My right honourable friend the Minister of State, Cabinet Office (Angela E. Smith) has made the following Written Ministerial Statement.
On 25 June 2008 (Official Report, col. 26WS) the former Minister for the Cabinet Office, Ed Miliband, placed a report on government data-handling procedures before Parliament. That report put in place reforms to strengthen the Government’s data-handling capability and management of risks to information. As part of this, the report committed to the publication of an annual report on information risk to be placed before Parliament. I am today placing the first annual report on Protecting Information in Government in the Libraries of both Houses.
The data-handling report set out measures to improve the handling of information by putting in place a set of core measures to protect personal data and other information across government including:
the use of protective measures, such as encryption and penetration testing of systems;
identifying the key individuals responsible for managing departmental information risk and information assets and setting out their responsibilities;
mandating regular training for all staff involved in handling personal data;
introducing greater scrutiny and monitoring through statements on internal control, which are scrutinised by the National Audit Office and through spot checks by the Information Commissioner; and
enhancing transparency, through the reporting of data loss incidents in departments’ annual resource accounts and this first annual report to Parliament on progress and information risk as a whole.
The report published today lays out the progress that has been made to meet these new data-handling requirements; how we will continue to drive improvements in our data handling and information risk-management capability; and the challenges which lie ahead.
The report highlights the considerable work that has been carried out across government in relation to improving data handling such as:
the roll-out of enhanced data security training to over 450,000 public servants;
the establishment of a network of more than 150 senior information risk owners at board level within organisations and over 9,000 people who are now responsible for ensuring that data are handled responsibly at a working level;
the extent of the encryption of mobile devices including laptops and removable media with over 100,000 devices encrypted to date;
penetration testing of ICT systems to protect systems from electronic attack and other threats (to date over 650 tests have been conducted); and
work to conduct privacy impact assessments across government with over 270 PIAs carried out on new projects handling personal data.
But the report also recognises that ensuring personal and sensitive information is treated as a valuable asset is a continuous task. It also highlights the remaining challenges and the work that is under way to build our information-assurance capability across government.