Safe data sharing

Richard Steel, President of Socitm, discusses what should be done to share information securely across government agenciesI believe that Socitm can and must provide a central role in delivering the vision of a joined-up public sector, using common infrastructure and sharing services to facilitate the delivery of efficient citizen-centred public services that are secure, ensure the integrity of individuals data and, most of all, are trusted.
    
When it comes to sharing information across government agencies, I believe what’s lacking is the articulation of a high-level vision that can be shared with, and gain the trust of, the ‘man on the street’. Things like:

  • We will ensure the security and integrity of information we hold about you.
  • We may use that information to protect society from the costs of criminality and fraud. 
  • We will only ask you to give us any information once. 
  • With your permission, we will share information among government agencies to provide you with better services. 
  • We will help you to stay in control of your own identities.

Helping the individual
We all must shift the level of debate on data sharing and security to deal with the real issues on a pragmatic basis. Let’s be realistic; the totally secure system will never exist. The more sophisticated our systems, the more sophisticated our criminals.
    
Individuals therefore need to be helped to understand the real issues, and how they can protect themselves. This could be achieved by:

  • Keeping an eye on their credit status; the government could mandate notification of changes to individuals.
  • Better managing personal information that is broadcast through credit and loyalty card trails, mobile phone records and discarded paper correspondence.
  • Taking responsibility for their own security and managing access to their own information.     

Most of all, this citizen awareness-raising and communications campaign needs to be matched by commitment to a high-level vision for maximising the security and integrity of personal data – information should only be shared through systems expressly designed for the purpose.
    
Socitm supports the development of Government Connect (GC) because it is such a system – albeit one that, initially at least, does not implement federated identity management and authentication.  

Getting the system right
The Government Connect team, and other government bodies like the department for Children Schools and Families (DCSF) that are working on authenticated access to student records, have agreed to work with Socitm on developing that over-arching vision and communications plan. Socitm is setting up collaboration forums to facilitate these goals. As we develop the vision, our expectation is that other key principles will emerge. For example:

The information sharing system must be capable of operating over the Internet for citizen access – not reliant on a firewalled network infrastructure.
    
It must be possible to both vouch for the identities of people who access information systems and authenticate their entitlement to access information according to their roles in relation to the information being accessed.

Individuals must be in control of their own identities. Information sharing systems must implement federated identity management so that individuals can use the same identities in different systems, if they wish to.
    
Too often, I believe, government develops tactics in the absence of vision and strategy. Tactical approaches such as secure data transfer may have a place in tightening-up security until a strategy for the achievement of the vision can be put in place. However, my view is that access to information in a system designed to facilitate the sharing of information will be in-situ.

Ultimately, secure information sharing has to work over the ‘network of networks’, recognising the increasing blurring of business and social networking boundaries, and the anytime, anywhere culture that’s emerging.
Recently published reports, such as the ‘Data Sharing Report’ (Richard Thomas, and Mark Walport, 11 July) and the ‘Review of Criminality Information’ (Sir Ian Magee, 16 July) touch on many of these points. However, they respond to terms of reference that were very specific to incidents that gave rise to the requirements for investigation. By and large the reports don’t address the messages to the ‘man on the street’, they don’t address the required over-arching vision or the emerging technical and social contexts, and they seem uninformed by work already undertaken by bodies like the National Information Assurance Forum.

Guiding the public sector
Socitm has in fact had considerable input to the shaping of technical advice and guidance to the public sector on matters concerned with the handling and security of personal information. It was represented on the Cabinet Office GIPSI (General Information Assurance Products and Services Group) – a pan-government Cabinet Office Security group, which has become the National Information Assurance Forum (NIAF). The NIAF has been involved in the drafting of the National Information Assurance Strategy, which has a local government delivery approach, drafted after detailed work and consultation with Socitm.
    
The data handling review has involved Socitm through the Local Government Association to work on producing a set of data handling guidelines for local authorities. We have also been involved with the Department of Health (DoH) working on producing an integrated version of the Information Governance toolkit. The DoH is also reviewing its information strategy around adult social care. Socitm is involved in the work of that group.
 
Among my concerns, however, is that it often seems that good work undertaken by government remain its ‘best kept secrets’. The government has to engage all stakeholders in constructive dialogue that contributes to the development and understanding of public sector security strategy that our citizens can trust in. At the beginning of April Socitm established the Local Government CIO Council and we have signalled our determination to be as open and transparent as possible in the work we do with government on ICT and public sector transformation.  

And finally
I think it’s worth quoting from Philip Littleavon’s introduction to the Socitm facilitated discussion forum on the over-arching vision and communications plan:
    
“Few IT programmes in local government have generated more debate than Government Connect. There are good reasons for this; Government Connect is not simply an IT programme delivering technology – it is a business change programme. Government Connect is about changing some fundamental aspects of the relationship between local and central government and about establishing a new level of trust enabling secure channels of communication and ultimately better ways of working and improved services to citizens.
    
“I believe passionately that Government Connect is a project of national importance and will pave the way for many future innovations in UK government’s IT and business service delivery. But for Government Connect to succeed the programme must build and maintain relationships with a vast array of stakeholders across the wider public sector – often with conflicting views and constraints. Whilst there is much still to do, the credibility of the programme has never been greater. Not only is there a general belief Government Connect is going to happen, but our influence in areas such as government IT strategy and direction of major central government departments is increasing.”
    
Socitm was commissioned by Philip to undertake a study of local government readiness to adopt Government Connect. This has been completed and delivered, and includes recommendations on the help that's required by some authorities. Socitm will offer a service to support implementation where help is required, and we look forward to continuing to support the goal of building public trust in effective joined-up government.

Please register to comment on this article