This is an HTML version of an attachment to the Freedom of Information request 'Documents relating to the Children's Safeguarding Profiling System'.

Project details,,,,,,,
,,,,,,,
Project to be assessed,Xantura,,,,,,
Relevant Information Asset,Various - Covered in Info. Gov. Overview - Doc Number 15271644,,,,,,
Information Asset Owner,Various - Covered in Info. Gov. Overview - Doc Number 15271644,,,,,,
Directorate,Children & Young People Services,,,,,,
Date,3/20/2015,,,,,,
Has a small-scale PIA already been carried out?,Yes,,,,,,
Has a detailed stakeholder analysis been carried out?,Yes,,,,,,
Do you have a stakeholder consultation plan? Are privacy risks included in the planned consultation?,Information Management and ICT are aware.,,,,,,
Have members of the public been consulted about this project? Are they in favour of the project?,No - this is an internal system for Hackney staff which will be secure due to Data Protection Agreements.,,,,,,
Section 1,Likelihood,Severity,Risk rating,Risk Decision,Project documents to be updated,,
Risk that an unauthorised staff member could access personal data (Breach of DPA Principle 7),2,4,8,Reduce Likelihood,Project Plan,Comms Plan,Risk Log
Issue,Action,,,,,,
"Assess who will have access to personal information, how will you ensure that only authorised staff will be able to access the information?",From the service level agreement; The Service Provider shall use and exercise reasonable care and skill in the performance of its obligations under this Agreement and shall ensure that only such of its employees who may be required by it to assist it in meeting its obligations under this Agreement shall have access to the Personal Data. ,,,,,,YES
How will you track who has accessed project related personal information?,Only those council employees who currently use similar data will have access to the information supplied by Xantura therefore current council vetting and tracking procedures will apply.,,,,YES,,
Section 2,Likelihood,Severity,Risk rating,Risk Decision,Project documents to be updated,,
Risk that personal information could be disclosed to an unauthorised external individual (Breach of DPA Principle 7),2,4,8,Reduce Likelihood,Project Plan,Comms Plan,Risk Log
Issue,Action,,,,,,
How will you ensure that personal information cannot be accessed by unauthorised external personnel?,Access to identifiable personal data will be through a secure application with user access controls ensuring that only authorised personnel can access this data. In addition identifiable personal data will only be made available if certain business rules (based on an assessment of risk and vulnerability) have been met. This approach will ensure that data is only shared with authorised personnel in cases where agreed rules have deemed this sharing to be proportionate.,,,,,YES,YES
Who will you contact when you receive requests to disclose personal information?,"Once risk vulnerability thresholds are met, referrals will be generated into existing triage and safeguarding processes, for example planned FAST processes and / or Children's Safeguarding teams. Once referred into these business processes existing Information Governance arrangements will apply.",,,,,YES,
How will you log when personal information is disclosed externally?,All referrals generated by the system are recorded in a secure database.,,,,,YES,
What mechanisms will be in place to identify and report security and data protection breaches?,Xantura has Information Security policies in place that govern our approach to the identification and reporting of security and data protection breaches. Also existing council data protection policies/procedures apply.,,,,,YES,YES
Section 3,Likelihood,Severity,Risk rating,Risk Decision,Project documents to be updated,,
Risk that new personal information could be processed without a lawful reason (Breach of DPA Principle 1),2,4,8,,Project Plan,Comms Plan,Risk Log
Issue,Action,,,,,,
Will new personal information be processed as part of this project? (if not please move on to Section 5),No - Project based on existing personal information only,,,,,,
List legislation that allows this new personal information to be processed,Covered in Info. Gov. Overview - Doc Number 15271644,,,,,,
How are data subjects to be informed that their information will be processed by the Council? ,"Data subjects will not be informed, informing the data subjects would be likely to prejudice the interventions this project is designed to identify",,,,,,
Where will a fair processing notice be available?,NA - Data subjects will not be informed,,,,,,
