The Cabinet Office has set out a programme to improve its capabilities and controls for personal data handling – with the aim of completing it by the end of the year.
It comes in response to a review of its performance in the area, published in April, following a data breach in December of last year over the impending Honours List.
The department has published a market notice for support in putting the programme into effect, saying it is directed at improving the capture, storage and management of personal and non-personal data.
The review acknowledged that the Cabinet Office has adequate guidance and policies in place, and there are good examples of processes and controls. But there are also gaps in its governance and organisation, inconsistent application and a lack of monitoring, all of which are making it harder to protect against data breaches.
There have also been variations in how different teams have been handling personal data.
Six recommendations came out of the review:
- Enhance accountability and governance with a unified leadership for personal data.
- Reward right behaviours and recognise skills.
- Confirm a new data strategy.
- Be transparent on progress.
- Refresh the training and guidance provided to staff.
- Establish consistent standards and technology controls.
The last of these would include resolving priority issues such as the use of shared passwords and inadequate access restrictions on the department’s Google Drive.
The initial response has been to contract a few individuals to work on the various issues, but the Cabinet Office has now decided to aim for a consolidated approach to work with its data protection office and teams for information management, assurance and security.