Guidance for users

1 Introduction

Information is a key asset that, like other important business assets, has value to Oldham council and consequently needs to be suitably protected. The council has both a responsibility and a legal requirement to protect its information.

This policy

  • ensures that information is protected so that high standards of confidentiality, integrity, availability and resilience are maintained
  • clarifies the handling rules for Oldham council information, including personal data, Special category data, Crime data and information which originates from the Public Services Network (PSN), i.e. information supplied to us by central government, health bodies, or occasionally other Local Authorities
  • meets the requirements of relevant legislation and in particular relates to principle (f) of Article 5(1) of the General Data Protection Regulation (GDPR), the integrity and confidentiality principle. Readers should, however, remember the importance and necessity of compliance with all of the Article 5 principles of the GDPR and with the Data Protection Act 2018 – see Appendix 1
  • in addition, for those working in health and social care, sets out the obligation to follow the Caldicott Principles, the National Data Guardian Standards (Appendix 3) and the law of confidentiality
  • applies to all information that Oldham council collects, stores, processes, generates or shares to deliver services and conduct business, including information received from or exchanged with external partners

Owing to the potential for harm and distress from compromise, the impact on reputation and the potential for enforcement or regulatory action and / or monetary penalties, the protective measures required for use, storage, transfer, sharing of personal information, particularly when aggregated, are more stringent than for non-personal data.

In accordance with Part 6 of the Data Protection Act 2018, the maximum penalty that may be imposed is:

  • the amount specified in Article 83 of the GDPR;
  • the “higher maximum amount”: which is in the case of an undertaking, the higher of 20,000,000 EUR or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, or in any other case 20,000,000 EUR; or
  • the “standard maximum amount”: which is in the case of an undertaking the higher of 10,000,000 EUR or 2% of the undertaking’s total annual worldwide turnover in the preceding financial year, or in any other case 10,000,000 EUR.

Non-compliance with this policy could have a significant effect on the efficient operation of the council and may result in financial loss, fines, and / or an inability to provide necessary services to our customers.

It is an offence for a person knowingly or recklessly, without the consent of Oldham council as the data controller, to:

  • obtain or disclose personal data
  • procure the disclosure of personal data to another person
  • retain it without the consent of Oldham council
  • offer to sell or buy the personal data obtained
  • re-identify information that is de-identified personal data
  • alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the data subject making the request for access or portability would have been entitled to receive

This policy applies automatically to the systems, people and business processes comprising the council’s information systems. This includes (but may not be limited to) all Oldham council Elected Members, committees, departments, partners, employees of the council, contractors, agency staff, voluntary agencies of the council that require access to council information systems; or information of any type or format, e.g. paper or electronic.

If you do not understand the implications of this policy or how it may apply to you, you must seek advice.

If your action (or inaction) causes a breach of this policy, you may be liable for the cost of resolving any issues or be liable for any fines relating to the loss of the information.

Suppliers of goods and services to the council are directly responsible for cascading this policy to their staff.

The term “council information” covers all information for which the council is the information asset owner – this is not limited to personal information (PII) but also includes any information which is not known to the public (business sensitive).

Oldham council is responsible for the information it holds, whether it is personal data, business information or information held on behalf of a third party. The council has a responsibility to ensure that there are no breaches in relation to:

  • Security
  • Data Protection Act 2018 / GDPR
  • Human Rights
  • Confidentiality
  • Freedom of Information
  • Intellectual Property
  • Copyright
  • Regulation of Investigatory Powers Act
  • Lawful Business Practice Regulations
  • Other related legislation
  • Standards of practice and conduct

2 Information Assets

The process of identifying important information assets should be sensible and pragmatic.

Important information assets will include, but are not limited to, the following:

  • Paper records
  • Computer databases
  • Information files and folders

It is important to inventory significant information assets that are relied on. Such an inventory identifies each asset and all associated information required for risk assessment, information / records management and disaster recovery. Such inventories include the following:

  • Type
  • Location
  • Designated owner
  • Security classification
  • Format
  • Backup
  • Licensing information

All important information assets must have a nominated owner and should be accounted for. An information asset owner must be someone whose seniority is appropriate for the value of the information asset they own. The owner’s responsibility for the asset and the requirement for them to maintain it should be formalised and agreed. Items of information that are of limited or no practical value do not automatically require a formal owner or listing on inventories.

Information should be destroyed if there is no legal or operational need to keep it, and this must be done in a way that is commensurate with the type of information, e.g. Special category data on a computer hard drive should be securely wiped in line with ISO 27001 and National Cyber Security Centre (NCSC) guidance on secure sanitisation. Special category data or Crime data in a paper record should be cross-cut shredded before disposal.

3 Classification of Personal Information

On creation, all personal information must be assessed and classified by the information asset owner according to its content.

The categorisation should indicate the sensitivity of the information in terms of likely impact resulting from compromise, loss or misuse. The categorisation will determine how documents and information should be protected and who should be allowed access to them.

