Report commissioned after New Year Honours blunder cites need for greater senior accountability and finds widespread use of free consumer tools
An independent review has identified an inconsistent approach to data protection across the Cabinet Office, with “pockets of best practice” offset by “concerning lapses” in behaviours and processes.
The review was commissioned following the department’s accidental publication of the home addresses of more than 1,000 people garlanded in the New Year Honours. The leak was attributed to “human error”.
But the review, conducted by BT executive and former Home Office non-executive director Adrian Joseph, finds causes for concern that go beyond a one-off blunder.
The biggest problems flagged up in the report include patchy engagement with data-protection guidelines, a lack of senior accountability, and common use of paper files or consumer software with limited security functionality.
Joseph reviewed four key aspects of the department’s data-handling: policies; processes; practices; and culture.
He found that the Cabinet Office has “adequate guidance and policies to advise officials on data-handling processes”. Information available to staff via the organisational intranet covers all relevant legislation and, if the advice and practices detailed were consistently followed, this would immediately “strengthen compliance” with data-protection obligations.
However, internal documents are often overly complex and need to be updated more frequently and promoted more effectively, the review found.
Another issue is the lack of coordination of data-protection resources and expertise.
“Unlike other departments, the Cabinet Office has no corporate data protection team,” the review said. “All data protection advice is currently provided by lawyers or the data protection officer, a statutory office required to carry out its tasks in an independent manner. The DPO is supported by a network of GDPR leads in each business unit, but their GDPR responsibilities are in addition to their existing job roles.”
It added: “Greater coordination of data protection resource could support the DPO’s existing work and more proactively drive a consistent approach to data handling in the department.”
The lack of a pool of centralised expertise is compounded by the fact that no member of the Cabinet Office’s executive committee holds responsibility for data-handling. This means there is no “clear escalation route for data-handling concerns”.
The review noted, however, that this situation should be rectified by the planned appointment of the government chief digital and information officer – a position that will sit within the Cabinet Office.
Joseph said that the primary process through which the department exerts control on the handling and storage of data is restricting employees’ access to files – a function that is available on Google Drive, which is the department’s “standard platform” for the storage of information classed as Official or Official-Sensitive.
But the application of these controls is “inconsistent”.
The report said: “In one team interviewed, access restrictions are removed immediately after individuals leave the team and the most sensitive personal data is restricted to just two team members. Across the board, however, such restrictions are often imposed too late and there are examples of personal data being accessible to whole teams. One business unit has run its recruitment process through an inbox with few access restrictions and subsequently held personal HR data, including some special category data, in a file accessible by the entire department.”
Another problematic process identified in the report is the continued storage of information that either has no clear owner – characterised as ‘orphaned data’ – or that guidance dictates should be deleted, but is retained by officials wrongly adopting “a ‘just in case’ approach to retention and deletion”.
“Growing volumes of orphaned data and ‘digital hoarding’ leave the department vulnerable to further breaches and weakens its ability to comply with FOI and public records requests,” the review said.
In his assessment of practices, Joseph identified civil servants’ need to deliver outcomes rapidly with minimal personnel resources as the primary “impediment to better data handling” at the Cabinet Office.
The report also found that leaks are sometimes chalked up to human error without proper recognition that “it would be possible to eliminate human error altogether by fixing failings in IT systems”.
There is also an issue with various teams across the department holding “personal data sets that are not appropriately defined as such”.
The review said: “All business units hold at least a small quantity of personal staff data on their shared Google Drives. Interviewees also mentioned data sets such as lists of business stakeholders and guest lists. Very few teams had considered whether or not they were protecting this information adequately, and some had not identified it as personal data.”
An area of significant concern is the use of paper and legacy systems.
Sometimes information is recorded and kept in physical form simply because an employee prefers to do so or “because they do not trust the electronic system”.
“Much of this hard copy information is not protected sufficiently,” the review said. “There are also a number of legacy electronic systems to which no one in the department currently has access. In most cases teams do not know the volume or sensitivity of the data held on those systems. The teams in question are working with IT and security to decide what to do with these legacy systems.”
Another major issue is the widespread use of “free versions of online tools which have not been subject to information-assurance checks”.
“One interviewee remarked that ‘officials with credit cards’ posed the biggest risk to the department, procuring software-as-a-service products freely, with no consideration given to subsequent data risk,” the report said. “This was particularly common with the use of products such as SurveyMonkey and Trello. They are used widely – either paid or free products – with very limited controls to protect data.”
Culture and recommendations
Joseph reported that “there is potential for a positive data culture in the Cabinet Office”.
Most employees have the desire to improve how the department handles data, the review found, with the barriers to doing so being practical and procedural. If and when these issues are addressed, the culture will improve accordingly.
The review concludes with six key recommendations:
- enhance accountability and governance;
- reward the right behaviours and recognise skills;
- confirm a new data strategy;
- be transparent on progress;
- refresh training and guidance;
- and establish consistent standards and technology controls.
Among the individual measures encouraged by Joseph is that existing data protection and compliance teams be given a department-wide remit. The accountability of individual employees should also be clarified and formalised, he said.
A quarterly review of standards and practices is also urged, as is the creation of a central repository of data-handling incidents – a resource which does not currently exist.
A chatbot tool to provide automated advice on data-handling queries would also help employees, the review said, as would interactive training modules.
As a matter of urgency, the department must “resolve priority issues relating to: shared passwords to access personal data; personal data being stored in publicly accessible Google Drives”.
In his response to the review, Cabinet Office permanent secretary John Manzoni – who is shortly to leave the civil service and be replaced as departmental head by Alex Chisholm – said that Joseph had made “some very sensible recommendations about how we can balance making better use of personal data with more robust safeguards”.
“With today’s new technologies, how we use personal data is changing how we work,” Manzoni added. “Sharing personal data more quickly and more easily allows us to make better decisions about the services we offer and how we offer them. But doing so brings some risks that we need to mitigate against. Across the Cabinet Office, we need to continue to handle personal data in ways that are appropriate, secure and protect privacy. Getting that right is not always easy, but it is vital to maintaining public trust.”