The government has been warned it needs to go “further and faster” in improving data security.
The government on Thursday published a previously secret internal review of information security carried out by the Cabinet Office in 2023 under Rishi Sunak's administration. The review was launched following a series of high-profile public sector data breaches in the summer of 2023.
The review was published in response to requests from Dame Chi Onwurah, chair of the Science, Innovation and Technology Committee, for clarity about the government's work to prevent a repeat of the 2022 Ministry of Defence Afghan data breach – which was itself revealed less than two months ago.
Writing to ministers Pat McFadden and Peter Kyle on 24 July – a week after it was revealed that an MoD official had in 2022 accidentally shared the data of more than 18,000 Afghans seeking relocation to the UK – Onwurah asked for further information on the government’s processes for handling sensitive data.
Responding on 28 August, McFadden, the chancellor of the Duchy of Lancaster, and Kyle, the science, innovation and technology secretary, said they were publishing the 2023 information security review, the existence of which had not previously been public knowledge.
They added: "The review made a number of recommendations, these have been taken forward under the previous administration and under the current government. Good progress has been made but we must guard against complacency. This is an area on which we must keep a consistent focus to ensure standards continue to improve."
In a separate letter, senior officials told Onwurah that 12 of the review's 14 recommendations had been implemented.
Cat Little, the Cabinet Office permanent secretary and civil service chief operating officer, and Emran Mian, the perm sec at the Department for Science, Innovation and Technology, said the government has “taken concrete action to improve data security across government in a broad range of areas” including:
- Strengthening policies
- Creating better governance processes
- Enhancing technological solutions
- Placing greater emphasis on handling personal data securely in training and communications since the Afghan Relocations and Assistance Policy data incident.
The Science, Innovation and Technology Committee has published the exchange of letters alongside a letter from information commissioner John Edwards to McFadden, sent on 25 July, in which he called on the government to fully implement the recommendations of the information security review "as a matter of urgency".
Edwards said the government needs to go “further and faster” to raise standards and prevent further harm, highlighting the need for a central board to assume responsibility for "establishing a strong senior leadership voice for consistent data protection practice across government".
"Central coordination across government is essential for avoiding further incidents of this seriousness," he added. The information commissioner also issued guidance last month to help organisations disclose documents securely, following the MoD Afghan data breach.
Commenting on the publication of the information security review, Onwurah said she was “glad” that it has “finally been made public”, but added that it is “concerning that it took an intervention from my committee and the information commissioner to make this happen”.
Onwurah said the government still has questions to answer about the review, including: “Why have only 12 of the 14 recommendations been implemented? And why has it kept the very existence of this review a secret for so long, even after the 2022 Afghan Breach became public?”
She has asked McFadden and Edwards to appear before the committee to explain the circumstances around the review and how far its recommendations have been implemented.
“Proper scrutiny on this is desperately needed, and it’s crucial we have a better understanding of how the government plans to stop these dangerous data breaches,” Onwurah added.
“For the government to fulfil its ambitions of using tech to boost the economy and transform our public sector, it needs the public to trust that it can keep their data secure. If it can’t, how can anyone be comfortable handing over their personal information?”
What did the review find?
The Information Security Review looked at a series of data breaches in the public sector in 2023 and across the previous five years – at organisations including the Department for Work and Pensions, HM Revenue and Customs and the MoD – and found that they had three themes in common:
- A lack of sufficient controls over ad-hoc downloads or exports of aggregated sensitive data from databases.
- The release of sensitive information via "wrong recipient" emails, and the disclosure of membership of sensitive groups by placing recipients' addresses in visible To or Cc fields.
- The presence of hidden personal data within spreadsheets destined for publication or release.
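The third theme is one a pre-release check can catch mechanically. The script below is an added example written for this page, not code from the review or from any government department. It relies on the fact that an .xlsx file is a zip archive of XML parts: the workbook part records each sheet's visibility state, each worksheet part records hidden rows and columns, and pivot tables keep a cache of their source records in a separate part that survives even after the source sheet has been deleted. The sample workbook is constructed in memory so the script runs offline; the part names and attributes follow the OOXML conventions Excel uses, and the scan uses only the standard library.

```python
"""Pre-publication check for hidden data in an .xlsx file (added example).

An .xlsx is a zip of XML parts. Hidden sheets, hidden rows and columns and
pivot caches all remain in those parts even when the visible summary table
looks clean. Standard library only; no openpyxl required.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}
TRUE_VALUES = {"1", "true"}  # OOXML booleans may be written either way


def build_sample_xlsx() -> bytes:
    """Constructed sample workbook (not a real file): one visible summary
    sheet with a hidden row and a hidden column, one hidden sheet of
    case records, and a pivot cache part."""
    workbook = f"""<workbook xmlns="{MAIN_NS}"
  xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Summary" sheetId="1" r:id="rId1"/>
    <sheet name="Case list" sheetId="2" state="hidden" r:id="rId2"/>
  </sheets>
</workbook>"""
    sheet1 = f"""<worksheet xmlns="{MAIN_NS}">
  <cols><col min="3" max="3" width="12" hidden="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1" t="inlineStr"><is><t>Region</t></is></c></row>
    <row r="2" hidden="true"><c r="A2" t="inlineStr"><is><t>A. Example</t></is></c></row>
  </sheetData>
</worksheet>"""
    sheet2 = f'<worksheet xmlns="{MAIN_NS}"><sheetData/></worksheet>'
    cache = f'<pivotCacheRecords xmlns="{MAIN_NS}" count="1"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
        z.writestr("xl/pivotCache/pivotCacheRecords1.xml", cache)
    return buf.getvalue()


def scan_xlsx(data: bytes) -> list[str]:
    """Return one finding per piece of hidden content. Detection only:
    the caller still has to open the flagged parts and decide what to
    remove before release."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Sheet visibility lives in the workbook part: "hidden" can be
        # unhidden from the Excel UI, "veryHidden" only via VBA or XML.
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")
            if state != "visible":
                findings.append(f"{state} sheet: {sheet.get('name')!r}")
        for name in names:
            if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                ws = ET.fromstring(z.read(name))
                for col in ws.findall("m:cols/m:col", NS):
                    if col.get("hidden") in TRUE_VALUES:
                        findings.append(
                            f"hidden column(s) {col.get('min')}-{col.get('max')} in {name}")
                hidden_rows = [r for r in ws.findall("m:sheetData/m:row", NS)
                               if r.get("hidden") in TRUE_VALUES]
                if hidden_rows:
                    findings.append(f"{len(hidden_rows)} hidden row(s) in {name}")
            elif name.startswith("xl/pivotCache/pivotCacheRecords"):
                # Cached source rows outlive the sheet they came from.
                findings.append(f"pivot cache records retained: {name}")
    return findings


if __name__ == "__main__":
    for finding in scan_xlsx(build_sample_xlsx()):
        print(finding)
```

Run against the constructed workbook it reports four findings: the hidden sheet, the hidden column, the hidden row and the retained pivot cache. The worksheet parts are reported by file name rather than sheet title because mapping one to the other needs the relationships part as well; for a release gate, any non-empty result should block publication until a person has reviewed the flagged parts.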
It found that in all the incidents public servants "were acting in good faith in pursuit of a legitimate business objective", and suggested a set of short- and medium-term interventions "which we could make across the civil service to help reduce the risk of similar incidents occurring".
The review's 14 recommendations were grouped into four categories: process and governance; technology; policy; and culture and training. They were:
Process and governance
1. The civil service chief operating officer should write to permanent secretaries providing guidance on practical, user-friendly and business efficient actions to mitigate information security risks.
2. Permanent secretaries/accounting officers should assure themselves that key principles and processes within their departmental guidance on information security and data protection (including risk management responsibilities) have high visibility on staff intranets.
3. Perm secs/AOs should assure themselves that lead responsibility for data protection in their department is clear and is at the right seniority level relative to the department’s risk environment.
4. The Civil Service Operations Board should commission the Central Digital and Data Office to provide recommendations on strengthening the cross-government approach to information governance, and to deliver an initial scoping action plan.
Technology
5. Perm secs/AOs should commission internal business change advice on the adoption of data protection controls set out in the ‘Microsoft 365 Guidance for UK Government – Information Protection’ and report back to the civil service COO on their intentions by end-January 2024.
6. The Government Security Group and the Central Digital and Data Office in consultation with the National Cyber Security Centre should jointly undertake a review exercise to assess existing guidance on technical controls for products and services hosting OFFICIAL information.
Policy
7. The Civil Service Operations Board, or an alternative cross-government board with appropriate decision-making authority, should assume sponsorship from the civil service COO’s network of the Cross Government Data Protection Committee’s review of the data protection community.
8. The Government Security Group should issue an interim update that addresses clear inconsistencies in its published guidance on the mandated information asset owner role in departments.
9. The Government Security Group and Central Digital and Data Office should jointly review the information asset owner role.
10. The Government Security Group should update the description in the Government Security Classifications Policy of the Additional Marking ‘Personal Data’, as part of a scheduled review of the GSCP policy.
11. The National Security Secretariat should update and strengthen the requirements and the guided best practice for information management and data protection practices in departmental crisis management arrangements, which are set in the lead government department guidance.
Culture and training
12. The Government Security Group with the National Technical Authorities should deliver a cross-government and wider public sector behavioural influence communications campaign to address persistent poor information handling practices. This activity should be reviewed and repeated when appropriate.
13. The Government Security Group should review, and strengthen where appropriate, the guidance given on data protection and handling of aggregated data sets in the security and data training course (which is mandated training for all civil servants).
14. The Government People Group should review sanctions for negligence, including in contexts beyond information security, and make January 2024 recommendations accordingly, with a particular focus on situations in which serious injury or loss of life might result from the release of personal data.
The review also noted that good information security is “at the heart” of the recommendations but they are also “designed to support responsible information sharing and effective cross departmental working”.
In the letter to Onwurah, Little and Mian did not outline which 12 recommendations the government has implemented, but did confirm action taken in relation to recommendations 5, 8, 9, 10, 11 and 12.