Multifactor Authentication (MFA)

In order to comply with articles 13 and 14 of the General Data Protection Regulation (GDPR), where personal data relating to a data subject is collected, Lancashire County Council would like to provide you with the following details.

Identity and contact details of the Data Controller

  • Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Contact details of the Data Protection Officer

  • Our Data Protection Officer is Paul Bond. You can contact him at dpo@lancashire.gov.uk or Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ.

Purposes for processing

Lancashire County Council has introduced new measures to help protect LCC systems and data held within its systems. These include multi-factor authentication (MFA), i.e. requiring system users to verify their identity using additional factors alongside the current use of usernames and passwords.

MFA is already generally used to manage public access to services such as banking, and is therefore widely accepted as an expected level of protection in many sectors. The ICO expect organisations to justify and explain any decision not to use available security measures. MFA is becoming a standard or expected security measure, along with regular password-reset.

In this context LCC has carefully assessed the risks and benefits of introducing the MFA and automatic password reset processes. We consider that it is necessary to use MFA and SSPR to ensure appropriate protection for LCC systems.

How the personal information is held by LCC

The details you provide will always be kept securely within Microsoft 365. The information will only be used for authentication. The information will only be accessible to you (via your LCC login to Microsoft 365 services) and to a small number of LCC privileged administrators. (These administrators will have access to the contact information you provide but not any answers you provide for security questions.)

Why LCC are doing this

LCC has ongoing legal obligations to ensure the integrity of its systems and protect personal data and other information held within its systems. Cyber-attacks on organisations’ systems are becoming increasingly common and have a very significant impact on organisations and individuals. A cyber security incident could result in loss of personal information of LCC staff, service users, and third parties (e.g. suppliers and providers), lock users out of LCC systems and resources, and disable key operations. A worst-case scenario could involve LCC being unable to access and use core systems for a significant period. This could affect all of our systems and business processes and may prevent us from providing statutory public services. Successful cyberattacks very often start through use of a compromised email or system account, i.e. where the attacker is able to log into the system using the account details of an authorised user. MFA and password reset are intended to make that much more difficult.

The authentication process must by definition use some information which is personal to you or personally accessible only by you. As set out below, the personal data you provide for these purposes will be kept secure and used minimally. However, we encourage you to use the authentication app for MFA, as this reduces the amount of personal contact information you need to input each time while still providing the direct personal verification required for security purposes. LCC have provided guidance for staff on how to keep personal devices secure.

For these purposes, we ask all system users (employees, members, workers (including agency, casual and contracted staff), volunteers, trainees, staff, and external partners who access LCC systems) to complete a registration process for MFA and an automatic password re-set service (SSPR).

This asks users to provide personal contact details (personal email address and phone number other than an LCC number) and other personal information which will be used as the answers to security questions. Users can also choose to use an authenticator app (the Microsoft Authenticator app) as an authentication factor, by downloading the app to their smartphone and entering a code provided by the app when prompted by the LCC system.

Lancashire County Council takes the processing of your personal data seriously. Please be assured that your information will be used appropriately in line with data protection legislation; will be stored securely and will not be processed unless the requirements for fair and lawful processing can be met.

We use personal data in accordance with our Information Governance policies and specifically to:

  • protect LCC systems and the personal information held within those systems from unauthorised or unlawful processing and against accidental loss, destruction or damage, as required by Article 5 (1) (f) UK GDPR.

Pseudonymisation and anonymisation

Lancashire County Council is committed to using pseudonymised or anonymised information as much as is practical, and in many cases, this will be the default position. Pseudonymisation is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. Anonymisation is the process of removing identifying particulars or details for statistical or other purposes.

We may collect your personal information through:

  • electronically through an online questionnaire form
  • paper questionnaire form
  • electronically if you contact us from an email address
  • face-to-face interview with an interviewer using a paper or electronic questionnaire
  • letter response that you send us

We may use external providers for consultations and surveys. Our electronic annual staff survey data is hosted by Snap Surveys on behalf of Lancashire County Council. The data is stored securely as specified in the Snap Surveys privacy policy.

All information you provide is treated in confidence and in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

No personal information which can identify you, such as your name or address, will be used in producing reports. We will follow our Data Protection policies to keep your information secure and confidential. Your equality data will be anonymised before it is sent to other teams.

Category of personal data being processed

  1. Personal data (information relating to a living, identifiable individual)

Legal basis for processing personal data

The legal basis for processing your personal data, in accordance with Article 6 (1) of GDPR is:

(f) Legitimate Interests: pursued by the controller or by a third party.

The legitimate interest pursued by LCC is ensuring the security and appropriate protection of LCC systems and the information held within those systems. We consider that this interest is not outweighed by the interests or rights of the data subjects, taking account of the secure way in which we will hold the data (see below) and the fact that the data subjects (staff, members and external third parties) would themselves be likely to experience adverse impact from any security breach of LCC systems.

Furthermore, LCC has a legal obligation to comply with UK GDPR, specifically in complying with Article 5 (1) (f) UK GDPR (Principle of 'integrity and confidentiality') which states:

"Personal data shall be processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures"

Your rights

You have certain rights under the UK General Data Protection Regulation (UK GDPR). These are the right:

  • to be informed via Privacy Notices such as this.
  • to withdraw your consent. If we are relying on your consent to process your data then you can remove this at any point.
  • of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months; if we need to do this we will contact you. You can make a subject access request via a letter to the Information Governance Team, address below.
  • of rectification. We must correct inaccurate or incomplete data within one month.
  • to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.
  • to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
  • to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.
  • to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
  • in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

If you want to exercise any of these rights then you can do so by contacting:

Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Or email: dpo@lancashire.gov.uk

To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), and as much detail as possible regarding your request so that we can identify any information we may hold about you. This may include your previous name and address, date of birth and what council service you were involved with.

Further information

For more information about how we use personal information see Lancashire County Council's full privacy notice.

If you wish to raise a complaint on how we have handled your personal data, you can contact the Information Governance team who will investigate the matter.

Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ or email: dataprotection@lancashire.gov.uk

If you are not satisfied with our response, or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).