Adult Care Payment Cards and GDPR / Data Protection

1. Who is the data controller for personal data relating to payment cards?  If it is the card provider, is there a contract in place covering this data processing?

Devon County Council (DCC) has a contract with a company called Prepaid Financial Services (PFS) to provide the Devon card and Devon card system. In this relationship, PFS is the Data Controller and DCC is the Data Processor. The contract between DCC and PFS was updated in May 2018 to reflect the new GDPR requirements in relation to data protection.

DCC has a contract with Disability Focus (DF) to provide payroll/managed accounts. DF also access the PFS system when they make payments on behalf of individuals. The Service Level Agreement between the Council and Disability Focus dates to 2016, so pre-dates GDPR. However, they have provided us with confirmation that they are working to current data protection requirements, as outlined in Section 2.

2. Who has access to the data? What data protection training have these staff had? What organisational measures (policies, procedures etc.) are in place to ensure that data is kept safe and not accessed by anyone without authorisation? Please provide a copy of any written policies and procedures.

Staff from DCC, PFS and DF (Managed Accounts provider) have access to payment card data.

Devon County Council:

Staff employed by Devon County Council have access to the data, including Direct Payments staff, identified members of the Health and Social Care teams, the Charging for Care teams, and our partner agency Disability Focus, who manage budgets to support people with their admin tasks. Access to the data is restricted to those roles which require this information in order to fulfil their professional duties.

Access to the prepaid card provider's portal has to be requested by an authorised officer within Devon County Council, as agreed with our card provider.

DCC staff are required to undertake mandatory Data Protection training on a bi-annual basis.

DCC has a range of policies in place to support the appropriate handling of information. Staff are required to read and comply with these policies, which include the Data Protection Policy, Information Assurance Policy and Personal Information Security Policy.

PFS:

All access to PFS systems and data is granted on the ISO27001:2013 principle of least-privilege access. Managers are responsible for approving the minimum access required for members of staff to successfully complete their role. All accounts and actions are fully auditable, with staff being accountable for each action taken.

Only PFS staff who have been granted permission can access the data, with the exception of a limited number of administrators, whose own access is logged and monitored by the Information Security Manager. Each member of staff is issued with a unique ID and password, with password strength and validity period strictly enforced.

All PFS staff undergo employee training (a mandated policy) which covers a number of different aspects of the business and includes a section on Data Protection: the importance of handling such data, issues that may arise and how to handle different enquiries. All line managers have the responsibility of ensuring that their department staff are well informed of their responsibilities.

All PFS staff complete new IT Security and Compliance training every 4 weeks; among other topics, this covers Data Loss Prevention, Information & Data, Data Classification, GDPR and PCI.

Several policies are in place, including the IT Security Policy, Data Classification Policy, Password Policy, Secure Media Policy, Privacy Policy, Data Protection Policy and Data Retention Policy, all of which provide measures to ensure data is secure and not accessed by non-approved personnel. Policies and Procedures have a data classification of ‘Internal’, so cannot be shared outside of the Company.

Disability Focus (DF):

Compliance in the service area, including pension auto-enrolment and GDPR:

DF processes and procedures ensure that we are compliant with the RTI (Real Time Information) reporting to HMRC electronically.

DF complies with The Pensions Regulator's declaration of compliance on work-based pension auto-enrolment.

DF complies with GDPR.

DF monitors all information that is processed and sent out to ensure that individuals only receive data that complies with GDPR rulings. Consent forms are kept on an electronic record so that, should a request be made, DF knows that an individual has given consent to share certain information.

Approach to keeping information secure and information backup arrangements:

Disability Focus's approach to keeping information secure is robust. From induction training for all staff, managers and trustees, our clients'/beneficiaries' needs are the primary focus of our attention, together with those of our Contract Holders.

Disability Focus uses both paper-based files and data files containing personal data/information. The charity aims to move towards a paperless system as part of its environmentally based actions. Some paper copies will be retained when required; however, paper storage has greatly diminished.

Paper copies are kept in locked metal cupboards and cabinets which are fire resistant. These are within locked offices on the first floor of a building whose ground floor is itself accessed via a steep driveway, so flooding is not generally a risk.

