Local authorities have come under increased scrutiny following the recent publication of results from an audit of sixteen local authorities by the Information Commissioner’s Office (ICO), which found that collectively there was “clear room for improvement” in how they comply with the Data Protection Act.
With data loss never far from the news, protecting sensitive information is no longer the sole preserve of national security organisations – it has become a key concern for all levels of government organisation and, indeed, private enterprise.
A data breach can greatly impact local government organisations – whether it’s direct harm caused to an individual or organisation as a result of disclosed information, or in monetary terms due to ICO fines, loss of funding or negative publicity garnered by the news of a breach. As a result, it is no longer enough for local government organisations to treat data security as a ‘nice to have’; instead, they must actively implement measures to protect both their staff and the information assets they hold.
Government Security Classification scheme
Central Government understands that it is vital to take measures to protect data and has rightly identified data classification as being increasingly important to help staff understand the value of the data they receive, handle and create. On 2nd April 2014, the Cabinet Office launched the Government Security Classification (GSC) scheme, which aims to simplify classification of government data and make it easier and more cost-effective for material to be marked, handled and protected in a proportionate way.
However, in the lead-up to the changes, we were surprised to find only 20% of the government staff we spoke to had plans to transition to the new scheme and that there was a general consensus that clearer guidance is needed on how to implement, enforce and train staff to use the new classification system.
This guidance is still lacking months after the launch of the GSC and until the Cabinet Office addresses this, we will continue to see avoidable data breaches across government.
Making data security more people-centric
One of the ways in which organisations can protect their data and meet the requirements of GSC is through the use of data classification solutions, which empower staff to assign a value to data (whether it’s an email, document, image or CAD design file) they create and handle, so informed decisions can be made about how that information is managed, used and shared. The creator of the data is usually best-placed to make this value judgement, as they will be more aware of its context.
By putting the classification obligation in the hands of staff at all levels, you effectively draw them into an active role in data security, which provides a greater defence against the loss of sensitive information.
Technologies such as Data Classification and DLP can be combined as part of a layered security approach to help prevent government organisations from incurring the wrath of the ICO. Visual classifications can help to raise awareness of data security, but only a data classification solution that translates these into metadata that other security technologies can use can be totally effective in enabling an organisation to control the sharing and release of information.
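The difference between a visual marking and label metadata, as an added example (not part of the original article and not any vendor's product): a minimal outbound-mail check that acts only on a machine-readable label and fails closed when a marking appears only in the subject line. The header name `X-Classification`, the `.example` domains and the release policy are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions (not from the article): header name, domains and release policy are hypothetical.
LABEL_HEADER = "X-Classification"
# GSC tiers, lowest first; OFFICIAL-SENSITIVE is a handling caveat within OFFICIAL.
ORDER = ["OFFICIAL", "OFFICIAL-SENSITIVE", "SECRET", "TOP SECRET"]
CEILING_BY_DOMAIN = {"council.example": "OFFICIAL-SENSITIVE", "supplier.example": "OFFICIAL"}


def release_decision(raw_message):
    """Return (allowed, reason) for an outbound email, using label metadata only."""
    msg = message_from_string(raw_message)
    label = (msg.get(LABEL_HEADER) or "").strip().upper()
    if label not in ORDER:
        # Fail closed: a marking typed into the subject or body is not policy input.
        return False, "blocked: no valid classification metadata"
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if not recipients:
        return False, "blocked: no recipients"
    for _name, addr in recipients:
        domain = addr.rpartition("@")[2].lower()
        ceiling = CEILING_BY_DOMAIN.get(domain)
        # Unknown domains have no ceiling and are never releasable.
        if ceiling is None or ORDER.index(label) > ORDER.index(ceiling):
            return False, f"blocked: {label} not releasable to {domain}"
    return True, f"released: {label}"


def make_message(to, subject, label=None):
    """Build a constructed sample message; label=None means visual marking only."""
    headers = [f"To: {to}", f"Subject: {subject}"]
    if label:
        headers.append(f"{LABEL_HEADER}: {label}")
    return "\n".join(headers) + "\n\nBody text.\n"


# Constructed samples, not real traffic.
LABELLED_INTERNAL = make_message("clerk@council.example", "Case notes", "OFFICIAL-SENSITIVE")
LABELLED_MIXED = make_message(
    "clerk@council.example, bid@supplier.example", "Case notes", "OFFICIAL-SENSITIVE"
)
VISUAL_ONLY = make_message("clerk@council.example", "[OFFICIAL] Meeting minutes")

if __name__ == "__main__":
    for sample in (LABELLED_INTERNAL, LABELLED_MIXED, VISUAL_ONLY):
        print(release_decision(sample))
```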
Education and best practice
Following the ICO’s audit of local authorities and the resulting recommendations, it is hoped that the number of data breaches and subsequent fines will be reduced. Certainly the recommendations and best practice examples supplied by the ICO should go some way to increasing awareness of the need for all employees at all levels to protect data right through the cycle.
It is encouraging that the ICO is taking on more of an educational role, rather than being a solely punitive organisation slapping fines on local councils with little help to solve the underlying issues around data loss, yet we are still some way from providing local government with enough support to make sure data leakage is plugged.
Martin Sugden is the MD of Boldon James