A series of reviews into huge data losses suffered by HMRC, the MoD and a Home Office supplier in 2007 and 2008 have been a wake-up call for government, says a top government infosecurity officer.
"We realised there needed to be a sea change in governance, leadership and personal accountability," government information security community manager Nick Haycock told the first annual Human Factors in Information Security Conference in London.
He told delegates that the reviews into the data losses had all concluded that government had a patchy, fragmented and diluted focus on the role of people in security.
Since then government has made progress towards addressing this and other basic system failings, said Haycock, who acts as a co-ordinator in the Information Security and Assurance office.
"The most important change is a much stronger role for the 150 senior information risk officers [SIROs] across government to help people understand why security is important to them," he said.
SIROs have been given the job of leading and fostering a culture that values, protects and uses information for public good.
Another important development, Haycock said, is the appointment of around 9,000 information asset owners across government to identify risks for each category of information and how to mitigate them.
"We are building an information security community, but it is still early days," he said.
Government has also made good progress in improving the personal accountability of department heads, he added, introducing frameworks for reporting between the departments and the Cabinet Office, and between the Cabinet Office and parliament, and training 450,000 civil servants on the basics of handling data securely.
However, he admitted that government still has a long way to go, especially in rebuilding citizens' trust in government's ability to protect their personal information.
Future challenges include maintaining momentum, keeping information security relevant to what people are doing, continually educating data handlers, dealing with third-party suppliers of data processing, and striking the right balance between reducing risk by protecting information and gaining the benefits of exploiting and sharing information.
"We have made a good start, but we haven't cracked it yet," said Haycock. "There is a lot of work going on behind the scenes and we are systematically changing the way government deals with information protection."