Purpose
The purpose of the data protection by design and default approach is to establish the key principles and requirements that will enable PKB to embed Information Security and Data Privacy into new services, systems, and/or software for all internal PKB services (including those that are customer facing) and customer-facing shared services.
...
Line managers are responsible for the day-to-day management of staff and advise on the implementation of Information Security and Data Privacy policies and procedures within their business areas and for ensuring compliance by their staff.
Policy
Data protection by design and default is to be considered at the conception stage of each service, and any non-functional requirements connected with information security or data privacy are to be defined in the early stages of any information system design.
...
These principles are to be followed when developing or delivering a service, either internally for PKB or when developing or delivering a service for our customers.
Project Governance
Introduction
Staff that both lead and implement projects within PKB are responsible for the ongoing information security and privacy of their service and the ongoing confidentiality of information processed by the delivered service.
...
Project Managers are responsible for guiding projects to a successful conclusion either as part of a new initiative or to upgrade/replace a current system or service. This includes the integration of information security and data privacy controls that are required to deliver a secure system that processes information in a controlled and lawful manner.
Information Security and Data Privacy Requirements
It is inevitable that nearly all projects will have Information Security and Data Privacy requirements in some form or another. These requirements will vary from project to project depending on the functional requirements of the service and the information that is stored and processed. Some upgrade projects will have few, if any, security requirements beyond those of the original service, whereas new services may have a large number of requirements. Projects are therefore differentiated as below:
...
A list of types of personal and special category information can be found in Appendix A.
Pre-Project
Data protection by design and default requirements are to be embedded into the design from inception. This includes the Information Security and Information Governance Teams and/or the Data Protection Officer understanding, at the outset of any project, any potential high-risk areas that may impact either the information security profile of PKB or the personal information of our customers, employees or partners.
...
How the personal information to be used has been obtained.
Where personal information is to be used.
Whether the purpose for which the personal information was initially collected is compatible with the project’s purpose.
Where one set of personal information is cross-referenced or aggregated to provide new information.
Where re-use is initially thought to be incompatible with the original purpose for which the personal information was collected.
In any of the above cases, further assessments will need to be carried out before the information can be used.
Project Initiation
During the initiation of a project, it will be clear whether the involvement of the Information Security and Information Governance Teams and/or the Data Protection Officer is required.
...
Refer to the Supplier Assurance Standard for further details.
Delivery
During the early part of project delivery (or, in some cases, the late part of initiation) it may be decided that the project cannot implement a specific control. This can be for a number of reasons:
...
Any remaining risks will be placed on the relevant risk register (depending on the type of risk and the area impacted) and either accepted or tracked through the solution's entire lifecycle.
Verification and Testing of Information Security and Data Privacy Controls
Protection Controls
High- and Medium-impact projects will have their control design and delivery verified and tested. This may include specific User Acceptance Testing (UAT) (for items such as access controls), vulnerability testing (for internal and externally facing projects), and penetration testing (for external or customer-facing projects). This testing is to be organised and completed within the project, and the results released to the Information Security and Information Governance team/DPO for verification and acceptance.
Where the project involves personal information, the project manager will be responsible for liaising with the Information Security and Information Governance team/DPO to ensure that all information protection aspects have been considered and that the effectiveness of the mitigating measures taken is to the satisfaction of the DPO.
Project Closure
The data protection by design and default process will vary depending on the impact of the project and the potential risks of its implementation from an information security and data privacy perspective.
High-Impact Projects – The Information Security and Information Governance team and, where appropriate, the DPO will continue to be a stakeholder in the project and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and, where appropriate, the DPO that any controls are in place and effective.
Medium-Impact Projects – The Information Security and Information Governance team and, where appropriate, the DPO will continue to be a stakeholder in the project and its transition to BAU. This will involve confirmation by the Information Security and Information Governance team and, where appropriate, the DPO that any controls are in place and effective.
Low-Impact Projects – With low-impact projects, security should be advised, especially if there has been any change to information security and data privacy controls since delivery.
Change Control Board
When the final go-live is to take place before the project goes to the Change Control Board
...
The Change Control Board will be notified by the Project Manager. If the project manager or any member of the CCB believes the assessment of the project's impact is flawed, they are to discuss it with the Data Protection Officer, depending on the focus of the impact.