3. Have payment card users been asked to sign a privacy notice?

Devon County Council:

DCC has a generic Privacy Notice for all individuals who are eligible for adult social care funded support. This is covered as part of the assessment process for eligibility for adult social care.

PFS:

All Devon Card users are signposted to the PFS Privacy Policy.

Disability Focus:

Individuals who have a Managed Account with Disability Focus are provided with a copy of their Data Protection policy.

What formats is the privacy notice available in? Please provide a copy of the privacy notice.

The Devon County Council privacy notice is available on the DCC public website, but can also be made available as a paper copy if requested.

4. What steps have been taken to keep payment card data secure?

PFS:

PFS are PCI DSS Level 1 compliant. They carry out regular firewall rule reviews, and have Intrusion Detection/Prevention protection, best-in-class Web Application Firewalls, DDoS infrastructure protection, File Integrity Monitoring, active threat hunting, and internal and external vulnerability scanning, supported by both a Crisis Management and an IT Security Incident Management Process/Procedure.

PFS is an FCA-regulated and PCI DSS certified corporation, and the PFS Rackspace environment holds numerous certifications such as PCI DSS, ISO27001:2013, ISO 9001:2008, ISO14001:2004, Cyber Essentials Plus and SOC1/2. This means independent verification has taken place, at least annually, to evidence resilience, redundancy, and power and generator testing, ensuring that backup services and providers meet and/or exceed the PFS contractual expectations.

Disability Focus:

Approach to keeping information secure and information backup arrangements:

The immediate offices are locked securely 24 hours a day, staff are trained to minimise paperwork on desks, and the majority of the storage is also locked 24 hours a day. The surrounding building is manned at the front door and all entrants are checked.

The wider site has 24-hour security with cameras and security officers patrolling. This site was chosen for Disability Focus partly because of the security for clients’ information.

Data files are saved to computers and servers on site, but are also backed up overnight to a secure offsite IT location. There is no remote access to the servers or data files at any time.

Staff members are trained to keep all data secure on their computer terminals and not to leave documents open where they can be seen. The computers and desks are arranged so that oversight of other people's work is minimised. Computers are locked when staff are not at their desks and automatically shut down after a period of time.

Staff members do not take any documents or data files off-site at all. Bags and personal effects are kept away from desks.

If any paper files are lost or destroyed, the charity policy is to log the loss of files, including the circumstances surrounding the event, dates etc. All files are copied and retrievable, so work will continue; however, the police and any person/entity whose confidential information has been breached will be informed of such an event.

All emails and telephone calls are logged and added to the contract monitoring notes. All emails are received and answered via a secure email method (NHS Email).

What protections are in place to guard against fraud? How is the cardholder's information (including information as to the account holder as well as any purchases) stored?

PFS:

Where appropriate, cryptographic controls will be used to protect the confidentiality, authenticity or integrity of information that is considered at risk.

As a data controller, PFS ensure that the confidentiality and integrity of data at rest is maintained through multiple encryption algorithms and mechanisms, employed on the basis of security standards recommended by the PCI Security Standards Council, NIST and the SANS Institute. This encryption also applies to all data backups.

Fraud defences include monitoring of unusual spikes in activity, reputation and cyber threat intelligence, supported by a dedicated and proactive Fraud team.

PFS also meets the requirement for secure data storage by ensuring it is physically secure, and that it is processed by and stored within the service and the legal jurisdiction of the UK. PFS data is currently stored in Rackspace PCI DSS accredited data centres, on physical and virtual servers, in two locations (both in the UK). The data is held in its own private room, with specific access rights and controls, and PFS operate a full data recovery and backup policy.

