Department seeks commercial support in meeting targets set out in independent review

Credit: Gerd Altmann/Pixabay

The Cabinet Office is seeking a commercial partner to fulfil a short-term £2m programme of work to address “weaknesses” in its handling of personal data.

The department underwent an independent review of its data-storage and -processing procedures in light of an incident in December 2019 in which personal details of those featured on the New Year’s honours list were leaked. 

That review, led by technology executive and former Home Office non-executive director Adrian Joseph, concluded in April. It identified some “concerning lapses” amid what was generally characterised as an inconsistent approach to data protection.

Six core recommendations were set out: improve accountability and governance; reward expertise and skills; establish a new data strategy; be transparent on progress; update guidance and training; and implement consistent standards and controls for technology and data.

Related content

• Cabinet Office to undergo independent review of data-handling after honours blunder
• GDPR blamed for doubling of Whitehall’s recorded data breaches
• Whitehall departments reported 500 personal data breaches to ICO in FY20

The Cabinet Office intends to make good on these recommendations by the end of 2020 and is seeking a supplier to support its work to do so.

The chosen bidder, with which the department will sign a contract worth up to £2.25m, will start work by 14 September.

“Delivering the Cabinet Office business strategy places a critical reliance on enhancing the capture, storage, management and use of personal and non-personal data. Recent events, however, have identified weaknesses in the Cabinet Office capabilities for managing personal data privacy,” the Cabinet Office said. “An independent review… identified systemic inconsistencies in data processes, controls and culture across Cabinet Office and that there is a significant risk that further and more impactful breaches will occur as the amount of personal data being handled by the department increases.”

The department added: “The independent review of the Cabinet Office’s personal data handling practices proposed recommendations to enhance the overall risk management of data privacy across the department. The Cabinet Office needs to implement this work prior to end December 2020.”

For the technical aspects of the programme, the Cabinet Office indicated that it would prefer to use cloud storage from Amazon Web Services or Microsoft Azure, rather than on-premises technology. 

Suppliers wishing to bid for the work have until 27 August to do so.