Non-compliant organisations risk being cut off from the PSN

Organisations not compliant with PSN security after the end-March deadline and who fail to engage for help are “effectively opting out”

Organisations that are not compliant with PSN security measures after the deadline, at the end of March, and who fail to engage for help are “effectively opting out” of the PSN.

John Stubley, operations director of the PSN programme at the Cabinet Office, said the government is working closely with organisations who are finding it difficult to achieve PSN compliance by the 31 March deadline.

The Public Services Network (PSN) is the new “network of networks” that will replace the old GSi/GCSX Government Secure Network infrastructure. Being disconnected from the PSN could mean a local authority is unable to fully carry out its public duties.

Speaking at the Local Public Services ICT Summit in London today, Stubley said around 30 organisations were not yet compliant with PSN security regulations, and of those around 12 were having difficulties.

“Some of those are going to achieve it [PSN compliance], maybe not by the March deadline, but within a few weeks after,” he said.

He said the government is working with organisations who are at risk of failing compliance through one-on-one discussions with CEOs to ensure there is a commitment to do the work needed to achieve compliance.

“So, yes, the threat is still there that if these organisations don’t make any progress, then can the rest of the public sector trust them to share information?” he said.

“If we find an organisation won’t engage, and has no intention of moving across, effectively they are opting out.”

Connection to PSN is required for public services that are centrally and locally managed or delivered, such as housing benefits. If a council lost connection to PSN, it would be unable to exchange benefits data with the Department for Work and Pensions, for example.

Last week, Computer Weekly reported that 60 out of the 588 organisations had yet to achieve PSN compliance, with 37 organisations at “significant risk” of failing by the end of this month.

“We’ve got plans and we know what they’re doing,” Stubley said today. “There are cases where organisations genuinely have contracts and things like that they have to work through.”

Mike Kenworthy, director of ITC, Harrogate Borough Council, was in the audience at the summit, and during the Q&A session he said he had come across difficulties in achieving PSN compliance.

“From a political perspective it’s very difficult to get elected members to buy into this,” he said.

Kenworthy said he had to recently turn off the ability to sync emails to personal devices to achieve PSN compliance. “I had about five or six emails this morning and thirty yesterday saying: ‘That’s it, we don’t want to use corporate email anymore, we’re all going private.’ So the reality here is that there are real difficulties.”

Stubley responded, and said: “There are a few myths out there, PSN doesn’t say you can’t use your own devices, it doesn’t say you can’t do synching, it does say when that device has direct access to information shared across the public sector, then you need to put in place some sort of separation.”

But Kenworthy said he had a direct conversation with the Cabinet Office about this problem, and even though Harrogate Council kept the PSN email separate from the corporate email system, it was told it was not allowed to sync to mobile devices.

“This is quite common. In other authorities I’ve spoken to, one person is saying one thing, another person is saying another,” said Kenworthy. “And we’re not actually having a clear understanding when you talk to people and representatives at the Cabinet Office of what is the right way to go, and what is the wrong way to go.”

Stubley said that Harrogate’s situation shouldn’t have been the case, and asked to discuss the matter at length after the event. He also admitted that a lot of the PSN communications had been wrong in the past.

“Zero tolerance is something we’ve got rid of now,” Stubley said. “And we’re trying to bring in an approach for the future where a collaborative approach of what the standards should be.”

John Jackson, CIO and digital strategy lead at Camden Borough Council, was also sitting on the Q&A panel, and he called PSN a national treasure.

“It’s the way we will transform government through data sharing and connectivity,” he added.

But Jackson has issues with how the security and controls enforced by Cabinet Office are not proportionate to the risk.

“Are we using a sledgehammer to crack a nut? How real are the risks?” he asked.

He said that if councils spend a lot of time and effort in locking down services to become security compliant, they put in the wrong security controls, which people will then ignore. “People will say: ‘If I can’t get at my email, I’ll forward it to Google’. Forget it.”

But Jackson welcomed how the Cabinet Office has responded, listened and changed the language it has used over the PSN journey, from zero tolerance to a collaborative approach to working with local government.
