Disclosure Scotland: Risks to sensitive data: FOI release
- Published: 25 November 2019
- Topic: Public sector
- FOI reference: FOI/19/02420
- Date received: 29 October 2019
- Date responded: 21 November 2019
Information request and response under the Freedom of Information (Scotland) Act 2002
Information requested
Details of any risks identified in the last six months to the safeguarding system or the PVG scheme or any risks to sensitive data or the data of the list of individuals barred from working with children. Please include any increased security risk identified in 2019 to do with basic disclosure, standard disclosure, enhanced disclosure or PVG Scheme.
Response
The answer to part of your question is contained within the table below. However, please see the exclusion included in our response. Please note that the text below represents theoretical risks that were identified as part of the responsible governance of Disclosure Scotland. The identification of possible risks does not mean that these will, or have, transpired.
| Date Raised | Risk Description | Mitigations/Controls |
| --- | --- | --- |
| 18/6/19 | Risk: The risk is that the same person is able to join the PVG Scheme more than once, with more than one PVG Scheme number being created for this person. (This risk is only at the stage when a person is looking to join the Scheme.) If two applications for the same applicant enter the Person Match task, they will not present a customer profile and two profiles will be created upon submission. As a result of how the Person Match queue is currently managed, applications can sit at this task for extended periods of time, increasing the risk of this occurring. Cause: Implementation of Person Matching software performing the search at an undefined period, before it is actually requested. Consequence: This has Safeguarding implications for Ongoing Monitoring purposes, which could lead to unsuitable persons having access to vulnerable groups as the correct criminal record/other information has not been appropriately held against the correct person profile. Proximity: Current | The Technical Design Authority have approved a mitigation approach for this risk in 3 parts: |
| 08/10/19 | Risk: There is a risk that we are unable to recruit enough correctly skilled staff to run the service and complete handover. Cause: Unable to hire the right skills. Consequence: This puts handover and the Operation service at risk. | Mitigation Plan: Establish a profile for staff required across the team to support handover activities - completed; Establish resource required to operate the service - completed; Put in place recruitment programme for handover – Mid November; Put in place recruitment plan for operate; Monitor plan through to completion and identifying specific areas of concern |
| 09/10/19 | Risk: There is a risk that DS will not be able to retain the skills and acquired knowledge to allow us to run the service. Cause: Resource Retention. Consequence: Operational service at risk | |
| 09/10/19 | Risk: There is a risk that non handover activity that is required could impact handover. Cause: Non handover activity clashes with priorities for handover. Consequence: Operational service at risk | |
| 23/10/19 | Risk: There is a risk to Programme Security Accreditation. Cause(s): delays to planned security work may adversely impact our accreditation. Consequence(s): Loss of Accreditor and Police data providers confidence in DS’s ability to ensure compliance with required Security standards. In the worst case scenario this could lead to the removal of permission to operate | Security prioritisation exercise has been completed, priorities identified and agreed with Accreditor. High Level implementation plan created and agreed. Oct/Nov 2019 - Delivery underway to address identified Security priorities. Long term planning for activity over next two years in progress |
REASONS FOR NOT PROVIDING INFORMATION
An exemption applies.
An exemption(s) under section(s) 30(c) of FOISA applies to some of the information you have requested.
The release of information relating to the security build and infrastructure could provide a means to expose the architecture/design and wider connectivity to other Government networks, including sensitive data on how our system is built or operates.
This exemption is subject to the “public interest test”. Therefore, taking account of the circumstances of this case, we have considered the public interest in applying this exemption. We have found that, on balance, the public interest lies in favour of upholding the exemption. We recognize that there is a public interest in disclosing information as part of open, transparent and accountable government. However, there is a greater public interest in protecting Disclosure Scotland systems and ensuring that Disclosure Scotland is able to conduct its business effectively.
About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.
Contact
Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000
The Scottish Government
St Andrews House
Regent Road
Edinburgh
EH1 3DG