25 Jun 2008 01:23 PM
Cabinet Secretary publishes plan to improve data security

CABINET OFFICE News Release (CAB/070/08) issued by The Government News Network on 25 June 2008

Cabinet Secretary Sir Gus O'Donnell today published a review of information security in government, putting in place a new framework for the future to improve the rules, culture, accountability and scrutiny of data handling.

The review, which was commissioned by the Prime Minister, sets out the wide range of actions that have already been put in place to improve data security, and outlines what will be done to strengthen policies further by building on existing momentum.

The changes announced in the report fall into four groups:

* Core measures. A series of mandatory minimum measures is being put in place across government including encryption and compulsory testing by independent experts of the resilience of systems.

* Cultural change. All civil servants dealing with personal data are to undergo mandatory annual training. The Government will also introduce Privacy Impact Assessments, recommended by the Information Commissioner;

* Stronger accountability. Data security roles within departments are being standardised and enhanced to ensure clear lines of responsibility.

* Increased scrutiny. Departments will report on their performance, the NAO will look at what they say, and the Information Commissioner is already planning his first spot checks

The Cabinet Secretary said:

"To deliver the efficient, effective, joined-up services that people in the 21st century expect, Government departments must be able to share the information they hold - there are countless benefits in doing so, from making everyday tasks easier to saving lives.

"But we can only do this good work if the public trust us to keep their personal information safe and secure.

"Recent data losses and thefts have underlined the need for urgent action to improve data protection right across government and to bring about a fundamental change in culture among those who are entrusted with the public's personal records.

"Since November the Civil Service has responded with urgency and vigour to improve data security, and I am proud of all that has been achieved so far. However, I am under no illusion that more still needs to be done to restore public faith in the Government's ability to handle personal information safely.

"Although no organisation, public or private, can ever guarantee that it will never make a mistake, I believe the measures we are announcing today will ensure that the public can be assured we are taking the necessary measures to keep people's data secure."

Action already taken to improve security includes the Cabinet Office issuing new, stricter guidelines on the handling of sensitive personal data, 90,000 employees at HMRC being given additional security training and the encryption of 20,000 laptops at the MoD.

Publication of the review does not mark the end of the process. Work will continue to implement the review's findings and fresh guidance will be issued as and when circumstances change


Notes to editors

1. The Cabinet Secretary's review of Data Handling Procedures in Government was commissioned by the Prime Minister on 23 November 2007, following the loss of two computer HMRC discs containing sensitive personal data. An interim report was published on 20 December 2007.

2. The review's terms of reference were to examine the procedures in departments and agencies for the protection of data, their consistency with current Government-wide policies and standards and the arrangements for ensuring that procedures are fully and properly implemented. The Cabinet Secretary was also asked to make recommendations on improvements that should be made.

3. The review took place alongside two independent inquiries - the Poynter Review looking at the circumstances of the HMRC loss and the Burton Review of the MoD laptop loss earlier this year. Both reviews are also being published today.

4. The review took into account the work being done by the Information Commissioner and Mark Walport of the Wellcome Trust on the security of personal data across society as a whole, a study that began before the HMRC loss. This report will be published later this year.

5. Independent consultant Nick Coleman has also been conducting a long-term review of information assurance in the public sector, commissioned in 2006. His final report is published today and has helped to inform the Cabinet Secretary's report, and he will play a continuing role in helping us monitor the implementation of the measures announced today.

6. To complement today's report, Sir David Omand is examining the handling of high security printed documents. The Cabinet Secretary is studying the implementation of rules for handling documents, and will take account of Sir David's findings.

Cabinet Office Press Office 22 Whitehall LONDON SW1A 2WH