Written Ministerial Statement
Data Handling Review
25 June 2008
On 21 November, the Prime Minister announced that he had asked the Cabinet Secretary, with the advice of security experts, to work with Departments to ensure that all Departments and all agencies check their procedures for the storage and use of data. An Interim Report, published on 17 December, summarised action taken across Government, and set out initial directions of reform to strengthen the Government's arrangements.
I am today placing a final report in the libraries of both Houses. The final report summarises work conducted in Departments to improve data handling.
It further sets out how the Government is improving information security by putting in place:
- core measures to protect personal data and other information across Government;
- a culture that properly values, protects and uses information;
- stronger accountability mechanisms within Departments; and
- stronger scrutiny of performance.
The measures being put in place, which represent a new set of minimum mandatory standards for Departments, include:
- introducing new rules on the use of protective measures, such as encryption and penetration testing of systems;
- standardising and enhancing the processes by which Departments understand and manage their information risk, identifying the key individuals responsible for information assets and setting out their responsibilities;
- requiring quarterly risk assessment within each Department of the confidentiality, integrity and availability of information;
- introducing mandatory training for all staff involved in handling personal data, with training taking place on appointment and reinforced on an annual basis;
- requiring the use of Privacy Impact Assessments when introducing new policy or processes that involve the use of personal data;
- introducing greater scrutiny and monitoring through the inclusion of information risk in Statements on Internal Control, which are scrutinised by the National Audit Office, and through spot checks by the Information Commissioner;
- further enhancing transparency of arrangements, through annual reporting to Parliament on progress and the use of Information Charters which provide clarity to citizens about the use and handling of personal data; and
- a range of other measures to improve information security across Government.
The Cabinet Secretary's work was informed in part by a review of information assurance by Nick Coleman, which is also published today, with copies being placed in the libraries of both Houses. To complement today's report, Sir David Omand is examining the handling of highly classified documents. The Cabinet Secretary is looking at the implementation of the rules for handling documents, and will take account of Sir David's findings.
Progress in implementing the new measures and actions announced today will be overseen by the Cabinet Sub-Committee on Personal Data Security. Departments will report each year on their individual position and the Cabinet Office will report annually to Parliament on progress across Government as a whole, with the first report following the end of the 2008/09 financial year.
Effective public services depend on information about the people they serve. But in order to command public confidence, that information needs to be safely stored and protected. The Government is determined to take the necessary steps to improve data security. The measures outlined today are an important part of that process.