The data centre has the following physical and electronic security measures:

  • Security perimeters (barriers such as walls, access card-controlled entry gates, security patrols or manned reception desks) are used to protect areas that contain information processing facilities.
  • Walls are of brick or concrete construction and not partition type walls.
  • Environmental monitoring systems are in place to monitor temperature, humidity, shock, water, intruders, UPS, smoke, air conditioning, door contacts and the fire panel, with remote management software.
  • CCTV covers the Data Centre.
  • Secure areas are protected by appropriate entry controls to ensure that only authorised personnel are allowed access.
  • Access points such as delivery and loading areas and other points where unauthorised persons may enter the premises are controlled and isolated from information processing facilities to avoid unauthorised access.
  • Equipment is protected from power failures and other disruptions caused by failures in supporting utilities and dedicated independent generators are in place.

Other electronic information held on computers/servers is backed up on a daily basis. All data is stored on servers offsite within the Rackspace data centre, which is backed up and provides a backup system should the operating servers go down.

PFS has a robust shredder located in the office which allows for the safe and secure disposal of any information that is held on paper. No information is held on DVDs.

Only senior members of staff can access paper records, as they are held in fireproof cabinets which are locked. The office is situated on the 5th floor of an office block. There is a reception at 1st floor level. PFS operates a receptionist from 8.00am to 6.00pm, the opening hours of the office. The office is accessed from a lift. Access to the ground floor is by a security key pass issued to employees. Anyone visiting the office needs to ring the office, and a video camera allows the receptionist to view the caller. A buzzer will allow the visitor access to the building. They then need to take the lift to the 5th floor, where they are met by the receptionist. If the visitor elects to take the stairs, they cannot gain entry to the office without the security fob that allows entry. There is also an industry-recognised intruder alarm system.

The contract between the Council and Disability Focus (DF) to provide payroll/managed accounts also acts as a safeguard against fraud.

Disability Focus:

Disability Focus strives to ensure that all policies and regulations are being adhered to. When GDPR came into force in 2018, Disability Focus spoke to numerous people to ensure the charity knew what action needed to be taken to ensure the new policy was followed and the charity was compliant.

The data protection policy that was put in place ensures that the charity:

  • Complies with data protection law and follow good practice
  • Protects the rights of staff, customers and partners
  • Is open about how it stores and processes individuals' data
  • Protects itself from risk of a data breach

All staff and any contractors that work for Disability Focus must adhere to the GDPR policy and actions.

All personal information is stored securely and removed once there is no further involvement with the client and the audit retention period has passed. The personal data that Disability Focus holds includes:

  • Name of individuals
  • Postal address
  • Email addresses
  • Telephone numbers
  • …plus any other information relating to individuals

Responsibilities:

Everyone who works for or with Disability Focus has some responsibility for ensuring data is collected, stored and handled appropriately.

Each member of staff that handles personal data must ensure that it is handled and processed in line with this policy and GDPR principles.

However, the following have key areas of responsibility:

The Board of Trustees are ultimately responsible for ensuring that Disability Focus meets its legal obligations.

Storing data:

When data is stored on paper it should be kept in a secure place where unauthorised people cannot see it. Paper is stored overnight in a locked office to which only Disability Focus staff have key access.

These guidelines also apply to data that is stored electronically. Disability Focus carries out a yearly cyber audit to check that there is no threat of a cyber-attack or possibility of a data breach.

Providing information:

Disability Focus aims to ensure that individuals are aware that their data is being processed and that they understand:

  • How the data is being used
  • How to exercise their rights

To these ends, Disability Focus has a privacy policy setting out how data relating to individuals is used by the charity. This policy is available on the charity's website.

What technical and organisational measures are in place in respect of the payment card platforms and any associated network and information systems, e.g. to prevent cyber-attacks?

Being PCI DSS Level 1 compliant, PFS carry out regular firewall rule reviews, and have IDS/IPS protection, best-in-class Web Application Firewalls, DDoS infrastructure protection, File Integrity Monitoring, active threat hunting, and internal and external vulnerability scanning, supported by both a Crisis Management and an IT Security Incident Management Process/Procedure. PFS maintains full intrusion detection and antivirus software on its systems. PFS run quarterly internal and external vulnerability scans and at least one independent penetration test a year; these, together with the disaster recovery and anti-virus protection systems, have to be audited every year by MasterCard.

