Lowri Phillips 16 October 2017

Ensuring outsourced IT services are secure

Cyber security and ransomware attacks are becoming more common for public authorities. The recent ransomware attack on the NHS deployed malicious software blocking access to the computer system. A ransom was then demanded to release the data. This demonstrates that public sector organisations are prime targets for such attacks.

Local authorities in particular hold significant volumes of personal data, including sensitive personal data, which makes them attractive targets for attack. Recent responses to freedom of information requests made by The Times suggest that 115 of 430 local authorities in the UK have been hit by ransomware-type attacks in the past 12 months alone.

When it comes into force on the 25th May 2018, the General Data Protection Regulation will up the ante considerably in relation to the security of personal data and make it mandatory for local authorities to notify the ICO where a personal data breach occurs that would result in a risk to the rights of individuals.

The time limit for notification is tight: only 72 hours from becoming aware of the breach. A failure to notify could expose local authorities to the vastly increased fines under the GDPR. A failure to report a breach attracts the lower tier of fine under the GDPR, but when you consider that lower-tier fines can amount to approximately £9m, this should be enough of a deterrent.

When it comes to data security, local authorities will need to ensure that they have adequate organisational and technical measures in place to maintain the security of personal data, including encryption, pseudonymisation and adequate firewalls. In addition, local authorities will need to carefully consider the engagement of processors such as IT contractors to whom they might outsource the provision of IT systems or services.

Such an arrangement between the authority and the IT contractor is likely to result in a controller-processor relationship under the GDPR. Whilst it is currently the case under the Data Protection Act 1998 that controllers must have a written agreement with their processors, under the GDPR the list of provisions that must be included in that contract is greatly increased. In addition, the GDPR requires controllers to carry out certain due diligence on their processors. This will include ensuring they are satisfied that their processors have themselves implemented appropriate measures to meet the requirements of the GDPR, particularly in relation to the security of any personal data.

Whilst it may currently be the case that many data breaches go undetected by controllers because IT contractors are not informing them of such breaches, this should change under the GDPR. This is because under the GDPR, processors will have their own obligations in relation to data protection compliance. One such obligation is the requirement to notify the controller, without undue delay, where they become aware of a data breach. Whilst this is an obligation imposed on the processor by the terms of the GDPR, it would be advisable for controllers, when they review or enter into contracts with their processors, not only to include the mandatory list of provisions required by the GDPR but also to reinforce the obligation to report a breach to the controller in the body of the contract itself.

That should hopefully deal with the issue of ignorance on the part of the controller as to when breaches occur. The next issue, and arguably a more important one, for local authorities is whether, upon becoming aware of a data breach from a data processor, the local authority can comply with the notification timeframe of 72 hours. Within this short timeframe, controllers will need to take steps to contain the breach, if possible mitigate its effects, and prepare a notification report.

It will be imperative therefore that local authorities have a procedure which guides them through the process to enable them to deal with the matter as efficiently and effectively as possible.

Lowri Phillips is partner at Geldards
