There used to be so many ways of classifying government data it was difficult to ensure data protection. Now there are much clearer rules, argues Microsoft.
Potential security breaches are an essential consideration for any organisation rolling out innovative new digital services, and the public sector must lead by example.
Until recently, rules around data security and privacy were complex and confusing. They were also increasingly unfit for purpose in the modern technology-enabled world with all its cloud-based service possibilities. This mismatch threatened to curtail the government’s own ambitions for a digital-first administration and public service.
But the situation is improving as simpler and clearer rules are set down about how to keep sensitive data safe.
New European data privacy rules, expected to be finalised as regulation in 2017, aim to provide a single set of rules on data protection across the European Union. The security-related requirements include:
• Those processing personal data (including third parties such as cloud providers) are responsible and accountable for safeguarding data – and for reporting any breaches promptly
• Owners should have ready access to their data and be able to transfer this easily to another service provider if needed
• Personal data won’t be transferred outside the European Economic Area (EEA) without adequate privacy protection.
Penalties for violating EU data protection rules range up to €1m. In the UK, the government has made its own controls on public sector data handling clearer and less onerous.
Previously, there were so many different ways of classifying government data that it was almost impossible for organisations to decide what could safely be held and managed where. The new government security classification policy (GSCP) and CESG’s cloud security principles (CSP), published last year, define much simpler data categories, and allow public sector organisations to interpret the levels of control needed for their own particular circumstances.
Public sector data is now broken down into three categories: official, secret and top secret. As much as 87% of data is classified as official, which frees government organisations to treat it with best-practice controls used by large commercial enterprises.
This improved clarity should help drive new public sector innovation, making it easier to use cloud-based technology services, for example – the CSPs offer guidance on how to ensure cloud solutions are appropriate for data classified as official.
“Public sector organisations are under increased pressure to generate cost savings, increase efficiencies and improve services, which is partly why the government has decided to embrace the potential of cloud computing,” notes Mark Thompson, privacy practice leader at KPMG.
“Taken together, the GSCP and the CSP can be seen as a concerted effort to prevent security being used as a blocker towards uptake,” comments Daniel Jones, senior analyst for defence and security at Kable, a public sector technology intelligence firm.
Potential suppliers promoting their services via the government G-Cloud must assert which of the 14 security principles they comply with. These include issues such as how data is protected when it is stored and when it is in transit, for example, is it encrypted as it passes across networks?
Suppliers must self-assess against each measure, providing complete transparency. Public sector organisations must also check their own particular compliance requirements – for example, if handling NHS medical data – and confirm that their trusted technology provider holds the appropriate certifications and accreditations.
Further considerations include whether data is segregated from other organisations’ content, and the provider’s policy for responding to law enforcement requests to access data. Vigilance must be ongoing. KPMG’s Thompson comments: “There needs to be an ongoing business relationship with the cloud provider, which must be able to adapt as the privacy and security landscape changes.”
New rules on security are there to help, not hinder, progress. Improving clarity over requirements, and how suppliers help meet them, will help the public sector make safer choices and innovate more confidently.
For more information, download the Cyber Security Demystified eBook