Connecting the Public Sector by Informed Publications Limited

November 2009

Connecting the Public Sector ‐ Safeguarding citizen data in an unsafe world

Published by LGITU magazine, with support from www.UKauthorITy.com, Tomorrow’s Town Hall and Government Connect. © Informed Publications Ltd, November 2009

Connecting the Public Sector

2009

Index Section

Page

Introduction ‐ Data Security, Frontline Services and Secure Communications

Executive Summary

2.1 What is the corporate attitude to sharing citizen data?

2.2 Is there truly a need to share sensitive citizen data?

2.3 So who shares with whom?

2.4 And how is this shared?

Methodology 3.1 Response: Quick Poll (total: 105)

3.2 Response: In‐Depth Survey (total: 103)

Results ‐ Quick Survey

4.1 Do you share sensitive information about citizens with other public sector organisations?

4.2 Do you ever share this data by post/paper/solid media?

4.3 Do you ever share this data by secure network communications?

4.4 Are all staff regularly trained regarding the sensitivity of citizen information and the importance of adhering to correct procedures for its handling?

4.5 Is there a need to share sensitive citizen data in order to improve the quality and efficiency of public service delivery?

4.6 Would accessing databases in other public sector organisations improve/help the way services are delivered?

4.7 Would trusted and secure data sharing be essential in order to deliver 'Total Place' public services?

Results ‐ In‐Depth Survey 5.1 Does the organisation's work involve collecting, using or storing information about citizens?

17 17

5.2 Does the organisation's work involve sharing this information?

5.3 How sensitive is the most sensitive information shared?

5.4 Handling information about the citizen

5.5 How do organisations share sensitive citizen data with the others?

5.6 Which policy agendas or initiatives impact the handling of sensitive citizen data?

5.7 Which legal requirements affect the way your organisation handles sensitive citizen data within its daily work?

5.8 Does your organisation share sensitive citizen data with other organisations?

5.9 Which databases would help your council to deliver services if they were accessible electronically from your local authority offices?

5.10 Additional comments on the issue of secure handling/sharing of sensitive citizen data 6

GC Communicate – 2009 highlights

25 27

6.1 Opportunities for improving service delivery using GCSX

6.2 The Public Sector Network –Partnership and Innovation

6.3 Aggregated Connection to GCSX Saves Kent £1m

6.4 In and Out of Work over GCSX

Page 1

Connecting the Public Sector

2009

Section (Cont’d)

Page

6.5 Tower Hamlets join the GCSX network and adopts In and Out of Work

6.6 Caerphilly County Borough and Gwent Police work together over GCSX

6.7 Preston looks forward to fast, secure data exchange

6.8 South Hams gets secure access to DWP systems

6.9 How secure is LA Remote Access?

6.10 Libra ‐ available soon over the GCSX

GCSX and Central Government

Government Connect Benefits Realisation Fund – Local Authority Pilots

8.1 Bristol City Council ‐ Trading standards and intelligence sharing in the South West (SWERCOTS)

8.2 Conwy County Borough Council ‐ Joint Asset Recovery Database (JARD)

8.3 Dartford Borough Council ‐ Kent Connects Kudos – tackling crime and antisocial behaviour

8.4 Devon County Council, on behalf of the Devon ePartnership ‐ Flexible Working

8.5 Dudley Metropolitan Borough Council ‐ Business Crime Partnership

8.6 Great Manchester Public Protection Partnership (GMPP) ‐ Business Compliance – Regulatory Services

8.7 Halton Borough Council ‐ ‘Place shaping’ through GIS data sharing

8.8 Hampshire County Council on behalf of the Hampshire and Isle of Wight Partnership ‐ Exploring a regional approach to employee authentication 8.9 Lancashire Council (Lancashire Constabulary & Police) ‐ Antisocial behaviour data sharing in Lancashire 8.10 Lichfield District Council ‐ Business data sharing in the West Midlands

8.11 London Borough of Islington ‐ No Recourse to Public Funds

8.12 London Trading Standards Authority (LOTSA) ‐ Trading Standards and Regional Intelligence in London

8.13 North Kesteven District Council, on behalf of the Lincolnshire Public Sector Working Group ‐ Customer Data Hub 8.14 Plymouth City Council on behalf of Devon ePartnership and Isles of Scilly ‐ Civil Contingencies/Emergency Planning 8.15 Rochdale Metropolitan Borough Council ‐ Blue Badge Scheme

8.16 South Lakeland District Council ‐ Information sharing to facilitate a needs led approach to older people 8.17 Sunderland City Council ‐ Births ‐ Tell Us Once

38 39

8.18 Torbay Council on behalf of Devon ePartnership ‐ Safeguarding Children ‐ GC Mail

Appendix I ‐ Quick Survey Response

38 38

i. Councils (Quick survey) – Total: 105 frontline organisations

ii. Job titles (Quick survey)

Appendix II ‐ In‐Depth Survey Response

i. Councils (In‐depth questionnaire) – Total: 103 frontline organisations

ii. Job titles (In‐depth questionnaire)

Appendix III ‐ Questionnaires

© Informed Publications Ltd, November 2009 All rights reserved. This survey was researched and written as a snapshot of local government and other frontline public services attitudes towards the safeguarding of citizen data within the context of transformation of local service delivery. Whilst every care is taken, the publishers and project partners accept no liability whatsoever for the content or accuracy of this research and the opinions expressed in this report.

Page 2

Connecting the Public Sector

2009

1. Introduction Data Security, Frontline Services and Secure Communications Can local government and other frontline services keep citizen data safe in this new era of collaboration and service transformation? As the March 2009 deadline for joining up to the government secure extranet, GCSX, loomed, Richard Steel, former president of Socitm and CIO of Newham ‐ and GC Programme Board member ‐ wrote, “We are learning, through Government Connect, that central and local government can work well together. OK – mistakes have been made, and lessons have been learned, but in less than a year, spectacular progress has been made in joining‐up securely and efficiently. Good job too! If ever there was a need for secure, efficient and joined‐up government, high profile data losses and the credit crunch conspire to tell us it’s now! “Government Connect lays the foundation for a single pan‐government security infrastructure. It can’t make sense, and is spectacularly inefficient, for local government to engage separately with each central government department. I’m delighted, therefore, that the Government Connect team aims to work with the Public Service Network programme, and related developments to advance the vision, further enhancing our ability to deliver public services securely and efficiently and demonstrating that Government really can connect!” Government Connect extended the deadline for many councils to complete their CoCo (code of connection) until the end of September. Over the summer, LGITU magazine began to ask: • • • • • • • •

Is there a need to share sensitive citizen data outside the organisation? Are councils routinely sharing such data with other local authorities or other parts of the wider public sector? And if so, how are councils sharing this data? Is the sector implementing the LGA ‘best practice’ Data Handling Guidelines? Would the process of gaining what is essentially a ‘certificate’ acknowledging high security standards ingrain the importance of data security across the sector? Would all councils achieve this high level security assessment by the final deadline? Can the public sector therefore meet the dual needs of safeguarding sensitive citizen data whilst sharing information to deliver efficient, improved public services? Can connection to a secure pan‐public sector communication network bring ongoing benefits?

LGITU magazine, in partnership with its sister online publications, www.UKauthorITy.com and Tomorrow’s Town Hall, approached the Government Connect team for support in undertaking this project. Government Connect generously funded the data collection and research activities, ceding editorial control to the LGITU research team. The project aimed to gather views and opinions from senior frontline officers – from both the technology and departmental user perspective. The research was conducted in, and is reported on, an anonymous basis. However, details of councils participating and the job titles of respondents to the two research tools can be found in Appendices I and II. The following report, published in November 2009, outlines the key findings in an executive summary, the methodology and overall response rate to the research project, results, a round‐up of news from the Government Connect team in the run up to the final deadline and an update on the Government Connect Benefits Realisation Fund activities.

Page 3

Connecting the Public Sector

2009

2. Executive Summary Connecting the Public Sector In an era of high profile data loss and data leaks, why do local authorities still put sensitive citizen data in the post? Helen Olsen, managing editor of Informed Publications, reviews the findings of LGITU magazine’s survey assessing how sensitive citizen data is shared across frontline services today. As a citizen it is astonishing to learn from this research that, despite almost two years of media headlines covering the most basic and unbelievable ‘accidental’ data losses, local authorities up and down the country still consign sensitive citizen data to the vagaries of Royal Mail ‐ or worse, to unsecured laptops and removable media that then get left lying about. From the continuing crop of stories on the news pages of national and specialist press, the Information Commissioner is no less exasperated. A number of councils have had their knuckles rapped in the last couple of months, and a quick look at the excellent Public Sector Forums’ Public Sector Data Breach Log 2009 lists 23 such incidents occurring in UK local government alone in the three months prior to his report. LGITU’s research, conducted over the same time period ‐ late summer 2009 ‐ looked at who was sharing what, and with whom, across frontline services when it came to citizen data. With support from Government Connect, its sister online news services, UKauthorITy.com and Tomorrow’s Town Hall, LGITU magazine conducted two surveys: • •

an in‐depth questionnaire (103 respondents) a quick poll among those not participating in the in‐depth survey (105 respondents)

Both surveys had over one hundred respondents from the breadth of local authority types, from across the country, with a number of police, fire and health organisations also participating. The response rate for local government was 34.4% ‐ over one third of all UK authorities. Approximately two thirds of these responses came from departmental users, one quarter from heads of IT and IT seniors, and the remainder from chief executive/councillor/senior corporate officers.

Response

% of organisation type

Police

7.7%

Fire

8.8%

Health

4.8%

Local Authorities

43.9%

Unique authorities

34.4%

Unsurprisingly, over 98% of respondents dealt with citizen data – those that did not were in GIS, land charges or land & property gazetteer departments. Arguably, whilst their work would revolve around property‐based data, communication about this data with the citizen would still necessitate the collection and handling of citizen data. Across both surveys, almost eight in ten (79%) shared sensitive citizen information with other local authorities or other parts of the public sector. 2.1 What is the corporate attitude to sharing citizen data? The LGA published a set of Data Handling Guidelines for Local Government last November. These were developed in partnership with Socitm, and endorsed by Solace and the IDeA, in a bid to stem the flow of data loss from the public sector and foster a culture of data protection.

YES ‐ we share citizen data with: (source: indepth survey) Other local authorities Other frontline services

It was surprising therefore to learn that not all councils had an ‘Information Charter’ outlining how citizen data is handled – just 40% said that their council did. Researchers wondered at first whether this could be simply lack of awareness on the front line, but 23% were quite sure that there was no charter in place – in direct

contradiction of the Data Handling Guidelines. The remainder, nearly four in ten, were unsure.

90% 82%

Commercial organisations

78%

The third sector

77%

Central government

69%

Page 4

Connecting the Public Sector

2009

Reassuringly, over nine in ten (93%) were sure that all personal information was kept within secure ICT systems – in accordance with the guidelines.

Training for data

From the detailed survey, however, a disconnect starts to appear between the central/high‐level view and that in the technology and user departments. Looking at items from the LGA Data Handling Guidelines, corporate/chief executive respondents all answered either yes or ‘don’t know’ to questions about ICT systems being specified in line with government data security minimum standards; their council having a Corporate Information Risk Policy, and having all the council’s key Information Assets classified and allocated an ‘owner’. None of this subset answered no to these items.

at present. GC is changing this as we are required to actively train all staff accessing IT

In marked contrast, few of the technology or departmental respondents said ‘yes’ to the above. This group accounted for 38% of the total sample saying either they did not know or their council definitely did not specify minimum government data standards in ICT systems’ procurement. A total of 45%, again all technology or departmental respondents, said ‘no’ or ‘don’t know’ to their council having a Corporate Information Risk Policy. Twenty nine percent said that Information Assets were definitely not classified; with a further 42% not knowing whether or not they were. Thirty four percent said that information assets were not allocated owners, with a further 36% not knowing whether they were or not.

handling: “Piecemeal

systems.”

