This is an HTML version of an attachment to the Freedom of Information request 'Data Protection - Principle 7'.

DWP Central Freedom of Information Team

e-mail: [DWP request email]

Our Ref: VTR101

10 February 2009

Dear Mr White

Freedom of Information Request - VTR 101

I am responding to your further letter of 21 January in which you requested copies of the employee guidance on how to report an actual or suspected breach of Principle 7 of the Data Protection Act - or any guidance on what employees should do where any manifest breach of the DPA is suspected or known to be occurring.

In my letter to you of 18 December, I explained that the Department follows the published guidance from the Information Commissioner in reporting to the Commissioner serious breaches of the Seventh Data Protection Principle where these arise. The Department takes its responsibilities under the Act very seriously. Although the Department has not given any specific guidance to employees to report breaches under the Seventh Data Protection Principle as such, we have nevertheless published for several years guidance to staff on when to raise what are known as 'security incidents'.

Security incidents (as you will see from the extracts from the Security Incident Guide on the Department's Intranet that I am enclosing at the end of this letter), include any attempt to compromise assets, and any accidental loss of assets. In this context, the word 'asset' includes any information (including personal data), and documents. You will note from the examples in paragraph 2.5 of the Guide that the types of issues which would arise under the Seventh Principle, are reportable as security incidents under the Department's guidance.

I hope that this document answers your enquiry.

If you are not satisfied with my reply to your request, please tell me why within two calendar months of the date of this letter. I will then arrange for someone to conduct an internal review of your request and my decision. The review will be conducted by another officer, usually of a more senior grade than myself. This person will have taken no part in my original decision. The reviewing officer will advise you of their decision in writing.

If you are not content with the outcome of the internal review you have the right to apply directly to the Information Commissioner to look into the way your request has been handled.

The Commissioner can be contacted at:

FoI Complaints Resolution

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Fax: 01625 524 510

email: [email address]

Yours sincerely,

Sent by e-mail

DWP Central FoI Team

Extracts from Security Guidance on DWP Intranet as at January 2009

PART 1

INTRODUCTION

BACKGROUND

1.1 Central Government requires that all Departments should have processes in place to enable the types, volumes and costs of security incidents and malfunctions to be recorded and monitored. The information gathered is used to identify and analyse any trends, to identify potential process weaknesses and identify where there is a need for additional or enhanced controls.

1.2 The Department for Work and Pensions (DWP) therefore has a duty to capture all relevant information involving security incidents. Departmental Security Group acts as the focal point within the Department.

1.3 Incidents are monitored to identify trends and to ensure that remedial action, where appropriate, is taken. Wider security implications for the Department as a whole are considered and annual reports are prepared on the state of security within DWP. This report is made available to the Departmental Audit Committee (DAC), senior management and the Permanent Secretary. It fulfils the Departmental Security Officer's (DSO) obligation to provide assurance to senior management.

PURPOSE OF THE SECURITY INCIDENTS GUIDE

1.4 This guide contains advice on how to identify security incidents and instructions on how to report them for all DWP staff. It replaces all previous guidance.

1.5 The incident reporting procedure contained in this guide aims to capture information in order to provide an overall view of incidents affecting the security of all Departmental assets including personnel, IT, information and property. The definition of an asset is provided at paragraph 2.2 of this guide. Some incidents may need to be reported elsewhere for business purposes in addition to being reported as security incidents. For example: all thefts and break-ins should be reported to the LS Trillium Customer Service Centre.

1.6 The purpose of this guide is to provide advice on a range of matters including:

Roles and responsibilities;

How to identify security incidents;

How to report security incidents.

WHO SHOULD READ THIS GUIDE?

1.7 All staff should be made aware of and have the opportunity to read this guide. In particular Unit Heads, Managers, Security Advisors, Internal Fraud Service, Investigations Managers, HR Business Partners and other relevant personnel should be aware of these procedures.

PART 2

DEFINITION OF A SECURITY INCIDENT

WHAT IS A SECURITY INCIDENT?

2.1 A Security Incident is defined as:

a deliberate attempt, whether successful or not, to compromise Departmental assets;

any accident resulting in a loss of departmental assets.

DEFINITION OF AN ASSET

2.2 An asset is any item of Departmental property that has a value. Assets include:

People;

Buildings;

Physical property and equipment;

all information and documents; and

other Departmental valuables.

2.3 The definition includes information held clerically, or electronically and owned by the Department. It covers any case of suspected dishonesty or corruption on the part of Departmental staff in connection with their official position. The definition excludes external benefit fraud and accidental benefit overpayment, which are reported by other means.

CONCEPT OF LOSS

2.4 The concept of loss is not solely concerned with the physical loss of an asset. It also includes loss:

of confidentiality of information through accidental or deliberate disclosure to someone not authorised to receive it.

because the asset is not available for use; this may be because it has been lost or stolen, or accidentally deleted from a PC disk and there is no backup copy. It may be because it is damaged and cannot be used until it is repaired, replaced or there may be some other fault that makes the asset unusable.

of trustworthiness and reliability (integrity) of information.

2.5 EXAMPLES OF SECURITY INCIDENTS

Disclosure

When information is deliberately or accidentally divulged to unauthorised persons.

Eg. Customer details sent to wrong customer

Inappropriate disclosure to a third party (staff or customer data)

Leaks - where protectively marked or sensitive information is disclosed without authority to the media

Unauthorised access to data

When information is accessed without a valid business reason but the information is not disclosed to other persons.

Eg. Accessing records to obtain a friend's address.

Inappropriate access to your own records.

Sharing access controls - eg sharing a Smartcard with a colleague

Loss

When any type of asset has been lost that could have security implications. This includes documents lost within the office or remote storage facilities.

Eg. Missing official receipt pad

Loss of security passes/name badges/warrant cards

Loss of customer records or supporting documents (after formal lost document procedures have been followed)

………

Damage

Any incident that causes damage or loss to a service or asset.

Eg. Member of staff deliberately destroys a computer.

Server room flooded.

Fire in the office.

………

Bogus contacts

A suspicion where a request for information is not genuine.

Eg. Telephone call where caller fails to confirm security identity checks.

Fax received from an unconfirmed source.

PART 3

ROLES AND RESPONSIBILITIES

STAFF

3.1 All staff should ensure that they are aware of how to identify and report a suspected security incident, including instances of suspected internal fraud or abuse. Suspected security incidents must be immediately reported directly to the Security Advisor (SA).

Staff should ensure that they know who the Security Advisor or nominated officer is for their area and how to contact them.

3.2 Staff can also contact the Whistleblowers Hotline with their concerns if they are uncomfortable reporting incidents locally.

……….