Transition into Business as Usual
Some, but not all, projects will need to go through a transition into BAU; in particular, but not exclusively, projects delivering services with new functionality. In the specific case of Information Security and Data Privacy, a number of key areas need to be transitioned to the relevant parties:
Any personal information will need to have a nominated Information Asset Owner responsible for the ongoing due diligence required through the entire lifecycle of the information, for example, the assurance of information retention policies.
Any specific security controls such as access control mechanisms, encryption, and other security controls will need to be transitioned to the relevant parties for ongoing management.
Any residual risk will need to be transferred to the relevant BAU department to ensure ongoing monitoring and continual acceptance and/or mitigation.
ISO 27001 Certification
PKB is ISO 27001 compliant and the certificate is held by Google, because all data is hosted within Google Cloud Platform (GCP) data centres (the scope of certification includes the physical security of the data centres). Further details can be found here.
Business as Usual
After go-live, ongoing security maintenance is the responsibility of the BAU teams. After introduction into service, the solution will be auditable from an internal perspective and systems will be brought into the regular audit schedule of the Compliance Team; high-impact projects will be audited on an annual basis.
...
New services that are deemed high-impact will be scheduled for an internal audit within 12 months of go-live; medium- and low-impact services will be moved into the ongoing internal audit schedule.
Innovation Governance
Information security governance and the implementation of security and data privacy controls during a period of innovation may sometimes seem problematic. However, it is key to understand the specific risks and impact that any new service will have on both PKB and our customers, and the disruption that implementing these controls at inception may bring to the development process.
Supporting the Business
It is important to understand that PKB will only succeed by developing unique services to sell to its customers. Security and data privacy requirements can curtail that development in the initial stages, so when designing an innovative service it is more efficient to focus on the functionality and outcomes required. It is therefore normal to start initial development without the additional burden of security and data privacy controls while functionality is being developed.
This is an accepted risk of doing business and, at the beginning, an appropriate response. However, as the service gets closer to a deliverable state it is important to begin integrating control mechanisms to ensure the service can maintain the Confidentiality, Integrity, and Availability of the information it contains. To enable this, the Information Security and Information Governance Teams run a system called Elastic Governance.
Elastic Governance
Elastic Governance allows innovation to be trialled and refined early in the process without being encumbered by a large number of security controls at the outset. It divides innovation into three sections:
...
The middle stage can itself include multiple stages of development. The key principle is that at each stage the functionality moves closer to release, and more data protection by design and default requirements, and their related controls, are integrated into the solution.
Use of Live Data for Development and Testing Purposes
The use of operational live information containing personal information or any other PKB confidential information for testing purposes is not permitted.
In cases where using live information containing personal information, special categories of personal information, or any other business confidential information for testing purposes cannot be avoided, the policy exception process must be followed.
Secure Development Practices
PKB shall ensure secure development practices are followed at all times, in line with industry-recognised security standards. All developed code/applications shall undergo security tests such as static code reviews, vulnerability tests, and/or penetration tests to verify the security posture of the developed application/code.
Refer to the Supplier Assurance Standard for further details.
Document Management & Control
PKB systems and information remain the property of PKB at all times, and PKB reserves the right to monitor compliance with policies in line with all applicable laws, with due regard and respect for the fair treatment of all employees, and to protect its network from systems and events that threaten or degrade operations.
PKB reserves the right to copy and examine any PKB-owned files or information resident on systems or devices. If the device or its use is in contradiction to PKB Policy or allegedly related to unacceptable use, those responsible may be subject to disciplinary action up to and including dismissal, and where applicable may be referred to the police for prosecution.
...
Examples of Personal Data and Special Category Data items are shown in the table below.
Personal Information | Special Category Information (sensitive personal data) |
---|---|
Name | Health Data |
Personal Address | Biometric Data |
Personal Telephone Number | Genetic Data |
Personal Email Address | Race |
Date of Birth | Ethnic Origin |
National Insurance Number | Political Opinions |
Nationality | Religion |
Passport Details | Philosophical Beliefs |
Driving Licence Details | Trade Union Membership |
Personal IP Address | Data concerning a Natural Person's sex life |
Signature | Sexual Orientation |
Job Title | Personal Financial Information |
Personal Vehicle Registration | |
Employment History | |
Personal Salary & Benefits Details | |
Criminal Records | |
Business Email Address | |
Business Address | |
Business Telephone Number | |
Skype ID | |