Training for data

In summary, the chief executive group was saying ‘yes’ to these questions; while the majority of the technology and user groups were saying either ‘no’ or ‘don’t know’. The intentions are evidently there, but the practice is not filtering through. One further question highlighted this disconnect from the centre: Do councils have a Senior Information Risk Owner (SIRO) owning information risk? Just one chief executive said no. However, two fifths of the technology group and nearly a third of the departments said no. In total, 30% of the sample said that there was no SIRO at their council; with a further 32% unsure. Worryingly, in light of the unending stream of data loss and data breach stories in the media over the last few years, whilst the majority of corporate/chief executives said that there was a clear incident reporting mechanism in place for such occurrences, 14% of the sample said that there was not, and 27% did not know.

handling: “Policy exists but formal and recurring training does not.”

It is disappointing, to say the least, that so few of those working with sensitive citizen data could answer ‘yes’ to this question.

Need to share?

More worryingly, just two thirds (66%) said that staff were regularly trained regarding the sensitivity of citizen information and the importance of adhering to the correct procedures for its handling.

need, as all headline cases of child abuse could have been prevented if agencies communicated with

The answer, of course, should have been 100% ‘yes’ in both the above instances. Indeed, not one chief executive respondent said that their council did not have such a policy or training mechanism in place. Which, of course, would be the correct answer: all should have both policy and training. Results from the quick poll verified this finding: 63.8% answered yes to the same question. But that leaves nearly four in ten either not sure or, worse, definitely sure that their council did not have regular training on how to handle sensitive data.

“There is clearly a

each other.”

One said that training was “piecemeal at present. GC is changing this as we are required to actively train all staff accessing IT systems.” Another, very honestly, replied: “Policy exists but formal and recurring training does not.”

Page 5

Connecting the Public Sector

2009

These results contrast starkly with the finding that 96% of respondents felt that the legal requirements of the Data Protection Act impacted they way in which they handle citizen data. Nearly eight in ten (79%) felt that the Human Rights Act, and 94% the Freedom of information Act, had an impact on the way their council handled sensitive citizen data. It is clear that the importance of keeping citizen data safe has permeated throughout local authorities. But the practicalities of ensuring that this be so – for example by implementing the LGA Data Handling Guidelines throughout the authority – are not filtering down to the troops.

2.2 Is there truly a need to share sensitive citizen data? Well, 77.1% of the quick poll said that in order to improve the quality and efficiency of public service delivery, yes, there was: “Immensely so – for place shaping, service take up, increased customer insight, offering of value added services and, most importantly, preventative services,” said one. Added another: “There is clearly a need, as all headline cases of child abuse could have been prevented if agencies communicated with each other.” In the long survey we explored the drivers for secure data sharing. Shared services would obviously require secure exchange of information according to 82% of respondents. Mobile and flexible working also required this capability in the minds of 81%. For 67% ‘Tell Us Once’ and for 61% MAPPA (Multi‐Agency Public Protection Arrangements) required secure exchange. One senior IT officer noted: “(The) personalisation agenda requires secure data sharing. Partnership activity also, he said, “appears to focus on protocols and high level contact. More detailed work is needed to make the partnerships more effective at a data sharing level.

Need to share?

“(The) personalisation agenda requires secure data sharing.”

Need to share?

“Immensely so – for place shaping, service take up, increased customer insight, offering of value added services and, most importantly, preventative services.”

“It would help if e‐GIF were treated seriously – local authorities actively rather than passively ‘encouraged’ to share information, and application suppliers forced to invest in integration and data exchange as a basic part of their packages not as expensive, bespoke add‐ons.”

Interestingly, in the long survey, just 13% felt that the new Total Place proposition would require secure sharing, with almost three quarters (73%) not sure. When the quick poll was conducted approximately six weeks later, however, the situation was reversed – perhaps more was by then known about this new approach – with 76.2% saying that, yes, trusted and secure data sharing would be essential in order to deliver ‘Total Place’ public services.

Total Place: “Unless

Stated one respondent: “Total Place looks at how a whole area approach to public services can lead to better services. In order to achieve this it requires data analysis across the whole area. This data will come from a range of service providers on a range of different criteria, ie information on crime and anti‐social behaviour. “Unless this data is shared an informed and holistic view cannot be taken on issues such as where services need to be better targeted. The approach must be evidenced based and cannot be delivered by a single agency or group.

this data is shared an informed and holistic view cannot be taken on issues such as where services need to be better targeted.”

“It needs a consistent and collaborative approach which eliminates duplication and joins up activity.” It is hard to see how this can be achieved without a secure information sharing platform. GCSX will inevitably play a key role ‐ how else can you uniformly and securely share necessary information or enable secure joint working across the police, NHS, local authority and central government within an area?

The common denominator, the secure government infrastructure, will, by 2012, become the next generation Public Service Network. It is hard to see how the public sector could justify missing the opportunity this presents in tough economic times.

Page 6

Connecting the Public Sector

2009

However, coming back to the drivers and the LGA Data Handling Guidelines, it is worth noting that just 58% of respondents said that the guidelines would require secure data sharing. Which, feel the researchers, rather misses the point. Indeed, whilst the value of information was recognised, researchers detected confusion as to what these guidelines were and how they should be implemented – how information security could be aligned with the business process. Said one departmental respondent: “Information security is not just about confidentiality. It is also about data quality and availability, which is the real key to cost‐effective frontline service provision.

Information Security:

“...is not just about confidentiality. It is also about data quality and availability, which is the real key to cost‐ effective frontline service provision.”

“Information security also needs to be aligned to the strategy of the organisation and built into its business process.”

But, he added, “Please give clear guidance on how to allocate a SIRO.”

2.3 So who shares with whom?

Data was currently shared by 78% of the sample with other local authorities, by 74% with the police, 71% with DWP, 64% with the Audit Commission, 59% with HMRC, 56% with HM Courts Service, 56% with health organisations, 51% with schools, 47% with CLG, 42% with DCSF, and 47% the Ministry of Justice.

Service

The organisations’ databases that most would find helpful to have electronic access to in their own office were: National Fraud Initiative (62%), National Blue Badge Register (60%), DVLA (59%), National Pupil Database (54%), Joint Asset Recovery Database (53%), Hospital Leavers & Admissions Database (52%), Persistent Offenders Register (50%), Electronic Patient Care Records (50%). Interestingly, only just under half, 48%, thought that access to ContactPoint would help. Indeed, the potential for service improvements was not lost on respondents: “If we are to improve health and social care as a whole there will be a need to share data across several organisations.” One fire authority said that sharing information with PCTs “will help us to identify vulnerable people... and enable us to target them with community safety initiatives to help drive down the incidence of accidental dwelling fire.” There is a definite opportunity for innovation in the use of data to improve services. Take the DWP’s CIS ‐ finding and fighting fraud is the obvious use, but what about using CIS data to inform a proactive concessionary parking service? It could check the status of invalidity benefit and DLA and simply issue a continuation of a blue badge, rather than making the resident go through the whole application – and proof of eligibility – process again.

3.4 And how is this shared? Whilst it was encouraging to see that, where appropriate, information was being shared, in many cases it was disappointing to see that not all use secure communication routes to share this data. A frankly astonishing 45.7% in the quick poll shared sensitive citizen data by post/paper or removable storage media. In the long survey, 44% regularly used paper/post/courier and 22% USB/CD/post/courier combinations to send sensitive citizen data to other local authorities. Almost three in ten (28%) and 12% respectively used these methods when sending data to central government.

improvement: “If we are to improve health and social care as a whole there will be a need to share data across several organisations.”

Service improvement: “(it) will help us to identify vulnerable people... and enable us to target them with community safety initiatives.”

In light of the constant haemorrhage of data loss suffered by the public sector in recent years this can be described, at best, as unfortunate.

Page 7

Connecting the Public Sector

2009

Apart from the risk of loss or theft there is also the unreliability of the post to consider ‐ CRB checks stuck in postal strikes will hold people up from starting jobs. Ongoing industrial action by the Communication Workers Union (CWU) in the second half of 2009 only increases the risk – with reports that much of the post held up in London industrial action late summer may never be delivered. The internet goes down, yes, but not as often as the post these days. In addition, the GSCX has back up and business resilience built in to its contracts. There is no reserve postal service waiting in the wings. On a more positive note, however, 54% of councils now use the secure government network (GCSX) and 15% a secure point to point connection when sending information to central government. And 41% used the GCSX to share sensitive data with other authorities. In the quick poll 61.9% said that they used the GCSX to share data. Indeed, from the comments relating to this section it would appear that the programme has gained significant traction in recent months. Many indicated that they would be using the infrastructure more often once everyone was connected at the end of September: “Not yet,” said one, “But we will begin to as we have just had our GCSX connection approved.” Another said that the network was “currently being rolled out throughout this authority”.

Awareness:

“Government Connect has helped raise some awareness, but many councils (connected and unconnected) remain in an immature IS‐capable state.”

The lack of uniform approach across the sector was recognised by one respondent, who suggested that base security levels would need to be mandated to see progress: “Until all councils have mandatory and auditable board‐level ownership of information security risk, the situation will remain unsatisfactory. “Government Connect has helped raise some awareness, but many councils (connected and unconnected) remain in an immature IS‐capable state.” This view was echoed by a departmental user: “There is still a perception among many people and organisations (not specifically local government) that ordinary email is a secure system.” Indeed there was, said one user, a need for a national forum: “There are so many agencies involved and with an interest. We need to get together to discuss best practice.” Organisations that should be around the table in such a form, suggested the user, include ALGIS (within the Local Authority Research and Intelligence Association), the National Association of Data Protection Officers, National Association of Information Management, Chartered Institute of Library and Information Professionals, Records Management Society, Socitm, and the Society of Archivists. However, from the end of September, when all local authorities are required to connect up to the secure government communications infrastructure, there should be no excuse for entrusting sensitive data to the post or courier either on paper or removable storage media. Indeed, speaking as a citizen, for all citizen data the preferred option should be a secure communication channel. How many parents wait nervously for the day those ‘lost’ child benefit disks turn up in a pub car park? For local‐to‐local or local‐to‐central/other frontline services, the secure routes provided by GCSX and the wider secure government network should be the first option considered.

Awareness: “There is still a perception among many... that ordinary email is a secure system.” Awareness: “There are so many agencies involved and with an interest. We need to get together to discuss best practice.”

Apart from the security, just think of the time and cost savings. Add in the carbon reduction element and, again, from a citizen point of view, it’s a winner. However, whilst many respondents had interesting views on the challenges around data security and frontline service delivery, the greatest was identified as “human behaviour (compliance)”. Although this was “partially mitigable by technological advances”.

Page 8

Connecting the Public Sector

2009

Data sharing was expected: “Citizens only want to tell us things once. The organisational and departmental divides within the public sector are not understood by the citizen when they are accessing services. However, this does place a very high profile on data integrity, security and methods of data sharing. “There have been too many highly publicised data breaches for the general population to have full confidence in public sector data handling. However, whereas technical solutions can be introduced and improved the biggest challenge, from my perspective, is the education of data handlers.” Whilst there is no doubt that understanding of the importance of safeguarding sensitive citizen data has permeated to the highest level, and that the technology infrastructure is now in place, our research finds that the cultural change needed to underpin data security is lagging behind the ‘logical move’ to secure electronic communications. To fulfil the vision of data security that both the citizen can have faith in and that the organisation can trust to underpin efficient citizen‐centric service delivery, the message of just how important citizen data is must be communicated to every public service worker – from top to bottom. Citizen data is not just sensitive to the citizen whose data is lost, it is also one of the public sector’s greatest assets – capable of informing and transforming service delivery. As such it should be safeguarded and nurtured by all those involved in public services. As this report is published, in November 2009, all councils are connected to GCSX.

Cultural change:

“There have been too many highly publicised data breaches for the general population to have full confidence in public sector data handling. However, whereas technical solutions can be introduced and improved, the biggest challenge, from my perspective, is the education of data handlers.”

It will be interesting to see how this new capability to communicate securely between frontline services and across the wider public sector can help improve public service delivery over the coming year. With GCSX in place the barriers to close working between organisations are no longer technical or cost. Culture, as ever, may be the biggest barrier facing joint working teams or shared services initiatives as the sector faces perhaps its most difficult times. The perfect storm of spiralling demand for services in the face of inevitable budget cuts will prove one of frontline services greatest challenges. Will the sector look to existing infrastructure to make the most of available resources?

