Personal Data - Security and Confidentiality
Securing Personal Data in Kildare County Council
Background
We protect your information with procedural, physical and technological measures and controls to ensure (in so far as it is possible) a safe and secure location for your personal data. Kildare County Council are committed to securing personal data through a range of measures aimed at minimising risks of the following outcomes relating to personal data:
- Alteration
- Loss
- Damage
- Unauthorised processing
- Unauthorised access.
In determining security measures the Council first have regard to risks related to:
- the nature of the personal data (for example sensitive data should have less access and higher security arrangements);
- the context in which data is collected, for example whether there are risks related to how the data is collected (public areas etc.).
Based on this assessment we then proceed to identify suitable organisational or technological options to address security, while having regard to the related cost of employing solutions.
Technological security actions
The IT department in Kildare County Council has a range of procedural and technological solutions in place to maintain (in so far as it is possible) a safe and secure location for your personal data. The following is a shortlist of the range of measures undertaken in this regard; the list is not exhaustive and is subject to amendment and review in light of emerging risks:
- Organisational Firewall solution in place to prevent external access to the Kildare County Council (KCC) network.
- Secure communications via the Government Virtual Private Network (VPN)
- Latest Windows patches installed.
- Anti-Virus software
- Comprehensive data backup solution in place in case of accidental loss of data.
- Two-factor authentication on all relevant systems, authorised by the relevant data owner in each section.
- Automatic PC lockout
- Internet access for staff authorised by Director of Service in writing and monitored using web access monitoring software
- Secure server room.
- Secure off site storage of backup media.
- Encryption of mobile devices, e.g. laptops, smartphones and flash drives.
- Non-disclosure agreements with contractors accessing IT systems remotely or onsite
Physical and other organisational security actions
Personal data is secured from unauthorised physical access, loss etc. in a range of ways. The following is a shortlist of the range of measures undertaken in this regard; the list is not exhaustive and is subject to amendment and review in light of emerging risks:
- Segregation of public areas from the 'back office' where staff work. Depending on the nature of the information being processed, access to certain secure areas is further restricted by control mechanisms such as card/badge access, confined to staff who need to access those areas.
- Onsite monitored CCTV for building security and public safety, internally and externally
- Signed-in contractors only are allowed access to our building.
- Building security and access, including CCTV, is monitored to ensure there are no system malfunctions.
- Operation of various policies and procedures supporting security such as IT Usage Statement, Clean Desk guidelines and various other Department specific protocols.
- Data Breach Management, which requires staff to report all suspected incidents of unauthorised access. Incidents include disclosure, loss, destruction or alteration of Customer Confidential Information, regardless of whether it is in paper or electronic form.
- Regular advisories on both IT Security and other best practice measures are communicated to staff
- Regular Data Protection and IT Security Training
- Employment contracts require staff to maintain confidentiality of data to which they have access
- Staff are trained to ensure they prevent unauthorised access to personal data by way of impersonation either over the phone or in person
- IT and local management processes to control access to systems to ensure access is role based
- Secure storage for certain types of data
- Provision of confidential waste bins, with disposal onsite
- Swipe card access to printers and scanners
This list is not exhaustive and is subject to amendment and review, related to emerging risks.