Government data security slammed in new report


The National Audit Office has issued a damning report on the UK government's approach to digital security.

The central teams and departments dedicated to protecting information were found to be operating without cohesion and governance.

There are 73 teams and 1,600 staff across government with data security responsibilities.

However, there was a lack of awareness among staff about who to contact for guidance, the NAO said.

"None of the departments we interviewed understood the specific roles of the various bodies involved, making it difficult to identify any single arbiter of standards or guidance," the report stated.

The Cabinet Office came under fire for failing to establish leadership in the area.

A Cabinet Office spokesperson said the majority of the data breaches cited in this report were "very minor", but acknowledged it needed to do more.

"The Cabinet Office conducted its own review of government security in early 2016 and many of our findings are consistent with the NAO report.

"So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two.

"We have also appointed the government's first ever Chief Security Officer to bring together all disciplines of government security under central leadership," they added.

In addition, three major projects, the Government Security Classifications (GSC) system, the Public Services Network (PSN) and Foxhound, which were supposed to have delivered significant financial savings, had yet to do so, the report found.

The PSN, a network designed to limit duplication in the public sector by allowing various organisations to share data, was forecast to save £200m - £400m per year in 2012. By 2014 it had saved just £103m and no further savings are expected, according to the NAO.

'problematic and costly'

It was also criticised for its lack of security.

"The increased security requirements, for example around encrypting data, proved problematic and too costly for many local authorities," the NAO noted.

"For example, many local authority staff used mobile digital devices that represented 'unsecured endpoints', potentially allowing unauthorised access to the PSN."

The report also described the reporting of security breaches within government as "dysfunctional".

"Departments must report data breaches in their annual reports, but each organisation reports its breaches in different ways," it stated.

"Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge," said Amyas Morse, head of the National Audit Office.

"To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved."