The ICO exists to empower you through information.

Control measure: There are appropriate security measures in place to protect the information received and transmitted.

Risk: If information is not kept secure during sharing, it may be lost or inappropriately accessed, resulting in a personal data breach. This may breach articles 5(1)(f) and 32.

Ways to meet our expectations:

  • Analyse the risks to determine the appropriate security measures for information that is transmitted or received, for example by assessing the nature and sensitivity of the shared information and its confidentiality classification under any protective marking scheme. For example, encrypt personal information marked ‘confidential’.
  • Set out how information will be shared (and the agreed security standards) within written agreements and supporting procedures, for example by recorded post, encrypted email or the SSH File Transfer Protocol (SFTP).
  • Actively obtain regular assurance on the security of any intermediate platform used for sharing information that is not under your direct monitoring and control (for example, a third-party file-sharing service).
  • Establish a back-up process to ensure you can restore the availability of, and access to, information in the event of a breach.
  • Review and re-confirm security measures and assurances between sharing partners on a regular basis, and whenever any of the partners changes its IT systems or security protocols.
  • Document and implement overarching information security policies and procedures across the organisation.

Options to consider:

  • Build a culture of compliance and good practice across your organisation to help share information securely. 
  • Complete spot checks to ensure operational staff are adhering to shared information security controls.

 

Control measure: There are appropriate levels of access control in place if information is shared by giving third parties direct access to systems.

Risk: If access control is not in place, there is a risk that information may be accessed inappropriately. This may breach articles 5(1)(f), 5(2) and 32.

Ways to meet our expectations:

  • Ensure sharing partners provide documented access control policies.
  • Obtain assurances that access control is formally implemented by all sharing partners.
  • Obtain assurances from sharing partners that only agreed points of contact or specific categories of employee have access to the shared information.
  • Regularly test, assess and evaluate the effectiveness of the access control measures that you have implemented.

Options to consider:

  • Set role-based access levels across all sharing partners, so that shared information is available only to the roles that need it.
  • Keep access levels under review and implement proactive monitoring systems to automatically detect anomalous access.

 

Control measure: There are effective incident management procedures in place with all sharing partners.

Risk: If an incident occurs and there are no effective incident management procedures in place, its effects can be made substantially worse for both the controller and the people affected. This may result in breaches of articles 5(1)(f), 32, 33 and 34.

Ways to meet our expectations:

  • Ensure sharing partners provide documented incident management procedures.
  • Obtain assurances that formal incident management procedures are implemented and regularly tested.
  • Ensure there are procedures in place to promptly report, investigate and resolve security incidents, including agreeing which partner notifies the ICO of a notifiable personal data breach and how quickly partners must inform each other, so that the controller can meet the article 33 deadline of notifying without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
  • Establish key points of contact with all sharing partners so that incidents can be reported quickly and investigated.
  • Keep a log of actual and potential security incidents relating to data sharing.

Options to consider:

  • Create a standard incident reporting form for all sharing partners to use to report security incidents.
  • Develop standard procedures for notifying those affected (ie sharing partners and the people whose information is involved) about a security incident.