14th September 2011 at 10:08:07 by Civil Service World
data security, public service reform
Under David Cameron’s vision of the ‘Big Society’, a range of new bodies will come in to deliver public services. Ben Willis hears concerns over the security of public data – and ideas on how information can be secured.
One of the most concrete proposals yet to emerge from David Cameron’s multi-faceted ‘Big Society’ concept is that local bodies such as charities, social enterprises and mutuals take on the running of public services. Adding flesh to the idea’s bones in July’s Open Public Services white paper, the prime minister said he envisages devolving control over services to the lowest appropriate level, where they’ll be delivered by a range of different providers.
Of course, the prime minister’s proposed reforms are not without their risks – and one that will be of concern to many is the handling by these new providers of personal data. Running almost any service requires the safe management of large amounts of sensitive personal information about members of the public. And as the all-too-frequent headlines about lost laptops and missing disks attest, this is something that even central government – let alone an army of small, voluntary sector organisations – struggles to achieve consistently.
Last month, a round table convened by Civil Service World and sponsored by IT services company HP set out to debate the prospects for information assurance (IA) in the era of the Big Society. If hundreds of small, thinly-resourced local bodies step up to take on the roles of traditional service providers, are there greater risks of data being lost or falling into the wrong hands? Whose responsibility is it to ensure that the Big Society’s new service-delivery bodies safeguard information? And what needs to be done to ensure that the new generation of service providers is properly geared-up for the challenge of information assurance?
Risks and responsibilities
Participants began by discussing whether Big Society organisations carry greater risks than the traditional delivery agents of government. James Johns, director of strategy for civil government at HP Enterprise Services, noted that in recent years IA has improved dramatically in central government. “The culture has changed massively among departments and traditional suppliers to government,” he said. “The challenge is to take the practice established there, which is a combination of hard measures – changed contractual terms around IA – plus softer measures around awareness and cultural change, and apply them to the longer tail of public service delivery organisations.” Johns concluded with a question: will a new type and generation of service delivery bodies bring new risks when it comes to the safeguarding of data?
David Critchley, information assurance standards manager at the Home Office, thought not. “Can I throw a question back?” he said. “Say you’re dealing with rape victims: would you expect their information to be handled less securely by a charity like Victims of Crime than by a government department?”
Johns agreed this was unlikely to be the case, but pointed out that there is a difference between an expectation that an organisation will take good care of any data it holds, and the actual practices it adopts for doing that. “If you’re not familiar with government information-assurance practice you might think, for example, that merely locking the door of the office where the computer is kept, or taking the laptop home every night, is good practice,” he said.
He added that ultimately, however well any supplier protects the information it holds, if it’s delivering a government service there will always be some risk to the department commissioning that service. “If government has commissioned a service, then it takes some tacit responsibility for that service,” Johns said.
Critchley agreed, citing the 2008 incident in which a contractor working for the Home Office lost a memory stick containing details of some 90,000 prisoners in England and Wales. In this particular case, Critchley said, although the government was able to prove a contractual breach on the part of the company that had lost the data, it was still the Home Office that was guilty in the eyes of the public. “We were still the ones in the press with the headlines,” he said. “We will always be culpable in some way, and we have to insure ourselves against that happening as much as possible.”
Enforcing information assurance
So how can departments give themselves a sufficient level of assurance? A number of participants said they favour better guidance from central government, rather than legislation, as a means of ensuring sound IA practices among Big Society organisations. Melanie McGrory, an HP defence and security specialist, said: “I’m more for guidelines, because that drives the right behaviour.”
As an example of departments enforcing good IA practice among external contractors, Clare Rees, information asset owner for one of the Department for Transport’s databases, said that access for suppliers who use the database is carefully controlled through contractually-agreed arrangements based on Cabinet Office guidelines. These have been backed up by physical inspection of the contractors’ premises. “When the contract was first written, our security officers visited the site and spoke with the IT experts there, and gave us the assurance that the facility was suitable,” she said. “We are quite regimented in how we look after data.”
Another tool available to departments in ensuring secure handling of information is the privacy impact assessment devised by the Information Commissioner’s Office (ICO). According to Critchley, this is one means by which the data risks of a particular project or transaction can be assessed and appropriate mitigation measures built into contractual terms.
However, Simon Lock, records manager at the Security Industry Authority, said the ICO’s current stance on privacy impact assessments is that they are non-mandatory – a situation that, he said, needs to change. “I think the ICO should now make these mandatory,” he said. “If we’re moving to a scenario where we’re going to be asking more third parties to take on management of personal data sets, maybe the ICO needs to look into that a bit further.”
Ian McCormack, senior IA consultant at CESG, the national authority for information assurance, said he is unsure whether further legislation is required to ensure that IA practices are brought up to date with government policy, but agreed that new governance arrangements are needed for information assurance. “The governance regimes where the Cabinet Office is saying: ‘Do this, do that’ only work for central government,” he said. “So from a common public sector delivery point of view, if you want assurance that personal data is being looked after properly, we can’t do it with the levers we’ve got available now.”