Page 9

Connecting the Public Sector

2009

3. Methodology ‘Connecting the Public Sector’ aimed to explore how frontline public service organisations currently handled and shared sensitive citizen data.

Response

No. of orgs surveyed

Total response to both surveys

% of organisation type

7.7%

Fire

8.8%

Health

189

4.8%

Local Authorities

433

190

43.9%

Unique authorities

433

149

34.4%

Police

Over the summer of 2009 two research exercises were run: an initial in‐depth questionnaire, followed up by a quick survey aimed at those who did not complete the main questionnaire.

The surveys were targeted at three distinct groups: chief executive/corporate; head of IT/IT senior; and senior departmental officers. Individuals from each authority in each of these groups were invited to participate in the research by email. In the case of the in‐depth survey participation was by online survey; in that of the quick poll respondents were asked to reply to an email with a limited number of questions on it. A total of 103 frontline service officers answered the in‐depth questionnaire, with a further 105 answering the quick survey. Responses came from the breadth and depth of the country, across frontline services. The greatest response rate came from local government – with 190 individuals from 149 authorities answering. This represents a response rate of 34.4% of unique authorities answering. A number of authorities submitted more than one response from different survey groups – thus the total response was 190, offering an ‘illustrative’ response rate of 43.9%. Response rates from the Police (7.7%), Fire & Rescue Services (8.8%) and Health organisations (4.8%) surveyed was significantly lower. Although the response from these groups was not statistically robust the answers were of interest to researchers.

3.1 Response: Quick Poll (total: 105) The quick poll elicited 105 responses from officers ranging from chief executives (and councillors) to heads of IT/IT seniors and senior user department representatives. Response broken down by group/seniority:

Chief executives/ councillors

7% 25%

Respondents in London, the south east and east midlands were more enthusiastic, with markedly less response from councils in the south east. More districts than unitaries/boroughs/counties replied, but as a proportion of type the larger authorities were more keen to participate. Response broken down by region:

London

18%

South East

13%

East Midlands

12.5%

North West

10.5%

Yorkshire & Humberside

10.5%

West Midlands

9.5%

East

8.5%

South West

5.5%

Scotland

Wales

North East

2% 0%

10%

20%

Heads of IT and IT seniors Departments

68%

Response broken down by organisation type:

29%

English District English Unitary London Borough English County Metrpolitan District Scottish Unitary PCT Fire Police Welsh Unitary Local Health Board Drug Action Team

16% 16% 9% 9% 5% 4% 4% 3% 2% 2% 1% 0%

10%

15%

20%

25%

30%

Page 10

Connecting the Public Sector

2009

3.2 Response: In‐Depth Survey (total: 103) The in‐depth survey elicited 103 responses – with the profile of respondents by seniority closely matching that of the quick poll exercise. Response broken down by group/seniority:

South East East North West London Yorkshire & Humberside South West East Midlands West Midlands Wales North East Scotland Unknown LA

18%

66%

English Districts

30% 23%

Metropolitan Districts

18.5%

London Borough

11.5%

English Counties

Welsth Unitary

Scottish Unitary

5% 4% 4% 3% 2%

Unknown LA

10%

15%

English Unitaries

8% 8%

Departments

Response broken down by organisation type:

14.5% 11.5% 11.5% 10.5%

Heads of IT and IT seniors

26%

Response by organisation type and region varied slightly but were on the whole in line with the quick poll. Again the English districts and unitaries topped the list in terms of response. Response broken down by region:

Chief executives/ councillors

Fire

Local Health Board

Police

1% 0%

20%

10%

15%

20%

25%

30%

This report purports to be no more than a snapshot in time as to the attitudes and practice towards sharing and handling sensitive citizen data within frontline public services. It was conducted predominantly among local government due to the news worthiness at the time of survey (summer 2009) of the roll out of the Government Connect Secure eXtranet – GCSX.

Page 11

Connecting the Public Sector

2009

4. Results ‐ Quick Survey

4.1 Do you share sensitive information about citizens with other public sector organisations? (eg local authorities, health, fire, police, central government) Yes No Don't Know No Answer

1% 4% 16%

Almost eight in ten (79%) of the sample said that they shared sensitive information about citizens with other public sector organisations. Just five percent said that they did not, or did not answer the question. Sixteen percent were confident that they did not share sensitive citizen information about citizens with other organisations. A number of respondents made comments in relation to this question suggesting that understanding of the sensitivity of handling such data and related security concerns were high. A representative selection of these is in the table below.

79%

Comments: Do you share sensitive information about citizens with other public sector organisations? “Information is shared with other authorities in line with joint working protocols. Through our various partnerships, we share information to provide improved services to our residents. Our data sharing is covered by protocols setting out what is being shared, why it is being shared, and how the data are kept secure.” “We currently share sensitive data with the local authorities, Health Service, Police at multi agency meetings. Some information that is sent out has the names and ages of victims redacted.” “The trust shares information with many bodies where patient care requires this. Great care is taken that sharing takes place only in conformity with the Data Protection Act, national requirements and guidelines or with specific consent.” “Yes, but only for operational coordination on an individual.” “But only within the NHS, not external organizations.” “Yes, for example, with CAB through a 'trusted partner' secure network.” “Local authorities at present but plans are in place to expand this over time.” “With consent if possible but it can be shared if there is a concern about safety.” “Only where legislation permits.”

4.2 Do you ever share this data by post/paper/solid media?

Yes No Don't Know No Answer

47% 42%

Almost half of the respondents said that they did share this data by post/paper/solid storage media with other public sector organisations. Just over four in ten (42%) said that they did not. The remainder of the sample either did not know (3%) or did not answer the question (8%). A number of comments were made relating to this question. A representative sample of these can be seen in the table below. However, comments suggest that postal and courier delivery of sensitive data is no longer a desired solution – with many commenting how this ‘used’ to be an option and how officers had been ‘told not to’ do this anymore.

Comments: Do you ever share this data by post/paper/solid media? “We share data by paper. When we send information by post steps are taken to ensure that it is secured in line with Government guidance. Printed personalised data for specific meetings is governed by a strict protocol within our Regional Information Sharing Protocol. Any electronic information sent by post would be encrypted and sent through a bonded courier.” “Encrypted solid media; paper; email by a secure web service. Will continue to use to send secure email to individuals and organisations not on secure email.” “FOI information sent in the post, by email and solid media. Data files are sent via email and solid media.” “Especially if this is the most secure method for the type of data.” “Sometimes when no secure network communications option is available.” “Yes, but have told everyone not to do this.” “We used to, but not anymore.”

Page 12

Connecting the Public Sector

2009

4.3. Do you ever share this data by secure network communications? (eg GCSX) Yes No Don't Know No Answer

12% 3%

Over six in ten of the sample (62%) sometimes used secure network communications to share this data with other organisations. Less than a quarter (23%) never used secure communications such as GCSX. More than one in ten (15%) however either did not know the answer, or did not answer, this question.

23%

A number of comments were made relating to this question. As can be seen from the representative sample in the table below, many of the respondents were starting, or planning to start, using the government secure network infrastructure via the GCSX once they had their connection live.

62%

Comments: Do you ever share this data by secure network communications? (eg GCSX) “Yes. Our internal communications are secure. In line with GovConnect, our secure GCSX CoCo will go live at the end of September.” “Currently not GC.” “In the pipeline.” “Not yet but will begin to as we have just had our GCSX connection approved.” “Not yet, but planning to.” “We do not currently have a secure network communication in place.” “A set of secure email addresses has been set using GCSX.” “Exclusively.” “Starting to replace the preceding with GCSX” “Via encrypted e‐communication only.” “We have implemented GC Connect.” “Data is shared in a variety of ways, both via secure network and via email/fax/post.” “This is being developed and will go live this month.” “This network is currently being rolled out throughout this authority.”

4.4 Are all staff regularly trained regarding the sensitivity of citizen information and the importance of adhering to correct procedures for its handling? Yes No Don't Know No Answer

16% 4%

16% 64%

In light of the LGA Data Handling Guidelines, researchers had expected the answer to this question to be emphatically ‘Yes’. However, just over six in ten (64%) were able to say that all staff were trained regarding the sensitivity of citizen information and the importance of adhering to correct procedures for its handling. Sixteen percent were clear that regular training did not happen in their organisation. Almost two in ten (20%) were either unsure or did not answer this question. A number of respondents made additional comments, a representative sample of which are in the table below. However researchers were interested to note the extremes: from admission that whilst such policy would be preferred, practice was less than perfect through to solid explanations of robust organisational policy and practice.

Comments: Are all staff regularly trained regarding the sensitivity of citizen information and the importance of adhering to correct procedures for its handling? “As a newly established unitary authority we are assessing our position as staff will have had training and awareness within their previous authorities. An appropriate programme will be developed to meet needs.” “Organisation‐wide e‐learning in place and regular communications about information security, plus additional training for staff handling sensitive data regularly.”

Page 13

Connecting the Public Sector

2009

“A programme of staff training is being established and managers receive regular updates.” “At induction and followed up by mandatory training in addition to service‐specific requirements.” “Integral part of induction process and is mandatory training module for all staff annually.” “Online IDeA training currently being rolled out and class room training provided to council members.” “We deliver mandatory Information Governance awareness training and all our staff are expected to attend refresher training periodically.” “Training is provided to some staff with specific responsibilities for handling sensitive information, such as those dealing with benefits, but for the remainder the council relies on policy and communication.” “Daily signup to adherence to the security policies.” “I wouldn't describe it as regular training ‐ more likely to be included as a staff briefing item.” “Induction training but no regular training after that.” “Piecemeal at present. GC is changing this as we are required to actively train all staff accessing IT systems.” “Policy exists but formal and recurring training does not.” “We aspire to but not as regularly as we should.”

4.5 Do you feel there is a need to share sensitive citizen data in order to improve the quality and efficiency of public service delivery?

10%

Yes No Don't Know No Answer Sometimes

2% 6%

77%

Nearly eight in ten (78%) felt that yes, there was a need to share sensitive citizen data in order to improve the quality and efficiency of public service delivery. Just six percent said no. The remainder, either did not know (2%), did not answer, or thought that yes, sometimes, this was necessary (5%). A number of comments were made. Again, these tended to polarise, however this was between an emphatic recognition of the need to share – and the benefits thereof ‐ and of the need to share this data in a safe and appropriate manner.

Comments: Do you feel there is a need to share sensitive citizen data in order to improve the quality and efficiency of public service delivery? “Immensely so ‐ for place shaping, service take‐up, increased customer insight, offering of value added services and most importantly, preventative services.” “Absolutely.” “The need to share sensitive citizen data within and between public sector agencies is an essential requirement of effective and efficient service delivery. This must take place within statutory, ethical and procedural frameworks.” “But not globally, only to selective agencies.” “However there are challenges here regarding the Data Protection Act; does place limits on the use that can be made of personal information. Information Governance becomes an issue. Caldicott requirements need to be considered.” “In terms of delivering the best healthcare for patients/clients.” “It is essential for efficient and effective delivery.” “Particularly within social care (both adults and children).” “Systems and data sharing protocols need to be developed if service improvements, particularly for more vulnerable people, are to be achieved.” “Not at this stage but possibly in the future through the development of the esd toolkit and through our Customer Insight project.” “In theory yes. However, how it is put into practice could have the opposite effect.” “There is clearly a need as all cases of headline cases of child abuse could have been prevented if agencies communicated with each other. This will continue and it will be the same story. It only takes a phone call to discuss a case, however it often gets missed. Cases of domestic abuse may be more detected earlier allowing intervention and help to be offered to the victim and children.”

Page 14

Connecting the Public Sector

2009

4.6 Do you feel that accessing databases in other public sector organisations would improve/help the way you deliver services? (eg local authorities, health, fire, police, central government) Yes No Don't Know No Answer Sometimes

1% 12% 2%

Three quarters (75%) of the sample felt that being able to access databases from other public sector organisations would help improve the delivery of services. Ten percent said that accessing such databases would not help with improving service delivery. The remainder did not know (12%) or did not answer (2%). One percent said ‘sometimes’.

