Police Scotland issued with ‘amber alert’ over flaws in its handling of data
Police Scotland does not have a force-wide system of knowing what data it holds and whether it is secure, according to an audit by the Information Commissioner’s Office (ICO).
Despite the force having advance notice that it was going to be audited, when the regulator carried out a site visit its team found that it was “limited in its ability to gain assurance across the organisation”. The ICO said in its report: “The audit would have benefited from further access to key staff and documents.”
Before the visit, the force discussed its scope with the regulator and arranged a series of interviews. It had agreed to a “consensual audit” of its processing of personal data. The audit focussed on the security of personal data, including the technical and organisational measures in place, and on training and awareness.
The ICO’s team found that Police Scotland does not have an information asset register in place to ensure that data is identified, logged, and “continually risk assessed”. So-called information asset owners have only been established for some types of data held.
Other shortcomings identified were a lack of data protection and information security training for new employees, and a failure to make sure training is “fit for purpose”.
Data protection and information security training is not refreshed, said the report, and “it is possible for a member of staff to be employed for over 25 years and not receive any additional training in data protection or information security following the induction course”.
It added: “[Police Scotland] does not conduct training needs analysis for staff responsible for processing personal data which poses a risk that staff groups have not received an appropriate level of data protection and information security training”.
The audit was carried out under the existing Data Protection Act, but the ICO will be responsible for enforcing the forthcoming EU General Data Protection Regulation (GDPR) in the UK.
The ICO has four categories of audit result: ‘high assurance’ (green), ‘reasonable assurance’ (yellow), ‘limited assurance’ (amber), and ‘very limited assurance’ (red). Police Scotland was rated amber.
The report did identify areas of good practice. Police Scotland has implemented a “vulnerability management system” to log new technical vulnerability updates. It is using “hacking tools” to identify any additional technical vulnerability. There is a “vulnerability assessment and penetration testing” process to identify, test, and apply solutions to vulnerabilities.
It also has an internal audit programme in place which takes a risk-based approach. This includes audits for key systems and processes such as transaction monitoring of the Police National Database and the Driver Validation Service database to ensure compliance with their use.
But the report concluded: “There is a limited level of assurance that processes and procedures are in place and delivering data protection compliance. The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance”.
Assistant Chief Constable Alan Speirs told FutureScot: “Police Scotland welcomes the Data Protection Audit Report by the Information Commissioner’s Office which recognises both our good practice and some areas for improvement. We will consider the recommendations in the report and note its conclusion.”