Information Security Policy

13. Incident reporting and auditing

13.1. Definition of an incident

An information security ‘incident’ is:

  • A suspected breach of confidentiality resulting in unauthorised disclosure of, or access to, information, e.g. from theft or loss of case files, or accidentally sending confidential information to a third party.
  • A suspected breach of integrity, where there is an unauthorised or accidental alteration of personal data, e.g. the website being hacked, or unauthorised changes to records.
  • A suspected breach of availability, where there is an accidental or unauthorised loss of access to, or destruction of, personal data, e.g. from fire or flood, or loss of equipment due to theft.

Any member of staff who finds a suspected breach must report it immediately to their line manager, who will inform the Data Protection Officer (DPO) so the incident can be logged. Do not delay. Notify another manager if the usual line manager is unavailable. There is a time limit of 72 hours to report more serious breaches to the Information Commissioner, so suspected breaches must be reported promptly. Please use the Data Security Incident Reporting Form available on ECHO and on the Intranet and email it to dataprotection@lgo.org.uk. 

For serious breaches, please also report the breach to the DPO or failing them, another member of the Executive Team by telephone. A serious breach could include, but is not limited to, large volumes of data being disclosed, suspected hacking/system ransom, data loss that could put someone in imminent danger physically or financially.

Staff must notify all suspected breaches even if we are not the source/cause of the breach, for example where a Body in Jurisdiction (BinJ) shared personal data with us that it should not have done. In these circumstances, the person notifying the breach must also tell the BinJ.

In addition:

  • If information is sent to the wrong address, the user will attempt to prevent further dissemination by recalling the message (not currently possible within ECHO) and/or asking the actual recipient(s) to delete it and confirm back to the user that they have done so.
  • If IT equipment or usage is involved, the line manager will also inform the IT Manager.
  • Users who receive, identify how to, or accidentally gain access to unauthorised information on our system must immediately report this to their line manager, who will inform the IT Manager.
  • Report the loss or theft of access devices such as swipe cards or ID badges to the Operational Support Manager immediately, and to the line manager.

There is a procedure for reviewing suspected or actual breaches which is overseen by the SIRO, working with the DPO. The IT Manager will investigate and keep a record of actual or suspected incidents in computer security such as misused permissions or passwords and virus infection. They will have documented procedures for dealing with incidents.

Depending on the severity, nature and impact of the incident or breach, a small incident response team of senior officers may be appointed. Any serious breaches will be reported to the ICO.

See further guidance on reporting and reviewing data security incidents.

13.2. Audit

The IT Manager will undertake penetration tests and security audits at regular intervals (normally annually) to maintain a high level of information assurance, and to ensure we identify and resolve vulnerabilities in security. The Information Working Group will also monitor understanding of and adherence to this policy and report as necessary to IAOs.

Assistant Ombudsmen will monitor confidential papers removed from LGSCO offices via ECHO, using the Document Tracking Function and other checks, and report to the Senior Information Risk Owner (SIRO) as necessary.

IAOs will provide annual assessments of adherence to this policy and highlight any areas of concern to the SIRO.

The SIRO will incorporate annual assessments of performance into the information risk aspects of the Accounting Officer's statement of internal control.

13.3. Information Working Group

The group is responsible for ensuring good practice is followed in how we manage personal and confidential information. The group monitors and reviews information policies and guidance, monitors information security incidents, and makes recommendations based on what has been learned from them.

The full terms of reference of this group are available on the intranet, or on request.

September 2023
