers?

Yes No

How do you audit and verify the accuracy of your subscriber records? Does your company currently subscribe to the Telephone Preference Service? How will you address future "Do not call" requests?

IMPORTANT NOTE

In order to use live voice telephone calls for marketing communications to corporate subscribers you must honour subscriber "Do not Call" requests, and check with the TPS on a regular basis unless the subscriber has notified you that such communications can be sent "for the time being".

If you are to use e−mails/SMS for marketing communications to corporate subscribers, describe what measures you will take if corporate subscribers request to opt−out from future e−mails, or override their TPS registration.

IMPORTANT NOTE

There are currently no consent requirements applicable to the sending of e−mail/SMS marketing communications to corporate subscribers. However, it is good practice to provide an opt−out mechanism.

IV − PECR DIRECT MARKETING COMPLIANCE − CONCLUSIONS

Please provide a summary of the conclusions that have been reached in relation to this project's overall compliance with the Direct Marketing provisions of the PECR. This could include indicating whether some changes or refinements to the project might be warranted.

............................ (Proponent) Date: .................

............................ (Data Protection Officer) Date: ............


Information Security Policy

Version 1.1

This is a controlled document. Whilst this document may be printed, the electronic version posted on the intranet is the controlled copy. Any printed copies of this document are not controlled. As a controlled document, this document should not be saved onto local or network drives but should always be accessed from the intranet.

Information Security Policy | Version 1.2 | Aug 2014

Document Control

Organisation: North Lanarkshire Council
Title: Information Security Policy
Creator: ICT Security Manager
Owner: ICT Security Manager
Subject: The Security Policy formalises Information security within North Lanarkshire Council.
Classification: OFFICIAL
Identifier: 20140816 Information Security Policy
Date Issued: Tuesday, 19 August 2014

Revision History

Revision No. | Originator | Date of revision | Revision Description
1.1 | Linda Caldwell | 22/02/2013 | Regular Review
1.2 | Linda Caldwell | 16/08/2014 | Document controls modified in line with other information governance policies

Document Approvals

Sponsor Approval | Revision No. | Date
Policy and Resources | 1.1 | 14/03/2013
Policy and Resources | 1.2 | 18/09/2014

Document distribution and communication

This document will be made available to all users. It is published on the corporate intranet. Staff will be informed by periodic staff notices and induction information.

Contents

1. Introduction
2. Scope
3. Risks to North Lanarkshire Council ... 6
4. Purpose ... 6
5. Responsibilities ... 7
6. Review ... 7
7. Communication ... 7
8. Policy Domains (Security Policy Subject Areas) ... 7
9. Policy Domain 1: Information Security Policy ... 10
10. Policy Domain 2: Risk Assessment ... 11
11. Policy Domain 3: Organisation of Information Security ... 12
12. Policy Domain 4: Asset Management ... 13
13. Policy Domain 5: Human Resources ... 14
14. Policy Domain 6: Physical and Environmental Security ... 15
15. Policy Domain 7: Communications and Operations Management ... 16
16. Policy Domain 8: Access Control ... 20
17. Policy Domain 9: Information Systems Acquisition, Development and Maintenance ... 26
18. Policy Domain 10: Security Incident Management ... 28
19. Policy Domain 11: Business Continuity Management ... 29
20. Policy Domain 12: Compliance ... 30
Appendix A: Glossary of Terms ... 31

1 − Introduction

1.1. Information is a major asset. North Lanarkshire Council has a duty and responsibility to protect this asset.

The council must comply with all relevant data handling legislation and with recognised good practice while doing so. In this respect, an indicative list of supporting legislation, policies, standards etc. is provided in the information governance policy framework document.

1.2. Information Security Responsibilities

1.2.1. Information Security is a business responsibility shared by all members of the management team.

The Information Governance Working Group will:

• Initiate and control the development of the Information Security Policy;

• Actively support security within North Lanarkshire Council through clear direction, demonstrated commitment and acknowledgement of information Security responsibilities;

• Review and approve the Information security policy and associated responsibilities;

• Review and monitor exposure to major security threats;

• Approve major new initiatives to enhance information security and to reduce the level of security risk to which North Lanarkshire Council may be exposed.

Managers will be responsible for:

• The application of the Information Security Policy across their areas of responsibility;

• Ensuring their staff are aware of the policy and its implications to their operational activities;

• Managing any instances of policy non−compliance.

All employees will be responsible for;

• understanding the implications of the policy in relation to their individual responsibilities;

• complying with the policy.

Security advice relating to the policy will be provided by the ICT Security Team (contact: e-mail NLC IT Security at northlan.gov.uk).

1.3. The purpose and objective of this Information Security Policy is to set out a framework for the protection of the Authority's information assets:

• Against all threats and vulnerabilities, whether internal or external, deliberate or accidental.

• To ensure business continuity and minimise business damage.

• In order to support delivery of the Council's strategic and operational objectives.


1.4. The Information Security Policy establishes a high level framework for information security management. It is a single document which is made up of:

• A high level introduction and statement of rationale.

• A number of information security policies. Policy domains have been defined as the key elements of Information Security by the International Standard for Information Security (ISO 27001:2005). Each domain will contain multiple policies covering the domain subject areas.

• Policies: each domain contains a number of individual policy statements, in the form of a mandatory set of instructions, rules or behaviours which, if followed, are designed to provide a high level of information security assurance, and to create a safe operating environment for delivery of North Lanarkshire Council's services.

1.5. Information Security Policies will be supplemented by:

• Standards, Guidelines and Procedures. These are low level, detailed documented statements or instructions, often technical or operational in nature, which provide specific information supporting the execution of the policies.

Standards, guidelines and procedures, unlike policies, will be subject to periodic change and review, as operating conditions and technology itself changes. They will be developed on an ongoing basis.

Policies, as statements of principle, will require less frequent change but will be reviewed biannually.

1.6. The Information Security Policy framework will operate within an information security management system which includes:

• Policy compliance reviews;

• Recording and management reporting of policy exceptions;

• Risk assessment of policy exceptions;

• Notification of changes to policy, standards, guidelines and procedures.

Policy exception risk assessments will be carried out within the framework of existing Council risk management processes.

2. Scope

2.1. This Information Security Policy outlines the framework for management of Information Security within North Lanarkshire Council.

2.2. The Information Security Policy, Standards, Guidelines and Procedures will apply to everyone who has access to information and systems used by, and for, North Lanarkshire Council purposes. It will include all employees, workers, elected representatives and third party organisations contracted to carry out services for North Lanarkshire Council.

Where North Lanarkshire employees or representatives are using other organisations' information, any obligations which have been agreed with NLC relating to our use of it must be complied with.


2.3. Information takes many forms and includes:

• data printed;

• data stored electronically;

• communications sent by post / courier or using electronic means;

• data stored on tape, microfiche or video.

3. Risks to North Lanarkshire Council

3.1. Data and information collected, analysed, stored, communicated, reported and shared with other agencies may be subject to theft, misuse or loss and corruption.

3.2. Poor security awareness, misuse and breach of systems' information security controls may result in information being put at risk.

3.3. Information security incidents can give rise to reputational loss, financial loss, non-compliance with standards and legislation as well as possible judgements against North Lanarkshire Council.

4. Purpose

4.1. It is the policy of North Lanarkshire Council to ensure that Information will be protected from loss of:

• Confidentiality: so that information is accessible only to authorised individuals.

• Integrity: safeguarding the accuracy and completeness of information and processing methods.

• Availability: that authorised users have access to relevant information when required.

4.2. The ICT Security manager will provide guidance on the standard process and execution of security incident investigation.

4.3. The ICT Security Manager must play a key role in the process for investigating security incidents impacting the Council's IT Infrastructure. There will be occasions where close liaison between the ICT Security Manager and Services with specific related responsibilities will be required, e.g. Data Protection.

4.4. Individual Security incidents may be investigated directly by Services but must be reported to the ICT Security manager to allow for assessment of indications of systemic or generic information security weaknesses in the Council's IT infrastructure or policies.

4.5. Regulatory, legislative and contractual requirements will be incorporated into the Information Security Policy, Standards, Guidelines and Procedures.

4.6. The requirements of the Information Security Policy will be incorporated into the council's operational procedures and contractual arrangements.

4.7. North Lanarkshire Council will align its processes and standards with ISO 27001, the International Standard for Information Security Management.

4.8. An Information Security Forum (ISF) with representation from all Services and Council Trusts that receive ICT services from the Council will be established and will support Information Security Policy promotion and Security awareness across all areas of North Lanarkshire Council.


4.9. All breaches of information security, actual or suspected, must be investigated.

4.10. Business continuity plans must be developed, regularly maintained and tested by all

4.11. Information security awareness training will be provided on an ongoing basis.

5. Responsibilities

5.1. The ICT Security Manager is the designated owner of the Information Security Policy and is responsible for the maintenance and review of the Information Security Policy, Standards, Guidelines and Procedures.

5.2. Services managers are responsible for ensuring that all employees and workers are made aware of and comply with the Information Security Policy, Standards, Guidelines and Procedures.

5.3. It is the responsibility of every member of staff, worker, contractor and related third party to comply with the policy, as well as with the related security standards, guidelines and procedures.

5.4. Failure to comply with the Information Security Policy, Standards, Guidelines and Procedures may lead to disciplinary action in accordance with HR procedures.

6. Review

6.1. As a minimum there will be a biannual review of the Information Security Policy.

6.2. Consultation for major changes to the Information Security Policy will be co-ordinated through an Information Security Forum (ISF).

6.3. The ICT Security Manager has ultimate responsibility for Information Security policy content.

7. Communication

7.1. The North Lanarkshire Information Security Policy and any subsequent changes will be communicated to all parties to whom it applies.

8. Policy Domains (Security Policy Subject Areas)

8.1. Information Security Policy
An Information Security Policy Document must be supported and approved by management. It must be communicated to all employees, workers and relevant external parties.

8.2. Risk Assessment
Risk assessment will be used to assess the impacts from, and the likelihood of, security breaches taking place. Risk assessments will also be used in support of decisions relating to security topics.

8.3. Organisation of Information Security
The Information Security Forum (ISF) has representation from all Services and Council Trusts that receive ICT services from the council. The ISF is co-ordinated by the ICT Security Manager. The ISF provides a vehicle for Information Security Policy dissemination and for raising security awareness in the Services.

Specialist external advice will be drawn upon, wherever necessary, in order to maintain the Information Security Policy, Standards, Guidelines and Procedures, and to address new and emerging threats.

8.4. Asset Management
All assets (data, information, software, computer and communications equipment, services and utilities) must be accounted for and have an owner. The owner shall be responsible for the maintenance and protection of the asset/s concerned.

8.5. Human Resources Security
Employee, worker, contractor and third party terms and conditions of engagement must explicitly or implicitly indicate the need for compliance with council policies, including the Information Security Policy.

8.6. Physical and Environmental Security
Physical security and environmental controls must be commensurate with the risks to the area concerned. In particular, critical or sensitive information processing facilities must be housed in secure areas protected by defined security perimeters with appropriate security barriers and/or entry controls.

8.7. Communications and Operations Management
Responsibilities and procedures for the purchase, management, operation and security of all North Lanarkshire Council computer processing and network facilities must be established in line with the NLC ICT Strategy.

8.8. Access Control
Access to information and information systems must be based upon business need. Access to information systems must not exceed that required to allow individuals to carry out the duties for which they have been authorised.

Specifications for new applications must record access control requirements and limitations.

A formal user registration and de-registration process must be established to manage access to all information systems and services.

8.9. Information Systems Acquisition, Development and Maintenance
Information security risks must be identified at the earliest stage in the development of business requirements for new information systems or enhancements to existing information systems.

Information systems acquired from, or developed by, third party organisations must comply with the council's security policies and controls, or with policies and controls equivalent to those in place for North Lanarkshire Council.

Controls to mitigate security risks must be identified and implemented where appropriate.

Security issues identified during systems acquisition, development, maintenance or implementation must be risk assessed.

8.10. Information Security Incident Management
There must be a formal process for managing Information Security incidents. The ICT Security manager is responsible for managing and maintaining the standard supporting the council's Information Security Incident Management process.


8.11. Business Continuity Management
Formally documented and tested contingency processes must be in place to protect critical council operations and services from the effects of failures or disruptions.

8.12. Compliance
The design, operation, use and management of information and information systems must take into account compliance with all statutory, regulatory and contractual requirements.

9. Policy Domain 1: Information Security Policy

9.1. Introduction
This Information Security Policy document sets out the framework of controls by which North Lanarkshire Council employees and related parties will protect its information.

9.2. Control Objective
To provide management direction and support for information Security in accordance with North Lanarkshire Council's strategic objectives, Service requirements, and relevant laws and regulations.

9.3. Policy Statements

9.3.1. North Lanarkshire Council will publish and maintain an Information Security Policy.

9.3.2. This Information Security Policy document has been passed by North Lanarkshire Council and represents Management commitment that council employees and all related parties must adhere to the contents of the policy document as well as related Security standards, procedures and guidelines documents.

9.3.3. The implementation, management and maintenance of the Information Security Policy will be in accordance with ISO 27001 and ISO 27002 (Codes of Practice for Information Security Management).

ISO 27001 Section 4 : Policy Domain 1: Information Security Policy


10. Policy Domain 2: Risk Assessment

10.1. Introduction
Risk assessment is the methodology which provides an organisation with the means of translating and measuring the potential and actual impacts of information security events into meaningful risks to the organisation.

10.2. Control Objective
To provide the organisation with a means of measuring the degree of damage or risk exposure, actual or potential, caused by a security event, incident or decision impacting information security.

10.3. Policy Statement
A standard risk management methodology must be deployed as a means of assessing security risk.

• Security incident and event management processes must include a riskassessment.

• Significant technology development and operational decisions must be riskassessed.

• The project development lifecycle must include a risk management process.

• Identified security risks must be recorded in a Services risk register and notified to the ICT Security Team.

• Risk management reporting will be included in regular management reporting.

ISO 27001 Section 4 : Policy Domain 2: Risk Assessment


11. Policy Domain 3: Organisation of Information Security

11.1. Introduction
A policy management infrastructure is required to ensure that policy reflects any changes and remains current.

11.2. Control Objective
To ensure that North Lanarkshire Council manages information security within a clear and agreed framework applied across the organisation, and in all dealings with third parties.

11.3. Policy Statements
North Lanarkshire Council will manage information security within an approved framework, through which the implementation and maintenance of the Information Security Policy across the organisation will be co-ordinated. The Information Security Policy will apply to third parties with whom the council does business. Where necessary, specialist external advice will be sought to raise awareness of new and emerging risks and security standards.

11.3.1. Internal Security Organisation

• An Information Security Forum (ISF) will operate to give clear direction and support for information security.

• The ISF will have representation from all Services, will review security policy compliance, co-ordinate security initiatives and raise security awareness.

• Responsibilities for the protection of individual assets must be clearly defined.

• There must be a management authorisation process in place for the acquisition and installation of new information processing facilities.

• Confidentiality and non-disclosure agreements must be completed both internally and externally in order to protect the Council's intellectual property and information security.

• Wherever necessary, Information Security advice will be sought in-house or from external specialist advisors, and will be communicated throughout the organisation.

• North Lanarkshire Council will maintain contacts with external security specialists, e.g. law enforcement agencies and regulatory bodies.

11.3.2. Third party Access

• All third party access to North Lanarkshire Council information systems must take into account security risk implications and have agreed security controls applied to mitigate the risk.

• Anyone given access to North Lanarkshire Council information or assets must comply with North Lanarkshire Council's Information Security Policy.

• Contracts with third parties must document the security conditions and controls to which they are required to adhere. Consideration must be given to recording these in the council's Information Security Management Agreement (ISMA).

ISO 27001 Section 6 : Policy Domain 3: Organisation of Information Security


12. Policy Domain 4: Asset Management

12.1. Introduction
This policy sets out North Lanarkshire Council's commitment to protect information and related information processing assets. There are many types of assets including:

• Information: databases and data files, contracts and agreements, system documentation, user manuals, training material, operational or support procedures, business continuity plans, audit trails and archived information;

• Software assets: application software, system software, development tools and utilities;

• Physical assets: computer equipment, telecommunications equipment, removable media and other equipment;

• Services: computing and communications services, general utilities, e.g. heating, lighting, power and air-conditioning;

• People: and their qualifications, skills and experience;

• Intangibles: reputation and image of North Lanarkshire Council.

12.2. Control Objective
To provide assurance that North Lanarkshire Council achieves and maintains an appropriate level of protection for information and information processing assets.

12.3. Policy Statements
All information and assets associated with information processing facilities must be accounted for and have a designated owner.

12.3.1. Responsibility for Assets

• An inventory of assets must be maintained. This includes software, databases, information stores, physical assets and services.

• An owner, either an individual, area or a team, must be formally assigned to all information and assets connected with information processing. The owner has responsibility for controlling the production, development, maintenance, use and security of a named asset.

• Documented rules must be established and maintained for the acceptable use of information and assets associated with information processing facilities.

ISO 27001 Section 7 : Policy Domain 4: Asset Management


13. Policy Domain 5: Human Resources

13.1. Introduction
This policy sets out North Lanarkshire Council's commitment to reduce the risk of employee, contractor, or third party user theft, fraud or misuse of information and information processing facilities.

13.2. Control Objective
To ensure that North Lanarkshire Council employees, workers, contractors and third party organisations understand their responsibilities, having been adequately assessed as suitable for their role, and provided with adequate resources to safeguard the council's information assets.

13.3. Policy Statements

13.3.1. It is the responsibility of all managers to ensure that the correct notification procedures are followed when employees, workers, contractors and any third parties end their contracted relationship with the council.

13.3.2. Access to information and information systems must be appropriate to the responsibilities applicable to particular job roles. It is the responsibility of managers of employees or workers moving to another role or job to ensure that any accesses applicable to former roles are terminated.

13.3.3. North Lanarkshire Council requires that employee, worker, contractor and third party terms and conditions of engagement reflect the requirement for compliance with all council policies, including the Information Security Policy.

13.3.4. There must be appropriate screening and background verification checks relating to references, and where appropriate, health checks, criminal convictions declarations and disclosure checks should be carried out to determine suitability for employment.

13.3.5. North Lanarkshire Council's elected members, employees, workers, contractors and third party users must receive information security awareness training and regular updates to changes in Policies, Standards and Guidelines.

13.3.6. Breaches and violations of the council's Information Security Policy may lead to formal disciplinary action in accordance with normal Human Resources procedures.

13.3.7. North Lanarkshire Council will maintain clearly defined and assigned procedures in respect of leavers, which must be followed by all managers at all times.

13.3.8. Members, employees, workers, contractors and third party users must return all information assets in their possession upon termination / cessation of their employment, placement, contract or agreement.

13.3.9. The access rights of all members, employees, workers, contractors and third party users of information and information processing facilities must be removed and deleted upon termination / cessation of their employment, placement, contract or agreement.

ISO 27001 Section 8 : Policy Domain 5: Human Resources

14. Policy Domain 6: Physical and Environmental Security

14.1. Introduction
This policy sets out North Lanarkshire Council's commitment to prevent unauthorised physical access, damage, theft and interference to North Lanarkshire Council

14.2. Control Objective
This policy's intent is to prevent unauthorised physical access, damage and interference to council premises and information.

14.3. Policy Statements
Critical or sensitive information processing facilities must be housed in secure areas, defined by security perimeters, with appropriate security barriers and entry controls.

14.3.1. Secure Areas

• Areas that contain information and information processing facilities must be protected by security perimeters.

• Entry controls must protect secure areas to ensure that only authorised personnel have access.

• Offices, rooms and facilities must be designed taking Information Security requirements into account.

• North Lanarkshire Council must have guidelines to design facilities with protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster.

• There must be physical protection and guidelines for working in secure areas for employees, workers, contractors and third parties.

• Access points, such as delivery and loading areas and other points where unauthorised persons may enter premises, must be controlled and isolated from Information processing facilities.

14.3.2. Equipment Security

• Information processing equipment must be sited with a view to minimising loss or damage from environmental threats and hazards or opportunities for unauthorised access.

• Key items of equipment must be protected from power failures and other disruptions caused by failures in supporting utilities.

• Computer cabling must be protected from interception or damage.

• Equipment must be maintained in accordance with manufacturer's recommendations to ensure continued availability and protection of support warranties.

• Appropriate controls must be applied to equipment removed from Council premises in terms of its security and that of any information stored on it.

• When computer equipment, including all types of static and moveable storage media, such as memory sticks, is removed for disposal from North Lanarkshire premises, all information and software must be permanently removed from them.

• Council equipment, information or software must not be taken off-site without prior permission.

ISO 27001 Section 9 : Policy Domain 6: Physical and Environmental Security

15. Policy Domain 7: Communications and Operations Management

15.1. Introduction
This Policy sets out North Lanarkshire Council's commitment to ensure the correct and secure operation of information processing facilities across all of its telecommunications networks.

15.2. Control Objective
To ensure that North Lanarkshire Council can deliver its services and carry out its business accurately and securely, using its information processing facilities and telecommunications networks.

15.3. Policy Statements
Responsibilities must be allocated for the management and operation of all information processing facilities, and documented procedures must be in place covering all information processing related activities.

15.3.1. Operational Procedures and Responsibilities
There must be detailed operating procedures managed through formal change processes authorised by management. Coverage must include:

• Processing and handling of information;

• Backup processes;

• Scheduling requirements including any interdependencies with other systems, earliest job start times and latest job completion times;

• Error handling and exception processing;

• Support contracts;

• Special output handling and media handling instructions, including arrangements for secure disposal of any output from failed jobs;

• System restart and recovery procedures;

• Management of audit-trail and system log information.

15.3.2. Change Management
Changes to information processing facilities must be formally managed and controlled. Change management procedures must include:

• Identification and recording of significant changes;

• Planning and testing of changes;

• Risk and impact assessment of changes;

• Formal approval procedures;

• Communication of changes to all key stakeholders and affected parties;

• Fallback procedures, including responsibilities for aborting processing and recovering from unsuccessful changes.

15.3.3. Segregation of Duties
Wherever possible, duties and areas of responsibility must be segregated to reduce opportunities for unauthorised or unintentional modification, or misuse, of information. Where it is not possible to strictly segregate activities, additional mitigating controls must be put in place to reduce the risk of exploitation.

15.3.4. Separation of Development, Test and Operational Facilities
Development, test and operational environments and facilities must be separated to reduce the risks of unauthorised access or changes to operational systems.

ISO 27001 Section 11: Policy Domain 7: Communications and Operations Management

15.4. Third Party Service Delivery Management

15.4.1. Service Delivery
Security controls, service definitions and delivery levels included in third-party service agreements must be implemented, operated and maintained by the third party.

15.4.2. Monitoring and review of third party services
Services, reports and records provided by third parties must be regularly monitored, reviewed and audited.

15.4.3. Managing changes to third party services
Changes to the provision of services must be managed, taking into account systems and processes criticality and the re-assessment of risks.

15.5. System Planning and Acceptance

15.5.1. Capacity Management
The use of resources must be monitored, tuned, and projections made for future capacity requirements to ensure an acceptable level of system performance.

15.5.2. System Acceptance
Acceptance criteria for new systems, upgrades and new versions must be established, and suitable tests carried out during development and prior to acceptance.

15.6. Protection against Malicious and Mobile Code

15.6.1. Malicious Code

Detection, prevention and recovery controls against malicious code, as well as user awareness processes, must be implemented.

15.6.2. Mobile Code

Where mobile code is used, configuration must conform to a clearly defined security policy, and controls must be in place to prevent the execution of unauthorised mobile code.

15.7. Backup

15.7.1. Backup copies of information and software must be taken and tested regularly in accordance with an agreed backup policy.

15.7.2. Restores from backup must be tested regularly.

15.8. Network Security Management

15.8.1. Network Security Controls

Networks must be managed and controlled in order to be protected from threats, and to maintain security for information systems and applications using the network, including data in transit.

Operational responsibility for networks must be separated from computer operations management. Responsibilities and procedures for management of remote equipment, including equipment in user areas, must be established. Special controls must be established to safeguard the confidentiality and integrity of data passing over public networks, or over wireless networks, and to protect connected systems and applications. Special controls must also be applied to maintain the availability of the network services and the devices and computers connected.

15.9.1. Management of Removable Storage Media

The management of removable computer media, e.g. tapes, disks, cassettes, CDs, PDAs, mobile phones, memory sticks, cameras, digital pens/recorders and printed reports, must provide a level of protection against exposure to unauthorised access, appropriate to the sensitivity of the information held, and which provides assurance of compliance with the Data Protection Act.

15.9.2. Disposal of Media

When no longer required, any form of removable media or storage devices must be disposed of securely, including permanent removal of any resident data or software.

15.9.3. Information Handling

Procedures for the secure handling and storage of information must be established and maintained, to protect against unauthorised disclosure or misuse.

15.9.4. Security of System Documentation

Systems documentation must be protected against unauthorised access.

15.10. Information Exchange

15.10.1. Exchanges of information and software between organisations must be based upon a formal exchange policy, e.g. the Lanarkshire Data Sharing Partnership (LDSP) Information Sharing Protocol (ISP) or the Government Public Services Network (PSN). Exchanges must be executed in line with exchange agreements and must be compliant with relevant legislation.

15.10.2. Procedures and controls must be in place for the following areas of vulnerability:

• Information being exchanged must be protected against interception, copying, modification, misrouting and destruction.

• Controls and procedures must be in place to protect against malicious code transmitted through the use of electronic communications.

• Sensitive electronic information in the form of attachments must be protected by controls and procedures.

• Electronic communications are subject to the council's Acceptable Use Policy.

• Wireless communications must only be deployed with security controls activated.

• Suitable cryptographic techniques must be used to protect the confidentiality, integrity and availability of sensitive information.

• There must be retention and disposal guidelines for all forms of business-related correspondence in accordance with legal requirements.

• There must be procedures covering the removal of sensitive or critical information from printing facilities, such as printers, copiers and fax machines.

• There must be controls and restrictions covering forwarding of communications facilities, e.g. automatic forwarding of e-mail to external mail addresses.

• Sensitive information must not be left on answering machines.

• Employees and workers must be made aware of the dangers of discussing confidential matters, or of sharing personal information with others, in public places or open offices.


15.10.3. Exchange Agreements

Management should ensure that there are formal agreements for the exchange of information and software between North Lanarkshire Council and external parties. Agreements should include:

• Management responsibilities and procedures for controlling and notifying;

• Procedures to ensure traceability and non-repudiation;

• Minimum standards for packaging and transmission;

• Escrow agreements;

• Courier identification standards;

• Responsibilities and liabilities in the event of information security incidents;

• Ownership and responsibilities for data protection, copyright and software licence compliance.

15.10.4. Physical Media in Transit

Physical media containing information must be protected against unauthorised access, misuse or corruption during transportation beyond the council's physical boundary.

15.10.5. Electronic Messaging

There must be a secure operating framework in place to protect communication via electronic messaging, including measures covering:

• Unauthorised access, modification or denial-of-service;

• Correct addressing and transportation of messages;

• Protective marking of messages;

• General reliability and availability of the service;

• Legal considerations, including electronic signatures;

• Obtaining approval prior to using external public services such as instant messaging or file sharing;

• Stronger levels of authentication controlling access from publicly accessible networks.

15.11. Electronic Commerce

15.11.1. Information used in the conduct of electronic commerce that passes over public networks must be protected from fraudulent activity, contract dispute, unauthorised disclosure or modification.

15.11.2. Information transmitted in respect of on-line electronic services must be protected against incomplete transmission, misrouting, unauthorised alteration and disclosure, duplication or replay.

15.11.3. The integrity of information made available to North Lanarkshire Council users is protected against unauthorised modification.

15.12. Monitoring

15.12.1. Systems must be monitored and information security events recorded and actioned.

15.12.2. Audit logs recording user activities, exceptions and security events must be produced and retained for an agreed period.

15.12.3. Logging facilities and log information must be protected against tampering and unauthorised access.
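Control 15.12.3 asks that log information be protected against tampering, which in practice means tampering must at least be detectable by whoever reviews the log. One standard way to achieve that is to chain records with a keyed MAC, so that editing, reordering or deleting any record invalidates every record after it. The following is an added example written for this page, not the council's code or that of any logging product; the events, the key and the record layout are constructed for illustration, and the function names are the example's own.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample security events (not taken from any real system).
SAMPLE_EVENTS = [
    {"ts": "2014-08-01T09:00:00Z", "user": "u1001", "action": "login", "result": "ok"},
    {"ts": "2014-08-01T09:05:12Z", "user": "u1001", "action": "read", "object": "hr/payroll.xls"},
    {"ts": "2014-08-01T09:07:40Z", "user": "u2002", "action": "login", "result": "fail"},
    {"ts": "2014-08-01T09:08:01Z", "user": "u2002", "action": "login", "result": "fail"},
]

# Value that stands in for "the MAC of the record before the first one".
GENESIS = "0" * 64


def canonical(event):
    """Serialise an event deterministically so it always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def seal(prev_mac, event, key):
    """Keyed MAC over (previous record's MAC || this event): the link in the chain."""
    return hmac.new(key, prev_mac.encode() + b"|" + canonical(event), hashlib.sha256).hexdigest()


def append_event(chain, event, key):
    """Append one event; the log collector holds the key, audited hosts and users do not."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"event": event, "mac": seal(prev, event, key)})
    return chain


def verify_chain(chain, key):
    """Return (True, None) if every link checks out, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if not hmac.compare_digest(seal(prev, rec["event"], key), rec["mac"]):
            return False, i
        prev = rec["mac"]
    return True, None


def demo():
    key = b"constructed-demo-key"  # constructed; a real key lives only with the log collector
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev, key)

    intact, _ = verify_chain(chain, key)

    # Tampering case 1: a failed login rewritten as a success.
    edited = copy.deepcopy(chain)
    edited[2]["event"]["result"] = "ok"
    edited_ok, edited_at = verify_chain(edited, key)

    # Tampering case 2: a record removed from the middle of the log.
    shortened = chain[:1] + chain[2:]
    short_ok, short_at = verify_chain(shortened, key)

    return {
        "intact": intact,
        "edit_detected_at": None if edited_ok else edited_at,
        "deletion_detected_at": None if short_ok else short_at,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a reviewer would raise: the chain cannot detect truncation at the tail (the last records simply vanish), so the collector must also record the current head MAC and record count somewhere the audited host cannot write; and the scheme only holds while the key stays off the hosts that generate the log, which is why the sealing is done on the collector rather than on the source system.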

16.1. Introduction

This policy outlines the rules for accessing information.

16.2. Control Objective

To ensure that access to North Lanarkshire Council information and systems is authorised, appropriate to the level of authority to carry out the job, and managed.

16.3. Policy Statements

Access to information and information systems must be controlled, authorised and kept current. Levels of access granted to employees, workers, members, contractors and third parties must be driven by Services' operational requirements, and must not exceed the levels of authority required to allow them to carry out their authorised activities, nor expose information to unacceptable levels of security risk.

16.3.1. Business Requirements for Access Control

Services must ensure that:

• Access control takes account of both business operational need and security requirements. Access rights for individuals must not exceed the levels of system authority required for individual job roles, and must not expose information to unacceptable levels of security risk;

• Access granted to information must not breach legislation, e.g. the Data Protection Act;

• Access to information systems must take account of the necessity for segregation of duties;

• Management of access must not compromise segregation of access control roles, e.g. access request, access authorisation and access administration;

• There must be a formal documented process for access requests;

• There must be periodic review of access control lists;

• Employees' resignation or cessation processes must provide notification to access removal processes.

16.3.2. User Access Management

16.3.2.1. User Registration

Services must ensure that:

• There must be a formal user registration and de-registration procedure for granting and revoking access, to provide a means of maintaining user access rights and managing redundancy;

• Users must have unique User-IDs to enable them to be linked to, and be accountable for, their actions;

• Group or generic User-IDs must only be used in exceptional circumstances and must be risk assessed;

• The allocation of user rights and systems privileges must be controlled and be commensurate with their authorised operational roles;

• The allocation of passwords must be controlled through a formal release process and take account of the protection of password content;

• User administration processes must immediately respond to requests for removal or blocking of access rights where users have changed roles, jobs or left the organisation;

• There must be periodic checks for, and removal of, redundant User-IDs and accounts;

ISO 27001 Section 12: Policy Domain 8: Access Control

North Lanarkshire Council | Page 20 of 31

• Redundant User-IDs must not be re-issued to new users.

16.3.2.2. Privilege Management

Services must ensure that:

• User accounts with higher levels of system capability must be controlled;

• Privileged accounts must be managed separately from ordinary user application accounts;

• Privileged accounts must be allocated on a need-to-use and on an event-by-event basis for a specified duration, under a request, release and revoke process;

• Wherever possible, system support user accounts must be tailored to include privileged features which do not exceed functional support requirements;

• The development and use of programs which avoid the need to operate with "super-account" privileges must be actively encouraged;

• The use of privileged accounts must be reviewed on a regular basis.

16.3.2.3. User Password Management

Services must ensure that:

• Passwords must not be shared between users;

• When users maintain their own passwords, the initiation process for setting up a new user account must create a secure temporary password which users must change before being granted access to systems;

• There must be a process for user identity authentication before passwords can be issued to new or existing users;

• Passwords must be communicated to owners by secure means;

• Passwords must be communicated directly to users and not via third parties;

• Unprotected (clear text) e-mail messages must not be used for password distribution;

• Passwords must not be stored on computer systems in an unprotected form;

• Default vendor passwords must be changed as soon as systems become operational.

16.3.2.4. Review of user access rights

• User access rights must be reviewed annually.

• User access rights must be reviewed when users move from one functional role to another, or when a user leaves the organisation.

• User access rights for special privilege accounts must be reviewed at more frequent intervals than ordinary user accounts.

• Changes to privileged accounts must be logged for periodic review.

16.4. User Responsibilities

16.4.1. Password Use

• Each user must keep their passwords confidential.

• Users must not keep a record of passwords (e.g. post-it, paper, software file, handheld device etc.) unless the method of storage is secure and has been approved.

• Passwords must be changed whenever there has been any possibility of system or password compromise.

16.4.2. Unattended User Equipment

Active sessions must be terminated when finished unless secured by an appropriate automatic locking mechanism.

16.4.3. Clear Desk and Screen

• Sensitive or critical council information (e.g. paper or electronic storage media) must be locked away when not required or if the office location is left unattended.

• Computers and terminals must be logged off, or protected by a screen and keyboard locking mechanism, if unattended.

• Incoming and outgoing mail points and unattended fax machines must be protected.

• Unauthorised use of reproductive technology, e.g. photocopiers, scanners, digital cameras etc., must not take place.

• Documents containing sensitive information must be removed from printers immediately.

• Documents containing sensitive information must be securely disposed of when no longer required.

16.5. Network Access Control

16.5.1. Use of Network Services

• Users must only be provided with access to those services which they have been authorised to use.

• There must be formal authorisation procedures and criteria for determining who is allowed to access which networks and which network services.

• There must be management controls and procedures to protect access to network connections and network services.

16.5.2. User Authentication for External Connections

There must be appropriate authentication methods deployed to control access by remote users in accordance with identified risk.

16.5.3. Equipment Identification and Authentication in Networks

Automatic equipment identification must be used as a means to authenticate from specific equipment and locations.

16.5.4. Remote Diagnostic and Configuration Port Protection

Physical and logical access to diagnostic and configuration ports must be controlled.

16.5.5. Segregation in Networks

Groups of information services, users and information systems must be segregated on networks.

16.5.6. Network Connection Control

For shared networks, especially those extending across North Lanarkshire Council's boundaries, the capability of users to connect to the network must be restricted.

16.5.7. Network Routing Control

Routing controls must be implemented to ensure that connections and information flows do not breach the access requirements and policies of the business applications.

16.6. Operating System Access Control

16.6.1. Secure Log-in Procedures

Access to operating systems must be controlled by secure log-in procedures.

16.6.2. User Identification and Authentication

Operating system users must be provided with a unique User-ID to ensure accountability and traceability for all actions undertaken.

16.6.3. Password Management System

• A suitable password management system must be used.

• Users must be allowed to select their own passwords.

• Password complexity must be activated.

• Regular changing of passwords must be enforced.

• At first log-in, temporary passwords issued to set up User-IDs must be changed.

• A record of previously-used passwords must be maintained to prevent constant re-use of the same passwords.

• Password characters must not be displayed on typing them in.

• Passwords must be stored separately from application system data.

• Passwords must be stored and transmitted in protected form (e.g. encrypted or hashed form).
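Several of the 16.6.3 requirements (temporary password changed at first log-in, complexity, a history that blocks re-use, storage in hashed form) and the 16.3.2.3 release-process rules can be shown working together in a small password store. The following is an added example written for this page, not the council's system or any vendor's product; the parameter values (12-character minimum, 12 remembered passwords, the scrypt cost settings) are assumptions, since the policy gives no numbers, and the UserRecord type and function names are the example's own.

```python
import hashlib
import hmac
import os
import re
import secrets

# Policy parameters: assumed values for the example, the policy states no numbers.
MIN_LENGTH = 12
HISTORY_DEPTH = 12          # previous passwords remembered to block re-use
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Salted, memory-hard hash: the store never holds a password in clear."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def complexity_problems(password):
    """Return the list of complexity rules the password fails (empty list = acceptable)."""
    checks = [
        (len(password) >= MIN_LENGTH, "shorter than %d characters" % MIN_LENGTH),
        (re.search(r"[a-z]", password), "no lower-case letter"),
        (re.search(r"[A-Z]", password), "no upper-case letter"),
        (re.search(r"[0-9]", password), "no digit"),
        (re.search(r"[^A-Za-z0-9]", password), "no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]


class UserRecord:
    """What the password store keeps per User-ID: hashes only, plus a 'must change' flag."""

    def __init__(self, user_id):
        self.user_id = user_id
        self.salt = None
        self.digest = None
        self.history = []        # (salt, digest) pairs of earlier passwords, newest first
        self.must_change = True  # set on account creation and on administrator resets


def issue_temporary_password(user):
    """Account set-up: a random temporary password that only works until it is changed."""
    temp = secrets.token_urlsafe(12)
    user.salt, user.digest = hash_password(temp)
    user.must_change = True
    return temp   # handed to the user over a secure channel, never clear-text e-mail


def verify_password(user, candidate):
    _, digest = hash_password(candidate, user.salt)
    return hmac.compare_digest(digest, user.digest)


def change_password(user, old, new):
    """Enforce: knows the current password, meets complexity, not among the last HISTORY_DEPTH."""
    if not verify_password(user, old):
        return False, "current password incorrect"
    problems = complexity_problems(new)
    if problems:
        return False, "complexity: " + ", ".join(problems)
    # Re-hash the candidate under each stored salt; an equal digest means re-use.
    for salt, digest in [(user.salt, user.digest)] + user.history:
        if hmac.compare_digest(hash_password(new, salt)[1], digest):
            return False, "password previously used"
    user.history.insert(0, (user.salt, user.digest))
    del user.history[HISTORY_DEPTH:]
    user.salt, user.digest = hash_password(new)
    user.must_change = False
    return True, "changed"


def login(user, candidate):
    """Returns 'denied', 'change-required' (temporary password still in force) or 'granted'."""
    if not verify_password(user, candidate):
        return "denied"
    if user.must_change:
        return "change-required"
    return "granted"
```

Note that the history check has to re-hash the candidate under each old salt, because hashed passwords cannot be compared directly; that cost grows with HISTORY_DEPTH, which is one reason to keep the depth modest. The "characters not displayed" rule is a property of the log-in screen (getpass-style input), not of the store, and is outside this example.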

16.6.4. Use of System Utilities

• There must be strict controls over the use of system utilities.

• System utilities must be segregated from applications software.

• System utilities must only be available to a small number of suitably qualified and authorised people.

• Ad hoc use of system utilities must follow an authorisation procedure.

• System utilities must be released only for a specific agreed time period and then access must be revoked.

• The use of all system utilities must be strictly logged.

• Authorisation for access to system utilities must be documented.

• Software utilities and system software not required for operational support activities must be disabled or removed from servers.

• Users who have operational access to application software where segregation of duties is necessary must not have access to system utilities.

16.6.5. Session Time−out

• Sessions which have been inactive for a period of time must be automatically timed-out.

• Consideration must be given to the use of pre-determined time-slots, e.g. for batch file transmissions, or regular interactive sessions of short duration.

• Wherever possible, connection times should be limited to discrete time slots, e.g. office hours.

• Consideration must be given to re−authentication at timed intervals.

For high-risk or highly sensitive applications, e.g. those housed in public areas outside of managed security areas, the use of pre-determined time-slots or restricted connection times outside of normal office hours, or re-authentication at timed intervals, must be deployed.

16.7.1. Information Access Restriction

Information systems must be designed and constructed to limit application and support access only to authorised activities. This may be done by:

• Providing menus to control access to application business and support functions.

• Designing menus which users may not abort or escape without exiting the system completely.

• Creating tailored accesses which exactly match application role profiles and do not exceed the functional requirements of each role.

• Designing applications which manage application support accesses through a tied menu system.

• Controlling the rights of other applications to access shared information resources.

• Controlling and monitoring use of system utilities and low-level software tools.

16.7.2. Sensitive System Isolation

• Sensitive systems must operate in a dedicated (isolated) environment.

• Interaction or resource-sharing with other applications or systems must take place within a formal set of trust relationships.

16.8. Mobile Computing and Remote working

16.8.1. Mobile Computing and Communications

Controls must be employed to ensure that information stored, processed, or communicated via mobile computing devices or mobile storage devices is protected against exploitation. The types of protection available include:

• Physical protection;

• Access controls;

• Cryptographic techniques, i.e. encryption;

• Backups;

• Virus protection.

16.8.2. Remote working (Working outside of council premises e.g. home working)

• A detailed remote working policy (i.e. the Flexible Workstyle Options Policy) must be in existence for remote working to be operated.

• Remote working activities must be authorised by management.

• Remote working must only be operated in environments where due consideration has been given to the following:

• The provision of suitable equipment and storage facilities;

• A definition of the work permitted, the hours of work, the type of information that may be held and the internal systems and services that the remote worker is authorised to access;

• The provision of suitable communication equipment, including methods of securing remote access and encryption of information;

• The physical security of the remote site;

• Environmental conditions and Health and Safety considerations at the remote site;

• Rules and guidance on family and visitor access to equipment and information;

• The provision of hardware and software support and maintenance;

• Insurance provision;

• Revocation of authority and access rights, and the return of equipment when the remote working activities are terminated.

17. Information Systems Acquisition, Development and Maintenance

17.1. Introduction

Information systems security requirements must be identified at the earliest stage, typically the requirements phase of a project, and justified, agreed and documented as part of the overall business case for the system.

17.2. Control Objective

To ensure that security is an integral part of information systems.

17.3. Policy Statements

Information systems, including operating systems, infrastructure, business applications, off-the-shelf products, services and user-developed applications, must have security requirements specified at the earliest stages of definition of functional and technical requirements.

17.4. Security Requirements Analysis and Specification

Statements of functional/business requirements for new information systems, or enhancements to existing systems, must specify the requirements for security controls.

17.5. Correct Processing in Applications

Appropriate controls must be designed into applications, including user-developed systems, to ensure correct processing. These must include input data, internal processing and output data validation controls:

• Data input to applications must be validated to ensure that it is accurate, correct and complete;

• Internal processing in applications should include validation checks to detect any corruption of information through processing errors or deliberate acts;

• Message integrity: controls must be deployed to ensure the authenticity and integrity of message content;

• Data output from an application should be validated to ensure that it is correct.

17.6. Cryptographic Controls

Where the sensitivity of information requires suitably robust controls, cryptographic techniques must be deployed to ensure the confidentiality, integrity, authenticity and non-repudiation of information stored, processed or transmitted.

All laptops and removable devices require to be encrypted due to their vulnerability to loss or theft. Any exceptions to this must be assessed, approved and recorded by the ICT Security Team.

Secure key management processes must be deployed in support of the cryptography solutions applied.

17.7. Security of System Files

17.7.1. Operational Software

There must be procedures in place to control the installation of software on operational systems.

17.7.2. Protection of System Test Data

• Copying operational databases containing personal information should be avoided.

• There must be a separate authorisation request for each time an operational database or file is copied from a production environment.

• … from test environments immediately after testing is completed.

ISO 27001 Section 12: Policy Domain 9: System Acquisition, Development and Maintenance

North Lanarkshire Council | Page 26 of 31

17.7.3. Access Control to Program Source Code

• Program source code should be treated as a highly sensitive and valuable … procedures.

• There must be an authorisation process to manage access to program code.

• Maintenance and copying of program source libraries must adhere to strict change control procedures.

17.8. Security in Development and Support Processes

17.8.1. Change Control Procedures

Changes must follow a strict set of change control procedures.

17.8.2. Technical Application Review after Operating Environment Changes

When operating systems are changed, key or business-critical systems must be reviewed and tested to ensure that there is no adverse operational impact from the change.

17.8.3. Restrictions on Changes to Software Packages

Modifications to third party software packages must be avoided except where a contractual agreement has been reached with the software vendor and strict conditions and limitations have been defined and agreed between North Lanarkshire Council and the vendors. Cognisance must be taken of the impact, legal and support implications of changing packaged software.

17.8.4. Outsourced Software Development

Outsourced software development must be actively managed and deliver code to an agreed standard. In contracts with external software suppliers or developers, consideration must be given to inclusion of the following controls:

• Licensing arrangements, code ownership, and intellectual property rights;

• Certification of the quality or accuracy of the work carried out;

• Escrow agreements in the event of failure of the third party;

• Rights of access for audit of the quality or accuracy of the work done;

• Contractual requirements for the quality and security functionality of the code;

• Testing before installation to detect malicious and Trojan code.

17.9. Technical Vulnerability Management

There must be a process for reacting to and addressing published technical vulnerabilities. This should include the following steps:

• Notification of vulnerabilities from internal or external sources;

• Recording of vulnerabilities into a log;

• Risk assessment of IT environments in relation to known vulnerabilities;

• Recording of vulnerabilities in Risk Registers;

• Prioritised, risk-based action plan for patching, including timescales for resolution;

• Execution of the patching process, including testing of patches.

18.1. Introduction

Information security events, incidents and weaknesses associated with information systems expose information systems and … must be formally addressed in a timely manner in line with those levels of risk.

18.2. Objective

To ensure that there is a process in place for managing security incidents in a timely manner equal to the level of risk identified.

18.3. Policy

Formal procedures to report, assess, escalate, communicate and address information security incidents and events must be in place and communicated to all employees, workers, contractors and third party users.

18.3.1. Reporting Information Security Events

There must be a formal security incident reporting process which includes:

• Standard information security event reporting forms to record essential details;

• Predefined process steps through the incident management process;

• Documented procedures for handling potential evidence material;

• Reference to established formal disciplinary procedures.

18.4. Reporting Security Weaknesses

All employees, workers, contractors and third party users of information systems, along with all third parties contracted to provide services to North Lanarkshire Council, must note and report any suspected security weakness.

18.5. Management of Information Security incidents and Improvements

• Standard Security Incident Management roles and responsibilities must be established to ensure a consistent approach to every event.

• Security event management processes must include assessments of the risks which events pose to the organisation and its operations.

• Actions taken in response to security risks must include a process of continuous improvement to prevent re-occurrence of the same or similar events.

• The collection of evidence must be handled in a way that complies with legal requirements.

• Appropriate external organisations, such as the Police, must be included at predetermined points in the incident process.

ISO 27001 Section 13: Policy Domain 10: Security Incident Management

North Lanarkshire Council

Page 28 of 31

19. Business Continuity Management

19.1. Introduction

Business Continuity Management is the set of procedures and processes designed to counteract interruptions to the operations of North Lanarkshire Council. It is also designed to protect critical processes from the effects of major failures of information systems or disasters, and to facilitate a managed resumption of business.

19.2. Objective

To counteract interruption of business activities, to protect critical processes against the worst effects of failures or disasters and to ensure timely resumption of normal operating activities.

19.2.1. Policy Statements

• There must be a formal standard process in place for Business Continuity Management across the authority.

• All Services must follow the Business Continuity Planning process and complete the standard documentation set.

• Business Continuity Plans must be communicated to all affected parties.

• Business Continuity Plans must be tested regularly to ensure effectiveness of individual plans.

• Continuity plans must identify critical operational processes based on risk, and address workarounds and resumption of activity on a prioritised basis.

ISO 27001 Section 15: Policy Domain 12: Compliance


20. Compliance

20.1. Introduction
The design, operation, use and management of information systems may be subject to statutory, regulatory and contractual security requirements.

20.2. Objective
To avoid breaches of any law, statutory, regulatory or contractual obligations and of any security requirements.

20.3. Policy Statements

• Appropriate procedures must be implemented to ensure compliance with legislative, regulatory or contractual obligations.

• Procedures must be implemented to ensure compliance with legislative, regulatory or contractual requirements on the use of intellectual property rights and on the use of proprietary software.

• Important records must be protected from loss, destruction and falsification, in accordance with statutory, regulatory, contractual and business requirements.

• Personal information must be protected against unauthorised access.

• Users must not use information processing facilities for unauthorised purposes.

• Cryptographic controls must be used in accordance with all relevant laws, agreements and regulations.

20.3.1. Compliance with security policies and standards, and technical compliance.

• Managers must ensure that all security procedures within their area of responsibility are carried out.

• Information systems must be checked regularly for compliance with security implementation standards.

• Security testing must take place before live operation.

• Both external and internal periodic security testing of the IT infrastructure must be carried out to detect any vulnerabilities.

20.3.2. Information Systems Audit

• Access to Information Systems Audit tools must be protected to prevent possible misuse.

• Audit requirements and activities involving checks on operational systems must be carefully planned and agreed to minimise the risk of disruption to operational processing and processes.

ISO 27001 Section 15: Policy Domain 12: Compliance


Appendix A: Glossary of Terms

Term: Description

Business Continuity Planning: Planning processes, procedures and documentation designed to ensure that organisations can respond to disruptive events and disasters, and continue to carry on their operations.

Confidentiality: Information confidentiality is the need to restrict access to information only to those who have authorisation or a right to access it.

Data: A specific fact or characteristic.

Guidelines: Documents which detail information security best practice and advice.

ICT: Information Communications Technology.

Information: Data being used in a context and for decision making.

Information Asset: Information is of value to any organisation and therefore can be regarded as an asset. It should be treated with the same level of management and care as any asset.

Integrity: Integrity of information, for the purposes of this context, is the requirement to protect information against tampering with its content, and the assurance that it is consistent and correct.

Intellectual Property: Intellectual property is the ownership of a set of rights arising from someone's idea, invention, creation, etc., which can be protected by law from being copied.

ISF: Information Security Forum, a body comprising representatives from each Service. Members have responsibilities for co-ordinating implementation of this policy and for assisting in security awareness initiatives within their Service areas.

ISO: International Organization for Standardization.

Malicious Code: A piece of hostile programming code designed to interfere with the normal operation of computers and networks, and possibly replicate itself across networks to other connected computers, e.g. a virus or worm.

Mobile Code: Code obtained from remote systems, transferred across networks and then downloaded and executed on local systems without explicit installation or execution by the recipient.

Policy: A high level set of regulations or rules which govern people's activities. They are usually based upon an underlying set of principles.

Policy Domain: A set of policies covering a common subject area.

Policy Exception: An instance where a policy is not complied with.

Procedures: Step by step instructions detailing how policy and standards will be implemented in an operating environment.

Standards: Mandatory activities, actions, rules or regulations designed to support policies with the specific technical or operational detail required to make them meaningful and effective. The standards are derived from the international standard for Information Security Management, ISO 27001, and from BS 7799, the British Standard for Information Security Management.

Third Party: An organisation, individual or group of individuals who are not North Lanarkshire Council employees or workers, but who are contracted to provide services to the Council and in so doing may have access to Council information or systems.
