UK Government Faces Calls to Boost Data Security After Secret Review Revealed

London – The UK government has been urged to accelerate its efforts to improve data security after it released a previously confidential internal review that detailed systemic failings behind recent high-profile data breaches.

The 2023 Cabinet Office review, commissioned under the Rishi Sunak administration, was made public on Thursday in response to pressure from lawmakers and the UK’s data privacy watchdog. The findings highlighted three recurring weaknesses across government departments, including the Ministry of Defence (MoD) and HM Revenue & Customs (HMRC).

Review Findings & Key Themes

The internal report analyzed public sector data breaches over the past five years, identifying common themes despite public servants “acting in good faith.” According to the review, security lapses stemmed from:

  • Ad-hoc Data Exports: A lack of controls over sensitive data downloaded or exported from databases.
  • Mishandled Emails: The release of confidential information via emails sent to the “wrong recipient” or through visible email address fields.
  • Hidden Data: The presence of personal data concealed within spreadsheets intended for public release.

The review’s 14 recommendations were grouped into four categories: process and governance, technology, policy, and culture and training. A subsequent letter from senior civil servants to the Science, Innovation and Technology Committee confirmed that 12 of the 14 recommendations have been implemented.

Pressure from Watchdog & Lawmakers

The Information Commissioner’s Office (ICO) has warned that the government needs to go “further and faster” to raise data protection standards. In a letter dated July 25, Information Commissioner John Edwards called for a central board to take charge of consistent data protection practices across government, stating that “central coordination…is essential for avoiding further incidents.”

The push for transparency and reform was led by Dame Chi Onwurah, chair of the Science, Innovation and Technology Committee. The review’s existence was not public knowledge until it was published in response to her requests for information following the 2022 MoD Afghan data breach, which affected more than 18,000 individuals seeking relocation.

“It is concerning that it took an intervention from my committee and the information commissioner to make this happen,” Onwurah said. She has asked ministers and the Information Commissioner to appear before the committee to explain why two recommendations remain unimplemented and why the review’s existence was kept secret.

Economic Implications

The government’s data security challenges pose a significant risk to its broader economic ambitions. Onwurah noted that for the government to fulfill its goal of using technology to boost the economy and transform the public sector, it must first earn the public’s trust in its ability to secure their data.

The government’s actions, or lack thereof, on data protection will be closely watched as it seeks to digitize services and handle increasingly sensitive information. The ongoing scrutiny from parliamentary committees and regulators underscores the high stakes for public trust and the economic implications of data governance failures.