National Audit Office Press Releases
Protecting information across government
The Cabinet Office has not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information, according to the National Audit Office.
Today’s report found that its ambition to undertake such a role is weakened by the limited information which departments collect on their security costs, performance and risks. It also notes, however, that the UK Government has a strong international reputation in some areas of information security and digital government.
Protecting the information departments hold from unauthorised access or loss is a critical responsibility for departmental accounting officers. Departments are, however, increasingly required to balance this responsibility with the need to make this information available to other public bodies, delivery partners, service users and citizens via new digital services. And increasing dependencies between central government and the wider public sector mean that the traditional security boundaries have become blurred.
According to the NAO, too many bodies with overlapping responsibilities operate in the centre of government, confusing departments about where to go for advice. As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information, many of whom produce guidance. While the new National Cyber Security Centre (NCSC) will bring together much of government’s cyber expertise, in the NAO’s view, wider reforms will be necessary to further enhance the protection of information.
As accountability for information security is devolved to departments, government does not currently collect or analyse its overall performance in protecting information on a routine basis. This means it has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information.
Reporting personal data breaches is chaotic, with different mechanisms making departmental comparisons meaningless. In addition, the Cabinet Office does not have access to robust expenditure and benefits data from departments, in part because they do not always collect or share such data. The Cabinet Office has recently collected some data on security costs, though it believes that actual costs are ‘several times’ the reported figure of £300 million.
Some departments have made significant improvements in information governance, but most have not given it the same attention as other forms of governance. The Cabinet Office does not currently provide a single set of standards for departments to follow, and does not collate or act upon those weaknesses it identifies.
In the context of a challenging national picture it has been difficult for government to attract people with the right skills. The government established a security profession in 2013, and has undertaken some initial work to establish professional learning and development. Demand for skills and learning across government is growing and is likely to continue to grow. According to the NAO, plans to cluster security teams may initially share scarce skills, but will not solve the long-term challenge.
According to the NAO, the Cabinet Office is taking action to improve its support for departments, but needs to set out how this will be delivered in practice. The NAO recommends that to reach a point where it is clearly and effectively coordinating activity across government, the Cabinet Office must further streamline the roles and responsibilities of the organisations involved, deliver its own centrally managed projects cost-effectively and clearly communicate how its various policy, principles and guidance documents can be of most use to departments.
Amyas Morse, head of the National Audit Office said:
“Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge. To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”
Full Report: Protecting information across government
Notes for Editors:
- 200 – Number of cyber national security incidents dealt with by GCHQ per month in 2015, up from 100 per month in 2014.
- 8,995 – Number of data breaches recorded by 17 largest departments in 2014-15
- £300m – Limited government estimate of annual spend on security in 34 departments. Actual costs are thought to be ‘several times’ this figure
- 12 – Number of separate organisations in the centre of government with responsibility for aspects of protecting information
- £28m – Estimated annual government expenditure on external IT security support
- £200-£400m – Savings estimated, by 2014, from adopting the Public Services Network, as outlined in the 2011-12 business case. Actual PSN savings in 2014 were £103.4 million. No further savings are expected.
- 73 – The number of teams covering security in central government departments
- 1,600 – Number of protective security staff (information, physical and personnel) in central government departments
- The Prime Minister is ultimately responsible for the security of the UK Government. She is supported in this by the Cabinet Secretary, who chairs a permanent secretary committee which sets the overall direction and strategy for government security. Across departments, responsibility for information security lies with the respective ministers, permanent secretaries and their management boards.
- Press notices and reports are available from the date of publication on the NAO website. Hard copies can be obtained by using the relevant links on our website.
- The National Audit Office scrutinises public spending for Parliament and is independent of government. The Comptroller and Auditor General (C&AG), Sir Amyas Morse KCB, is an Officer of the House of Commons and leads the NAO, which employs some 785 people. The C&AG certifies the accounts of all government departments and many other public sector bodies. He has statutory authority to examine and report to Parliament on whether departments and the bodies they fund have used their resources efficiently, effectively, and with economy. Our studies evaluate the value for money of public spending, nationally and locally. Our recommendations and reports on good practice help government improve public services, and our work led to audited savings of £1.21 billion in 2015.
Direct line: 020 7798 7208 Mobile: 07985 274421 Email: firstname.lastname@example.org
Latest News from
National Audit Office Press Releases
The production and distribution of cash21/09/2020 11:15:00
The National Audit Office (NAO) recently (18 September 2020) reported that HM Treasury and the public bodies responsible for overseeing the cash system need to work together more effectively to achieve the government’s goal of safeguarding access to cash.
Financial sustainability of colleges in England17/09/2020 11:15:00
Tthe National Audit Office (NAO) yesterday reported that while the Department for Education (DfE) has spent significant amounts of money aimed at helping individual colleges in financial difficulty, core funding for the sector as a whole has fallen and its financial health remains fragile.
Progress report: Terminating the Magnox contract11/09/2020 12:05:00
Today the NAO reports that the Nuclear Decommissioning Authority (NDA) has incurred additional costs as a result of the failure of its Magnox contract, with the NDA agreeing to pay up to £20 million to exit the contract early, reduce risk and support a smooth transition. The total cost of the work needed to put the Magnox sites into the care and maintenance stage of the decommissioning process has also increased by up to an estimated £2.7 billion since the NAO last reported on the contract in 2017.
Childhood obesity10/09/2020 11:15:00
Successive governments have struggled to tackle rising childhood obesity and it is not clear that the Department of Health & Social Care’s (DHSC) current programme will be able to make the step change needed in the timescale available, according to yesterday’s report by the National Audit Office.
NAO responds to the publication of the Redmond Review09/09/2020 15:15:15
Gareth Davies, head of the NAO has responded to the publication of the Redmond Review into the Oversight of Local Audit and the Transparency of Local Authority Financial Reporting.
Learning for government from EU Exit preparations07/09/2020 11:15:00
In the recent (04 September 2020) report the National Audit Office (NAO) draws on the breadth of its work on EU Exit to share its perspectives on what government can learn from this experience.
Tackling the tax gap22/07/2020 16:15:00
Today the National Audit Office (NAO) reports that HM Revenue & Customs’ (HMRC’s) work to improve taxpayers’ compliance with the tax system has achieved high rates of return.
Review of the Town Deals selection process21/07/2020 14:15:00
Today’s review by the National Audit Office describes the process by which the Ministry of Housing, Communities & Local Government (the Department) selected the 101 towns that in September 2019 it invited to bid for up to £25 million, or up to £50 million in exceptional circumstances, from the £3.6 billion Towns Fund for England (The Towns Fund).