The government is facing calls to explain why it has yet to implement all the recommendations from a 2023 review into a spate of serious public sector data breaches, including the exposure of Afghans who worked with the British military, victims of child sexual abuse and 6,000 disability claimants.
On Thursday ministers finally published the information security review, which was triggered by the 2023 leak of personal data of about 10,000 serving officers in the Police Service of Northern Ireland.
The review by Cabinet Office officials into 11 public sector data breaches, encompassing the HMRC, the Metropolitan police, the benefits system and the MoD, found three common themes:
- A lack of controls over ad hoc downloads and exports of aggregations of sensitive data.
- The release of sensitive information via “wrong recipient” emails and failure to use bcc properly.
- Hidden personal data emerging from spreadsheets destined for release.
The release of the review, 22 months after it was completed and a month after the leak of a database of 18,700 Afghans became public, was welcomed by Chi Onwurah, chair of the science, innovation and technology committee. But she said: “It’s concerning that it took an intervention from my committee and the information commissioner to make this happen.”
The Afghan data breach led to people fearing for their safety under the Taliban and to the UK government offering relocation to thousands of Afghans under a secret scheme.
The government said it had delivered on 12 of the 14 recommendations about toughening up data security. Onwurah said: “The government still has questions to answer about the review. Why have only 12 of the 14 recommendations been implemented? And why has it kept the very existence of this review a secret for so long, even after the 2022 Afghan breach became public?
“For the government to fulfil its ambitions of using tech to boost the economy and transform our public sector, it needs the public to trust that it can keep their data secure. If it can’t, how can anyone be comfortable handing over their personal information?”
The information commissioner, John Edwards, called on the government to go “further and faster to ensure Whitehall, and the wider public sector put their practices in order”.
He told the Cabinet Office minister, Pat McFadden, on Thursday that “as a matter of urgency, the government should fully implement the recommendations of the Information Security Review”.
It was not immediately clear which of the 14 recommendations had yet to be implemented. The full list included the government working with the National Cyber Security Centre to assess existing guidance on technical controls for products and services hosting information marked “official”, the need to launch a cross-government “behavioural influence communications campaign to address persistent poor information handling practices”, and the need to “review sanctions for negligence”.
McFadden and Peter Kyle, the secretary of state for science, innovation and technology, told Onwurah in a letter on Thursday: “Good progress has been made but we must guard against complacency. This is an area on which we must keep a consistent focus to ensure standards continue to improve.”
A government spokesperson said: “This review concluded in 2023 under the previous government.
“Protecting national security, including the security of government data, is one of our primary responsibilities. Since taking power, we have strengthened security guidance across departments, updated mandatory training for civil servants, and announced plans to upgrade digital infrastructure across the public sector as set out in our Blueprint for Modern Digital Government.”