My Department's core IT infrastructure is provided by the Office of the Government Chief Information Officer (OGCIO) under the 'Build to Share Managed Desktop' shared service. The services provided by the OGCIO are compliant with GDPR. In reference to your question which points to in Article 29 of the GDPR in particular, OGCIO processes data under instruction from my Department. I have been advised by OGCIO that as a data processor, they have taken all reasonable measures to prevent unauthorised access to personal data through the use of appropriate security processes and controls. These processes and controls include the ability to ensure the ongoing confidentiality, compliance, integrity, availability and resilience of processing systems and services; and the ability to restore the availability and access to Personal Data in a timely manner in the event of a cybersecurity, physical or technical incident.
The OGCIO has adopted a defence-in-depth security strategy which is achieved by utilisation of people, processes, and technology to support the implementation of ICT security services. The threat landscape is constantly evolving and significant effort is expended to continually enhance and strengthen ICT security to mitigate against emerging threats, risks, vulnerabilities and cybersecurity issues. In addition to deploying perimeter security measures, such as intrusion protection systems, software vulnerabilities are managed by maintaining up-to-date versions and aggressively deploying updates and patches to endpoints and applications as they become available.
The OGCIO has employed a policy of least privilege security principle. IT staff are only assigned security roles with levels of access which are essential to perform the tasks and duties associated with their functions. The allocation and usage of privileged user accounts are reviewed and monitored.
The OGCIO has developed an Information Security Management System (ISMS) aligned with the industry security standard ISO27001. This ISMS provides an overall governance framework for information security and sets out security policies, objectives, management oversight, practices and governance and ensures continual improvement of information security management.