Oldham council personal information may be categorised into five types:

  • Personal Data
  • Special category data
  • Crime data
  • Personal data for EU Law Enforcement Directive 2016 (LED) purposes
  • Personal information originating from the PSN network – see detail below

Each attracts a baseline set of information protection / security controls providing appropriate protection against typical threats. Additionally, ICT systems and services may require enhanced controls to manage the associated risks to aggregated information or to manage confidentiality, integrity and availability concerns.

Personal Data

As defined by GDPR, personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In summary, anything and everything that can relate to a living person.

Examples of personal data include:

  • Name
  • Postal address – business / home
  • Email address
  • Telephone / mobile number
  • Driving licence number
  • Date of birth
  • National Insurance Number
  • Financial Information
  • IP address

Special Category Data

This type of data could have more damaging consequences for individuals or the council if it were lost, stolen or published in the media. Special category data as defined by GDPR means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. In summary, these are the data categories that are subject to additional controls in order to prevent unauthorised collection, use, access etc.

Examples of Special category data within the council include:

  • Benefit or pension records
  • Health records
  • Care orders
  • Child protection records
  • Adoption records
  • Educational records
  • Ethnicity
  • Fingerprint

Crime data

Crime data, as defined by the GDPR, means criminal offence data, e.g. data about the alleged commission of offences or proceedings for an offence (actual or alleged), including sentencing, where it is NOT USED for the purposes of the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties, or the safeguarding against and prevention of threats to public security. In summary, this type of personal data is subject to specific conditions and controls.

Personal data for LED purposes

This means the handling of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offences, the execution of criminal penalties, or the safeguarding against and prevention of threats to public security. In summary, personal data used for these purposes is subject to specific data protection conditions and controls.

Information Originating from the PSN Network

Information originating from the PSN is information supplied to us by central government, health, or occasionally other Local Authorities. The council is required as a part of its compliance with being connected to the PSN, to honour the controls requested in relation to the information provided through this network. Some of these controls are in relation to the council’s ICT Infrastructure. Other controls are in relation to Information Management and Governance.

The controls that apply to all information originating from PSN must be adhered to unless an authorised originating Data Controller provides alternative written advice.

When assessing the information and use of information from a PSN source, it is important to be pragmatic. For instance:

  • A database of names and addresses that is a replication of information the council already creates and stores itself ought to be handled as council Personal Data
  • Information provided via PSN that would also be publicly accessible would not necessarily require the same level of controls as dictated by the overarching PSN requirements

Personal, Special category, Crime or information originated from PSN could have more damaging consequences for individuals or the council if it were lost, stolen or published in the media.

Bulk data stores make very tempting targets for attackers of all kinds and it is therefore essential to ensure they are adequately protected.

The NCSC is the recognised UK Government technical authority on cyber threats and exists to bring industry and government together by providing support, advice and guidance on cyber security. It is important that you are aware of the guidance provided by the NCSC and have steps and measures in place to ensure you follow the recommended standards. The NCSC has published good practice measures which provide a set of indicators against which the security of information assets can be objectively appraised.

This is not a definitive set of measures. The list managed by the NCSC will necessarily change over time, as the attacks and techniques used by adversaries change. It is therefore important that good practice measures are not seen as an alternative to a risk management strategy designed to protect bulk personal data.

To assist the council in protecting information in line with the Data Protection Act 2018, the council expects all Suppliers / Contractors acting on its behalf to follow, as a minimum, the following guidance:

4 Cyber Security

ICT systems need to maintain the confidentiality, integrity, availability and resilience of the information and / or services they support. The degree of impact on the council from a loss of confidentiality, integrity, availability or resilience may vary and should be considered as part of a comprehensive risk assessment process. Aggregation, accumulation and association of information within ICT systems and on removable media must also be considered as part of the risk management process.

Appropriate security controls should be in place for any network or systems storing council information and, in the case of information originated from the PSN these controls should be compliant with PSN Code of Connection. Personal and special category data should be stored and managed according to ISO 27001 and NCSC guidelines.

Data protection legislation has specific security obligations that need to be evidenced. These are identified (in Article 32 of the GDPR) as:

  • Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Oldham council and any entities processing information on its behalf shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    • the pseudonymisation and encryption of personal data
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
    • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

All data containing personal information, whether in transit between networks / the internet, stored at rest, or in use, must be subject to the technical control measures of ISO 27001 and the NCSC.

5 Sharing Information

Any sharing or transfer of council personal, Special category or Crime data with other organisations must comply with all Legal, Regulatory and council policy requirements. In particular, this must be compliant with the Data Protection Act 2018, the GDPR, the Human Rights Act 1998, the Criminal Justice and Immigration Act 2008, the Civil Contingencies Act 2004 and the common law of confidentiality.

Where personal and / or Special category data and / or Crime data is disclosed or shared, it should only be done on the basis of a genuine “need to know”. Some information transfers or sharing arrangements may be subject to a risk assessment or data protection impact assessment (DPIA), and may require documentation to provide assurance of information governance controls.

Information must only be disclosed to any other person or organisation via the most secure method available.