10%

Researchers were particularly interested in those that said ‘no’ and why. Of these there were no real patterns in area of service or seniority. However, three were senior officers: a director of children's social care, a head of environmental health services and assistant director of strategy & performance. Interestingly, one was a Government Connect Lead, who said, “The case is not proven. There is already controlled access to information.” 75%

From reading the remainder of the comments researchers surmised that whilst the benefits of accessing information from other organisations was deemed beneficial great concern remained as to how this could be proven and securely enacted. A sample of comments relating to this question can be found in the table below. Comment: Do you feel that accessing databases in other public sector organisations would improve/help the way you deliver services? “We think that the sharing of information with agencies such as PCT’s will help us to identify vulnerable people within our community and enable us to target them with Community Safety initiatives to help drive down the incidence of accidental dwelling fire.” “Shared information with shared databases would probably help and certainly allow a more joined up approach to dealing with sensitive issues. Too often staff, possibly through lack of training or uncertainty, will not pass on information.” “Absolutely.” “Accessing databases ‐ No. Having some of the relevant information available from these databases ‐ Yes.” “But only if the data is presented in existing systems so that systems update each other ‐ adding another separate system into the equation means that it simply won't be used.” “If we are to improve health and social care as a whole there will be a need to share data across several organisations.” “Joined up working and shared services/information is the way forward.” “Particularly in Children & Young People's services where multi‐agency working is not always supported by information sharing facilities.” “Databases don't record data retrievable in a useful way (except by host); the RELEVANT info needs to be extracted for sharing.” “The case is not proven. There is already controlled access to information.” “We work on the premise that you have a central information / intelligence hub with links to partner databases (where relevant) and that you input once and use many times.” “In theory yes. However, how it is put into practice could have the opposite effect.” “It would improve service to citizens and allow joined up view of service provision.” “Not at a cost of privacy.” “We do not share access to databases. If such an arrangement was needed, data would be shared within a secure space and this would only occur within statutory and ethical frameworks.” “There are pro and cons in sharing data bases within the Public Sector and presently this is not encouraged for obvious reasons. Also there are serious issues and concerns with regards to accessing databases in terms of the Data Protection Act and other Parliamentary legislation that all need to be considered. Guidance will need to be sorted from the Information Commissioners Office (ICO) and the National Information Governance Board (NIGB) including independent Information Security Risks Assessments and Audits based on ISO27001 and BSI 10012 (Data Protection) and BS 25999 (Business Continuity).” “We do to some extent now but not to the extent where we can log in to each other's databases on a daily basis.” “Whilst access to partners' information is very useful and important, better would be single shared records.”

Page 15

Connecting the Public Sector

2009

4.7 Would trusted and secure data sharing be essential in order to deliver 'Total Place' public services? Just 4% of respondents thought that trusted and secure data sharing would not be essential in order to deliver ‘Total Place’ services.

Yes No Don't Know

10%

No Answer

Over three quarters (76%) felt that it would be essential in order to deliver the ‘whole area approach to public services’ inherent within the Total Place pilots.

10%

Ten percent did not answer this question, and a further ten percent did not know whether or not Total Place would impact the need to share sensitive citizen data.

The comments (below) to this question were interesting – ranging from enthusiastic (and informed) explanation as to the Total Place approach to dismissal of the initiative as a political public relations ‘spin’.

76%

Comment: Would trusted and secure data sharing be essential in order to deliver ‘Total Place’ public services? “’Total Place’ looks at how a whole area approach to public services can lead to better services. In order to achieve this it requires data analysis across the whole area. This data will come from a range of service providers on a range of different criteria ie information on crime and anti‐social behaviour. Unless this data is shared an informed and holistic view cannot be taken on issues such as where services need to be better targeted. The approach must be evidenced based and cannot be delivered by a single agency or group. It needs a consistent and collaborative approach which eliminates duplication and joins up activity.” “Developing trusted and secure data sharing is essential to wide roll out of a total place approach to public services. We are a total place pilot site, and are seeking to share Customer Insight data across providers in order to inform our work: it is vital we do this in a way that ensures the safety of citizen data.” “Absolutely, trusted and secure data sharing is the way forward in order to prevent data breaches and restore public confidence.” “No, but there is clearly a need for a more joined up approach to information sharing.” “Information has to be accurately input and fully understood on receipt ‐ fully trusted systems encourage bypassing of key staff who can interpret data.” “Not necessary if 'total place' moves forward sensitively.” “Only a good team of spin doctors can deliver Total Place public services.”

Page 16

Connecting the Public Sector

2009

5. Results ‐ In‐Depth Survey 5.1 Does your council's work involve collecting, using or storing information about citizens? 100 80 60 40 20 0

Yes

Just two percent of the sample said that their work did not involve collecting, using or storing information about citizens.

26 8

The only group not sharing data were a subset of departmental users that worked in land charges, with land and property gazetteers or with GIS.

5.2 Does your council's work involve sharing this information with the following? YES ‐ we share citizen data with: … Other local authorities

90%

Other frontline services

82%

Commercial organisations

78%

The third sector

77%

Central government

Ninety percent of those participating in the in‐depth survey said that they shared this sensitive citizen information with other local authorities. Nearly seven in ten (69%) shared this data with central government, 82% with other frontline services and 77% with the third sector. Almost eight in ten (78%) shared information with commercial organisations (such as care providers, outsourcers etc).

69%

Local authorities

Yes

Technology

Corporate

Users

Frontline

Total (%)

Other frontline service organisations

Yes

Third sector organisations

Yes

Central government

Yes

Commercial organisations

Yes

5.3 How sensitive is the most sensitive information that you share with the following types of organisation? All respondents shared sensitive citizen data with other organisations. Most felt that the most sensitive citizen data they shared was that with other local authorities; that shared with the third sector was seen by the group as less sensitive. However, from looking at the breakdown of answers from different groups it is interesting to note that technology respondents felt that the most sensitive data their organisation shared was that which they shared with central government. Indeed, in general, technology respondents viewed the sensitivity of the data they were handling as ‘higher’ than other groups.

Page 17

Connecting the Public Sector

2009

Chief executives/councillors, for example, felt that the data shared with commercial organisations or other frontline services was not that sensitive – in marked contrast to the weightings given to this by other groups. However, chief executives/councillors perceived the data shared with other local authorities to be more sensitive than did either technology or departmental respondents.

Commercial organisations

All

Central government

Other Frontline

Third sector organisations?

Users

Other frontline service organisations

Corporate

Other local authorities Technology

1 2 3 4 0 = not sensitive / 5 = extremely sensitive

5.4 Handling information about the citizen Does your council have an 'Information Charter' outlining how citizen data is handled? 50 40

40 26

30 20 10

9 11

10 5

Yes

Don't Know

1 3

0 Technology

Corporate

User

Total %

Just four in ten respondents said that their organisation had an Information Charter outlining how citizen data is handled. More heads of IT/IT seniors said their council had no charter than said they did – arguably the group most likely to be aware of such a charter.

Is personal information kept within secure ICT systems? 93

100 80

Yes

60 40

1 0

2 5

1 3

0 2

Don't Know

0 Technology

Corporate

User

Total %

The vast majority of respondents were confident that their organisation kept personal information within secure ICT systems. Just a handful of chief executive/councillor and end user respondents were either unsure or did not believe that this was so.

Are Government data security minimum standards (eg ISO 27001/CoCo) incorporated within ICT systems' specification/ procurement?

70 60 50 40 30 20 10 0

17 5 3 Technology

0 2

Corporate

3 User

Yes No

Total %

Don't Know

Just eight percent of respondents said that their organisation did not incorporate government data security minimum standards within ICT systems’ specification/ procurement. Sixty one percent were confident that they were, with 31% overall unsure. It is worthy of note that 5% of the ‘no’ came from IT heads themselves.

Page 18

Connecting the Public Sector

2009

Does your council have a Corporate Information Risk Policy? 55

60 50 40

14 7

Don't Know

2 1 0

0 0

Yes

Just over half of all respondents said that their organisation had a Corporate Information Risk Policy. Whilst every chief executive/corporate said their council had a policy, 16% in user and technology groups stated that they did not.

0 Technology Corporate

User

Other Frontline

Nearly three in ten (29%) did not know if their council did or not have such a policy.

Total %

Are all the council's key 'Information Assets' classified? 45

50 36

30 20 10

12 4

29 Yes

1 1 1

Don't Know

0 Technology Corporate

User

Other Frontline

None of the ‘corporate’ group said that their organisation did not have key Information Assets classified. However, overall, 29% were clear that the organisation did not. A further 45% were unsure whether this task had been undertaken.

Total %

Are the owners of each information asset clearly identified in a corporate document? 50 40

20 10

Yes

12 4

1 1 1

Don't Know

0 Technology Corporate

User

Other Frontline

Again, none of the corporate group said no to this question. In marked contrast to the 34% in technology and user departments saying no, information asset owners were not clearly identified in a corporate document. Nearly four in ten (39%) did not know either way.

Total %

Does one person (Senior Information Risk Owner ‐ SIRO) 'own' information risk at your council/organisation? 40 35 30 25 20 15 10 5 0

Just 38% could say that there was one person, an SIRO, that ‘owned’ information risk at their organisation.

38 30 32 22

23 Yes

18 11 10

No 4

Technology

Don't Know

Corporate

User

Almost a further third (32%) were unsure, and three in ten were definite that there was no SIRO at their organisation.

Total %

Page 19

Connecting the Public Sector

2009

Is there a clear incident reporting mechanism in place for when security may be breached? 70 60 50 40 30 20 10 0

Nearly six in ten (59%) said that a clear incident reporting mechanism was in place for when security may be breached.

59 35

Yes

27 19

16 6

4 5

0 1

Technology Corporate

User

However, that left 27% unsure of what to do in case of a security breach and 14% absolutely sure that there was no mechanism in place to report a breach.

Don't Know

1 1 1 Other Frontline

Total %

Are all staff regularly trained about the sensitivity of citizen information and the importance of adhering to correct procedures for its handling? 80

Two thirds of respondents said that all staff were regularly trained regarding the sensitivity of citizen information and the importance of its correct handling.

Yes

40 14

10 11

0 1

2 1 0

Don't Know

0 Technology Corporate

User Other Frontline

However, two in ten (20%) – from the technology and user groups ‐ said that this did not happen.

Total %

5.5 How does your organisation share sensitive citizen data with the following organisations? 60

% USING TODAY

54 44

Removable media (USB, CD etc) courier/ post Internet

41 36

40 30

Paper/ courier/ post

28 22 16

1717

23 21 16

20 8

11 6

6 8

Point to point connection

18 7

Secure government network

11 4

8 Other

0 Local Authorities

Health Organisations

Police

Fire & Rescue

Third sector

Central government

Commercial organisations

In light of the continuing stream of data loss incidents covered in the media, and actioned by the Information Commissioner, it was surprising to find that all organisations continue to share sensitive citizen data with other public sector organisations by post and courier – in both paper and removable media (USB, CD etc) formats. Paper was more popular than removable media; this may well be due to recent media tales of usb stick discoveries in inappropriate places. Indeed, apart from when communicating with central government, where secure government network was used most, paper/post/courier was the most used option when communicating across frontline services. Interestingly, not one of the corporate/chief executive group said that their council shared citizen data using removable media when dealing with other local authorities, health organisations, central government or commercial organisations. They were also more likely to say that their council used the secure government network to communicate with central government than any other mode of communication.

