
Cabinet Secretary publishes Plan to improve Data Security

Cabinet Secretary Sir Gus O'Donnell published a review of information security in government, putting in place a new framework for the future to improve the rules, culture, accountability and scrutiny of data handling.
 
The review, which was commissioned by the Prime Minister, sets out the wide range of actions that have already been put in place to improve data security, and outlines what will be done to strengthen policies further by building on existing momentum.

The changes announced in the report fall into four groups:

  • Core measures.  A series of mandatory minimum measures is being put in place across government, including encryption and compulsory testing by independent experts of the resilience of systems.
  • Cultural change.  All civil servants dealing with personal data are to undergo mandatory annual training.  The Government will also introduce Privacy Impact Assessments, recommended by the Information Commissioner.
  • Stronger accountability.  Data security roles within departments are being standardised and enhanced to ensure clear lines of responsibility.
  • Increased scrutiny.  Departments will report on their performance, the NAO will look at what they say, and the Information Commissioner is already planning his first spot checks.

The Cabinet Secretary said:
"To deliver the efficient, effective, joined-up services that people in the 21st century expect, Government departments must be able to share the information they hold - there are countless benefits in doing so, from making everyday tasks easier to saving lives.
 
But we can only do this good work if the public trust us to keep their personal information safe and secure.
 
Recent data losses and thefts have underlined the need for urgent action to improve data protection right across government and to bring about a fundamental change in culture among those who are entrusted with the public's personal records.
 
Since November the Civil Service has responded with urgency and vigour to improve data security, and I am proud of all that has been achieved so far.
 
However, I am under no illusion that more still needs to be done to restore public faith in the Government's ability to handle personal information safely.
 
Although no organisation, public or private, can ever guarantee that it will never make a mistake, I believe the measures we are announcing today will ensure that the public can be assured we are taking the necessary measures to keep people's data secure."
 
Action already taken to improve security includes the Cabinet Office issuing new, stricter guidelines on the handling of sensitive personal data, 90,000 employees at HMRC being given additional security training and the encryption of 20,000 laptops at the MoD.
 
Publication of the review does not mark the end of the process.  Work will continue to implement the review's findings and fresh guidance will be issued as and when circumstances change.
 
In the same week, the Independent Police Complaints Commission has published a report that found that the processes for data handling were woefully inadequate at HM Revenue and Customs' Child Benefit Office in Washington, but individual members of staff were not to blame for losing the missing Child Benefit data CDs.
 
The IPCC's investigation uncovered failures in institutional practices & procedures concerning the handling of data. It revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices & procedures were less than effective. Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately.

The IPCC found that there was:

  • a complete lack of any meaningful systems
  • a lack of understanding of the importance of data handling and
  • a 'muddle through' ethos

In addition, the Ministry of Defence (MOD) has published Sir Edmund Burton's report into the stolen laptops containing the personal details of individuals who expressed interest in joining the Armed Forces.
 
Sir Edmund Burton found MOD policies & procedures are generally fit for purpose and cited examples of good practice by the Department, particularly the measures introduced after the loss which were effective in preventing similar damaging losses.  But he identified a number of areas where MOD needs to do better in protecting personal data.
 
The MOD has accepted all of Sir Edmund's 51 recommendations and has prepared a comprehensive action plan to implement them.
 
 
Further information
Final report on Data Handling Procedures across government
 
Written Ministerial Statement by Ed Miliband, Minister for the Cabinet
 
'HMRC, Washington - IPCC independent investigation report into loss of data relating to Child Benefit'
 
Poynter review – Final Report
 
Report into the Loss of MOD Personal Data
 
Defence Secretary's Written Ministerial Statement regarding the Burton Review
 
MOD Action Plan in response to Burton Report
 
Information Assurance Advisory Council
 
Office of the Information Commissioner
 
IC statement on HMRC and MoD data losses


