Government and IT - "A Recipe For Rip-Offs": Time For A New Approach - Public Administration Committee Contents

7  Security and privacy

91. We heard during our inquiry that government's special security requirements increase commercial and technical complexity, thereby increasing cost and reducing competition. The Government argued that its status meant that it was more likely to be the subject of hostile attack than private sector organisations.[120]

92. IBM highlighted security as one area where "gold-plating" of specifications often takes place:

    The security arena is often an area where excessive constraints may distance the programme from the original operational need.[121]

93. Similarly, one SME argued that government needs to be more realistic about its security needs and "not ask for American Defence Department standards for systems that no one is going to want to hack."[122] Another described it as being equivalent to using "a sledgehammer to crack a nut."[123] Bracknell Forest Council said that the current arrangements were "too draconian and seen as a hindrance by most outside of the security industry."[124] We were also told that "overly prescriptive security conditions limit adoption of newer technologies and limit data exchange."[125] Socitm concurred with this view.[126]

94. Logica argued that:

    Security issues also pose a challenge to the co-ordination of technology policy. Different government departments can interpret security policies in a way that can mean that solutions agreed by one department are not accepted by another.[127]

95. However, we also heard some encouraging evidence from SMEs who had spoken with CESG[128] and believed that it was in the process of adopting a more pragmatic approach. The BCS were also less critical of the current arrangements, saying that the "Government's approach to information security and information assurance has improved significantly over the last decade and policy is more pragmatic and generally understood by users". However, they also raised concerns about the lack of a holistic approach to data security.[129]

96. A number of organisations expressed concerns about the Government's record in guarding the personal information it holds, with particular reference to incidents where disks or laptops had been lost.[130] The Information Commissioner emphasised the importance of Privacy Impact Assessments (PIAs), which assess the data protection implications of new projects, stating that these needed to be "more than mere paper exercises."[131] The BCS recommended that Government should have "…broader and deeper adoption of the 'Privacy by Design' principles espoused by the Information Commissioner's Office".[132]

97. The over-classification of data was another problem highlighted. Protectively marking information when this is not required has enormous cost implications and prevents Government from taking advantage of commodity products and services, including the adoption of commercial cloud services.

98. Following a number of high-profile data losses by departments, a number of reviews were undertaken examining and strengthening the Government's information assurance capability.[133] In its guidance the Government recognises that over-classifying data has negative consequences:

    Applying too high a protective marking can inhibit access, lead to unnecessary and expensive protective controls, and impair the efficiency of an organisation's business.[134]

99. Governments have learnt that they must secure both personal data and data relating to national security, whilst also guarding against gold-plating their security requirements, which can greatly inflate costs without delivering any tangible benefits. Over-classifying routine administrative and operational information causes unnecessary technology and operational costs, and prevents the public sector from taking advantage of the economies and efficiencies of commodity software and new opportunities. It also acts as a further barrier to more effective use of SMEs in the supply of IT goods and services. Government must do more to demonstrate how a risk-based approach is helping to achieve a better balance in information assurance.

120   Q 516

121   Ev w131

122   Ev w3

123   Ev w4

124   Ev w13

125   Ev 91

126   Ev 102

127   Ev w50

128   CESG is the Information Assurance (IA) arm of GCHQ. It is the UK Government's National Technical Authority for IA, responsible for "enabling secure and trusted knowledge sharing".

129   Ev 96

130   Ev w43, Ev 98

131   Ev w43

132   Ev 98

133   See for example Cabinet Office, Data Handling Procedures in Government: Final Report, June 2008

134   [citation missing], para 19


© Parliamentary copyright 2011
Prepared 28 July 2011