Get yourself connected

In April 2008 the Department for Work and Pensions (DWP) took over leadership of Government Connect. By July DWP had declared a new Data Access Policy stating that all exchanges of sensitive personal data with local authorities in England and Wales would be via the Government Connect network from April 2009. This policy has forced the hand of local government since virtually all councils rely on access to DWP systems and data to deliver Housing and Council Tax Benefits.
    
Government Connect is a pan-government programme providing an accredited and secure network between central government and every local authority in England and Wales. The network is known as GCSx (Government Connect Secure Extranet). GCSx is part of the wider Government Secure Intranet (GSi) and provides connectivity to nearly all central departments (Scottish local authorities have already established a similar network known as the Government Secure Extranet (GSx)).

Data handling in government

Local government has found Government Connect hard to accept because it imposes central government standards of information assurance and security into a culture that has historically placed greater emphasis on the use of open standards and the Internet as the means of delivering e-Government.
    
Whilst the network infrastructure is funded centrally, local government must comply with the Government Connect Code of Connection. The Code of Connection is a set of security controls defined by the Office of Government Commerce (OGC) on the advice of CESG (part of GCHQ and the national technical authority for information assurance) and broadly based on ISO 27000 – the international standard for information assurance. For some local authorities, complying with the Code of Connection represents a significant and unwelcome investment offering limited short term cash benefits.
    
From a central and broader government point of view the Government Connect Code of Connection represents the minimum standard of information assurance required of a local authority to be trusted with sensitive personal data. The Government Connect network is seen as a key enabler to rebuilding public confidence in government’s ability to protect citizens’ data and to delivering the service transformation agenda through programmes such as Tell us Once. Government Connect is no longer seen as nice to have, but an absolute necessity for the proper administration of public services.

Where we are now

Local government has responded positively to the challenge set by DWP’s revised data handling policy. All 410 local authorities have signed up to Government Connect and all circuits will be technically provisioned early in 2009. By April three quarters of all local authorities are anticipating they will have achieved compliance with the Code of Connection and by October 2009, all the remaining authorities have stated they will be compliant. This remarkable turnaround shows the adaptability and flexibility of local government to accept the requests placed upon it.
    
The drive to improve information assurance does not stop with the GCSx Code of Connection. Government's Data Handling Review, led by Robert Hannigan, has introduced major cultural and organisational changes; local government has recently published its response and local authorities are assessing the impact. The review introduces the concept of Senior Information Risk Officers (SIROs) and Asset Managers, which are the norm centrally but new to local government.
    
In order to ensure its data is properly handled by local authorities, the DWP has introduced a Memorandum of Understanding setting out minimum standards to establish trust between the respective organisations. This caters for the needs of DWP, but is not a pan-government response. Greater cross-government collaboration and policy development is necessary to avoid local government being subject to a proliferation of potentially confusing, conflicting or overlapping requirements.

The challenges ahead

Local authorities face a difficult task ahead to achieve compliance with the GCSx Code of Connection and the latest data handling guidelines. Many local authorities working towards GCSx implementation have in the past been highly innovative in achieving transformation, particularly through home and mobile working. This has, however, resulted in Code of Connection compliance issues – unfortunately, access to security advice has lagged behind innovation.
    
Government Connect is driving many local authorities to retro-fit security measures, such as virtual private networks (VPN) and dual factor authentication. Local authorities have also used Virtual LANs (VLANs) extensively to separate private and public traffic. Whilst VLANs provide separation without replicating network infrastructure, they do introduce security risks that must be addressed.
    
Technical and management solutions exist to overcome these issues, but probably the biggest challenge is managing the cultural change to local government’s established approach to information security and data handling. Councils must ensure there is clear board level accountability for information assurance: it cannot be left to ICT staff alone. Training is also required for all staff handling sensitive personal data so that they understand the applicable security and information assurance policies.
    
Government Connect is working with Socitm (Society of Information Technology Management) and the LGA (Local Government Association) to develop a support service that will help local authorities tackle issues such as those described above. Funds in the order of £500k have been pledged by Government Connect and the LGA to provide the best possible advice and guidance. A senior steering group is being established comprising representatives from Socitm, the LGA, Government Connect and CESG together with the local authorities that have already achieved compliance.
    
Many of the detailed questions raised by local authorities have already been answered and the intention is to compile a ‘toolkit’ of advice, guidance and actual solutions. Socitm has created a web discussion forum and is running conference calls in which local authorities can engage directly with CESG and other experts on specific subjects.

The business case
When pressed, local government officials generally agree that improved information security measures and cross-government connectivity are a good thing, but are far less forthcoming about weaknesses in their own information security arrangements. From a local government point of view the business case for Government Connect can therefore be a hard sell. How do you justify the cost of improving information assurance?
    
For most authorities the immediate benefits of connecting are linked to risk management: for example, improved compliance with the Data Protection Act and reduced likelihood of experiencing a data loss, combined with the embarrassment of being found culpable for such a loss. The Information Commissioner now has the power to carry out spot checks and impose fines. This is a powerful motivator, but can still fail to impress cash-strapped councils that do not believe their information assurance measures are flawed.
    
As with many infrastructure projects the more attractive benefits are in the medium to long term. The service transformation agenda is critically dependent on trusted, robust and highly available connectivity across government. For programmes such as ‘Tell us Once’ and ‘In and Out of Work’ such connectivity can only be provided by Government Connect. Local government is enthusiastic about the service transformation agenda as such programmes have huge potential to improve public services.
    
Perhaps the greatest opportunity for cash savings from Government Connect is for councils to use the network as a platform for shared services. Currently there are many regional shared service partnerships across local government supported by various network and IT infrastructures. Historically, the Government Secure Intranet has not positioned itself well as an enabler of shared services and has lost ground to independently procured regional networks. This is a great loss because the GSi and GCSx are national networks procured on the best commercial terms in the public sector.
    
Local government will soon need to position itself to participate in the Public Sector Network (PSN), which will eventually replace the GSi. Those councils able to operate shared services using nationally procured network infrastructure provided by Government Connect are likely to have the lowest costs and greatest flexibility to share services.
    
To encourage local government to embrace the business advantages of using GCSx, Government Connect has created a £1.5m benefits realisation fund to be managed by the Improvement and Development Agency (IDeA). Local authorities may apply for awards in the order of £25k where their implementation of Government Connect is creating new best practice that can be shared with others. The scope of qualifying initiatives is virtually unlimited and includes both technical and business process projects. Qualifying business process projects might include reforming council services such as Youth Offending Teams, Trading Standards, Registrar Services, Parking and Benefits. Examples of technical projects might include running shared services over GCSx, e-mail migration and file sharing.

For more information
Go to www.govconnect.gov.uk.
