
Data Protection

Dáil Éireann Debate, Thursday - 20 May 2021

Questions (246)

Fergus O'Dowd

Question:

246. Deputy Fergus O'Dowd asked the Minister for Housing, Local Government and Heritage if his Department is fully compliant with GDPR EU requirements, the EU Network and Information Security Directive and standards with respect to his Department’s IT infrastructure including Article 29 of GDPR which requires that data processors access only the data they need for their task; if ISO 27001 Annex 9 standards on privileged access are fully met; and if he will make a statement on the matter. [27342/21]

Written answers

In accordance with the requirements of the General Data Protection Regulation (GDPR), my Department has implemented a range of appropriate organisational and technical measures to safeguard privacy and protect personal information. These measures include the ability to ensure the ongoing confidentiality, integrity and availability of systems and services.

Since the coming into effect of the GDPR in May 2018, my Department has taken a number of steps to establish a comprehensive compliance framework. A dedicated Data Protection Officer (DPO), as required under Article 37 of the Regulation, has been appointed. The DPO leads a Data Protection Unit (DPU) and Information Officers have also been identified across the Department to assist with ensuring data protection compliance.

The DPU has been rolling out a programme of work over the past three years, which includes providing assistance to business units in addressing any potential data protection risks. The Unit has developed a GDPR e-Learning Programme for staff, to help raise awareness and provide training to staff on compliance with the legislation. Articles 28 and 29 of the GDPR set out the requirements for data controllers and data processors in relation to the processing of personal data on behalf of the controller. The DPU works with business units on an ongoing basis to advise on the requirements of the articles, including entering into legally binding contracts governing the processing and security of personal data.

My Department uses the principle of least privilege access in line with industry best practices and guidance and advisories issued by the Office of the Government Chief Information Officer (OGCIO) and the National Cyber Security Centre (NCSC) of the Department of Communications, Climate Action and Environment (DCCAE). IT staff are only given access which is essential to perform the tasks and duties associated with their roles and responsibilities. IT staff with privileged user accounts are reviewed and monitored on a regular basis.
