Socitm works in partnership with LGA to produce data handling guidelines for local councils

The Society of IT Management (Socitm) has worked closely with the Local Government Association/Welsh Local Government Association and central government to produce Local Government Data Handling Guidelines.

The Guidelines provide chief executives, senior managers and elected members with a guide and essential checklist to their responsibilities and accountability for the secure and effective handling of personal information, but recognise that councils are best placed to assess their own risk and put in place the necessary safeguards, which are often equivalent to, or exceed, those set out in this document.

The material in this document reflects good practice as set out in the ISO/IEC 27000 (Information Security Management System) series and is also aligned with Central Government Information Assurance policy, produced by CESG (the National Technical Authority for Information Assurance, part of GCHQ). It is not exhaustive and relies upon other initiatives, legislation and processes for completeness.

The standards outlined in the guidelines are challenging, but necessary to build public confidence in local government’s ability to protect personal data. The Society of Local Authority Chief Executives and Senior Managers (SOLACE) and the Information Commissioner have both welcomed the publication.

Commenting on the guidance, Richard Steel, President of Socitm and CIO of the London Borough of Newham, said:

“It's a long time since data security could be considered as something for just the IT department to worry about. It’s a concern that should run through the entire organisation. If local government is to meet the challenge of improving public trust it will be firstly by creating the right culture and secondly, by having the right policies and procedures in place to provide accountability and scrutiny.”

Jointly commenting on the guidance, Paul Coen, Chief Executive of the LGA, and Steve Thomas, Chief Executive of the WLGA, said:

“These new guidelines show how seriously local government takes the issue of secure data-handling. By ensuring standards in councils are equivalent to, or exceed, the best practice identified in these guidelines, the public can be reassured that all reasonable steps are taken to preserve and protect their information.

“A lot of excellent work has already been done but there is still more to do; the pace of technological development means councils always need to be aware of new risks and threats.”

Richard Thomas, Information Commissioner, said:

“I welcome these guidelines as a significant step towards ensuring the consistent, proportionate and secure use of personal information by government at all levels.

“They make an important contribution to the aim of the Information Commissioner’s Office, which is that all organisations should inspire trust by collecting and using personal information responsibly, securely and fairly.

“I believe that if councils effectively implement the steps set out in the guidelines, they will significantly reduce the risk of incidents and problems, and in doing so, help build the necessary public trust in the handling of personal information that recent and well publicized incidents can only have eroded.”

In addition to working with the LGA on the data handling guidelines, Socitm is also advising and supporting DWP’s Government Connect programme, which is implementing a variant of the Government Secure Intranet (GSI) to all local authorities in England and Wales. This will enable the secure transfer of local government data through government-controlled networks, avoiding situations where data is put at risk when devices like memory sticks, CDs and laptops are lost in transit.

Socitm will be working with the LGA/WLGA and IDeA to provide advice and guidance to local authorities in achieving compliance with the Data Handling Guidelines and the Government Connect Code of Connection. This programme will be funded by a £250k grant from Government Connect and additional resource from the LGA/WLGA and IDeA.

The Local Government Data Handling Guidelines can be found at http://www.socitm.gov.uk/socitm/Library/Local+Government+Data+Handling+Guidelines.htm

Further information about Socitm’s work in the area of information assurance can be found at http://www.socitm.gov.uk/socitm/Transformation/Information+Assurance/default.htm

Socitm’s Top 10 tips for Data Handling

1. Ensure you understand which legislation affects your business area.
2. Ensure a named individual in the business, not ICT, owns the risk.
3. Ensure there is an effective incident reporting mechanism in place.
4. Regularly monitor, measure, and audit your processes and procedures.
5. Establish a Corporate Information Governance group.
6. Ensure all staff are trained, updated and aware of their responsibilities.
7. Undertake regular risk reviews of all processes and procedures.
8. Ensure all key information assets are classified and are resilient.
9. Have robust risk-driven processes in place for “ad hoc” situations.
10. Have documented policy-driven processes and procedures in place.