Data Protection Risk Register FRM(21)45.02
| Area of risk | Risk Identified | Date Updated | Risk Level (H/M/L) | Management of Risk | Comment |
|---|---|---|---|---|---|
| All personal data | Personal data falls into hands of a third party | 07/10/21 | L | The council keeps very limited personal data in respect of employees, councillors, tradespeople, consultants, contractors and payroll processor. This is stored in hard copy files and electronic storage. Hard copy personal data is stored in locked filing cabinets and electronic data in password protected systems. | The security arrangements in place are regarded as both reasonable and proportionate to the risk given the limited personal data held. Computer back up data is held securely in duplicate hard drives on site in the safe and off site; cloud storage is being used for documents for greater security as well. |
| | Publishing of personal data in the minutes and other council documents | 07/10/21 | L | This is always avoided as far as possible. | |
| Sharing of data | Personal data falls into hands of a third party | 07/10/21 | L | Personal data is only shared with (1) payroll provider under a signed agreement and (2) pension provider under their standard terms and conditions. | |
| Hard copy data | Hard copy data falls into hands of a third party | 07/10/21 | L | Personal data is stored in line with the Retention of Documents policy. It is stored in a locked cabinet / room when not in use. | |
| Electronic data | Theft / loss of a laptop, or other device containing personal information | 07/10/21 | L | All devices are password protected and daily backups are carried out. Duplicate hard drives are stored both in the office safe, which is fire / flood proof, and off site. Electronic documents are also now stored on OneDrive, which provides cloud based storage. | |
| E-news | Lack of consent | 07/10/21 | L | The e-news subscriber list is held in Mailchimp. Individuals must sign up and consent to receive MPC's newsletters. Email addresses cannot be added by council staff or Members. | |
| Email security | Unauthorised access to council emails | 07/10/21 | M | All staff / councillors have parish council email addresses. | Risk that official email addresses are not always used and need for further guidance on: Also, when a range of personal devices are used which may be shared with others / contain non-council material, there is a risk that security is compromised and this requires further consideration in line with ICO guidance. |
| General security (office) | Unauthorised access to council computers and files | 07/10/21 | L | All authorised users have their own passwords. Up to date anti-virus protection software and firewalls are installed. | |
| General security (outside) | Unauthorised access to council computers and files | 07/10/21 | M | All authorised users have their own passwords. Up to date anti-virus protection software and firewalls are installed. | When personal devices are used, e.g. in councillors' homes or elsewhere, security may be compromised and this requires more consideration in line with ICO guidance. |
| Website security | Personal information or photographs of individuals published on the website | 07/10/21 | L | This is not published without consent. Photographs of staff and councillors are displayed subject to specific consent. The website is hosted by NetWise, who provide security measures. The privacy policy is on the website and cookie consent is active. | |
| Disposal of computers and printers | Data falls into the hands of a third party | 07/10/21 | L | These are not disposed of without security measures. | |
| Financial Risks | Financial loss following a data breach as a result of prosecution or fines | 07/10/21 | L | The Council has insurance cover of up to £1m in place to cover data breaches. | |
| General risks | Loss of third party data due to lack of understanding of the risks / need to protect it | 07/10/21 | M | Staff have received training on data protection compliance. | Risks in relation to councillors and the need to provide general training on data protection (largely around the use of personal emails and devices) in the context of ICO guidance are recognised, and training is being offered by SALC. |