Page 20

Connecting the Public Sector

2009

5.6 Do you feel that any of the following policy agendas or initiatives impact the handling of sensitive citizen data? 90 80 70 60 50 40 30 20 10 0

73 59

36 15

1413

51 45 31

28 20

49 4139

48 34

18 10

30 16 2

13 1

No impact Requires secure data sharing Don't Know

The most interesting result from this question was that for ‘Total Place’ – 73% of respondents did not know whether it would require secure data sharing. However, by the time the quick poll took place six weeks later, 76% answered yes. There are some obvious initiatives and policies that, in the minds of respondents, require secure data sharing – namely delivery of shared services and mobile & flexible working initiatives. Nearly seven in ten (69%) felt that this would be imperative in the MAPPA arrangements. Researchers were intrigued to find that only 58% of the sample felt that the LGA Data Handling Guidelines would impact the handling of sensitive citizen data, requiring secure data sharing. Since the launch of the guidelines last November, researchers had assumed that they were being adopted unilaterally across local government. (See box for details.) Tell Us Once (67%) and Service Transformation (59%) initiatives would also require secure data sharing according to the majority. Researchers had anticipated both Local Strategic Partnerships and Operational Efficiency Review initiatives to require the sharing (securely) of data to inform strategy and efficiency savings. However, less than half (49% and 34% respectively) felt that this would be necessary. LGA Data Handling Guidelines for Local Government

Comments relating to this question: “(The) personalisation agenda requires secure data sharing.” “Partnership activity level currently appears to focus on protocols and high level contact. More detailed work is needed to make the partnerships effective at a data sharing level. It would help if e‐GIF were treated seriously, local authorities actively rather than passively 'encouraged' to share information and application suppliers forced to invest in integration and data exchange as a basic part of their packages, not an expensive bespoke add‐on.” “As a former intelligence officer I am concerned at sharing using BlackBerry machines which are far from secure and yet may receive email”. “There needs to be a sea change in the way that case records are handled. Firstly the ESCR (Electronic Social Care Record) is relatively new. Secondly, the (welcome) move towards multiagency working, CAF, ContactPoint etc, within the framework of ICS, envisages a much wider range of information sharing. Good data sharing protocols with key stakeholders are critical, as is a technical infrastructure that will support secure data sharing, which is largely absent at present in Children's Services. This leads either to poor record keeping or wasteful double entry on incompatible systems.”

Produced by Socitm, working in partnership with the Local Government Association and the Welsh Local Government Association, the LGA Data Handling Guidelines for Local Government were published in November 2008. The guidelines show councils the steps they need to be taking to keep ‘safe and secure’ data collected from residents, businesses and other parties. According to the LGA’s website, the guidelines ‘highlight recognised best practice in secure data handling, and provide local authorities with a vital aid in discharging their responsibilities and accountability for secure and effective handling of personal information.’ ‘The publication sets the standard for local government moving forward.’ States the LGA: ‘The guidelines provide a key checklist of actions that set out the fundamental steps that every council should take to mitigate against the ever present risk that personal information is lost or that data protection systems fail. They provide chief executives, senior managers and elected members with a vital tool for the secure handling of personal information.’ www.lga.gov.uk Page 21

Connecting the Public Sector

2009

5.7 Do you feel that any of the following legal requirements affect the way your council handles sensitive citizen data within its daily work? 120 100

79 %

40 4

Don't Know

Yes

Criminal Justice and Immigration Act

Civil Contingencies Act

Data Protection Act

Human Rights Act

Freedom of Information Act

Unsurprisingly, the vast majority of respondents felt that the legal requirements of both the Data Protection Act (96%) and the Freedom of information Act (94%) impacted the way their organisation handled sensitive citizen data. The Human Rights Act was also felt to have an impact by almost eight in ten of the sample (79%). The only respondents saying no to this question were from the departmental/user subset – the majority of IT heads and chief executive/corporate respondents felt that it would impact, with just a few of each saying that they did not know if it would or not. Over half (57%) said that the Criminal Justice and Immigration Act would affect the way they handled sensitive citizen data. However almost three in ten (29%) did not know whether or not it would. Just 14% said that it definitely would not. Half felt that the Civil Contingencies Act would have an effect; again 14% felt that it would not, with the remainder (36%) not knowing.

Human Rights Act Personal data must be handled in accordance with the Data Protection Act (DPA). But the parliamentary Joint Committee On Human Rights last year (2008) found that breaches in data protection (aka data loss scandals) contravened the HRA – which safeguards the right to respect for personal information. ‘The committee has repeatedly expressed concerns ‐ mostly rejected by the government ‐ about the adequacy of safeguards on the sharing of personal information in specific bills.... The committee agrees with the Information Commissioner that data sharing is not, in human rights terms, objectionable in itself. But it inevitably raises human rights concerns. Government must show that any proposal for data sharing is justifiable and proportionate and that appropriate safeguards are in place.’ The committee expects the government to take action ‘to foster a positive culture for the protection of personal data by public sector bodies’. It also suggests that anyone affected by government data breaches could use the Committee on Human Rights report to support legal action brought against the government. www.parliament.uk

It is worth noting that the chief executive/councillor group said yes to all these questions.

Data Protection Act

Indeed, as can be seen below and in the relevant boxes, all do have major impacts on how citizen data is handled.

The requirements of the Data Protection Act 1998 are well known across frontline public sector organisations. All organisations which handle personal information are required to comply with a number of important principles regarding privacy and disclosure. One of the eight key principles is that data be kept securely.

Civil Contingencies Act The Civil Contingencies Act 2004 places a statutory duty on certain organisations to share information in emergencies. The Act and its associated non‐legislative measures provide a ‘robust, modern framework for civil protection right across the UK’. Recovery Guidance on the Cabinet Office website outlines requirements for data protection and sharing in emergencies. In a number of emergencies, problems, either perceived or real, surrounding interpretation of Data Sharing and related Human Rights legislation have prevented public bodies from carrying out their duties effectively. The Indian Ocean Tsunami, the Bichard Inquiry (to the Soham murders) and the Victoria Climbie Inquiry all

The issue of sharing personal information is a key area of data protection compliance and an issue of much debate. The Information Commissioner has produced guidance for the public sector. It should be noted, however, that the ICO also regularly publishes a set of ‘data protection myths’ suggesting that ‘unfortunately, some organisations continue to use the Data Protection Act 1998 as an excuse not to do something, rather than seeing it as good business sense to treat their customers and their information with respect’. Indeed, DPA is often put forward as a reason to block data sharing in the public sector. However, the Information Commissioner has at various times stated that he does not want data protection to be ‘wrongly blamed for preventing sensible information sharing’, for example in order to detect crime, prevent fraud or protect children at risk. www.ico.gov.uk

Page 22

Connecting the Public Sector

2009

Freedom of Information Act

identified areas of uncertainty in the interpretation and application of data protection and sharing rights and responsibilities.

The Freedom of Information Act applies to all public authorities and companies that are wholly owned by public authorities. Public authorities are obliged to provide information both through a publication scheme and in response to requests made under the general right of access.

Most recently, as part of the government’s lessons identified following the 7 July 2005 London bombings, it was found that limitations on the sharing of data between a number of Category 1 and 2 responders hampered the connection of survivors to appropriate support services. Subsequent investigation found that many of these limitations were self‐imposed and resulted from incorrect application of duties perceived to be imposed on public organisations by the Data Protection Act and other legislation.

When responding to requests, there are set procedures that public authorities need to follow, including the time in responding ad the fees that can be charged for dealing with requests. Full guidance is on the Information Commissioner’s website: www.ico.gov.uk

Criminal Justice and Immigration Act Of most interest to frontline public sector organisations, the Criminal Justice and Immigration Act 2008 amends the Data Protection Act to allow the ICO to fine organisations directly for serious breaches of the DPA principles.

Data sharing within and between the public and private sectors, and between Category 1 and 2 responders, cuts across a range of scenarios and responsibilities – the duty to properly risk assess at local and regional levels; to construct effective and realistic emergency plans; during the response to an emergency; and to recovering from and managing the consequences of emergencies. www.cabinetoffice.gov.uk/ukresilience.aspx

The provision is not yet in force, but secondary legislation setting out the level of fines and their application is anticipated shortly. The Information Commissioner has recommended that the fines are brought in as soon as possible and that they should be in line with those imposed by the FSA. www.justice.gov.uk

5.8 Does your organisation share sensitive citizen data with any of the following? Don't Know

Police

9 16

Will do soon No

74 30

Fire & Rescue Service

Yes 14

Health Authority / Primary Care Trust

29 34

Regional Government Offices

78 20 24

Ministry of Justice

Department for Communities & Local Government (CLG)

35 37 22 31

Department for Work and Pensions (DWP)

59 28

Department for Children Schools and Families (DCSF)

HM Revenue and Customs (HMRC)

HM Courts Service (HMCS)

Other local authorities

43 42 8 19 10

71 30

Page 23

Connecting the Public Sector

2009

As can be seen from the charts on the previous page and below, more than seven in ten councils currently share citizen data with other local authorities (78%), with the police (74%) and with DWP (71%). More than six in ten (64%) shared data with the Audit Commission, 59% with HMRC, 56% with HMCS and 51% with schools and other educational institutions. Almost half (47%) shared data with CLG, 42% with DCSF. It was interesting to note the ‘no’ responses – not one category gained a negative response from half of the sample. The ‘highest’ negative responses were for data sharing with DCSF (43%) but almost as many again (42%) did share information with the department ‐ which confirmed researchers’ expectations that many requirements would be departmental/user specific. Does your council share sensitive citizen data with any of the following organisations? (Cont’d)

Don't Know 17

Schools and other education institutions

UK Borders Agency

25 18

Audit Commission

64 24

Driver & Vehicle Licensing Agency (DVLA)

33 27

Probation Service

27 26

Crown Prosecution Service (CPS)

HM Prison Service (HMPS)

24 0

Yes

Office of Fair Trading (OFT)

Will do soon

5.9 Which of the following example databases would help your council to deliver services if they were accessible electronically from your local authority offices? As can be seen from the chart on the following page, over half of respondents would find electronic access to the following databases ‘from their desk’ helpful in terms of service delivery: National Fraud Initiative (62%), National Blue Badge Register (60%), DVLA (59%), National Pupil Database (54%), Joint Asset Recovery Database (53%), Hospital leavers & admissions database (52%), Electronic patient records (50%) and the Persistent Offenders Register (50%). Few had access today to any of these databases, the exceptions being the National Fraud Initiative (19%), DVLA (17%) and ContactPoint (12%). Whilst access to relevant databases for individual departments will without doubt depend on requirements, researchers anticipate that once secure access becomes a trusted entity and the benefits to service improvement such access delivers are demonstrated, demand for access will grow.

Page 24

Connecting the Public Sector

2009

Which of the following example databases would help your council to deliver services if they were accessible electronically from your local authority offices? (Cont’d)

19 19

National Fraud Initiative (Audit Commission)

DVLA

Already Accessible 62

Yes

NOMS

20 2

National Pupil Database

National Resilience Extranet (NRE)

41 4

National Blue Badge Register

Persistent Offenders Register

48 50

SARS

38 2

Moneyweb

26 5

Libra

23 6

Joint Asset Recovery Database

Electronic patient records

Hospital leavers & admissions database

44 12

Contactpoint

40 %

48 50

5.10 Additional comments on the issue of secure handling/sharing of sensitive citizen data Additional comments: “The greatest challenge is human behaviour (compliance) ‐ though partially mitigable by technological advances ‐ culture shift is still significant.” “Too many databases, not enough sharing.” “Until all councils have mandatory and auditable Board‐level ownership of information security risk, the situation will remain unsatisfactory. GC has helped raise some awareness, but many councils (connected and unconnected) remain in an immature IS‐capable state.” “Data sharing is expected ‐ citizens only want to tell us things once. The organisational and departmental divides within public sector are not understood by the citizen when they are accessing services. However, this does place a very high profile on data integrity, security and methods of data sharing. There have been too many highly publicised data breaches for the general population to have full confidence in public sector data handling. However, whereas technical solutions can be introduced and improved, the biggest challenge, from my perspective, is the education of data handlers.”

Page 25

Connecting the Public Sector

2009

“There is still a perception among many people and organisations (not specifically local government where I am from) that ordinary email is a secure system.” “There needs to be a national forum for this sort of issue. There are so many agencies involved and with an interest and we all need to get together to discuss best practice. Organisations that should be around the table include ALGIS in LARIA, NADPO (Data Protection Officers), National Association of Information Management, CILIP, Records Management Society, SOCITM, Society of Archivists. ALGIS in LARIA might be keen to take on such a role.” “Data security is important but vague ‐ it is sometimes unclear whether you can share info or not which will adversely impact on the service you can deliver.” “Maybe both government and LGAs should be considering the advantages of a VRM based method of citizens asserting a self‐maintained identity thus removing the onus for the storage of such identities by Local Government in the first place. Our recent custodianship of such data seems fraught.” “For Health and Social services to share data effectively requires not only security but confidence and change in culture. Data security is often used as a power/control mechanism and not in the best interest of the patient/service user.” “Recent events have rightly focussed everyone on confidentiality, but info security is not just about confidentiality. It is also about data quality and availability, which are the real key to cost‐effective frontline service provision. Info security also needs to be aligned to the strategy of the organisation and built into its business processes. Please give clear guidance on how to allocate a SIRO.” “This whole area is under‐resourced and not understood by strategic management in many LAs children's services departments. The NHS Connecting for Health Information Governance Toolkit is about to be made statutory for Adults and Children's Social Care. This will greatly assist in providing an effective driver for pursuing this agenda further.”

