Lowri Phillips 16 October 2017

Ensuring outsourced IT services are secure

Cyber security incidents, and ransomware attacks in particular, are becoming more common for public authorities. The recent ransomware attack on the NHS deployed malicious software that blocked access to computer systems; a ransom was then demanded to release the data. This demonstrates that public sector organisations are prime targets for such attacks.

Local authorities in particular hold significant volumes of personal data, including sensitive personal data, which makes them vulnerable to attack. Recent responses to freedom of information requests made by The Times suggest that 115 of 430 local authorities in the UK have been hit by ransomware-type attacks in the past 12 months alone.

When it comes into force on the 25th May 2018, the General Data Protection Regulation will up the ante considerably in relation to the security of personal data and make it mandatory for local authorities to notify the ICO where a personal data breach occurs that would result in a risk to the rights of individuals.

The time limit for notification is tight: only 72 hours from becoming aware of the breach. A failure to notify could expose local authorities to the vastly increased fines under the GDPR. Failure to report a breach attracts the lower tier of fine under the GDPR, but when you consider that lower-tier fines can amount to approximately £9m, this should be deterrent enough.

When it comes to data security, local authorities will need to ensure that they have adequate organisational and technical measures in place to maintain the security of personal data, including encryption, pseudonymisation and adequate firewalls. In addition, local authorities will need to carefully consider the engagement of processors such as IT contractors to whom they might outsource the provision of IT systems or services.

Such an arrangement between the authority and the IT contractor is likely to result in a controller-processor relationship under the GDPR. Whilst the Data Protection Act 1998 already requires controllers to have a written agreement with their processors, under the GDPR the list of provisions that must be included in that contract is greatly increased. In addition, the GDPR requires controllers to carry out certain due diligence on their processors. This will include ensuring they are satisfied that their processors have themselves implemented appropriate measures to meet the requirements of the GDPR, particularly in relation to the security of any personal data.

Whilst it may currently be the case that many data breaches go undetected by controllers because IT contractors are not informing them of such breaches, this should change under the GDPR, because processors will have their own obligations in relation to data protection compliance. One such obligation is the requirement to notify the controller, without undue delay, where they become aware of a data breach. Although this obligation is imposed on the processor by the terms of the GDPR itself, it would be advisable for controllers, when they review or enter into contracts with their processors, not only to include the mandatory list of provisions required by the GDPR but also to reinforce the obligation to report a breach to the controller in the body of the contract.

That should deal with the issue of the controller being unaware when breaches occur. The next, and arguably more important, issue for local authorities is whether, upon becoming aware of a data breach from a data processor, the local authority can comply with the 72-hour notification timeframe. Within this short timeframe, controllers will need to take steps to contain the breach, mitigate its effects where possible and prepare a notification report.

It will be imperative therefore that local authorities have a procedure which guides them through the process to enable them to deal with the matter as efficiently and effectively as possible.

Lowri Phillips is partner at Geldards
