(2) what security controls are in place in respect of each data set his Department holds; and whether such controls are based on the level of risk.
The Department has an extensive range of policies, standards and procedures for the protection of information (including personal data) and the associated information technology systems. In common with all data controllers formally registered under the Data Protection Act, the Department is under legal obligations to ensure that personal data is properly protected from theft or loss, and the Department takes these responsibilities very seriously. It is not in the interests of data subjects for the Department to publish the detailed methodologies, controls and processes which apply to the protection of information in general and personal information in particular, or the related security policies that apply to information technology systems. To do so could enable individuals to deduce how successful the Department is in protecting its systems, in identifying vulnerabilities and in detecting attacks, and might assist such persons in testing the effectiveness of the Department’s controls, and thus in unlawfully procuring information and data. This would not be in the public interest.
In accordance with the Cabinet Office’s review of Data Handling Procedures in Government, the Department is required to conduct annual risk assessments of its information assets. A formal statement of the Accounting Officer’s overall assessment of the level of information risk will be given in the Department’s annual Resource Account for the year ending March 2009. However, it is not in the interests of data security for the Department to publish its detailed assessments of the level of risk attached to specific data sets. To do so could enable individuals to exploit any identified vulnerabilities, and thus unlawfully to obtain information and data. This would not be in the public interest.
Information on the numbers of staff in the Department for Work and Pensions who have been (a) investigated, (b) suspended and (c) dismissed for (i) losing and (ii) deliberately disclosing (A) data stored on departmental equipment and (B) confidential information in each year since its inception is not available in the format requested.
The Department for Work and Pensions records the numbers of staff investigated, suspended and dismissed for misconduct under general headings but does not record this information under the specific categories requested. To extract more detailed information from individual records under the categories requested would be at disproportionate cost.
Following publication of the Data Handling Review in June 2008, the Department is introducing changes to its disciplinary rules and standards of behaviour to reinforce security measures around the handling and safeguarding of customer data and equipment. The Department’s Discipline and Standards of Behaviour policies and procedures in relation to data loss are brought to the attention of staff via the Department’s intranet site.