Government data security hobbled by cost dispute

Whitehall has failed to roll out compulsory security safeguards two years after HM Revenue & Customs lost CDs containing highly sensitive details of 25...

Whitehall has failed to roll out compulsory security safeguards two years after HM Revenue & Customs lost CDs containing highly sensitive details of 25 million people.

Plans to introduce a raft of mandatory security improvements across government have run into the buffers following contractual disputes with IT suppliers which do not want to carry the cost.

The Data Handling Review, carried out by cabinet secretary Sir Gus O'Donnell, laid down a series of compulsory data security precautions described as the "minimum" necessary to prevent another disastrous exposure of people's personal details.

They were designed to prevent a repeat of the alarming incident when HMRC CDs containing the details of 25 million people on the child benefit computer system went missing after staff sent them by courier to the National Audit Office.

Eighteen months since the Cabinet Office mandated the measures the government has hit a significant obstacle in its attempts to raise security levels on data held across government.

Suppliers have agreed to more stringent data security measures under contracts signed since July 2008.

But the government has been unable to reach agreement with suppliers which handle government data under contracts signed before the urgent reforms were introduced - which govern the bulk of government data.

Sureyya Cansoy, associate director of suppliers' body Intellect, said suppliers are doing all they can to assist the government.

"It should be done in such a way that it doesn't burden suppliers unnecessarily and that any changes to contracts are done under the commercial arrangements already agreed," she said. "But we've not really tackled it yet."

Ross Cattell, head of enterprise risk at Deloitte, said suppliers felt unfairly criticised by the government. "Suppliers are saying, 'Gold standard is not what you asked for when you outsourced. If you want that, you have to pay more.'

"It is difficult for government departments which are trying to raise the information assurance standards," he said.

Andy Vernon, information assurance consultant at PA Consulting, said suppliers argue that measures to secure the transport, back-up and destruction of data, and the certification of suppliers handling personal data on behalf of government, are too expensive to implement without compensation.

These very procedures were the breadth of the Data Handling Review's core minimum security measures. The other key requirement to come out of the review - to establish a way to monitor information assurance precautions - has also still not been applied down the IT supply chain.

The revelation comes just as the Cabinet Office prepares to publish the first annual progress report of the Data Handling Review.

The report is expected to reveal only how well departments have managed to implement the measures within their own fiefdoms, not what proportion of data is handled under less stringent precautions under old contracts.

Neil Fisher, vice chair of the Information Assurance Advisory Council, a think tank of government, industry and security bodies, said it is unrealistic of the government to attempt to change terms on contracts that still have years to run. Changing contracts stirs up the difficult issue of who carries the risk of something going wrong, he said.

"Industry will be quite robust about this," he said. "They are not a charity. They do work for payment and they do it against clear instructions from the client, and that is the way these relationships work. By doing so, they limit their liability.

"What the government would like is for industry to try to meet it half way somewhere. I'm not sure that's a clever way of doing it or one which will contractually will be enforceable," he added.

Read more on Privacy and data protection