Documents

FRM(21)45.02 Data Protection Risk Register

FERMFERM Agendas & Papers Uploaded on October 7, 2021

Data Protection Risk Register                                    FRM(21)45.02

                                                                                               

 

Area of risk Risk Identified Date Updated Risk Level

H/M/L

Management of Risk Comment
All personal data Personal data falls into hands of a third party 07/10/21  

L

The council keeps very limited personal data in respect of employees, councillors, tradespeople, consultants, contractors and payroll processor. This is stored in hard copy files and electronic storage. Hard copy personal data is stored in locked filing cabinets and electronic data in password protected systems. The security arrangements in place are regarded as both reasonable and proportionate to the risk given the limited personal data held. Computer back up data is held securely in duplicate hard drives on site in the safe and off site; cloud storage is being used for documents for greater security as well.
  Publishing of personal data in the minutes and other council documents 07/10/21  

L

This is always avoided as far as possible.
Sharing of data Personal data falls into hands of a third party 07/10/21  

L

Personal data is only shared with (1) payroll provider under a signed agreement and (2) pension provider under their standard terms and conditions.
Hard copy data Hard copy data falls into hands of a third party 07/10/21  

L

Personal data is stored in line with the Retention of Documents policy. It is stored in a locked cabinet / room when not in use.
Electronic data Theft / loss of a laptop, or other device containing personal information 07/10/21  

L

All devices are password protected and daily backups are carried out. Duplicate hard drives are stored both in the office safe which is fire / flood proof and off site. Also electronic documents are now stored on OneDrive which provides cloud based storage.

 

E-news Lack of consent 07/10/21 L The e-news subscriber list is held in Mailchimp. Individuals must sign up and consent to receive MPC’s newsletters. Email addresses cannot be added by council staff or Members
Email security Unauthorised access to council emails 07/10/21  

M

All staff / councillors have parish council email addresses.

 

Risk that official email addresses are not always used and need for further guidance on:

  • Using blind copies to send emails to addressees outside the council
  • Use of encryption / redaction of personal information
  • Forwarding on emails from the public.

Also when a range of personal devices are used which may be shared with others / contain non-council material then there is a risk that security is compromised and this requires further consideration in line with ICO guidance.

General security

(office)

Unauthorised access to council computers and files 07/10/21  

L

All authorised users have their own passwords.

Up to date anti-virus protection software and firewalls are installed.

General security

(outside)

Unauthorised access to council computers and files 07/10/21  

M

All authorised users have their own passwords.

Up to date anti-virus protection software and firewalls are installed.

When personal devices are used e.g. in councillor’s homes or elsewhere, security may be compromised and this requires more consideration in line with ICO guidance.
Website security Personal information or photographs of individuals published on the website 07/10/21  

 

 

L

This is not published without consent. Photographs of staff and councillors are displayed subject to specific consent.

The website is hosted by NetWise who provide security measures. Privacy policy is on the website and cookie consent is active.

Disposal of computers and printers

 

Data falls into the hands of a third party

 

07/10/21  

L

These are not disposed without security measures.
Financial Risks Financial loss following a data breach as a result of prosecution or fines 07/10/21  

L

The Council has insurance cover of up to £1m in place to cover data breaches.
General risks Loss of third party data due to lack of understanding of the risks/need to protect it 07/10/21  

M

Staff have received training on data protection compliance. Risks in relation to councillors and the need to provide general training on data protection (largely around the use of personal emails and devices) in the context of ICO guidance is recognised and training is being offered by SALC.

 

 

 

Reviewed on:      __________________________

 

 

Signed:  __________________________________ (Chairman of Finance, Employment and Risk Management Committee)