The Information Commissioner’s Office (the ICO) enforces and promotes compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18), which came into force in May 2018.
With the co-operation of sixteen universities the ICO’s assurance team under took detailed reviews of each provider’s information security (IS). The ICO’s report, Findings from ICO Information risk reviews of information security in the higher education sector, summaries the findings from the risk reviews undertaken.
The ICO’s report identifies relevant control areas for information security (IS) management, examples of good practice, its detailed findings and areas for improvement and key recommendations. The report is intended to assist the work of the higher education sector.
ICO suggests information management control areas comprise:
- Organisation
- Policy
- Training and awareness
- Incident management
- Compliance and monitoring
Good practice
The ICO report cites examples of good practice relating to aspects of governance:
- Information security incidents are discussed as a standing item at steering groups and escalated to higher-level committees, such as executive boards and audit committees, when appropriate, with involvement from the Senior Information Risk Owner (SIRO).
- Internal and external auditors conduct regular (IS) audits. Findings are reported to audit committees to ensure audit actions are implemented with an agreed timescale.
Recommendations
The ICO report sets out its detailed findings and makes a number of associated recommendations. Selected recommendations are reproduced below:
IS Policy:
Data Protection (DP)/IS policies and procedures should be reviewed on an annual basis to ensure they are accurate and fit for purpose. They should be version-controlled and formally approved by staff or boards who have the expertise and authority to do so.
All permanent, temporary and contract staff should be required to confirm they have read and understood all IS-related policies and procedures.
IS Training and awareness:
To ensure that staff are aware of their IS responsibilities when processing personal data, universities should ensure that new starters complete IS training in the first week of employment before being granted access to systems.
IS Incident management
Universities should formally document lessons learn from IS incidents.
IS Compliance and monitoring
IS and other internal audits involving the procession of personal data should be undertaken regularly to identify weaknesses in risk and control processes. Audit plans and schedules should formally document the audits to be carried out. Actions to tackle the risk identified should be documented.
Concluding remarks
While the findings published in the ICO report are drawn from assurance reviews conducted before May 2018, and therefore, in part, highlight the levels of preparation by the universities involved, the detailed finding and associated recommendations offer a useful list for governors and those advising governing bodies to use to check a provider’s compliance with GDPR and DPA18.
While the first half of the 2018 saw a major push by higher education providers on DP/IS compliance it is easy to forget both require continued attention to ensure providers remains fully compliant. The importance of DP/IS and the potential risk of reputational damage should a serious incident occur, means it a matter for the attention of governing bodies. In practice, the detailed oversight of DP/IS is often delegated to the audit committee, who will report back to the governing body on its work and the level of assurance that can be given.
If you would like to receive Governance News Alerts directly to your inbox, you can join our mailing list here.