GDS publishes principles for securing data across government departments

The UK government has published new guidance to help departments securely share personal data while complying with data protection laws, in a move designed to support more joined-up digital public services.

The guidance, developed by the Government Digital Service (GDS), sets out a series of principles intended to help delivery teams safely manage and share personal information across organisational boundaries while maintaining strong privacy protections.

“When government departments share data effectively, they can deliver better outcomes, more efficient public services, and reduced burden on citizens who shouldn’t need to provide the same information multiple times, said James Freeland, senior data and security architect, GDS.

“These principles focus on the operational challenges of managing datasets containing personal information that departments need to deliver essential services, such as managing benefits payments, tax, health records and vehicle and driver records. 

While UK law already provides safeguards through legislation such as the Data Protection Act 2018 and UK GDPR, GDS says additional operational guidance is needed to ensure departments apply these rules consistently when designing and running digital services.

“The principles provide consistent standards that give teams confidence when sharing data across organisational boundaries, ensuring that the benefits of better-connected services are realised ethically and securely,” said Freeland.

Ten principles for secure data sharing

The guidance sets out ten principles for securing personal data in government services: 

1. Plan your response to incidents before they occur – maintain robust plans to detect, respond to and recover from any data incidents quickly and effectively. 
2. Minimise data exposure when sharing – share only the personal data that’s genuinely needed for the specific purpose. 
3. Secure your supply chain – ensure third-party suppliers and partners maintain equivalent security standards when handling government data. 
4. Process data lawfully and ethically – handle personal data in line with legal requirements and ethical expectations, with clear justification for its use. 
5. Know who owns and is accountable for your data – establish clear accountability for each dataset, including responsibility for its protection and governance. 
6. Apply appropriate security controls – match security measures to the sensitivity and scale of the data being protected. 
7. Enhance privacy when combining data sources – use privacy-preserving techniques when linking datasets to protect individual identities. 
8. Use appropriate identifiers when matching data – handle personal identifiers carefully and proportionately. 
9. Consider the needs of all individuals – ensure security measures account for everyone, including those who may be in vulnerable circumstances. 
10. Ensure your team has the right skills and clearances – staff handling personal data must have appropriate training, expertise and security clearances for their role. 

Collaboration across government and industry

According to GDS, the guidance was developed through collaboration with experts across government, including the Cabinet Office Government Security Group and specialists from the National Cyber Security Centre.

The process also included more than ten months of consultation with stakeholders such as the Information Commissioner’s Office and wider data protection and cyber security communities.

To ensure the principles work in real-world scenarios, they were tested against existing data-sharing use cases between major departments including the Office for National Statistics, HM Revenue & Customs and the Department for Work and Pensions.

Senior leaders, delivery teams and data professionals across government are now being encouraged to adopt the principles when developing new services or updating existing systems.

Officials say embedding these practices early in the design of services will help departments share information more effectively while maintaining public trust in how personal data is handled.