Information Security Statement

Recognising the value and importance of its information resources, and its statutory obligations to protect them against corruption or loss, the City of Bradford Metropolitan District Council will actively protect these assets in ways that are appropriate and cost effective. The Council will thereby fulfil its statutory responsibilities, protect citizens, customers and businesses, and maintain the effectiveness and continuity of its services.

The Council will:

• operate security governance to ensure senior management direction and promote compliance throughout the organisation
• ensure that controls are based on business requirements and are balanced against risk assessments that are reviewed on a regular basis
• maintain an effective, properly resourced information assurance group to monitor controls and assist user departments to safeguard their data.

To support this, we must:

• make sure that appropriate data is collected and then properly maintained and processed, and that its confidentiality and integrity are suitably preserved
• protect our information systems from a wide range of physical threats to minimise risk and maximise their value to the Council
• detect and protect against viruses and other malicious software, and correct security vulnerabilities
• protect critical business processes and online customer services against failures and disasters
• educate and train our staff to handle and process information securely, effectively and legally
• develop controls by a process of continuous monitoring and measure their effectiveness
• report all breaches of information security, actual or suspected, and deal with them in an appropriate manner
• conduct regular security risk assessments and audits.

Every individual in the Council with access to its information systems also has a responsibility to protect that information and prevent harm to businesses, citizens and customers. Information security is primarily about and for people, not technology.

Data security incident policy

Bradford Council is committed to fulfilling its obligations under the legislation and to ensuring that where data is misdirected, lost, hacked or stolen, inappropriately accessed or damaged, the incident will be properly investigated and, where necessary, reported to the Information Commissioners Office (ICO), or any other appropriate supervisory authority, and/or the data subject(s) in addition to taking any necessary action to rectify the situation.

The aim of this policy is to standardise the Council’s response to any personal data breach and to set out how the Council will manage reports of suspected data security incidents.

In summary the Council will ensure that all data security incidents are:

• reported swiftly so that they can be properly investigated
• appropriately logged and documented
• dealt with in a timely manner and normal operations restored
• risk assessed to ensure that the impact of the incident is understood, and action taken to prevent further damage
• appropriately reported to the ICO, affected data subjects informed or any other appropriate supervisory authority (as is required in more serious cases)
• reviewed, and lessons learned
• managed in accordance with the law and best practice.

You can read the full Data Security Incident Policy (PDF, 143 Kb).