Information Security of Personal Data within the Welsh
1. This paper highlights the results of the Welsh Assembly Government’s self-assessment [1], facilitated by CESG, against the Security Policy Framework and
Information Risk Return that was submitted to the Cabinet Office in June
2009. The paper outlines activities and plans taken in the areas of
information security and management of personal data by the Welsh
Assembly Government. It is recommended the Cabinet note the action taken.
2. The Welsh Assembly Government continues, as it has always done, to take data
protection seriously and has measures in place to ensure that the personal data
held within the Assembly Government and through the delivery chain is
safeguarded and privacy rights are respected.
3. The Assembly Government not only seeks to comply with the Data Protection Act,
but also to deliver the commitment to always respect privacy as contained within
our Code of Practice on Public Access to Information and Information Assurance
4. The Assembly Government is also certified to the Information Security standard
ISO 27001 and was successfully re-accredited to this standard in March 2009. The
standard covers all aspects of information security, from controlling access to
information to training and awareness of staff.
Security Policy Framework and Information Risk Return
5. At the end of 2008, the Cabinet Office replaced its security guidance with the
mandatory Security Policy Framework (SPF). The SPF contains the primary
protective security policy and guidance on security and risk management for HM
Government Departments and associated bodies. It sets out 70 mandatory
requirements. The SPF introduced an annual reporting requirement to Cabinet
Office which covered the 70 mandatory requirements and a specific section
relating to information risk. Whilst aspects of Information Security are devolved to
the Assembly Government, the SPF requirements mostly remain a reserved
matter for central government.
[1] CESG is the National Technical Authority for Information Assurance.
6. As a devolved administration, the Assembly Government is not mandated to report information risks to Cabinet Office but voluntarily completed the full return to demonstrate good practice and establish common standards for protective security. Assembly Government Sponsored Bodies’ compliance information was not
included in the 2008/09 return after consultation with Cabinet Office. This is being reviewed for 09/10.
7. The Assembly Government completed the Security Policy Framework (SPF) and Information Risk Report (IRR) for the Cabinet Office in June 2009. The return gave a comprehensive and objective account of the actions that the Welsh Assembly Government has taken during the year to manage information risks, along with any outstanding issues that need to be addressed.
8. The Assembly Government return showed that we met all 70 mandatory measures set out in the SPF and achieved a high compliance score against performance and progress made in implementing Information Assurance measures across the Assembly Government. In particular, we scored highly on the leadership, governance and communication aspects of the return.
The activities below have contributed to the outcome of the assessment:
- the Information Assurance Strategy was endorsed by the Strategic Delivery and Performance Board. The strategy provides a framework to ensure that information is protected, accurate and resilient, and the accompanying action plan ensures the Assembly Government continues to drive forward actions in
- the Information Asset Owner (IAO) role is starting to be embedded across the Assembly Government. The aim of these key senior officials is to provide assurance that information risks are understood and managed and that protection is given at the right level across all Departments;
- IAOs wrote to all major party delivery partners and analysed the returns to provide the organisation with assurance that delivery partners are securely processing and storing the personal data they hold on our behalf. Whilst the level of assurance is still not complete, it has increased throughout the year and the process is on-going;
- the Level 1 “Protecting Information” e-learning training course has been rolled out as mandatory to all staff. To date 86% of staff have registered for the course;
- completion of a security compliance questionnaire across all high and medium risk systems enabled system owners to identify risks and put in place appropriate remedial measures. IAOs have also been involved in the process to ensure that all risks are known and managed appropriately;
- introduction of a monthly Security Bulletin to Director Generals, Directors and IAOs has ensured awareness across the organisation of security incidents and provided a greater understanding and ownership of security risks and issues;
- development of a number of policies and procedures to mitigate information risk, such as a strict policy governing the use of mobile devices (i.e. laptops) and the removal of personal data from site, is now in place.
9. In order to continue to build on the results of our assessment, Information Management Division continues to drive forward a number of activities to ensure that information is stored securely and that staff are provided with the knowledge and awareness needed to handle data in an appropriate way. These include:
- development of a Code of Practice for Sharing Personal Data. The Information Commissioner’s Office will be invited to endorse it;
- further development of guidance for staff handling personal information;
- further embed the IAO role across all Departments and provide specific IAO
- consider the implications of embedding Privacy Impact Assessments across the Assembly Government and how they can be applied to our processes;
- consider extending the principles of ISO 27001 (the International Standard for Information Security Management) to new developments in the Assembly
- consider the options on Assembly Government Sponsored Bodies’ compliance with the mandatory requirements in the Security Policy Framework;
- roll out the Level 2 “Protecting Information” e-learning training course to all
- ongoing audit and spot check programme to provide assurance that policies and procedures are followed;
- roll out the security compliance questionnaire to all low risk systems.
10. The Cabinet Office will use our return for analysis, along with those from Whitehall Departments, to report to Parliament in the Autumn on progress made in information risk. Briefing to Assembly Government Ministers will be provided once it is known what information will be contained in the final report to
Finance Requirements and Governance Implications
11. There are no additional financial implications as a result of this paper, as the costs of delivering the actions set out in the Information Assurance Strategy Action Plan can be accommodated within existing and planned administration costs budgets; for example, encryption is being met as part of the ICT Transformation Project, and ERDMS is included within the Knowledge Programme. FP clearance BP3508. Business Unit clearance PPCS/JJ/28-09-09.
12. A security communication plan is in place and both the Information Security and
the Access to Information teams work with the PPCS and Internal
Communications teams to ensure awareness of security and data issues.
13. That you note actions being taken and future briefings will be provided when Cabinet Office determine what information will go to Parliament.
14. That you note that the Head of Information Security and the Departmental
Security Officer can provide specific advice and information in relation to
any issues raised by the above and advise on general threats and
challenges, and can provide one-to-one security briefings for Ministers and
their Private Offices.
15. That you note updates on information security and data protection matters to
Cabinet are on an annual basis.
16. Joined Up Working
Whilst there has been no direct consultation in producing this paper other than between the Access to Information Unit and the PPCS Resilience branch, the Departmental Security Officer and Information Security branch work regularly with all Departments across the Welsh Assembly Government, supporting them to comply with legislation and to ensure that the interests of those whose information we hold are appropriately protected. Forums and a Community of Practice are regularly held to ensure engagement in the key issues.
Rt Hon Rhodri Morgan AM