Page 26

Connecting the Public Sector

2009

6. Edited highlights from GC Communicate newsletter in 2009

6.1 Opportunities for improving service delivery using GCSX (September 2009) Now that the GCSX network is live across all English and Welsh local authorities, opportunities for improving the way in which information is shared between public sector organisations are coming to the fore. A growing number of secure and efficient services and data transfers are fast becoming reality: Sharing data with Health: Local authorities with a GCSX connection can now use a GCSX email account to exchange sensitive data ‐ including patient identifiable data ‐ with health sector staff that have an NHS.net email address (eg PCT staff and GPs). Connecting to the Police: With both GCSX and the Police National Network (PNN) connected to the wider Government Secure Intranet (GSi), data can now be safely transferred between council and police using GC Mail. Information relating to crime statistics, community safety, child protection, youth offending and emergency planning can all be better shared and used to improve services and joint community initiatives. Courts Access: The Ministry of Justice (MoJ) is currently piloting secure local authority access to HM Court Records, held on the Libra case management system, via GCSX. Youth Offending: The Youth Justice Board (YJB) has implemented a GCSX connection to link up Youth Offending Teams (YOTs) with the YJB Service to arrange secure accommodation placements for youth offenders. The service uses structured messaging to transfer data between YJB and YOTs. YJB is also working with Government Connect to enable secure local authority access to both its main Case Management System and the eAsset database which provides information on youth offender secure accommodation across the country. Trading Standards & Asset Recovery: GCSX connectivity enables secure information sharing between local authorities, police and trading standards providers. Access to both the Joint Asset Recovery Database (JARD) and Money Web will soon be available to Trading Standards officers from their council desktops ‐ enabling local authorities to participate in the Home Office incentive scheme and claim their share of the estimated £200m+ of criminal assets documented within these databases. In and Out of Work: DWP, HMRC and local authorities are implementing new processes that provide a more joined up service to certain people moving in and out of work. National rollout of the streamlined processes began in autumn 2008 and is scheduled to complete by early 2010. eLAID rolls out: Following a successful pilot with 10 local authorities and JobCentre Plus, the eTransfer Project pilot ‐ secure electronic exchange of Housing Benefit and Council Tax benefit claim data using an electronic Local Authority Input Document (eLAID) – is set to roll out nationally.

6.2 The Public Sector Network –Partnership and Innovation (August 2009) John Stubley, PSN Programme Director Today we live in an ‘on demand’ world. Video, music, internet, business service access – everyone wants it now. And this need has to be satisfied, irrespective of time, place or device. The Public Sector Network (PSN) might not offer such unbridled access, but it aims to enable common business functionality across the Local Government Sector. It will improve the way we share services and information, bringing the potential for better efficiency and effectiveness. To put it bluntly, it will allow us do our jobs better. The PSN is designed to be a single, integrated infrastructure, delivered by multiple service providers ‐ in effect a ‘private network of networks’ for the public sector, providing voice and data services. It will allow the same quality of experience to be offered across a range of platforms – desktop, laptop, mobile devices and telephone.

Page 27

Connecting the Public Sector

2009

Why Network Procurement Should Change At the very heart of the PSN is a concept that brings together network services and standards, and most importantly helps to re‐ invent and improve the procurement process. Currently, procurement lacks centrally managed standards. All public sector bodies run separate procurement competitions to buy their networks to connect their various departmental locations. This creates an environment which is highly inflexible, built to different standards, wasteful and costly. Procurement needs to change. In a nutshell, the PSN allows users to move away from the ‘kit and bandwidth’ mindset and look at ICT in terms of the services your organisation needs.

6.3 Aggregated Connection to GCSX Saves Kent £1m (August 2009) Kent Connects – a partnership of all Kent and Medway authorities – was the first partnership to achieve aggregate connection to GCSX, saving itself over £1m in the process. All 12 districts, Medway and Kent County have invested in a shared IT infrastructure, the Kent Public Services Network (KPSN). By signing up to a standard configuration for aggregate connection to GCSX all the authorities benefited from a simplified, and thus cheaper, connection process. As an added bonus the partner councils have achieved better standards of resilience and capacity than any would have achieved by themselves. Two 10MB GCSX compliant circuits in separate locations now ensure resilience and business continuity for all councils in the partnership. Each circuit receives equal volumes of data, has separate firewalls, and supports the other. Partners now benefit from at least 100MB circuits, with the majority of KPSN running at 1GB. The greater bandwidth increases capacity and provides the network with flexibility in peak times. Centralised project management also freed up ICT staff to focus on other work and streamlined discussions with GCSX. As network services are shared the group’s future costs are reduced ongoing. Jeff Wallbank, KPSN’s partnership development manager, says that aggregation supports the Digital Britain agenda and has environmental benefits too: “The number of circuits has been reduced but upgraded, potentially extending high speed access to the internet for small businesses and residents.” Jeff believes that aggregation is an option for other authorities: “There are more savings and efficiencies to be had. Bigger aggregations are possible, and it can only help in the drive for efficiencies and joined‐up public services. However I recommend getting the partnership governance model right at the outset.” Meanwhile KPSN partners are developing the use of GCSX and the secure GC mail: sharing information with magistrates’ courts to streamline council tax and business rate summons, tackling fraud with trading standards and Kent Police, and liaising on social services cases.

Page 28

Connecting the Public Sector

2009

6.4 In and Out of Work over GCSX (July 2009) In and Out of Work (IOW) provides a single point of contact at Jobcentre Plus for customers to access Jobseekers Allowance and Income Support, HM Revenues and Customs Tax Credits, and local authority administered Housing and Council Tax benefits. People whose work status changes thus no longer have to visit multiple government offices but can deal with all relevant support organisations in one place, in one go. Their financial support also arrives more quickly and is less prone to error as duplication and rekeying is removed from the process. E‐Transfers, the system developed in collaboration with the DWP Housing Benefit Information Flows team, enables the electronic transfer of local authority Input Documents (LAIDs) using the DWP Generic File Transfer Service via GCSX (Government Connect Secure eXtranet). The IOW project also uses GCSX to provide the links for the secure exchange of customer information. The E‐Transfer and IOW project teams are working together with Government Connect to align implementation of the two new processes in order to minimise the impact of these changes. Wherever possible, local authorities will be e‐enabled in advance of adopting IOW processes.

6.5 Tower Hamlets join the GCSX network and adopts In and Out of Work (June 2009) Tower Hamlets switched on to the Government Connect Secure eXtranet (GCSX) on 23 February 2009, after submitting its first assessment return in May last year. The journey has been an instructive and crucial one. There were a number of drivers behind signing up for the secure network. The Department for Work and Pensions’ (DWP) intention to switch off access to CIS by 1st April unless routed through a secure network, being one. However, ensuring that client data be secured to the ‘highest possible standard’ has long been one of Tower Hamlet’s highest priorities. “We do have a general commitment to ensuring that data is secure” says ICT head, Jim Roberts. “We take the whole issue of security very seriously indeed. Subscribing to GCSX is a very good indication that we are doing the right thing. “Improved processes around GCSX should also in future speed up certain business processes, which in turn will hopefully release savings opportunities.” Tower Hamlets is looking forward to enjoying such benefits now that it is linked into the network. These will include: an improved administration and delivery benefits; reduced risk of misplaced sensitive data by having secure email; and a secure ftp route for data exchange with central government departments. The council was also one of a number of local authority areas that adopted the new In and Out of Work (IOW) processes in February – and will be using its GCSX connection to enable this. Through the GCSX network information can be shared electronically and securely. “We were very excited and keen to get involved,” says Steve Hill, the council’s benefits service manager. “The idea of just one organisation collecting the evidence so that customers only have to go to one place, rather than several, is a highly appealing one. This will make a huge difference for our customers in terms of access to benefits and turnaround.”

Page 29

Connecting the Public Sector

2009

6.6 Caerphilly County Borough and Gwent Police work together over GCSX (April 2009) Caerphilly County Borough Council (CBC), Gwent Police and other local agencies have signed up to the GCSX programme, with several departments within the council looking to use the network to securely share information with trusted partner organisations – including Housing Benefits, Community Safety, Social Services, Youth Offending Service and HR/payroll. Head of Caerphilly council, Cllr Lindsay Whittle, said: “This system is excellent in that we are now able to securely transfer sensitive and confidential data between partner agencies swiftly and accurately. Not only is it of real benefit to us, but it will also benefit the residents of the Caerphilly county borough. No doubt others will follow suit in the near future to take advantage of this new secure communication facility.” Caerphilly’s community safety manager, Howard Rees, agreed: “Residents of the Caerphilly county borough should feel safe in the knowledge that this technology will now aid us even further in tackling crime and disorder across the area, as it allows us to communicate with our partners quicker and more accurately than ever before. “Those responsible for committing crimes and acting anti‐socially will not be tolerated, and this new technology will help significantly in helping us bring them to justice quickly.” Detective inspector Huw Watkins of Gwent Police has emphasised the timeliness of the implementation: "We are working together on a daily basis in the sharing of information for the benefit of the community. As the staff at Caerphilly CBC are working with us on a variety of themes, it is essential that we are able to communicate securely. “This approach has allowed us to drive down volume crime, and share information about preventing radicalisation. This is great news for the people of Caerphilly, who can be sure that those responsible for ensuring their safety are working together to target those who cause harm. “One particular incident recently highlights this to very good effect. Following deployment of a 'capture car’ in Blackwood the footage of the suspected offender was circulated to Caerphilly staff. Almost a month later, police officers saw some men acting suspiciously in Blackwood and asked the council’s CCTV operator to focus on the person. “That operator recognised the man as being wanted by the police, was arrested by the officers and the crime cleared up.”

6.7 Preston looks forward to fast, secure data exchange (April 2009) Preston City Council was connected to the GCSX network on 2nd April 2009, just six months after its original Code of Connection submission. “We continually invest in ICT at Preston, move with the times and keep our technology current. From this point of view we had a very good base to build on and not a huge amount of work to do to become compliant,” asserts Greg Skellorn, Preston City’s ICT support manager. “The main challenge for us was ensuring that our processes, policies and procedures included the specific requirements of the GCSX network. This also gave us the opportunity to ensure that these were generally properly documented and up to date.” The main motivation to signing up to the Government Connect programme was the DWP Data Access Policy that came into force on 31st March this year. “Longer term, we hope the facility will help us to streamline services by speeding up secure data exchange with a range of public bodies. Any services that come online and will help us to do this, we’ll make use of,” says Greg.

Page 30

Connecting the Public Sector

2009

6.8 South Hams gets secure access to DWP systems (April 2009) South Hams District Council went live using GCSX in February ‐ one of the earliest authorities to do so. “I’m extremely pleased with the dedication of my team here at South Hams. The process has had its challenges but, with the support of the Government Connect team, we’ve made it,” said Pauleen Blampied, South Hams head of ICT. “With GCSX in place, we now have a more secure mechanism to access DWP systems and will also be able to take advantage of the security and efficiencies that GC Mail offers," says Robin Barlow, ICT support manager.

