Friday 27 Jun 2008 @ 14:23
Scottish Government
Review of data handling
A review of information security policies and data handling arrangements in Scotland has been published recently by the Scottish Government.
Public bodies in Scotland generally maintain high standards of data handling, but there can be absolutely no complacency in ensuring that information continues to be handled appropriately, John Swinney said today.
The Cabinet Secretary for Finance and Sustainable Growth was speaking as the review was published. It showed that there were generally high standards across the public sector, but identified areas where improvements could be made.
Mr Swinney said:
"People in Scotland have the right to expect that personal or sensitive information will be handled in accordance with the very highest standards. Recent problems, both in Scotland and at a UK level, including those at the Scottish Ambulance Service, have highlighted the importance of ensuring all those charged with handling sensitive public information adhere to these standards.
"This review was ordered to address justified public concern and also to identify any areas where we needed to improve.
"Notwithstanding events this week, the review shows that public bodies across Scotland generally have high standards of data handling - but I am clear that there can be no complacency. There are some areas where improvements can be made and we will work with other public sector bodies in Scotland to ensure these improvements are made."
On November 23, 2007, the Scottish Government announced it would conduct a co-ordinated review of information security policies and data handling arrangements in Scotland. The Scottish Government's Strategic Board set up a team, led by the Director-General Justice and Communities, to support and co-ordinate this review.
The review team were to consider:
* The procedures currently in place for the protection of data
* Their consistency with Government-wide standards and policies
* The arrangements for ensuring that policies and procedures are being fully and correctly implemented
The team were also asked to identify areas of good practice and to make recommendations on improvements that should be made.
The second phase of the review was also intended to identify examples of good practice across the public sector in Scotland and make recommendations on improvements in risk management.
The completed responses to the review of information security policies and data handling arrangements were analysed in detail and an action plan created to target areas of concern.
A follow-up review will be carried out with some organisations. This exercise will identify further remedial action that should be taken to address problems. A number of random audits are also planned to validate the accuracy of responses from medium/high scoring organisations.
The key recommendations are:
* The Scottish Government should provide more leadership and act as the source of centralised, authoritative guidance and assistance for Scottish public bodies
* The Scottish Government should be more proactive in its efforts to ensure compliance with security standards, including by actively monitoring compliance through audits or health checks
* The Scottish Government's expectations of public bodies with regard to information security, risk management and data sharing must be clearly defined and easily accessible, with minimum standards set for each of these areas
* The Scottish Government should ensure policies and procedures do not impede legitimate access to information and data sharing in ways that are detrimental to the efficient operation of business
The assessment of the review team was that there is a need for further measures to improve the security of sensitive information. In line with the conclusion of the earlier update and the stated views of the respondents to the questionnaire, we believe that there is a need for higher levels of central oversight and guidance, rather than these bodies devising their own policies, procedures and guidance.