GLD Vacancies

New approach "needed to protect information when public services redesigned"

A new approach is needed in the public sector to protecting information while public services are re-designed and technology is introduced to support them, the National Audit Office has said.

In a report, Protecting information across government, the spending watchdog said the Cabinet Office had yet to establish a clear role for itself in coordinating and leading departments’ efforts to protect their information.

The report also said the Cabinet Office’s ambition to undertake such a role was weakened by the limited information that departments collected on their security costs, performance and risks.

The NAO acknowledged that the UK Government enjoyed a strong international reputation in some areas of information security and digital government.

But the spending watchdog said:

  • Protecting the information departments hold from unauthorised access or loss was a critical responsibility for departmental accounting officers. Departments were, however, increasingly required to balance this responsibility with the need to make this information available to other public bodies, delivery partners, service users and citizens via new digital services. Increasing dependencies between central government and the wider public sector meant that the traditional security boundaries had become blurred.
  • Too many bodies with overlapping responsibilities operated in the centre of government, “confusing departments about where to go for advice”. As at April 2016, at least 12 separate teams or organisations in the centre of government had a role in protecting information, the NAO said, many of whom produced guidance. While the new National Cyber Security Centre (NCSC) will bring together much of government’s cyber expertise, the NAO said it believed wider reforms would be necessary to further enhance the protection of information.
  • With accountability for information security devolved to departments, government did not collect or analyse its overall performance in protecting information on a routine basis. “This means it has little visibility of information risks in each department and has limited oversight of the progress departments are making to better protect their information.”
  • Reporting personal data breaches was “chaotic, with different mechanisms making departmental comparisons meaningless”. The Cabinet Office did not have access to robust expenditure and benefits data from departments, in part because they did not always collect or share such data. The Cabinet Office believed that actual security costs are ‘several times’ the reported figure of £300m.
  • Some government departments had made significant improvements in information governance, but most had not given it the same attention as other forms of governance. “The Cabinet Office does not currently provide a single set of standards for departments to follow, and does not collate or act upon those weaknesses it identifies.”
  • In the context of a challenging national picture it had been difficult for government to attract people with the right skills. Demand for skills and learning across government was growing and was likely to continue to grow.

The NAO noted how the Cabinet Office was taking action to improve its support for departments, but needed to set out how this would be delivered in practice.

The watchdog called on the Cabinet Office to “further streamline the roles and responsibilities of the organisations involved, deliver its own centrally managed projects cost-effectively and clearly communicate how its various policy, principles and guidance documents can be of most use to departments”.

Amyas Morse, head of the National Audit Office, said: “Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge. To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved.”