The Prime Minister commissioned the Cabinet Office in 2007 to review and assess procedures for the use and storage of data by and within government departments.
The ultimate goal was to reduce the risk of data misuse and loss, improve the quality of public services and minimize the incidence of theft and fraud, bringing the “right people to the right information.”
While the Data Protection Act and Human Rights Act provide the legal framework for governing data, the Cabinet, HM Treasury and Ministry of Justice set the guidance for managing information and provide assistance to meet those requirements.
However, the ultimate responsibility is with the individual departments and their agencies to enact the appropriate procedures and technologies to ensure these requirements are met.
The findings of the Cabinet Office and its guidance on the requirements are set out in the “Data Handling Procedures in Government: Final Report,” which was released on the 25th of June, 2008.
Who should comply
The report outlines how all departments and agencies that use and store personal data can follow a set of minimum requirements to safeguard their information, demonstrate continued compliance and, by extension, be held accountable for that effort. The Cabinet Office calls on departments to:
- Understand and manage information risk by identifying the key individuals responsible for information assets and setting their responsibilities
- Submit quarterly assessments of the confidentiality, integrity and availability of information
- Conduct mandatory training for all staff involved in handling personal data, with training taking place on appointment and reinforced annually
- Submit Privacy Impact Assessments when introducing new policy or processes that involve the use of personal data
- Submit information risk in Statements on Internal Control, which will be scrutinised by the National Audit Office and through spot checks by the Information Commissioner
- Provide annual reporting to Parliament on progress and on the use of Information Charters, which provide clarity to citizens about the use and handling of personal data