Question to the Cabinet Office:
To ask the Minister for the Cabinet Office, what steps his Department is taking to ensure that Government data which is shared with third-party organisations is protected.
The Central Digital and Data Office, in the Cabinet Office, sets the policy and leads the cross-government approach to the safe, ethical, legal and secure sharing of government data. They work with the Government Security Group, who also lead on the topic of Supply Chain Security.
When sharing personal data with third-party organisations, departments must make sure data is used fairly, lawfully and transparently, in compliance with the data protection principles set in UK GDPR and the Data Protection Act 2018. This includes having the requisite data protection controls and governance in place and working with vendors and partners to identify and remediate any risks. All government contracts with suppliers must consider the security of all information and set expectations for how it should be protected.
Departments are responsible for managing their security risks, including the risks to their information that is held and processed by authorised third parties. The Government Security Standard, local security policies and assurance frameworks such as the Cyber Assessment Framework set out how they should do this. These frameworks and good practice have been collaboratively developed by the Cabinet Office, the National Cyber Security Centre and Departments themselves.