The Department's Information Security Committee (a sub-committee of the Department's Executive Team) is responsible for information security issues across the Department. Operational responsibility for security is assigned to respective chief executives and heads of businesses. Other senior staff in the Department's agencies have specific responsibilities for promoting data security and report to their respective chief executives. Following the publication of the Cabinet Office's Review of Data Handling Procedures in Government, specific senior civil servants across the Department have been designated as information asset owners who provide assurance to the Department's senior information risk owner that data assets are properly protected.
Independent assurance on the adequacy of the Department's controls is provided from a range of sources including internal audit reviews conducted in accordance with governance arrangements that are overseen by the Departmental Audit Committee, comprising an independent chair and independent members.
In addition, new procedures introduced as part of the Cabinet Office's review of data-handling procedures in Government have led to the designation of information asset owners (senior staff) who provide assurance to the Department's senior information risk owner on the adequacy of the arrangements for managing information assets. The departmental security officer, who is independent of the operational management chain, also provides an annual assessment of the prevailing level of security and of the assurance that can consequently be obtained across the broad range of security risks, including those relating to information.
These assurances, along with other information, will be used to inform the statement of internal control which will be published in the Department's resource account for the year ending 31 March 2009.
In accordance with the Cabinet Office's Guidance on Mandatory Roles: AO, SIRO, IAO (accounting officer, senior information risk owner and information asset owner), published in April 2008, the Department has appointed a senior information risk owner and information asset owners, who are responsible for meeting the requirements of the Cabinet Office data handling report.
The Department takes its responsibilities for data security very seriously. In the last year, the Department has made substantial and extensive improvements to its data handling arrangements, including implementing the recommendations of the Cabinet Office review of data handling procedures in Government.
In respect of the specific information sought, the following measures have been introduced:
(a) Staff recruitment: the Department has introduced additional background checks on new recruits, including the checking of identity and criminal records.
(b) Administrative processes: new procedures have been introduced that have considerably tightened up the handling of information, including improvements in the way data is transferred across the Department, and exchanged with external partners. Staff have been provided with improved guidance; security and discipline policies are being reviewed and refreshed; and major steps have been taken to improve security awareness.
(c) Technical controls: all the Department's laptop computers have been encrypted, and strict IT controls have been implemented which prohibit the use of unencrypted removable media (memory sticks, disks, etc.). Wherever possible, data is transferred electronically rather than on physical media.
A wide range of new procedures has been developed and introduced, including the implementation of encryption products for physical media and laptops, restrictions on the transfer of certain categories of information, and better control where paper documents are moved by courier. All these changes have been supported by improved guidance to staff. In addition, all new staff now undertake security awareness training as part of their routine induction. These activities are being supplemented by a concerted and significant staff awareness campaign.
The Department is registered as a data controller under the Data Protection Act, and the records it maintains in relation to personal data comply with that registration. A very wide range of data records is necessary to deliver the extensive range of services and benefits administered by the Department. The records held will vary according to the particular requirements of the related purpose under the legislation.