PFS are PCI DSS Level 1 certified, which means numerous policies, standards, procedures, tools, controls and resources must all be in place and independently verified. PFS also have Cyber Essentials certification, and the data centre is also ISO 27001:2013, SOC1/2, OHSAS 18001:2007, ISO 9001:2015 and ISO 14001:2015 certified.

There are numerous IT security controls in place from the perimeter down to the endpoints (laptops/PCs), using a 7-layer defence-in-depth approach. A high-level view of the framework can be found below, showing some of the additional security controls and policies in place.

What action is taken in the event of a data breach?

PFS:

In addition to GDPR responsibilities to the FCA, PFS have a Crisis Management and IT Security Incident Management Policy/Process. Together these are used to ensure the right committee members are brought together in a timely manner to determine the short- and long-term risk effects and consequences of the data breach, and to work with internal and external partners/clients and agencies, including the police and media if necessary. Clients are kept informed via their regular Account Management team.

If a data breach is reported, PFS will report this to the relevant supervisory authority (Company DPO) and the FCA within 72 hours of the organisation becoming aware of it. In addition, PFS has an internal Disciplinary Procedures Process which sets out the policies and processes for dealing with any disciplinary offences by employees. A forensic root cause investigation will commence, and any areas of procedure that can be improved are documented and re-issued to staff, together with further training as required.

Devon County Council:

Information Security Incidents will be handled in accordance with DCC's Security Incident Management Policy and Procedure. Where an incident meets the requirements as specified in GDPR, DCC will notify the Information Commissioner's Office (ICO) and/or the affected data subject(s).

Disability Focus:

Should there ever be a data breach, Disability Focus are aware that they should contact the following:

Telephone: 0303 123 1113; Email: casework@ico.org.uk

What arrangements are in place to enable access to funds in the event of a system failure?

PFS:

In addition to live production services, PFS take pride in their high system uptime and comprehensive business continuity planning processes. PFS have a resilient live service with quick failover in the event of system failure. In addition, PFS have a disaster recovery plan/process which includes physical backup systems replicated in a second UK-based data centre. This includes different utility and service providers, allowing PFS to ensure quick recovery in the event of complete system failure.

5. Have you carried out a Data Protection Impact Assessment?

PFS:

Each Department Head is responsible for monitoring the performance of the individuals in their department and for keeping them informed of any developments relating to Data Protection.

In its call centre, calls are recorded for monitoring and training purposes, and a random selection of calls is reviewed on a monthly basis to ensure compliance with all PFS policies, including data protection. This also applies to e-mails.

Disability Focus:

A Data Protection Impact Assessment has not been carried out.

Devon County Council:

A Data Protection Impact Assessment has not been carried out.

What risks have you identified? And what mitigating action are you taking?

PFS:

A breach is reported to the relevant supervisory authority (Company DPO) within 72 hours of the organisation becoming aware of it. Depending on the scale of the breach, it may be impossible to investigate it fully within the given timeframe, so organisations will be allowed to provide information in phases. Any identified risks are added to the Company risk register, which is reviewed by the Board of Directors on a quarterly basis.

If you have identified any high-level risks that you are unable to mitigate, what action are you taking as a result?

PFS:

Departmental risks are regularly reviewed, with high-risk items escalated to the Board of Directors, who review them quarterly. There are currently no high-level risks that do not have mitigating controls in place.

6. What processing operations do you actually carry out on the personal data collected?

Devon County Council:

DCC uses the individual's information to open a prepaid card account for the individual, which they use to make payments for services received.

PFS:

PFS is a Data Controller under this structure.

Disability Focus:

Setting up the payroll:

  • Direct Payment Agreement received from the Direct Payment team.
  • DF will contact the client/family to introduce themselves and send a managed payroll pack to the client/family for completion.
  • DF receives the payroll pack back from the client/family.
  • DF will apply for the HM Revenue and Customs (HMRC) references: Accounts Office number and Pay As You Earn (PAYE) reference.
  • DF will act as a payment agency for all employer liabilities, including but not limited to PAYE, statutory payments and holiday accruals.
  • DF will arrange the required insurance, on behalf of the Contract Holder, with the preferred provider.
  • DF will set up a nominated bank account if a PFS (Prepaid Financial Services) card is not available.
  • DF will set up the employer's payroll on their payroll system.
  • DF will set up the employer on the National Employment Savings Trust (NEST) government auto-enrolment work-based pension scheme.
  • DF will set up the employer with The Pensions Regulator.
  • DF will establish the status of the personal assistant (self-employed or employed).
  • DF will process the P46/P45 for the personal assistant.

