Departmental Data Protection

Volume 486: debated on Monday 12 January 2009

To ask the Secretary of State for Work and Pensions whether responsibility for data security is assigned at a senior level and included within relevant job descriptions in his Department; and if he will make a statement. (240332)

The Department's Information Security Committee (a sub-committee of the Department's Executive Team) is responsible for information security issues across the Department. Operational responsibility for security is assigned to respective chief executives and heads of businesses. Other senior staff in the Department's agencies have specific responsibilities for promoting data security and report to their respective chief executives. Following the publication of the Cabinet Office's Review of Data Handling Procedures in Government, specific senior civil servants across the Department have been designated as information asset owners who provide assurance to the Department's senior information risk owner that data assets are properly protected.

To ask the Secretary of State for Work and Pensions what independent assurance he has obtained on the adequacy of data security and information governance arrangements across his Department and its associated agencies. (240341)

Independent assurance on the adequacy of the Department's controls is provided from a range of sources including internal audit reviews conducted in accordance with governance arrangements that are overseen by the Departmental Audit Committee, comprising an independent chair and independent members.

In addition, new procedures introduced as part of the Cabinet Office's review of data-handling procedures in Government have led to the designation of information asset owners—senior staff—who provide assurance to the Department's senior information risk owner on the adequacy of the arrangements for the management of information assets. The departmental security officer, who is independent of the operational management chain, also provides an annual assessment on the prevailing level of security, and the consequent assurance that can be obtained across the broad range of security risks, including those relating to information.

These assurances, along with other information, will be used to inform the statement of internal control which will be published in the Department's resource account for the year ending 31 March 2009.

To ask the Secretary of State for Work and Pensions what formal data owners there are for each dataset held by his Department and its agencies; and if he will make a statement. (240815)

In accordance with the Cabinet Office's report on Guidance on Mandatory Roles: AO, SIRO, IAO (accounting officer, senior information risk owner and information asset owner) published in April 2008, the Department has appointed a senior information risk owner and information asset owners who will have responsibility for meeting the requirements of the Cabinet Office data handling report.

To ask the Secretary of State for Work and Pensions what assessment he has made of the adequacy of (a) staff recruitment and management practices, (b) administrative processes and (c) technical controls in maintaining data security in his Department and its agencies. (241304)

The Department takes its responsibilities for data security very seriously. In the last year, the Department has made substantial and extensive improvements to its handling arrangements for such data including the implementation of the recommendations of the Cabinet Office review of data handling procedures in Government.

In respect of the specific information sought, the following measures have been introduced:

(a) Staff recruitment: the Department has introduced additional background checks on new recruits, including the checking of identity and criminal records.

(b) Administrative processes: new procedures have been introduced that have considerably tightened up the handling of information, including improvements in the way data is transferred across the Department, and exchanged with external partners. Staff have been provided with improved guidance; security and discipline policies are being reviewed and refreshed; and major steps have been taken to improve security awareness.

(c) Technical controls: all the Department's laptop computers have been encrypted, and strict IT controls implemented which prohibit the use of unencrypted media (memory sticks, disks, etc). Wherever possible, data is transferred electronically rather than relying on physical media.

To ask the Secretary of State for Work and Pensions what (a) procedures and (b) staff training programmes his Department has put in place on maintaining data security. (241305)

A wide range of new procedures has been developed and introduced, including implementation of encryption products for physical media and laptops, restrictions on the transfer of certain categories of information, and better control where paper documents are moved by courier services. All these changes have been supported by improved guidance to staff. In addition all new staff now undertake security awareness training as part of their routine induction. These activities are being supplemented by a concerted and significant campaign of staff awareness.

To ask the Secretary of State for Work and Pensions what records his Department maintains in relation to the classes of data held by his Department and its agencies. (241391)

The Department is registered as a data controller in accordance with the Data Protection Act, and the records maintained in relation to personal data comply with that registration. A very wide range of data records are necessary to deliver the extensive range of services and benefits administered by the Department. Such records as are held will vary according to the particular requirements of the related purpose under the legislation.

To ask the Secretary of State for Work and Pensions on how many occasions (a) information and (b) data was (i) lost and (ii) stolen from his Department in each year since 1997; and what estimate he has made of the cost to his Department of recovering such losses. (244045)

I refer the hon. Member to the written answer I gave the hon. Member for Ceredigion (Mark Williams) on 22 October 2008, Official Report, column 408W.