Annex B: The Government's strategy for information assurance
In 2003 the Cabinet Office prepared a National Information Assurance Strategy [25] framework document for heads of government departments and public bodies, to help them understand the risks associated with information and communications technology.
In 2004 the Cabinet Office published Protecting our information systems. [26] The document set out the Government’s approach to dealing with the risks relating to information and communications technology systems for those with security responsibilities within central Government. The key message was that trust and confidence in public sector information systems were essential to ensure the uptake of online public services. With that in mind, it recommended the appointment of Senior Information Risk Owners (SIROs) at board level in all government departments. The SIRO was to be responsible for ensuring that information system risk was managed appropriately; for the development of good risk management systems and procedures; and for awareness of information security issues, in order to protect the delivery of public services.
In September 2006 the government published its Information sharing vision statement. [27] The statement said that the government recognised that the more it shared information, the more important it was that people were confident their personal data was kept safe and secure. The government acknowledged that a lot of information was already being shared and that the sharing might grow.
In June 2007 the government updated the original National Information Assurance Strategy. [28] The document broadened the government’s original approach to focus on three main objectives. To achieve the first of the objectives, it said that ‘Clear board-level ownership and accountability for information risks will be required’ and ‘Where information is shared, a single point of risk ownership will be identified’.
In June 2008 the Cabinet Office published Data Handling Procedures in Government: Final Report. [29] The review into cross-government data handling procedures put in place measures to improve the way in which government departments manage and handle personal data. Among those measures were that all government departments would:
- deliver a basic level of training to all data users to be completed on appointment and annually;
- ensure that every information system had a Senior Responsible Owner (SRO) [30] with responsibility for managing the associated risks;
- report to the Cabinet Office each financial year a summary of protected personal data‑related incidents formally reported to the Information Commissioner;
- report to the Cabinet Office each financial year a summary of centrally recorded protected personal data-related incidents not formally reported to the Information Commissioner;
- report to the Cabinet Office each financial year a summary statement of actions to manage information risk; and
- issue an Information Charter setting out the standards that people can expect when a department holds personal information, how an individual can access their personal data, and what an individual can do if they do not think that standards are being met.
In June 2008 the Cabinet Office also published details of an independent review of government information assurance. The report identified actions which would help the government deliver its vision of joined-up government and data sharing (Annex B, paragraph 3). In essence, the review found that information assurance within departments was progressing, but new thinking and new mechanisms needed to be put in place. Of relevance to the issues raised by Ms M’s case are the recommendations that government should:
- create a vision for information assurance laying out for citizens and stakeholders what it considers are acceptable parameters for the sharing, management, and protection of information held and managed by government departments;
- create clear rules on security across government and define minimum standards;
- enable independent monitoring for compliance; and
- measure security to a defined standard by mandating the reporting of incidents to an independent organisation responsible for capturing incidents and ensuring investigations are concluded and lessons are learnt.
In July 2008 Richard Thomas, the then Information Commissioner, and Dr Mark Walport, the Director of the Wellcome Trust, presented the government with their recommendations on the use of personal information in the public and private sectors in the Data Sharing Review Report. [33] The report made 14 recommendations. It concluded that all organisations sharing significant amounts of data should: clarify their corporate governance arrangements; publicise their privacy policies; ensure that their privacy policies included details of why an organisation held personal information, how it would be used, who would be able to access it, who it would be shared with, and how long it would be kept; and review and enhance the training given to staff on how to handle personal information.
In January 2010 the Cabinet Office issued the government’s first annual report on protecting information within government departments. [34] The report outlined the progress made by government departments in managing information risk since 2008. It confirmed that the mandatory measures put in place at that time (Annex B, paragraph 5) had been achieved across government departments and said:
‘Should a loss or compromise of information occur, departments are now required to have a process to ensure that it can be dealt with as speedily and efficiently as possible. These processes focus on reducing any risk to those involved, minimising any impacts, swiftly learning lessons and implementing change where necessary.’
On 8 October 2010 the Information Commissioner’s Office launched a consultation on a new statutory code of practice on the sharing of personal data. The consultation runs for 12 weeks, ending on 5 January 2011. The draft code sets out a model of good practice for public, private and third sector organisations, and covers routine data sharing, as well as one-off instances where a decision is made to release data to a third party.
The code covers a number of areas including:
- what factors an organisation must take into account when coming to a decision about whether to share personal data;
- the point at which individuals should be told about their data being shared;
- the security and staff training measures that must be put in place;
- the rights of the individual to access their personal data;
- when it is not acceptable to share personal data.