In preparation for PAT July 2015 – Protecting information assets

Provider Assurance Testing (PAT) is carried out by the Department for Work and Pensions (DWP) to provide assurance to the Permanent Secretary that:

  • public funds and participant data are protected; and
  • value for money has been obtained.

It applies to all DWP Contracted Employment Provision (CEP) providers and their sub-contractors. Because learndirect holds DWP contracts, it applies to learndirect and to our supply chain.

The main activity of the DWP PAT team is to review and test our internal control systems and to check how effectively we manage the risks to DWP around expenditure and data security. The review will begin in July 2015 and field testing will commence in August. Data security is one of the areas covered, so in this article we set out how to make sure information is adequately protected.

What do we mean by an information asset?

An information asset is any information or collection of information that is processed, transmitted or stored. This includes personal or sensitive data about individuals and commercially sensitive information, and it also extends to software and to physical assets such as computers and buildings. Examples are:

  • Information and data in any form: electronic, paper-based or held on removable media.
  • Client records: anything from a name to a National Insurance Number, date of birth, health record or address.
  • Employee information: anything from a name or address to a date of birth or health record.
  • Physical assets: IT equipment, laptops, mobile phones, machinery or premises.

Handling electronic information

Electronic information is subject to many types of threats, and it is imperative that it is appropriately protected at all times. Typical measures include:

  • System access controls, such as individual login credentials (user ID and password), so that only authorised users can reach the system.
  • Enforcing the need-to-know principle: if someone does not need access to do their job, that access should not be granted.
  • Data encryption to protect sensitive data. Encryption scrambles the data so that it cannot be read by unauthorised individuals who do not hold the key needed to decrypt it; this is what protects data on a laptop or USB drive if the device is lost or stolen. It is important to note that encryption products must be validated to the FIPS 140-2 standard.

When sensitive information is sent by email it must always be protected using a secure email service such as Egress Switch. Please also exercise caution with the autocomplete feature in email clients: check that the address shown is the intended recipient before you send.

Handling hard copy learndirect information

Although electronic information faces many threats, hard copy information such as paper files can be harder to protect, because technical controls such as access logging and encryption do not apply to paper. The same basic principles of access control and ‘need to know’ must be in place. A secure, fully tracked service or an approved courier should always be used when transporting personal or sensitive personal data, e.g. National Insurance Numbers, financial records, work history or personal email addresses.

It may sound obvious, but all staff must ensure that the correct courier or postal address is used before anything is sent.

Security Incidents

Suspected incidents should be reported as soon as possible to your supply chain manager.

An incident can be described as:

  • Any event that affects, or could affect, the confidentiality, integrity or availability of physical or electronic information assets.

Examples include:

  • Unauthorised disclosure or transfer of information; loss of data, e.g. paper records or a laptop or USB drive; and misuse of information.

Incidents can have very serious consequences for both the individuals concerned and the organisation, so it is essential that they are reported to learndirect via your supply chain manager as soon as possible.

Subject Access Requests

One of the rights of individuals under the Data Protection Act is the right to see the information an organisation holds about them; this is commonly referred to as a subject access request. All subject access requests relating to learndirect contracts must be referred to learndirect, via your supply chain manager, for processing as soon as they are received.

Lastly, please remember when leaving the office…

A Clear Desk Policy is not just about clearing everything from your own desk. Before leaving, also check the following:

  • Check whether anything has been left on the printer, photocopier or fax machine.
  • Lock papers away before leaving.
  • If you are the last to leave, make sure windows and cupboards are locked and the keys are secure.
  • Remove the paper from fax machines so that messages cannot be received while they are unattended.
  • Switch off faxes, photocopiers and printers where possible.
  • Check desks and post trays for any papers, files or other information left out.
  • Check that all cabinets and cupboards are locked and that keys are removed and stored safely.

Further advice and guidance

The links below provide free information security e-learning for small and medium sized businesses and some further advice and guidance.