Why government data protection efforts need a post-pandemic reboot

With the use of personal data likely to continue increasing as governments build their digital transformation strategies, Sascha Giese, head geek at SolarWinds, asks how the public sector can ensure its systems are safe

Posted 29 September 2020 by Christine Horton

Brought once again into focus by conversations around COVID-19 contact-tracing apps, the data the government holds on the public is a controversial topic.

Indeed, in July this year, the UK government admitted its contact-tracing programme was “unlawful,” having failed to carry out a data privacy impact assessment (DPIA) to prevent breaches of patient information before it was launched.

But that’s just the tip of a potentially enormous iceberg. Across the public sector, personal data is in use across departments from Social Security and health, to tax, education, and immigration. If cybercriminals gain access to any of those databases, there’s scope for malicious activity to quickly follow, with a serious impact on vital services and individual members of the public.

Historical cybersecurity challenges

The risks are longstanding and very real. A recent Freedom of Information (FOI) request, for example, found the UK central government reported almost 500 personal data breaches to the Information Commissioner’s Office in the 2020 fiscal year. In 2017/18, the Ministry of Justice alone suffered 3,184 data breaches, and back in 2007, HMRC lost personal data relating to 25 million citizens.

Last year, another FOI investigation found nearly a fifth of UK public sector organisations reported more than 1,000 cyberattacks in 2018. This is despite more than 95 percent of respondents using firewalls, antivirus, and malware protection.

The main challenge experienced by public sector organisations was competing priorities (71 percent), followed by budget constraints (67 percent). Lack of manpower was third at 59 percent, followed by complexity of the internal environment at 48 percent. Budget concerns were more of a problem for healthcare organisations than for central government. Sixty-eight percent of NHS trusts and Clinical Commissioning Groups (CCGs) reported budget constraints as an issue, compared to 50 percent of central government respondents.

With the use of personal data likely to continue increasing as governments build their digital transformation strategies, how can the public sector ensure its systems are safe?

What makes data protection effective?

The starting point must be an understanding of what “safety” represents. In the context of information security, it’s a relative term. There can never be 100 percent security, so safety should always focus on minimising risks. As a result, foundational requirements should include securing perimeters, making sure software, operating systems, and devices are all up to date, maximising resilience against threats such as ransomware attacks, and delivering high levels of compliance.

Ultimately, as the arbiter of compliance policy across every sector—public and private—the government must be particularly focused on its data protection processes and safeguards. Failure to meet current standards—as in the contact tracing example—sets a poor precedent in the wider push for the responsible use of personal data. Public trust, a vital component of long-term successful digital transformation, is hard won and easily eroded. Ubiquitous adoption of digital services can only be achieved in the long term if there is widespread belief in the integrity of personal data held by the government.

Juggling legacy technology and increased regulations

Looking more closely at technology infrastructure, the public sector is particularly vulnerable to the security risks presented by old, outdated legacy technologies. One only needs to look back to the impact on the public sector of the WannaCry ransomware attack in 2017, which exploited a vulnerability in legacy NHS IT systems, forced the cancellation of thousands of appointments, and landed the government with a repair bill in the tens of millions.

The sheer size and breadth of responsibilities faced by the public sector means it must balance a range of historical and emerging challenges. Take the issues presented by the use of facial recognition technologies, for example. In February this year, the Metropolitan Police began deploying live facial recognition systems to—in their own words—“help tackle serious violence, gun and knife crime, child sexual exploitation and help protect the vulnerable.” Those are important objectives, but it’s not that simple, and the subject has been followed by controversy for years. South Wales Police, for example, have been using it since 2017, but earlier this year were found to have unlawfully breached human rights and data protection rules.

This underlines the highly nuanced challenge faced by government in broadening the scope of digital technologies. Where are the boundaries? How much data should be collected? And for those technologies designed to protect the public, how can we be sure they don’t enter the realms of bias, unethical profiling, and a reduction of personal privacy?

As we look ahead to a post-pandemic recovery, where a return to “normal” IT security and data protection issues is possible, the government will have to refocus on these core security challenges. The effectiveness of government data protection will, quite rightly, remain under close scrutiny in the years ahead.

Applying the right technologies, partnering with experienced solutions providers, and focusing on the highest standards of compliance will determine whether the public view digitally powered society as progress or as a dystopian failure.