6.9 How secure is LA Remote Access? (March 2009) Citizens rightly demand that personal data is properly handled and access controlled. Remote access and mobile media are particular challenges in that they provide a ‘soft underbelly’ for physical and virtual attack on systems, such as hacking. Furthermore, we risk losing public confidence when we misplace or mishandle remote devices containing secure data. And yet, this way of working is fast becoming a necessity within local authorities. Whilst local authorities have been, and are, innovative, CESG security standards have highlighted weaknesses. Prior to GCSX, councils were not assessed against industry standards for remote access. A secure system of remote access is part of the CoCo process (although the GCSX network does not technically impact on remote working). The vast majority of local authorities are now acting positively to correct these weaknesses. Networks are assured and risk assessed against confidentiality, integrity and availability. In fact, the government data that is accessed across GCSX includes Impact Level 3 (IL3) Restricted data, eg DWP’s CIS database. CoCo compliance also demands dual factor authentication on remote network access, in order to reduce the threat of attacks against local authorities. Normally this is a card or token based solution which confirms the user identity ie authenticates. It offers an additional assurance that users are who they say they are, and not just someone who has gained access to the system and passwords. When data is accessed by remote systems some of this data may still be cached on the PC. This data is retrievable using specialist tools that can be deployed by unauthorised as well as authorised persons. Such a PC could cause considerable embarrassment, as a minimum if it falls into the wrong hands. This is one reason why CESG insists that PCs must be appropriately encrypted and consideration given to disposal. Although there are thin client systems that claim not to leave information on PCs there are compliance difficulties if these are not correctly configured. There is a need for appropriate control at the end points where they sit outside the LA network. A further risk is that the PC might not be maintained at the right patch level i.e. all operating system updates are applied. This could include essential security patches which would leave the PC (and hence the network) exposed if not properly controlled. This is not possible if the PC is owned by the individual rather than the organisation. Remote working brings inherent risks which can certainly be mitigated through checks and balances, outlined within the CoCo process. GC presents an immediate opportunity to put those checks into place sooner rather later before it’s too late.

Page 31

Connecting the Public Sector

2009

6.10 Libra ‐ available soon over the GCSX (February 2009) Libra replaces the magistrates’ courts existing information technology systems with one national system enabling standard national business processes across all courts. HMCS are also changing the business processes used to manage the criminal, civil, accounting and enforcement workload, these new processes coupled with the new infrastructure will improve information links between the courts and criminal justice partners. Local authorities will be able to utilise these enhancements initially through their Youth Offending Teams (YOTs), using their GCSX connections. YOTs will be able to streamline work practices and share information more efficiently with these key agencies. Libra provides electronic interfaces that automatically transfer case information between the courts and partners (such as the Police, DVLA and the Office for Criminal Justice Reform). Interfaces reduce re‐keying of data and should decrease transcription errors. GCSX users will be able to access Libra from their own desktops, negating the need to use third party access and will be able enquire about court cases, view an electronic diary and print court lists and registers. This reduces the time spent dealing with routine enquiries and printing lists. Youth offending teams may currently have local agreements to access existing court systems to see court lists and results for young people that YOTs are managing. However, when Libra is installed, this will no longer be possible. Local authority IT networks that are Code of Connection compliant will meet these criteria and will not have to make costly and timely alternatives to receiving this information. Phil Sutton, head of ICT Business Change and Benefits for the Wiring Up Youth Justice programme, said: “The Libra Central Service is a real benefit for YOTs in court areas where Libra has been installed. Early feedback from YOTs using the service has been extremely positive. They now receive court lists and results automatically, which saves them time.”

Page 32

Connecting the Public Sector

7. GCSX, Central and Local Government

2009

www.govconnect.gov.uk

Developing opportunities for improved information sharing between Central and Local Government Housing and Council Tax Benefit Administration GCSX is enabling improved benefits administration via: • • • • •

Direct secure access to DWP customer information system (CIS). Secure email of personal sensitive and RESTRICTED data between local authority and DWP staff. Secure bulk file transfer of case data ‐ eg Local Authority Input Documents (LAIDs) and Local Authority Claim Information documents (LACIs) ‐ between DWP and local authority systems. Improved access to DWP fraud related data. Delivery of the In and Out of Work project which through secure electronic communication between DWP, HMRC and local authorities is streamlining processes and enabling people moving in and out of work to access benefits entitlements more effectively.

Trading Standards GCSX is enabling secure communication between key delivery partners. This can lead to an improved ability to share regulatory intelligence within Public Protection Partnerships, improved 5x5x5 reporting between organisations and the ability to securely access Serious Organised Crime Agency (SOCA) applications such as the Joint Asset Recovery Database (JARD) from a local authority desktop.

Youth Justice By establishing secure connectivity between the Youth Justice Board (YJB), HM Courts Service and local authority based Youth Offending Teams (YOTs) GCSX enables secure access to key applications such as the HM Courts Libra system, the YJB’s Case Management and e‐Asset systems and the exchange of secure structured messaging relating to custodial and remand information.

Tackling Crime and Improving Community Safety GCSX enables more secure, reliable and timely exchange of data between the Police and local authorities, improved ability to share information with key partners in the delivery of Multi‐Agency Public Protection Arrangements and Risk Assessment Conferences (MAPPA and MARACs) and secure information sharing with Fire & Rescue Services.

Better Health and Adult Social Care Integration GCSX provides a secure email facility that enables local authorities to securely share Patient Identifiable Data with NHSmail users (PCTs, Acute Trusts, GPs etc) in order to improve existing joint working arrangements in areas such as bed management, hospital discharge, unscheduled care and hospital at home initiatives. In addition DWP is looking to enable access to N3 applications via GCSX and remove the current requirement for separate N3 connectivity.

Better Children’s Services By enabling secure access to systems such as Contact Point, the Common Assessment Framework (eCAF) and Free School Meals (FSM) and providing secure email between local authorities and key partners such as the Family Courts, GCSX provides the potential for local authorities to improve information sharing with key partners in order to safeguard children.

Page 33

Connecting the Public Sector

2009

Improving the Management of Citizen Changes of Circumstance GCSX will provide the secure channel for local authorities to engage in the Tell Us Once programme, which aims to radically improve the provision of government services by enabling citizen information to be securely and electronically shared across government via access to the Tell Use Once ‘hub’ and secure email.

More Effective Government Estate Management GCSX is enabling the Office of Government Commerce to share the full dataset contained in its central database of civil estate properties, land holdings and occupations (e‐PIMS). This will lead to greater cooperation between central and local government and exploitation of the opportunities for improving the efficiency and effectiveness of the wider government estate.

Supporting Civil Contingencies GCSX enables organisations to securely communicate electronically via email and by making it possible to browser‐access shared emergency planning and instant response applications both locally and nationally. One such application is the National Resilience Extranet (NRE) that will be available to local authorities over GCSX soon.

Improving Joint Working The ability to access central government data systems from a local authority building via a GCSX connection will not only enable local authority staff to access useful and reliable data efficiently and securely but will also enable central government staff to operate within and deliver services from local authority buildings. This will enable the provision of multiple services to citizens from a single location – thereby improving the ability to deliver end to end services, tailored to the citizen, from initial point of contact through to service delivery and facilitating more efficient joint working between government departments and local authorities.

Shared Services A recent Gartner study concluded that GCSX offers good value for money and in certain scenarios may offer the most efficient option for the provision of shared service infrastructure at both the local and national level.

Page 34

Connecting the Public Sector

2009

8. Government Connect Benefits Realisation Fund – Local Authority Pilots See the I&DeA website for full details: www.idea.gov.uk Project

Description

Bristol City Council

Without secure email, the trading standards community in the South West can neither share ‘restricted’ intelligence with enforcement colleagues and law enforcement partners nor access specialist intelligence databases.

Trading standards and intelligence sharing in the South West (SWERCOTS)

However, the advent of GCSX secure email dramatically transforms the teams’ dynamics by enabling secure email and providing secure access to specialist databases. Teams can now target effective enforcement in partnership with other local, regional and national services and law enforcement agencies. This new collaborative and intelligence led approach should make the lives of rogue traders, loan sharks, fraudsters and other criminals targeting the vulnerable much harder – and the lives of residents much safer.

Conwy County Borough Council Joint Asset Recovery Database (JARD)

The government’s ‘Taking Profit Out of Crime’ initiative helps councils, the Home Office and other partners to recover money from crimes covered by the Proceeds of Crime Act. Data is held centrally in the Joint Asset Recovery Database (JARD). Conwy County Borough Council has been leading recovery activity in its area – currently working on behalf of itself, 11 other councils, the DVLA and the Illegal Money Laundering Unit. GCSX will facilitate secure remote access to JARD for Conwy’s team ‐ enabling roll out of more efficient electronic processes and delivering immediate savings from cutting the need for officers to make frequent trips to London to access information in person and attend court.

Dartford Borough Council Kent Connects Kudos – tackling crime and antisocial behaviour

Kent Connects’ KUDOS (Kent Universal Data Output System) project is exploring how secure data sharing can be enabled in order to streamline joint working between partners to help tackle crime, antisocial behaviour (ASB) and drug abuse in Kent and Medway.

The police, fire and rescue authority, local councils, primary care trusts and others work together in the area through local crime and disorder partnerships (CDRPs). Each agency has its own IT and data recording systems but has a duty to share its data. Kudos is using GCSX to enable standardised, secure data sharing and underpin operational planning.

Devon County Council, on behalf of the Devon ePartnership

Devon’s councils are working together to pin down an ‘accredited and affordable model for enabling secure access’ to council systems for Flexible Working initiatives – which enable normally office based staff in partner councils to work from home or from a trusted partner site, such as an NHS site. However, ensuring access to a secure office environment and secure access to GCSX from the many different desktop, laptop and PDA devices used by staff is proving difficult.

Flexible Working

During the CoCo approval processes the partnership encountered a variety of protocols across government departments for secure access to GCSX. The current project will analyse, and attempt to synchronise, identified policies in order to develop a standard, affordable and accredited working solution to enable flexible working for all partnership councils.

Page 35

Connecting the Public Sector

2009

Dudley Metropolitan Borough Council Business Crime Partnership

Dudley Borough Business Crime Partnership Limited is a private, not‐for‐profit company set up by the council in a bid to reduce crime, the fear of crime, and antisocial behaviour in local business centres. Implementation of a secure GCSX connection will enable the council and partnership to securely share sensitive information with West Midlands Police and the Crown Prosecution Service. It will become possible to send pictures, crime details and criminal backgrounds in real‐ time safely via GCSX so that prolific offenders can be swiftly targeted in the business centres covered by the partnership.

Great Manchester Public Protection Partnership (GMPP) Business Compliance – Regulatory Services

Ten Greater Manchester authorities and the Fire and Rescue Service have formed the Greater Manchester Public Protection Partnership (GMPPP) to transform regulatory services in the region. The partnership is creating a radical new model to assess business compliance across all disciplines ‐ Trading Standards, Environmental Health, Licensing and Fire Safety ‐ with a simple e‐enabled assessment tool utilising a harmonised risk assessment system. The methodology for securely sharing this data across the partnership – and Greater Manchester Police, the Health & Safety Executive and the Food Standards Agency ‐ is underpinned by GCSX. The project aims to deliver efficiency savings and reduce unnecessary inspections; it will also enable expensive resources to be targeted at high risk and rogue businesses to deliver higher levels of public protection.

Halton Borough Council ‘Place shaping’ through GIS data sharing

Halton Borough Council has little information available beyond its own borough boundary to either help with citizen enquiries or facilitate business planning. The project aims to rectify that by formulating a means of securely sharing and using standard geographic information between Liverpool City Region Sustainable Community Strategy partners. Data will be in a standard format and be capable of being used directly within each partner’s existing corporate GIS. This aim is to share socio‐economic, crime, demographic and land use planning information between partner authorities ‐ Halton, Liverpool, Wirral, Sefton, St Helens and Knowsley ‐ plus other more general information sets such as environmental monitoring and property.

Hampshire County Council on behalf of the Hampshire and Isle of Wight Partnership Exploring a regional approach to employee authentication

On behalf of the Hampshire and Isle of Wight IT Managers’ Group, Hampshire County Council is investigating whether the national Employee Authentication Service (EAS) can be used as a common ‘strong’ authentication service for national, partnership and local working. GCSX and its ability to provide secure network links between local authorities and to EAS is an essential component of the design. Hampshire believes that it is feasible to develop a standard authentication service offering capable of being either used directly or replicated as appropriate by any local authority to strongly authenticate their employees to any EAS service or local partner network. Ultimately this should provide a key enabler for service transformation through breaking down the barriers between partner systems and support flexible working without compromising security. This will promote the take‐up of shared services by making them available more efficiently and cost‐effectively.