Running the payroll:

  • DF receives the hours/timesheets from the client/family.
  • DF will check the timesheets are correctly calculated.
  • DF will check the hours claimed relate to the Direct Payment Agreement.
  • DF will calculate holiday pay and statutory payments, if applicable.
  • DF will process the payroll.
  • DF will send all relevant submissions to comply with HMRC requirements.
  • DF will process the pension, if applicable.
  • DF checks the PFS (Prepaid Financial Services) card or the designated client's bank account held by DF for available funds.
  • DF makes payments to employees, agencies, invoices, HMRC and NEST.
  • DF will send payslips to employees.
  • DF will comply with year-end closures.

Who reviews the data and how often? Are reviews ad hoc or routine?

Devon County Council:

Card accounts are monitored by the Direct Payment teams to ensure payments are being made for services as identified within the person's care and support plan.

Annual reviews are carried out by the Health and Social Care teams. There are also ad hoc reviews, in line with the DCC Direct Payments policy on reclaiming surplus amounts.

PFS:

Any member of staff whose access has been approved by management may review this on a daily basis. Security application logical access reviews take place to ensure only approved accounts can access systems, with account re-certification regularly taking place. Changes to permissions/applications can only be approved by a line manager and are logged in an industry-leading incident and change management tracking system.

Reviews are both routine and ad hoc. Robust security defences provide clustered firewalls, Web Application Firewalls and Intrusion Detection/Prevention systems at the perimeter to ensure only approved transactions/devices can access the PFS data. Quarterly reviews are/will be completed to validate access rules, device firmware and policies to prevent all unauthorised access.

If ad hoc, what triggers a review?

Devon County Council:

Direct Payment teams have access to a report within the PFS card provider's portal which identifies potential surpluses or low balances on individual accounts.

PFS:

PFS can, and will, call ad hoc reviews where unforeseen events arise which PFS believe require an urgent and detailed review of the circumstances surrounding the event.

Are card holders notified of a review?

Devon County Council:

If an individual has 5 weeks of unspent direct payment accruing, we will contact them to understand why this is. We will look at how they can be best supported if they are struggling to manage their direct payment and are not able to arrange care and support to meet their eligible needs.

When we contact an individual, we may also check that their direct payment is the right amount for the way in which they choose to meet their eligible needs within the scope of best value. We will know this if they have accrued money and their eligible needs are still being met and they are meeting any employer obligations that they might have.

In these circumstances it is likely that their direct payment and their personal budget will be reduced to reflect the choices that they are making that are gaining better value. We will also recoup any part of their direct payment that remains unspent once they have met their eligible needs and any employer obligations that they might have, i.e. HMRC payments, Personal Assistants' accrued annual leave payments or payment for Replacement Care (if applicable).

We won't reclaim a surplus without talking to the individual first, as there may be other reasons for a surplus amount, i.e. an accrual of monies to be used within college holidays; if this is the case, a note will be made so we are aware of this for future reference.

PFS:

Where PFS deem that a real risk to the card holder's security exists, PFS will notify card holders that such a review is being performed.

7. Which organisations, if any, is this data shared with? Have you drawn up an Information Sharing Agreement (ISA) to govern this sharing activity?

There is a Data Protection Agreement in place between the Council and PFS, which adheres to the GDPR.

PFS: Please see below the list of sub-processors with which PFS shares their data:

Devon County Council and Disability Focus:

We also share information with our partner agency Disability Focus, who manage budgets to support people with their admin tasks. There is no formal ISA in place, but the service level agreement between Disability Focus and Devon County Council contains terms and conditions in relation to:

* Confidentiality, transparency and publicity

* Freedom of information

* Data protection and data security