UK government department seeks digital suppliers to roll out £2.25m data protection programme following New Year’s honours breach

The UK Cabinet Office is seeking digital service providers to deliver a £2.25m data protection programme, following a high-profile breach last year.

The department, which supports the prime minister and cabinet, is acting after it inadvertently released a version of the New Year’s Honours list in 2019 which revealed the addresses of the recipients.

It is now planning to implement six recommendations made in a subsequent review into the department’s data protection weaknesses. The review found gaps in governance and organisation, inconsistent application and a lack of monitoring ability to protect against and respond to data breaches. The six recommendations (detailed below) are intended to fix these issues.

The Cabinet Office has in the last week published a market notice inviting suppliers to apply to work on the project. The deadline for applications is 27 August and the work is expected to be complete by the end of the year.

The notice said: “The Cabinet Office needs to mobilise a programme to respond to the findings of a data handling review through enhancing capabilities, standards and controls across the department to manage data privacy risk.

It added that “there is a significant risk that further and more impactful breaches will occur as the amount of personal data being handled by the department increases”

The New Year’s Honours list, in December 2019, was released online as a comma separated variable (CSV) spreadsheet with address details of the recipients. It was online for 40 minutes before it was taken down. More than 1,000 people were affected, the BBC reported at the time.

 

Recommendations for improvement

Below are the recommendations the Cabinet Office is looking to implement as set out in its data handing review.

Recommendation 1: Enhance accountability and governance

Aim: Establish unified leadership for personal data handling supported by extension of existing best practice delivery in Cabinet Office to increase consistency of delivery.

Specific example: Confirm new Group Chief Data and Information Officer role as accountable for Personal Data Handling culture and controls

Recommendation 2: Reward the right behaviours and recognise skills

Aim: Strengthen existing business unit responsibilities through active identification and promotion of personal data handling experts.

Specific example: Identify, document and list the names of Cabinet Office staff with significant experience and knowledge of personal data handling on the intranet.

Recommendation 3: Confirm a new data strategy

Aim: Define a new data strategy aligned to Cabinet Office values and Digital Government ambitions which will inspire current and future Cabinet Office resource

Specific example: Define strategic design principles and control standards that provide guidance and capture the future value of data usage

Recommendation 4: Be transparent on progress

Aim: Develop the execution oversight and data analysis required to demonstrate progress on maturing data delivery capabilities to all stakeholders.

Specific example: Build a Cabinet Office data incident management system as a single repository of logged personal data handling issues. –

Recommendation 5: Refresh training and guidance

Aim: Rebuild training and guidance to become accessible on a sustained basis by all Cabinet Office resource.

Specific example: Build an integrated ‘how to’ guide for handling personal data targeted at all Cabinet Office staff.

Recommendation 6: Establish consistent standards and technology controls

Aim: Achieve consistent leading standards and controls across personal data handling processes.

Specific example: Undertake urgent action to resolve priority issues relating to the use of shared passwords and inadequate access restriction on Google Drive


Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.