Government sets out measures to raise information security and data protection standards in public sector

In a letter to the Science, Innovation and Technology Committee Chair, Dame Chi Onwurah MP, the Government’s Chief Security Officer, Vincent Devine, and its Chief Technology Officer, David Knott, noted that central to the measures would be a “step-change” in how data protection is coordinated in government.

They said: “Government Digital Service within the Department for Science, Innovation and Technology will take on responsibility for coordinating cross-government data protection risks and compliance.

“The Government Chief Data Officer (GCDO) will be the accountable individual responsible for managing cross-government data protection risks and compliance.

“We will establish a new, dedicated team reporting directly to the GCDO who will set consistent standards, respond swiftly to risks and advance privacy technology across government.”

New information management training will also be rolled out for all civil servants.

Alongside this, the letter confirmed that the Government is drawing up a “joint commitment” with the ICO to work together to raise standards.

It said: “The commitment will create a proactive mechanism for us to seek the ICO’s expertise and facilitate constructive feedback. Together, these measures will be a significant step towards building a more effective and accountable governance model for the protection of citizen data within government.”

Earlier this summer the Information Commissioner, John Edwards, called for the Government to go “further and faster” to ensure Whitehall and the wider public sector “put their practices in order”.

In a statement published earlier this week (20 October), Edwards wrote: ““[…] We are working on a joint commitment, in the form of a memorandum of understanding, that will explain how we will collaborate with government so its ambitions to use new technologies to transform public services, create a modern digital government, and drive economic growth are done so with the appropriate safeguards in place. We will agree with government on how my office can receive assurance on the delivery and impact of this work. 

“This is a single step forward, but it is a crucial one. Government must now carry through on these commitments, to ensure the public can trust and be confident when sharing their personal information with government, knowing that it will be handled responsibly and safely.”

Another measure outlined by the Cabinet Office letter is the establishment of a cross-government Technology Risk Group, to drive accountability for technology risk, “unifying all major technology risks under one clear and accountable governance structure”.

Additional measures across four key domains were set out as follows:

• Government policy and processes - We will ensure that the right senior officials across government are responsible for managing down risks of further data breaches, and that we get the response right if they do occur.
• Technology - Technological interventions can play an important role in mitigating the risk of data breaches. To drive full value from government’s critical IT partners, we’re strengthening strategic relationship management - starting with Microsoft, the backbone of government’s digital workplace.
• Culture - Fundamentally good information security also needs to become habitual for all civil servants. Accidental data breaches often result from general poor information handling. To help fix this, Government Digital Service (GDS) will support government information management professionals to ensure they have the authority and skills to help staff protect sensitive data.
• Relationship with the ICO - Underpinning all of this, we intend to strengthen our relationship with the ICO to ensure our work reflects the standards the regulator expects of us.

The letter noted that the ICO will periodically be invited to the Operations Board and Government Security Board “to support collaboration and continuous improvement”.

Lottie Winson