Question to the Cabinet Office:

To ask the Minister for the Cabinet Office, what steps he plans to take to improve the clarity of advice to government departments on protecting data.

The Government’s Security Policy Framework has clear requirements on Information Assurance which are mandatory for departments. They include a range of measures including the Classification Policy which set out expectations of how government will protect the wide variety of information that it generates, collects, processes, stores and exchanges appropriately and effectively. As the NAO report acknowledges, the UK government is acknowledged as a world leader in this area.

However, we are conscious that these policies and structures have grown organically over time and need to keep pace with Government’s digital transformation plans. So the Cabinet Office conducted its own review of Government security in early 2016 and many of the findings are consistent with the NAO report. We are already starting to implement the recommendations in the review.

For example, we are already well underway in strengthening oversight of information security by bringing together nine separate central teams into just two. We have also appointed the Government’s first ever Chief Security Officer to bring together all disciplines of government security under central leadership. As part of this work Cabinet Office is working with GCHQ and the Government Digital Service to rationalise and clarify the guidance to departments on information security and protecting data. The National Cyber Security Centre which is due to stand up in the autumn will also play a lead role in advising departments on cyber security.

But we can and will do more and we will respond fully to this report in due course.