International - Written by The Guardian on Monday, April 2, 2012 15:33
Data protection by design: CIOs’ response to new security challenges
Protecting data is already a tough job for public sector chief information officers (CIOs) – and it’s only going to get tougher in future.
The European commission recently proposed a comprehensive reform of the EU’s 1995 data protection rules which, if it goes ahead, would have far-reaching effects for the way public sector bodies process personal data.
Such reforms would add a further layer of compliance for government CIOs, who must already deal with the demands of the information commissioner, freedom of information requests and the day-to-day need to keep user and staff data secure.
“It’s tough to know if public sector CIOs are already being more proactive in regards to information security,” says Dominic Batchelor, a partner at law firm Ashurst. “Data protection by design has only become fashionable during the past 12 to 18 months, but its popularity will continue to grow because of changes to the regulatory environment and the requirement for smarter data protection.”
Data protection by design aims to achieve a more proactive approach to security: it ensures no data is collected without the prior identification of a set business purpose and relies on a sound comprehension of the regulatory environment as well as a thorough understanding of organisational objectives.
Rather than being bolted on as an afterthought, privacy is set at the centre of a strategic approach that draws on a careful mix of technology, policy and people.
Kurt Frary, ICT architecture manager at Norfolk county council, says protection by design is the only possible way to manage public sector IT. “It’s not even a choice,” he says. “Modern CIOs have to create security by design if they want to do their job properly. We don’t have to convince people, either; security is absolutely core to our working culture.”
Frary’s strategy places security at the heart of every job role, with employees in Norfolk’s 240-strong IT department aware of their responsibilities. Job descriptions, for example, stipulate how and why an individual is responsible for a particular piece of kit, such as a server system. “We take a role-based approach to the way staff access systems. Security by design, and the opportunity to only access certain data defined by your specific role, is embedded in the way we work,” he says.
Dedicated managers, a security architect and an information architect report directly to Frary and help establish a security framework with different levels of policy. The framework is supported by a mixture of in-house technologies and tools provided through the council’s managed services agreement with BT.
The storage and use of an organisation’s information, rather than its security set-up, creates a larger headache for public sector CIOs, Frary believes.
“When we’re considering whether to upgrade services, we have to take safe harbour considerations into account and make sure that data is not moving outside the EU,” he says, while potential fines from the information commissioner mean security must remain a priority for any public sector organisation.
Sander Kristel, CIO at Staffordshire county council, is also concentrating on information storage.
Data by design is theoretically the way forwards for information-swamped councils, but such an approach needs to be driven by customer need, according to Kristel, with attention directed towards the reasons for collecting, retaining and using customer data.
“Most organisations have taken the ‘protect all data’ approach, which is expensive from a technical perspective, but is easier from a process perspective,” says Kristel.
“Basically, government CIOs often secure a lot of data at the moment that is actually freely publicly available through freedom of information requests. If we do want to use cloud solutions in the public sector, it is really important to be more careful with the data we store before we make a decision.”
Centrally stipulated codes of connection are helping to create a platform for the types of technologies, policies and people processes that can drive data protection by design, the CIO says.
He believes codes stipulated through initiatives such as the Public Services Network will significantly improve customer service, while also working to reduce security risks and data duplication. But the continued use of such codes means CIOs must be proactive and understand how central policy impacts users at the local level.
“Data protection by design is going to be even more complex if we still need to comply with different codes of connection at the same time,” he says. “Cloud will inevitably mean that more of the information governance responsibilities will shift from IT teams to front line users. This shift will require simple, clear local policies and extensive training.”
This article is published by Guardian Professional.
guardian.co.uk © Guardian News & Media Limited 2010