New security rules will help the public sector keep data safe

Written by Microsoft on 13 April 2016 in Sponsored Article

There used to be so many ways of classifying government data it was difficult to ensure data protection. Now there are much clearer rules, argues Microsoft.

Potential security breaches are an essential consideration for any organisation rolling out innovative new digital services, and the public sector must lead by example.

Until recently, rules around data security and privacy were complex and confusing. They were also increasingly unfit for purpose in the modern technology-enabled world with all its cloud-based service possibilities. This mismatch threatened to curtail the government’s own ambitions for a digital-first administration and public service.

But the situation is improving as simpler and clearer rules are set down about how to keep sensitive data safe.

New European data privacy rules, expected to be finalised as regulation in 2017, aim to provide a single set of rules on data protection across the European Union. The security-related requirements include:

• Those processing personal data (including third parties such as cloud providers) are responsible and accountable for safeguarding data – and for reporting any breaches promptly

• Owners should have ready access to their data and be able to transfer this easily to another service provider if needed

• Personal data won’t be transferred outside the European Economic Area (EEA) without adequate privacy protection.

Penalties for violating EU data protection rules range up to €1m. In the UK, the government has made its own controls on public sector data handling clearer and less onerous.

Previously, there were so many different ways of classifying government data that it was almost impossible for organisations to decide what could safely be held and managed where. The new government security classification policy (GSCP) and CESG’s cloud security principles (CSP), published last year, define much simpler data categories, and allow public sector organisations to interpret the levels of control needed for their own particular circumstances.

Public sector data is now broken down into three categories: official, secret and top secret. As much as 87% of data is classified as official, which frees government organisations to treat it with best-practice controls used by large commercial enterprises.

This improved clarity should help drive new public sector innovation, making it easier to use cloud-based technology services, for example – the CSPs offer guidance on how to ensure cloud solutions are appropriate for data classified as official.

“Public sector organisations are under increased pressure to generate cost savings, increase efficiencies and improve services, which is partly why the government has decided to embrace the potential of cloud computing,” notes Mark Thompson, privacy practice leader at KPMG.

“Taken together, the GSCP and the CSP can be seen as a concerted effort to prevent security being used as a blocker towards uptake,” comments Daniel Jones, senior analyst for defence and security at Kable, a public sector technology intelligence firm.

Potential suppliers promoting their services via the government G-Cloud must assert which of the 14 security principles they comply with. These include issues such as how data is protected when it is stored and when it is in transit: for example, is it encrypted as it passes across networks?

Suppliers must self-assess against each measure, providing complete transparency. Public sector organisations must also check their own particular compliance requirements – for example, if handling NHS medical data – and confirm that their trusted technology provider holds the appropriate certifications and accreditations.

Further considerations include whether data is segregated from other organisations’ content, and the provider’s policy for responding to law enforcement requests to access data. Vigilance must be ongoing. KPMG’s Thompson comments: “There needs to be an ongoing business relationship with the cloud provider, which must be able to adapt as the privacy and security landscape changes.”

New rules on security are there to help, not hinder, progress. Improving clarity over requirements, and how suppliers help meet them, will help the public sector make safer choices and innovate more confidently.

