We considered privacy very early in the Discovery phase and completed both a short and long Privacy Impact Assessment (PIA). The team is in dialogue with the data protection team in order to make sure the project complies with EU General Data Protection Regulation (GDPR) Act / Data Protection Act 2018. We identified that the primary impact of our service is our use of new technology in that we are creating a bespoke front-end and using MS Dynamics 365. We are not collecting new data, reusing existing data or generating algorithms via data.
We are in receipt of a security report and have enacted the security recommendations therein. We are now in a position to have the PIA signed off.
Callers are asked to provide answers to certain Data Protection Act (DPA) questions if they request sensitive information such as rent balances. A risk we identified was the possibility of agents forgetting to ask callers to provide such answers and effectively divulging information to an anonymous caller.. To mitigate this risk, agents are now prompted via copy on the interface to ask these questions at key moments along the relevant journeys.
We did not want to restrict all user journeys to callers who correctly answered DPA questions. We particularly wanted to enable so-called anonymous callers to pay rent - the use case is generally a partner who is not registered on the tenancy but is living at the address and wants to make a rent payment. Therefore we enable this but designed a system that did not dispense sensitive information such as rent balances in receipts.
Furthermore, information is obtained from the API only when it is relevant (e.g. transaction information is obtained when looking at transaction history). And any new contact information entered by the agent is saved to the CRM via the NCC API.
Security has always been our priority. We make sure we always deal with citizens' data in a safe environment and that our code is not exposing any security details. Furthermore, that we have appropriate authentication at the user level to make sure citizen data is appropriately tagged. We have run through all our code and had it reviewed by our Security Officer to make sure we do not have hacking threats in our system. We are also making sure our website is secure by having the appropriate security certificate installed on our web environments.
Going forward, we shall be including our Security Officer in our sprint planning meetings so that he and the developers can work together more closely.