Data Protection Risk Register

| Area of risk | Risk Identified | Date Updated | Risk Level (H/M/L) | Management of Risk | Comment |
|---|---|---|---|---|---|
| All personal data | Personal data falls into the hands of a third party | 07/10/21 | L | The council keeps very limited personal data in respect of employees, councillors, tradespeople, consultants, contractors and the payroll processor. This is stored in hard copy files and electronic storage. Hard copy personal data is stored in locked filing cabinets and electronic data in password protected systems. The security arrangements in place are regarded as both reasonable and proportionate to the risk given the limited personal data held. Computer backup data is held securely on duplicate hard drives on site in the safe and off site; cloud storage is also being used for documents for greater security. | |
| All personal data | Publishing of personal data in the minutes and other council documents | 07/10/21 | L | This is always avoided as far as possible. | |
| Sharing of data | Personal data falls into the hands of a third party | 07/10/21 | L | Personal data is only shared with (1) the payroll provider under a signed agreement and (2) the pension provider under their standard terms and conditions. | |
| Hard copy data | Hard copy data falls into the hands of a third party | 07/10/21 | L | Personal data is stored in line with the Retention of Documents policy. It is stored in a locked cabinet / room when not in use. | |
| Electronic data | Theft / loss of a laptop or other device containing personal information | 07/10/21 | L | All devices are password protected and daily backups are carried out. Duplicate hard drives are stored both in the office safe, which is fire / flood proof, and off site. Electronic documents are now also stored on OneDrive, which provides cloud based storage. | |
| E-news | Lack of consent | 12/10/22 | L | The e-news subscriber list is held in Mailchimp. Individuals must sign up and consent to receive MPC's newsletters. Email addresses must not be added by council staff or Members. | |
| Email security | Unauthorised access to council emails | 12/10/22 | M | All staff / councillors have parish council email addresses. There is a risk that official email addresses are not always used, and a need for further guidance on: (1) using blind copies to send emails to addressees outside the council; (2) use of encryption / redaction of personal information; (3) forwarding on emails from the public. Also, when a range of personal devices is used which may be shared with others or contain non-council material, there is a risk that security is compromised; this requires further consideration in line with ICO guidance. All councillors are advised to use webmail to access their emails. | |
| General security (office) | Unauthorised access to council computers and files | 07/10/21 | L | All authorised users have their own passwords. Up to date anti-virus protection software and firewalls are installed. | |
| General security (outside) | Unauthorised access to council computers and files | 07/10/21 | M | All authorised users have their own passwords. Up to date anti-virus protection software and firewalls are installed. When personal devices are used, e.g. in councillors' homes or elsewhere, security may be compromised and this requires more consideration in line with ICO guidance. | |
| Website security | Personal information or photographs of individuals published on the website | 12/10/22 | L | This is not published without consent. Photographs of staff and councillors are displayed subject to specific consent. The website is hosted by NetWise, who provide security measures. The privacy policy is on the website and cookie consent is active. 2-step authentication has been installed for council staff website login. | |
| Disposal of computers and printers | Data falls into the hands of a third party | 07/10/21 | L | These are not disposed of without security measures. | |
| Financial risks | Financial loss following a data breach as a result of prosecution or fines | 07/10/21 | L | The Council has insurance cover of up to £1m in place to cover data breaches. | |
| General risks | Loss of third party data due to lack of understanding of the risks / need to protect it | 18/10/23 | M | Staff wish to receive updated DP training. The Clerk is to look at the SALC offering. The risk in relation to councillors, and the need to provide general training on data protection (largely around the use of personal emails and devices) in the context of ICO guidance, is recognised, and training is being offered by SALC. | |