DFID has a number of small databases which are maintained for internal operational purposes in its overseas offices, including some which contain personal data relating to DFID staff. No personal data for which DFID is responsible is either stored or processed overseas outside DFID offices.
Contracts awarded by DFID include standard terms and conditions which place obligations on contractors in relation to confidentiality of information, security of equipment and auditing requirements. These clauses specify contractors must have prior written consent from DFID to disclose any confidential information obtained during or arising from the contract, that DFID and the National Audit Office have unrestricted access to their accounts, files and records and that the Official Secrets Acts apply to them. For higher value IT contracts, DFID has built in additional data protection clauses, which require the contractor to comply with the Data Protection Acts.
Within the last 10 years, DFID has carried out the following specific audits relating to personal data and IT equipment:
Audit 1998 Information management Information systems configuration management 1999 Asset control 2006 Asset management, disposal and accounting 2007 Data security assurance
In addition, DFID's Internal Audit Department reviews the local operation of controls over IT assets and data management as part of a rolling programme of administrative audits across DFID's overseas offices.
The National Audit Office also reviews controls over information assets to the extent necessary for its audit of DFID's financial statements.