Great flexibility
Certainly, the view from the front line is that the current arrangements governing information assurance are not geared up for a Big Society-type environment. Michael Robins is head of the Ministry of Justice’s Independent Monitoring Board Secretariat, which supports over 1,800 volunteers working in prisons and immigration remand centres. He said at the moment volunteers are restricted from accessing data on individuals because they are governed by two sets of inconsistent policies.
“We have volunteers going into prisons and immigration centres [and] two different policies, one from the Prison Service and one from Home Office, that don’t quite tie up,” Robins said. “It’s centrally-driven, but it’s not practical in terms of the volunteers managing information. So for example the rules say volunteers are not allowed to take information away from prisons. They would say they need to take this information home, to work on it at weekends, but the department’s saying: ‘You can’t do that’. We would like to see more consistency across government departments around what you can and can’t do, and if there are some areas of flexibility, for them to be more specific about those.”
McCormack said that CESG, which oversees central government policy on information assurance for the Cabinet Office, is trying to move towards “outcome-based” policy requirements that allow departments greater room for manoeuvre in disseminating IA guidance. “So it’s telling you where you need to go, not how you get there – and then it allows flexibility within departments to do different things that are proportionate and appropriate and work for them,” he said.
Melanie McGrory commented that in Robins’ case, officials in the Home Office and Prison Service may be being excessively cautious: “It sounds like you’ve got someone interpreting [the guidelines] very harshly, and I would be sticking up my hand and saying: ‘This is what we’re trying to achieve here, so with a combination of people, process and technology, what’s the best way of going about it?’”
Robins questioned whether things will ever change, arguing that civil servants are likely to continue taking a risk-averse stance on data handling: “If the risk is always going to be with the departments in terms of who’s to blame [if things go wrong], you won’t get civil servants saying: ‘Let’s be a bit more flexible there,’ because their necks are on the line.”
However, Critchley said he hopes this reluctance by departments to be flexible when interpreting IA guidelines will ease as they develop relationships with new service providers. “The more confidence you have in… the organisation you’re sharing information with, the less you need to tie things down with process,” he said. “So departments are protecting themselves by keeping those reins very tight.”
Sharing best practice
McGrory said that as the Big Society concept beds down, she would like to see more sharing of good practice in IA between departments. “The nature of the beast we’re dealing with, around security, means that people tend to keep good practice to themselves,” she said. “If there’s a way of exchanging something that’s good in, say, the Home Office with something else that happens in the Ministry of Defence, I think that would be beneficial.”
Critchley said that some sharing does already take place across central government, but argued that in the future this will need to be more extensive: “I have sent a number of policies we’ve created to other departments. But I think you’re right: as you get further into the outer circle, there is much less sharing.”
As the round table neared its end, McCormack suggested a holy grail for embedding effective information assurance across Big Society organisations: the development of shared services that embed good IA practice into new service providers. “However much we get effective and efficient IA built into the commissioning process, if every department, local authority and health body contracts out individually, that’s a huge amount of waste across government,” he said. “So we’re keen to promote the idea of doing IA once, doing it well and then reusing it. We have to provide good shared services to a very cost-conscious part of the economy. It’s easy then for a charity: they can just go and buy a service, and they don’t need to worry about it; they know it’s already got some assurance, and they don’t have to worry about asking all the awkward questions.”
At the table: participants and their concluding thoughts
David Critchley, information assurance standards manager, Home Office: “If we’re looking at culture change rippling out from the centre, I’d like to see an understanding of the assessment of risk as part of that. Because if you’re looking for flexibility without compromising security, then those are the skills that the culture change has to teach.”
James Johns, director of strategy for civil government, HP: “Commissioners have a role in how they specify IA requirements. Suppliers such as HP that provide technology to organisations that provide public sector services have a responsibility to provide access to that kind of knowledge and capability as well.”
Simon Lock, records manager, Security Industry Authority: “I would like to see some clarity over the powers of the Information Commissioner’s Office on this issue, and maybe a future change in legislation to improve its enforcement.”
Ian McCormack, senior information assurance consultant, CESG: “There’s a culture change required in how IA policy and guidance is used within organisations. We have to convince people of the case for good IA, and provide cost-effective shared services to those that need them. We aren’t going to be able to beat [this agenda] into people, absolutely not.”
Melanie McGrory, HP defence and security: “If there’s some kite-marking of good solutions so a charity could look and see where to go for some advice and guidance, that would be beneficial.”
Claire Rees, information asset owner, Department for Transport: “We should be open to having other suppliers, but if you look at your risk assessment, you’ll probably take the safe option and go with the supplier you already know and trust. It’s about how you support people who will probably give you the service [you want], but [who] you don’t have that background with.”
Michael Robins, head of the Ministry of Justice’s Independent Monitoring Board Secretariat: “My concern is around the voluntary sector and its ability to cope with loss of reputation. RBS might lose us billions of pounds, but how many people switched their bank accounts? Whereas with a charity, if it’s on the front page of the Daily Mail [for losing data], they can very quickly lose funding.”
Maria Grazia Luciano, research co-ordinator, Department for Transport: “It’s important to identify someone like an information asset owner who is responsible in an organisation for making sure information is handled securely.”
Written by Ben Willis, CSW