For instance, where information will be classed as information originating from the PSN e.g. DWP, and when sharing or transferring this ‘PSN Information’ to other organisations, this information should be assessed and categorised for handling, ensuring that any controls required by the information owner are put in place. In the absence of any controls being communicated, the person using or handling that information should attempt to classify the information according to the above guidelines.

Where information is being shared with a supplier, sub-contractor or partner for the purposes of storing or processing, the prime organisation must ensure that the 3rd party organisation recognises and understands the risks and has the systems and processes in place to comply with Oldham Council’s requirements for the handling of its information as detailed within this policy.

6 Suppliers / Contractors Commitment

In order to protect Oldham council information appropriately, our suppliers must provide security measures and safeguards appropriate to the nature and use of the information that they are provided with.

The supplier’s / partner’s authorised Data Controller must agree in writing to comply with these policies and standards – see Appendix 2 for a sample letter of agreement.

Each supplier must also appoint a named officer who will act as the first point of contact with Oldham council for information governance and security issues; where applicable, this must be the supplier’s Data Protection Officer. In addition, all staff working for the supplier and, where relevant, its sub-contractors, with access to Oldham council ICT systems, services or Oldham council information must be made aware of these requirements and must comply with them.

Appropriate security controls should be in place for any network or systems storing Council information, minimising the risk of information loss. Personal, Special and Crime data should be stored and managed according to ISO 27001, NCSC guidelines and Data Protection Act 2018 / GDPR requirements.

All suppliers of services to Oldham council must comply, and be able to demonstrate compliance, with Oldham council’s relevant policies and standards and in the case of information originating from PSN, comply with and demonstrate compliance with any additional standards and requirements communicated to them in writing.

Whenever a processor is used (a third party who processes personal data on behalf of the controller) a written contract needs to be in place. Similarly, if a processor employs another processor it needs to have a written contract in place. The GDPR sets out what needs to be included in the contract.

Contracts between controllers and processors ensure that both parties understand their obligations, responsibilities and liabilities. They help both parties to comply with, and to demonstrate compliance with, the GDPR and the Data Protection Act 2018. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.

Controllers are liable for their compliance with the GDPR and the Data Protection Act 2018 and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the laws will be met and the rights of data subjects protected. In the future, this may include using a processor which adheres to an approved code of conduct or certification scheme when such schemes become available.

Processors will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

Processors must:

  • act on the written instructions of the council
  • not use a sub-processor without the prior written authorisation of the council
  • co-operate with the council on matters in relation to the processing
  • keep records of its processing activities
  • designate a Data Protection Officer where required, in accordance with Article 37 of the GDPR
  • assist the council in providing subject access and allowing data subjects to exercise their rights under the GDPR
  • assist the council in meeting its GDPR obligations in relation to the security of processing (article 32 of the GDPR), the notification of personal data breaches to the council as soon as it becomes aware of a breach and data protection impact assessments
  • return all personal data to the controller as requested at the end of the contract; and/or delete and provide evidence of destruction/method used
  • submit to audits and inspections, provide the council with whatever information it needs to ensure both are meeting their Article 28 obligations under GDPR, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state

The following are key considerations:

  1. People
  • Staff recruitment, including pre-employment checks, e.g. the Baseline Personnel Security Standard (BPSS)
  • Staff training and awareness of information security and any specific contract requirements
  • Systems access control and a policy of least privilege
  2. Places
  • There should be data separation between customers, unless an information sharing agreement is in place between the customers
  • Encrypted portable media must be used when transporting council information
  • Council information should be kept within secure premises and systems
  • Offshoring: the council’s Personal or Marked / Categorised information must not be processed or stored outside the European Union without the prior written consent of Oldham council, and must at all times comply with the Data Protection Act 2018
  3. Processes
  • Physical and electronic handling, processing and transferring of personal information, including secure access to systems, backup procedures and systems, and the use of encryption
  • The transfer of information should be carried out via secure means
  • Ensure the secure disposal of personal information
  4. Procedures
  • Risk reporting procedures in place
  • Regular checks of policies and procedures
  • Annual security checks / audits / tests
  • Security incident management: includes the identification, management and agreed reporting procedures for actual or suspected security breaches

All suppliers must implement appropriate arrangements which ensure that the council’s information and any other council assets are protected in accordance with prevailing statutory and where appropriate PSN requirements. These arrangements will clearly vary according to the size of the organisation.

It is the supplier’s responsibility to monitor compliance of any sub-contractors and provide assurance to Oldham council.

Failure to comply with any of these guidelines could result in termination of the contract.

7 Authority for this Policy

This policy is owned by the Information Security Manager on behalf of the council’s Senior Information Risk Officer.

Under this delegation, the Information Security Manager establishes and approves internal policies dealing with all aspects of the management of Oldham Council’s information security, records and information governance.

8 Policy Governance

The following table identifies who within Oldham Council is Accountable and Responsible with regards to this policy. The following definitions apply:

  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Responsible - the person(s) responsible for developing and implementing the policy.

Accountable: Senior Information Risk Officer

Responsible: Information Security Manager