How can public sector organisations best protect and manage their personal and sensitive data

Information governance should be a key priority for all public sector organisations as the risks associated with managing information are increasing. So what steps should your organisation be taking to protect and safeguard your information?

All government and public sector organisations hold significant volumes of personal and sensitive data. We live in an increasingly data rich society where information is highly valued, more accessible and shared more than ever before. With this comes associated risks for storing, protecting and securing information.

We have seen over recent years a number of high profile incidents where information and data security breaches have hit the headlines, generating negative publicity for public sector organisations and in some cases the resignation of senior officials.

Information governance should be a key priority for all public sector organisations as the risks associated with managing information are increasing. So what steps should your organisation be taking to protect and safeguard your information?

Understand your information landscape
Many organisations are starting to implement or strengthen control measures to protect data. But if an organisation does not have a clear picture of its information landscape, how can it set an appropriate strategy to protect this information? It is essential to have a comprehensive understanding of - What data do you hold? Where the data is held? When and how is data transferred between locations? Understanding your information landscape enables you to better consider how to protect and manage it effectively.

Assessing your risks
Organisations may hold many different data sets and have an array of controls to protect this data, but do the controls effectively target the risks faced? Developing a comprehensive data map and assessing the risks to your data sets enables you to understand the threats that exist and the potential value of your data. Control improvements can then be targeted towards the areas of higher risk to generate a focused and prioritised plan for improvement.

Evaluating the control environment - it’s not just IT
There is a common misconception that information governance breaches only occur due to weaknesses in technology or IT security. Inadequate controls over technology can be a factor, but weak processes and/or inappropriate behaviours adopted by the people responsible for handling sensitive data are also critical. The fact remains that many breaches still result from simple human errors and process failings.

Focus on sustainable solutions and not just quick fixes
Improvements to your organisation’s approach to managing information governance are not just a point in time exercise. It is essential to make sure you have an overall strategy and implementation plan for information governance. It is important that the changes are embedded throughout the organisation to bring out the cultural change required. It is also imperative that you assess the effectiveness of these activities.

To improve data handling and security, mandatory guidance has been issued by the Cabinet Office - ‘Data Handling Procedures for Government’. There have been further guidelines issued by the Local Government Association and there have been communications from the Department of Health for health bodies

Following the HMRC disc loss, PricewaterhouseCoopers then Chairman, Kieran Poynter, was asked to lead the independent review of information security at HMRC. With the Poynter report being seen as one of the most comprehensive views of the information security agenda, the firm is in a unique position to share its knowledge and depth of understanding around this topic, as well as give practical and prioritised steps to manage information governance.

Contact details
Email: Neil Austin
Tel: +44 (0)191 269 4029