Lowri Phillips 16 October 2017

Ensuring outsourced IT services are secure

Cyber attacks, and ransomware attacks in particular, are becoming more common against public authorities. The recent ransomware attack on the NHS deployed malicious software that encrypted files and blocked access to computer systems; a ransom was then demanded for their release. It demonstrates that public sector organisations are prime targets for such attacks.

Local authorities in particular hold significant volumes of personal data, including sensitive personal data, which makes them attractive targets. Recent responses to freedom of information requests made by The Times suggest that 115 of the 430 local authorities in the UK have been hit by ransomware-type attacks in the past 12 months alone.

When it comes into force on 25 May 2018, the General Data Protection Regulation (GDPR) will up the ante considerably in relation to the security of personal data. It will make it mandatory for local authorities, as controllers, to notify the ICO of any personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.

The time limit for notification is tight: without undue delay and, where feasible, within 72 hours of becoming aware of the breach. A failure to notify could expose local authorities to the vastly increased fines under the GDPR. Failing to report a breach attracts the lower tier of fine (up to €10 million, approximately £9 million, or 2% of annual worldwide turnover, whichever is higher), but a potential fine of that size should be deterrent enough.

When it comes to data security, local authorities will need to ensure that they have appropriate technical and organisational measures in place to maintain the security of personal data. The GDPR expressly mentions encryption and pseudonymisation; in practice this will also mean properly configured firewalls, patching and access controls. In addition, local authorities will need to consider carefully the engagement of processors such as IT contractors to whom they outsource the provision of IT systems or services.

Such an arrangement between the authority and the IT contractor is likely to amount to a controller-processor relationship under the GDPR. Whilst it is already the case under the Data Protection Act 1998 that controllers must have a written agreement with their processors, under the GDPR the list of provisions that must be included in that contract is greatly increased. The GDPR also requires controllers to carry out due diligence on their processors: a controller may use only processors that provide sufficient guarantees that they have implemented appropriate measures to meet the requirements of the GDPR, particularly in relation to the security of personal data. That due diligence should be evidenced, for example by asking the contractor to demonstrate its security controls, certifications and breach-handling arrangements before the contract is signed.

Whilst it may currently be the case that many data breaches go undetected by controllers because IT contractors are not informing them, this should change under the GDPR, which places direct obligations on processors for the first time. One of those obligations is to notify the controller without undue delay after becoming aware of a personal data breach. Although this obligation is imposed on the processor by the GDPR itself, controllers reviewing or entering into contracts with their processors would be well advised not only to include the mandatory list of provisions required by the GDPR but also to reinforce the duty to report breaches in the body of the contract, ideally specifying how quickly the processor must notify, what information the notification must contain and whom it must be sent to.

That should deal with the problem of controllers being unaware that breaches have occurred. The next issue, and arguably the more important one, for local authorities is whether, upon learning of a data breach from a processor, the authority can meet the 72-hour notification timeframe. Within that short window the controller will need to contain the breach, mitigate its effects where possible and prepare the notification to the ICO. Note that the 72 hours run from when the controller becomes aware of the breach, not from when the processor does, and that where the full facts are not yet known the GDPR allows the information to be provided in phases without undue further delay, so an initial notification should not be held back until the investigation is complete.

It will be imperative, therefore, that local authorities have a documented breach response procedure, agreed with their processors and rehearsed in advance, which guides them through the process so that they can deal with an incident as efficiently and effectively as possible.

Lowri Phillips is partner at Geldards
