New security rules will help the public sector keep data safe
There used to be so many ways of classifying government data it was difficult to ensure data protection. Now there are much clearer rules, argues Microsoft.
Potential security breaches are an essential consideration for any organisation rolling out innovative new digital services, and the public sector must lead by example.
Until recently, rules around data security and privacy were complex and confusing. They were also increasingly unfit for purpose in the modern technology-enabled world with all its cloud-based service possibilities. This mismatch threatened to curtail the government’s own ambitions for a digital-first administration and public service.
But the situation is improving as simpler and clearer rules are set down about how to keep sensitive data safe.
New European data privacy rules, expected to be finalised as regulation in 2017, aim to provide a single set of rules on data protection across the European Union. The security-related requirements include:
• Those processing personal data (including third parties such as cloud providers) are responsible and accountable for safeguarding data – and for reporting any breaches promptly
• Owners should have ready access to their data and be able to transfer this easily to another service provider if needed
• Personal data won’t be transferred outside the European Economic Area (EEA) without adequate privacy protection.
Penalties for violating EU data protection rules range up to €1m. In the UK, the government has made its own controls on public sector data handling clearer and less onerous.
Previously, there were so many different ways of classifying government data that it was almost impossible for organisations to decide what could safely be held and managed where. The new government security classification policy (GSCP) and CESG’s cloud security principles (CSP), published last year, define much simpler data categories, and allow public sector organisations to interpret the levels of control needed for their own particular circumstances.
Public sector data is now broken down into three categories: official, secret and top secret. As much as 87% of data is classified as official, which frees government organisations to treat it with best-practice controls used by large commercial enterprises.
This improved clarity should help drive new public sector innovation, making it easier to use cloud-based technology services, for example – the CSPs offer guidance on how to ensure cloud solutions are appropriate for data classified as official.
“Public sector organisations are under increased pressure to generate cost savings, increase efficiencies and improve services, which is partly why the government has decided to embrace the potential of cloud computing,” notes Mark Thompson, privacy practice leader at KPMG.
“Taken together, the GSCP and the CSP can be seen as a concerted effort to prevent security being used as a blocker towards uptake,” comments Daniel Jones, senior analyst for defence and security at Kable, a public sector technology intelligence firm.
Potential suppliers promoting their services via the government G-Cloud must assert which of the 14 security principles they comply with. These include issues such as how data is protected when it is stored and when it is in transit, for example, is it encrypted as it passes across networks?
Suppliers must self-assess against each measure, providing complete transparency. Public sector organisations must also check their own particular compliance requirements – for example, if handling NHS medical data – and confirm that their trusted technology provider holds the appropriate certifications and accreditations.
Further considerations include whether data is segregated from other organisations’ content, and the provider’s policy for responding to law enforcement requests to access data. Vigilance must be ongoing. KPMG’s Thompson comments: “There needs to be an ongoing business relationship with the cloud provider, which must be able to adapt as the privacy and security landscape changes.”
New rules on security are there to help, not hinder, progress. Improving clarity over requirements, and how suppliers help meet them, will help the public sector make safer choices and innovate more confidently.
For more information, download the Cyber Security Demystified eBook
Organisation building centralised team to help Whitehall manage the digital implications of leaving the EU while maintaining longer-term transformation goals
The first of a two-part recap of 2017 looks at the biggest stories and most significant developments in the first six months of the year
PublicTechnology editor Sam Trendall picks out three topics that may define the year ahead
Dr Simon Eccles becomes the health service’s most senior medical leader for technology, replacing Keith McNeil
BT's Amy Lemberger argues that having the right security in place to protect your organisation is no longer just an option. It is a necessity.
BT brought together some their top security experts and CIOs from well known UK organisations to discuss digital transformation and the impact that it’s having on organisations
Vodafone explores some of the ways IoT is significantly improving public sector service delivery