Publication - FOI/EIR release

Disclosure Scotland: Risks to sensitive data: FOI release

Published: 25 Nov 2019
Part of:
Public sector

Information request and response under the Freedom of Information (Scotland) Act 2002

Published:
25 Nov 2019
Disclosure Scotland: Risks to sensitive data: FOI release
FOI reference: FOI/19/02420
Date received: 29 Oct 2019
Date responded: 21 Nov 2019
Information requested

Details of any risks identified in the last six months to the safeguarding system or the PVG scheme or any risks to sensitive data or the data of the list of individuals barred from working with children. Please include any increased security risk identified in 2019 to do with basic disclosure, standard disclosure, enhanced disclosure or PVG Scheme.

Response

The answer to part of your question is contained within the table below. However please see the exclusion included in our response. Please note that the text below represents theoretical risks that were identified as part of the responsible governance of Disclosure Scotland. The identification of possible risks does not mean that these will, or have, transpired.

Date Raised

Risk Description

Mitigations/Controls

18/6/19

Risk: The risk is the same person is able to join the PVG Scheme more than once, with more than one PVG Scheme number being created for this person. (This risk is only at the stage when a person is looking to join the Scheme)

 

If two applications for the same applicant enter the Person Match task, they will not present a customer profile and two profiles will be created upon submission. As a result of how the Person Match queue is currently managed; applications can sit at this task for extended periods of time, increasing the risk of this occurring

Cause: Implementation of Person Matching software performing the search at an undefined period, before it is actually requested

 

Consequence: This has Safeguarding implications for Ongoing Monitoring purposes, which could lead to unsuitable persons having access to vulnerable groups as the correct

The Technical Design Authority have approved a mitigation approach for this risk in 3 parts:

 

  1. Change the point at which a search is invoked and so extensively reduce the chances of the problem occurring.
     
  2. A subsequent change to business process to have the Agent who completes a Review Task follow on to also complete the Person Match Task therefore minimising delays and the chances of the problem occurring.
     
  3. Create daily Management Information Reports identifying potential duplicate members, for review and action by the service team.

Date Raised

Risk Description

Mitigations/Controls

 

criminal record/other information has not appropriately held against the correct person profile.

 

Proximity Current

 

08/10/19

Risk: There is a risk that we are unable to recruit enough correct skilled staff to run the service and complete handover.

 

Cause: Unable to hire the right skills.

 

Consequence: This puts handover and the Operation service at risk.

Mitigation Plan

Establish a profile for staff required across the team to support handover activities - completed

  • Production support and ITSM Development
  • Test
  • Dev Ops (platform)

 

Establish resource required to operate the service - completed

Put in place recruitment programme for handover – Mid November

Put in place recruitment plan for operate

 

  • Production support and ITSM
  • Development
  • Test
  • Dev Ops (platform)

 

Monitor plan through to completion and identifying specific areas of concern

09/10/19

Risk: There is a risk that DS will not be able to retain the skills and acquired knowledge to allow us to run the service

 

Cause: Resource Retention

 

Consequence: Operational service at risk

  • Conduct an analysis of what skills are most at risk
  • Document processes and procedures to ensure that handover can take place
  • Transition to a resource model with a greater reliance on permanent rather than interim members of staff
  • Ensure that knowledge of the system is spread around a team rather than resting with individuals

09/10/19

Risk: There is a risk that non handover activity that is required could impact handover.

 

Cause: Non handover activity clashes with priorities for handover.

 

Consequence: Operational service at risk

  • Clear articulation of handover and non-handover activity
  • Clear separation of duties between handover and non-handover
  • Priority between handover and non- handover activities detailed
  • Robust and complete plan to ensure that we are correctly allocating resource

Date Raised

Risk Description

Mitigations/Controls

23/10/19

Risk: There is a risk to Programme Security Accreditation.

 

Causes(s): delays to planned security work may adversely impact our accreditation

 

Consequence(s): Loss of Accreditor and Police data providers confidence in DS’s ability to ensure compliance with required Security standards. In the worst case scenario this could lead to the removal of permission to operate

Security prioritisation exercise has been completed, priorities identified and agreed with Accreditor.

 

High Level implementation plan created and agreed.

 

Oct/Nov 2019 - Delivery underway to address identified Security priorities

 

Long term planning for activity over next two years in progress

REASONS FOR NOT PROVIDING INFORMATION
An exemption applies. 

An exemption(s) under section(s) 30(c) of FOISA applies to some of the information you have requested. 
The release of information relating to the security build and infrastructure could provide a means to expose the architecture/design and wider connectivity to other Government network including sensitive data on how our system is built or operates. 
This exemption is subject to the “public interest test”. Therefore, taking account of the circumstances of this, we have considered the public interest in applying this exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognize that there is a public interest in disclosing information as part of open, transparent and accountable government. However there is a greater public interest in protecting Disclosure Scotland systems and ensuring that Disclosure Scotland is able to conduct its business effectively.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrews House
Regent Road
Edinburgh
EH1 3DG