Departmental Data Protection

Volume 488: debated on Tuesday 3 March 2009

To ask the Secretary of State for Health whether his Department uses WPA2 encryption protocol on all its wireless networks. (259717)

To ask the Secretary of State for Health what auditing his Department undertakes to ensure that IT security policies are being followed; and on how many occasions (a) IT security policies have been breached by employees and (b) a member of staff has been sanctioned for a breach of such policies in the last 12 months. (259718)

Compliance audits are routinely and regularly undertaken. These include but are not limited to checks for removable computer media being left unsecured, passwords not carelessly written down and that accounts are being used in accordance with the Acceptable Use of information technology (IT) policy. These are either promoted in advance, but without giving a specific time or area, or carried out without warning. There are three types of compliance audit; one type focuses on IT security, and six of these were performed in the last year. The Department is regularly reviewed against the Information Security Management Standard, ISO 27001.

On 154 occasions there were minor breaches of the IT security policies such as storing personal photographs or poor housekeeping. None warranted referral to HR. However, on each of these occasions the individual concerned was notified of the area of concern via their section head, was reminded of the relevant security policy and asked to modify their future behaviour.

To ask the Secretary of State for Health if he will place in the Library a copy of his Department’s IT security hierarchy. (259719)

Following is an organisational list showing the Department’s information technology (IT) security hierarchy. The Departmental Security Officer reports both to the Director of Information Services and to the Permanent Secretary as appropriate, for instance for leak inquiries.

Department of Health Security Organisational List:

Permanent Secretary

Director General of Finance, Chief Operating Officer and Senior Information Risk Officer

Director of Information Services

Departmental Security Officer

IT Security Office