Does the fair processing notice make it clear who will be processing their information?,NA - Data subjects will not be informed,,,,,,
Is this processing covered by the Council's ICO notification?,Yes; 'the provision of social services' and 'Crime prevention' are listed in the Council's ICO notification of purposes,,,,,,
Section 4,Likelihood,Severity,Risk rating,Risk Decision,Project documents to be updated,,
Risk that personal information could be processed without a valid purpose (Breach of DPA Principle 2),1,4,4,,Project Plan,Comms Plan,Risk Log
Issue,Action,,,,,,
What is the purpose of collecting or reusing this information?,"The aim of the CSPM project is to share all relevant information each organisation has about families with early years children so that service options and required actions for increasing the safety, health and wellbeing of these children e.g. identifying early intervention.",,,,,,
Have the data subjects been informed of this purpose in the fair processing notice?,No - the processing of data is in line with government guidance as outlined in Doc Number 15271644,,,,,,
"If the project involves the reuse of information, have the data subjects been explicitly informed of this and given an opportunity to opt out?",NA - This would be incompatible with the aims of the project,,,,,,
"If new information is to be collected, how will you ensure that this information is only used for the stated purpose?",No new information will be collected,,,,,,
Section 5,Likelihood,Severity,Risk rating,Risk Decision,Project documents to be updated,,
Risk that excessive information is collected (Breach of DPA Principle 3),1,4,4,,Project Plan,Comms Plan,Risk Log
Issue,Action,,,,,,
Is the personal information needed for the project clearly defined?,Yes,,,,YES,,
"Do the information collection methods (questionnaires, online forms etc) reflect the above definition (i.e. Only information needed for the project is collected) ",NA,,,,YES,,
"If the project entails a redesign of a current system, will there be a review of what data is collected to ensure that it is not excessive to the current needs?",NA,,,,,,
Section 6,Likelihood,Severity,Risk rating,Risk Decision,Project documents to be updated,,
Risk that information is not kept up to date (Breach of Principle 4),1,4,4,,Project Plan,Comms Plan,Risk Log
Issue,Action,,,,,,
How will the information be kept up to date?,Will be up-to-date via monthly sharing of info. from existing internal systems,,,,YES,,
Will there be a procedure to provide notice of correction or modification of information to third parties?,NA,,,,,YES,YES
Section 7,Likelihood,Severity,Risk rating,Risk Decision,Project documents to be updated,,
Risk that information is transferred out of the EEA without adequate controls (Breach of DPA Principle 8),1,4,4,,Project Plan,Comms Plan,Risk Log
Issue,Action,,,,,,
Who will inform the Information Management Team if information needs to be transferred out of the EEA?,"No information will be passed outside of the European Economic Area unless specific requirement exists and the originating organisation makes that decision for a particular reason in relation to the safeguarding of a child, young person or adult with a safeguarding need. ",,,,,YES,
Section 8,Likelihood,Severity,Risk rating,Risk Decision,Project documents to be updated,,
Risk that data subjects rights are not upheld (Breach of Principle 6),1,4,4,,Project Plan,Comms Plan,Risk Log
Issue,Action,,,,,,
Who will communicate requests for personal information from data subjects (subject access requests) to the Information Management Team?,NA,,,,,YES,
How will requests for personal information to be removed from the system be handled?,NA - An opt out option would be incompatible with the aims of the project,,,,,YES,
Section 9,Likelihood,Severity,Risk rating,Risk Decision,Project documents to be updated,,
Risk that personal information is held longer than necessary (Breach of DPA Principle 5),1,4,4,,Project Plan,Comms Plan,Risk Log
Issue,Action,,,,,,
How will information be marked for destruction?,Covered by form of agreement dated - 01/11/14,,,,YES,,
Have the retention periods for all personal data been established?,Covered by form of agreement dated - 01/11/14,,,,YES,,
Does the retention and disposal schedule need to be updated?,Covered by form of agreement dated - 01/11/14,,,,YES,,
,,,,,,,
Sign Off,,,,,,,
Further comments,,,,,,,
Signature,Project Sponsor/ Head of Service (or delegated officer's) signature.,,,,,,
Information Management sign-off,,,,,,,
Job title,,,,,,,
Date,,,,,,,