Departmental Data Protection

Volume 472: debated on Thursday 21 February 2008

To ask the Secretary of State for Environment, Food and Rural Affairs what audits his Department and its agencies have carried out in relation to personal data and IT equipment in each of the last 10 years. (176462)

DEFRA’s Internal Audit Division have not conducted any audits specifically focusing on personal data or IT equipment during the period. As departmental policy does not require business areas to undertake audits, information on any they may have carried out could not be collected without incurring disproportionate costs, but a thorough ‘wall-to-wall’ audit of IT equipment was carried out by IBM in October 2004 when ownership of DEFRA’s IT equipment was transferred under the terms of the IT outsourcing contract.

To ask the Secretary of State for Environment, Food and Rural Affairs what requirements his Department and its agencies place on contractors in relation to audit of personal data and IT equipment. (176625)

The Department’s IT services are provided mainly by IBM under an outsourcing arrangement. This contract includes provisions for DEFRA and its audit agents to have audit and access rights, including contractor premises, systems and records as may be required for the purposes of verifying the integrity, confidentiality and security of the Department’s data and/or personal data.

There are also provisions which require IBM and its sub-contractors to comply with all applicable parts of the Data Protection Acts, specifically the seventh data protection principle, which concerns the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Other contracts awarded by DEFRA include standard terms and conditions which place obligations on contractors including requirements for access to audit and compliance with the Data Protection Acts as stated above.