Data security in Government: a briefing on Sir Gus O'Donnell's report

Out-Law News | 26 Jun 2008 | 1:11 pm | 4 min. read

Sir Gus O'Donnell wrote one of the four reports published yesterday on the security of Government information systems. The report will have a major impact on both the public and private sectors.

OUT-LAW published a summary of all four reports yesterday. Here, Rosemary Jay, head of the information law team at Pinsent Masons, the law firm behind OUT-LAW.COM, provides a briefing on Sir Gus O'Donnell's Report. We have also published a briefing on the Poynter Report today.

Significant actions arising from Sir Gus's review of data handling in Government have been highlighted previously:

  • The introduction of mandatory minimum security measures across government when handling personal data, including encryption and compulsory testing by independent experts of the resilience of systems;
  • A new requirement that civil servants dealing with personal data undergo mandatory annual training;
  • An increased role for the use of Privacy Impact Assessments;
  • The standardisation of data security roles within departments, which the report says will ensure clear lines of responsibility; and
  • A requirement for Departments to report on their performance under the scrutiny of the National Audit Office and the right of the Information Commissioner to perform spot checks.

The Report (46-page / 218KB PDF) does not cover the incidents which led to the loss of the HMRC disks; it does not cover Government policy on the use and sharing of personal data; and it does not cover the legal obligations of those who handle personal data. These matters are the subject of other current or imminent reports.

It does cover the practicalities of what Government Departments, Non-Departmental Public Bodies (NDPBs) and private sector contractors who work for Government are going to have to do from now on when handling information about identifiable individuals.

The application of these new requirements will extend to contractors working for the public sector as well as local authorities and other public bodies. It will therefore have a major impact outside the public sector.

The Report is divided into three sections: Scene-setting; Better data handling; and Implementation.

Scene-setting

This section sets out the relationship with other initiatives and departments. There is no change in responsibility for the policy or law in the areas of data protection but there will be a new Cabinet Committee to oversee the implementation of the data handling requirements.

On policy, the report reiterates the Government's commitment to increasing the sharing and use of information as a matter of public policy but acknowledges that this policy, combined with the increased sophistication of the technology, presents challenges which have to be met.

It does not describe the problems or failings that led to the review and report, other than in the broadest terms; instead it sets out what it regards as best practice in the area of handling personal information. This has been drawn from a variety of sources.

Good practices are classified under the headings Specific measures, Culture, Accountability and Scrutiny and Transparency. These are reflected in the next section on data handling which sets out the good practice approaches to be adopted in the future.

Better data handling

This is the meat of the report. In this section the new concept of "protected personal information" is introduced as personal information which merits protection. The report explains that this covers:

  • Any identifiable personal information where disclosure carries a significant risk of harm or distress; and
  • Any data set of over 1,000 records of identifiable personal information.

An entirely new approach to the handling of such information is required. The key components of the new approach are:

  • A set of core security and management measures to deliver consistent protection;
  • A change in attitudes fostered by mandatory training and the use of Privacy Impact Assessments for new initiatives;
  • Accountability for the information in the possession of the Department; and
  • Transparency and scrutiny of Departmental data handling.

Each of the key components is set out in detail with the steps to achieve it.

Implementation

As an interim Report flagging many of these issues was delivered in December, the process of implementation has already started. Sir Gus's report explains that implementation within Government will progress faster than outside it, but that Government expects to cascade the requirements to everyone who forms part of its supply chain.

It states:

"Many Government Departments engage with private sector companies to contract out elements of the services they provide or to provide Departments themselves with services which support their organizations. Contractors will, as part of their service provision, handle information belonging to the Department or to the public for whom the Department serves (sic).

"Departments will build into new contracts the new requirements set out in this report. In addition, Departments are working with contractors under existing contracts to apply the same controls and to monitor their performance. Contact so far with contractors suggests that they recognize the shared interest in achieving high levels of data security."

The timescales for the implementation of specific measures such as the adoption of penetration testing and training for staff are set out with some ambitious targets for departments.

Comment

There is a sense of the swing of the pendulum in the new approach and it might be regarded as heavy-handed, but the recognition that data handling involves risks is welcome. There is an interesting emergence of the concept of Government as the custodian of people's information, rather than having a general right to regard it as the Government's information.

The report does not address the question of whether a straightforward solution would be for the Government to collect less data. Nor does it address the risks being run by the consolidation of datasets. But that was never intended to be the focus of the exercise.

The focus is highly practical. It does not consider the specifics of the legal regimes, or refer to any breach of the Data Protection Act (DPA) in the failure of security. It never mentions the specific legal obligations under the DPA or uses any terms from that Act. On the contrary, it deals with security as a management issue for Government and eschews the language of data protection. It refers to Departments as "custodians" of information, develops a new reference to "protected personal information" and clearly states that the same standards are to be applied to all information, however held.

For organisations outside the public sector the main impact of Sir Gus's report will be on those with public sector contractual relationships. We have already seen the impact on those who currently have large central Government contracts but eventually this will cascade through the entire public sector and all those involved will need to be prepared.

Training for you: Pinsent Masons is running a course on Law, Security and Data Handling (2-page / 146KB PDF), which looks at minimising the regulatory risks through good governance.