CABINET OFFICE News
Release (CAB/070/08) issued by The Government News Network on 25
Sir Gus O'Donnell today published a review of information
security in government, putting in place a new framework for the
future to improve the rules, culture, accountability and scrutiny
of data handling.
The review, which was commissioned by the Prime Minister, sets
out the wide range of actions that have already been put in place
to improve data security, and outlines what will be done to
strengthen policies further by building on existing momentum.
The changes announced in the report fall into four groups:
* Core measures. A series of mandatory minimum measures is being
put in place across government including encryption and compulsory
testing by independent experts of the resilience of systems.
* Cultural change. All civil servants dealing with personal data
are to undergo mandatory annual training. The Government will
also introduce Privacy Impact Assessments, recommended by the
* Stronger accountability. Data security roles within
departments are being standardised and enhanced to ensure clear
lines of responsibility.
* Increased scrutiny. Departments will report on their
performance, the NAO will look at what they say, and the
Information Commissioner is already planning his first spot checks
The Cabinet Secretary said:
"To deliver the efficient, effective, joined-up services
that people in the 21st century expect, Government departments
must be able to share the information they hold - there are
countless benefits in doing so, from making everyday tasks easier
to saving lives.
"But we can only do this good work if the public trust us to
keep their personal information safe and secure.
"Recent data losses and thefts have underlined the need for
urgent action to improve data protection right across government
and to bring about a fundamental change in culture among those who
are entrusted with the public's personal records.
"Since November the Civil Service has responded with urgency
and vigour to improve data security, and I am proud of all that
has been achieved so far. However, I am under no illusion that
more still needs to be done to restore public faith in the
Government's ability to handle personal information safely.
"Although no organisation, public or private, can ever
guarantee that it will never make a mistake, I believe the
measures we are announcing today will ensure that the public can
be assured we are taking the necessary measures to keep
people's data secure."
Action already taken to improve security includes the Cabinet
Office issuing new, stricter guidelines on the handling of
sensitive personal data, 90,000 employees at HMRC being given
additional security training and the encryption of 20,000 laptops
at the MoD.
Publication of the review does not mark the end of the process.
Work will continue to implement the review's findings and
fresh guidance will be issued as and when circumstances change
Notes to editors
1. The Cabinet Secretary's review of Data Handling
Procedures in Government was commissioned by the Prime Minister on
23 November 2007, following the loss of two computer HMRC discs
containing sensitive personal data. An interim report was
published on 20 December 2007.
2. The review's terms of reference were to examine the
procedures in departments and agencies for the protection of data,
their consistency with current Government-wide policies and
standards and the arrangements for ensuring that procedures are
fully and properly implemented. The Cabinet Secretary was also
asked to make recommendations on improvements that should be made.
3. The review took place alongside two independent inquiries -
the Poynter Review looking at the circumstances of the HMRC loss
and the Burton Review of the MoD laptop loss earlier this year.
Both reviews are also being published today.
4. The review took into account the work being done by the
Information Commissioner and Mark Walport of the Wellcome Trust on
the security of personal data across society as a whole, a study
that began before the HMRC loss. This report will be published
later this year.
5. Independent consultant Nick Coleman has also been conducting a
long-term review of information assurance in the public sector,
commissioned in 2006. His final report is published today and has
helped to inform the Cabinet Secretary's report, and he will
play a continuing role in helping us monitor the implementation of
the measures announced today.
6. To complement today's report, Sir David Omand is
examining the handling of high security printed documents. The
Cabinet Secretary is studying the implementation of rules for
handling documents, and will take account of Sir David's findings.
Cabinet Office Press Office 22 Whitehall LONDON SW1A 2WH