Page 36

Connecting the Public Sector

2009

Lancashire Council (Lancashire Constabulary & Police) Antisocial behaviour data sharing in Lancashire

A consortium of partners– including Lancashire County Council and Lancashire Police (project sponsor and lead respectively), London Borough of Barking and Dagenham, Newcastle City Council, North Lincolnshire Safer Neighbourhoods Partnership, and Somerset County Council ‐ has started a project to help deal more effectively with antisocial behaviour (ASB) The consortium aims to build and test a secure ‘pipe’ (data connection) for data sharing; gain government approval for switching it on; and then write and test XML schemas (templates for recording data). This will join the two main secure environments that police and local authorities use – the GCSX network and the Police National Network (PNN) – to enable ‘almost life‐time’ swapping of information about ASB. Thus enabling ASB to be identified, tracked and dealt with far more swiftly than at present.

Lichfield District Council Business data sharing in the West Midlands

Business Matters aims to demonstrate that by applying data standards to core data about businesses, data can be shared in ways that will improve efficiency both for business and the public sector. Project partners Lichfield (lead authority), Solihull, Dudley and Business Link West Midlands, believe that sharing accurate, up‐to‐date data will bring major benefits to many service areas. The GCSX secure network enables the project to move from this theoretical model of data sharing to actual deployment. Partners will be able to share a single ‘version of the truth’ about businesses in the West Midlands, thus facilitating better delivery of business support and regulatory services. Businesses should get more focused and targeted support, and public sector partners will be able to work in a joined up and more efficient way.

London Borough of Islington No Recourse to Public Funds

Islington aims to develop a database and information sharing process for social services to inform care provision for people with ‘No Resource to Public Funds’ (NRPF) – for example, asylum seekers and failed asylum seekers, people who have entered the UK on visas and, in some cases, European Economic Area nationals who are destitute in the UK. This ambitious project aims to address the information gap and revolutionise the way the NRPF client group is managed by local authorities. It will also develop a national NRPF database in partnership with the UK Border Agency (UKBA) to record who is being supported, why, and by which local authority. This will be accessible via GCSX. A steering group of six authorities (Birmingham, Bradford, Brighton and Hove, Glasgow, Islington and Manchester) is working with representatives from the UKBA and the NRPF Network.

London Trading Standards Authority (LOTSA) Trading Standards and Regional Intelligence in London

London Trading Standards (LoTSA) has its own regional intelligence unit providing services to all London boroughs, requiring the sharing and exchange of information. Information is shared through the filing of ‘5x5x5’ intelligence reports by trading standards officers within London Boroughs. Access to secure email and a connector from existing case management systems to a national database will greatly enhance the service. GCSX now forms a base on which to develop a working connector between local case management systems and LoTSA, enabling electronic receipt and processing of 5x5x5 reports.

Page 37

Connecting the Public Sector

2009

North Kesteven District Council, on behalf of the Lincolnshire Public Sector Working Group Customer Data Hub

Lincolnshire County Council is creating a single, trusted and complete view of the county’s customers in a new Customer Data Hub (CDH). This central repository of accurate, up‐to‐date data will be shared with the district councils. Connected to the national ‘Tell Us Once’ initiative, the project aims to use a common infrastructure ‐ based on GCSX ‐ across the county to improve information transfer. A common messaging format will be agreed to notify public sector authorities of residents’ changes of circumstances, along with data sharing protocols and governance processes around data management and data quality. In a future phase of development, CDH will provide Lincolnshire’s ‘change of circumstance’ service to the Department for Work and Pensions (DWP) via GCSX.

Plymouth City Council on behalf of Devon ePartnership and Isles of Scilly Civil Contingencies/Emergency Planning

Rochdale Metropolitan Borough Council Blue Badge Scheme

Recent events in the Devon ePartnership area – including the grounding of the MV Napoli off the East Devon coast and the flooding in Boscastle and Ottery St Mary – exposed communication frailties among Devon’s public services and highlighted the need for a standard, secure approach to both planning and operational contingencies between organisations. Building on work by Plymouth and Isles of Scilly civil contingencies teams, the project encompasses sensitive emergency planning data which can be shared among agencies via a secure infrastructure ‐ GC Mail over GCSX. It involves all 11 Devon councils, plus Cornwall Council and the Isles of Scilly, police, ambulance and fire services, as well as primary care trusts (PCTs) and regional agencies. The Blue Badge Scheme for disabled parking provides a vital lifeline to disabled people. A marked increase in Rochdale’s elderly population is reflected in the rise in its Badge holders from 673,000 in 1987 to over 2.3 million in 2007. Two‐thirds of badge holders are over the age of 65 and 55% of them do not use public transport. Rochdale is seizing the opportunity presented in the Department for Transport’s Reform Strategy to establish a secure data‐sharing system. With the ultimate vision of creating a national database with local access, Rochdale will use GCSX to give all Greater Manchester and North West authorities access to vehicle driver data. This will not only facilitate the issue of badges but also significantly enhance fraud enforcement. It will also enable secure data exchange with local authority partners such as the NHS, police authorities and DWP.

South Lakeland District Council Information sharing to facilitate a needs led approach to older people

Starting with service provision for older people, South Lakeland District Council is piloting a new approach to delivering efficient and effective services – ‘Need‐Led Service Design’. By understanding customers’ needs, and then designing and wrapping services around these needs, the council felt its services, and those of its partners, could be better targeted and more effective. The pilot will be underpinned by secure data sharing via GCSX across all relevant parts of the public sector working with the elderly. Partners, including NHS Cumbria, Cumbria County Council, Cumbria Fire and Rescue, Cumbria Constabulary and Age Concern, are keen to share information operationally. This will help them to provide services seamlessly and proactively to older people on a preventative basis, spotting issues before they become problems and keeping older people healthier and independent for longer.

Page 38

Connecting the Public Sector

2009

Sunderland City Council Births ‐ Tell Us Once

Sunderland City Council is exploring how parents’ experience of the public sector on the birth of a new child can be improved. From supporting new parents by improving access to child benefit and other child related benefits to developing secure and appropriate information sharing across the Local Strategic Partnership, Sunderland believes that more can be done to deliver joined up services for new babies and their families. The city is working with HMRC’s Child Benefit Service, South of Tyne and Wear Primary Care Trust, City Hospitals Sunderland Foundation NHS Trust, Northumbria Police and Gentoo Housing to explore how a secure infrastructure like GCSX can underpin improved data capture and data sharing. The project is linked to both the DWP ‘Tell Us Once’ and DCSF ‘ContactPoint’ projects.

Torbay Council on behalf of Devon ePartnership Safeguarding Children ‐ GC Mail

The Devon ePartnership surveyed all Devon councils to identify user communities for secure email, the volume of such mail, and current methods of transfer. The results clearly demonstrated that secure email was unacceptably being transmitted via insecure mechanisms, such as the internet. Significant volumes of secure data were also being shared between Devon councils, government agencies, police, health and voluntary sector organisations. Three Devon councils – Torbay, Plymouth and Devon itself – subsequently identified a requirement for secure email for their Safeguarding Children teams. Torbay Council has already piloted Government Connect’s GC Mail for its team. The project aims to document achievements/benefits to date, expand the solution further into the secure email community for Torbay team, and then roll out the solution for Plymouth City Council and Devon County Council.

See the I&DeA website for further details: www.idea.gov.uk

Page 39

Connecting the Public Sector

2009

Appendix I – Response: Quick survey i. Councils (Quick survey) – Total: 105 frontline organisations Aberdeen City Council Aberdeenshire Council Ashfield District Council Basingstoke & Deane Borough Council Bath & North East Somerset Council Blaby District Council Blackburn with Darwen Borough Council Bolton Council Bradford City Council Broxbourne Borough Council Camden Drug Action Team Camden London Borough Carmarthenshire County Council Cotswold District Council Craven District Council Crawley Borough Council Denbighshire County Council Derby City Council Doncaster Metropolitan Borough Council (x2) Dudley Metropolitan Borough Council Durham County Council Ealing Council East Hertfordshire Council East Renfrewshire Council East Staffordshire Borough Council East Sussex County Council Fareham Borough Council Fenland District Council Fife Council Flintshire Local Health Board Great Yarmouth Borough Council Hackney London Borough Hambleton District Council Hampshire County Council Haringey Council (x3) Havering London Borough Herefordshire Council Herefordshire Primary Care Trust Hertfordshire County Council High Peak District Council Hull City Council Humberside Police Force Huntingdonshire District Council Hyndburn Borough Council Isle of Wight Council Kettering Borough Council Kingston Upon Thames Royal Borough Council Kirklees Council Lancashire County Council Leicestershire Fire and Rescue Service

Lewisham London Borough Lincolnshire County Council Lincolnshire Fire and Rescue Service Liverpool City Council Malvern Hills District Council Manchester Primary Care Trust (x2) Newham London Borough Newham Primary Care Trust North Ayrshire Council Northampton Borough Council Nottingham City Council Nottinghamshire County Council Nuneaton & Bedworth Borough Council (x2) Portsmouth City Council Preston District Council Richmond Upon Thames London Borough Rochdale Metropolitan Borough Council Rushmoor Borough Council Rutland County Council Ryedale Borough Council Sefton Council Somerset County Council South Cambridgeshire District Council South Gloucestershire Council South Kesteven District Council South Oxfordshire District Council South Wales Police Force Southampton City Council Southwark Council Staffordshire County Council Suffolk County Council Surrey County Council Sutton London Borough Telford & Wrekin Council Torbay Council Torfaen Local Health Board Tyne and Wear Fire & Rescue Service Waltham Forest Council Welwyn Hatfield Borough Council West Midlands Police Authority Westminster City Council (x3) Wiltshire Fire & Rescue Service Winchester City Council Wirral Council Woking Borough Council Wokingham Borough Council York (City of) Council (x2)

Page 40

Connecting the Public Sector

2009

ii. Job titles (Quick survey) Acting Head of Revenues Application Developer Assistant Chief Constable Assistant Customer Services Manager Assistant Director Commissioning and Performance Assistant Director of Joint Committee (care and health) Assistant Director of Strategy & Performance Assistant Systems Officer Branch Manager for Corporate Development Business Development Manager Business Rates & Revenues Manager Change Consultant Chief Executive (x3) Chief Fire Officer Chief Information Officer Chief Revenues and Benefits Officer Client Services Officer Commissioning & Performance Manager Commissioning Manager ‐ Community Care Services Community Information Unit Manager Corporate Improvement Adviser Corporate Strategy Manager Council Solicitor County Manager Access and Information Customer & Information Services Manager Customer Services Manager (Resources Directorate) Customer Services Manager (x3) Data Protection & Information Security Officer Deputy Chief Fire Officer Development Plans Manager Director of Adult & Community Services Director of Adult Social Service & Housing Director of Children's Social Care Director of Corporate Planning Director of ICT & Business Transformation Director of Information Communication & Technology Director of Performance & People Drugs Team Leader E Enabler Practitioner Leader (Quality & Performance) Executive Head of Customer Contact Financial Adviser Financial Services & Audit Manager FOI Administration GIS Manager GIS Manager / LLGP Custodian Government Connect Lead Head of Billing Services Head of Customer Services Head of Environmental Health Services

Head of ICT Head of Improvement and Inclusions Head of Income & ICT Head of IT (x4) Head of Local Land Charges & LLPG Manager Head of Performance & Efficiency Head of Revenues and Benefits Head of Service ‐ Children & Families Housing Services Manager (x2) ICT Applications & Infrastructure Manager ICT Consultant ICT Systems Manager (Public Protection) Information Governance Manager Information Manager Information Security Manager Information Services Officer Interim Head of Public Protection IT Project Officer IT Strategy Manager Joint Commission Manager for Disability Services Library Operations Manager LLPG Custodian Office Manager ‐ Council Tax & Benefits Performance & Project Manager Performance Management Officer Performance Officer (x2) Planning Support Services Manager Principal Benefit Officer Principal IT Analyst Principal Officer ‐ Children's Commissioning Principal Trading Standards Officer Procurement and Commercial Manager Project Manager Project Manager ‐ Executive Leadership Team Revenues Revenues & Benefits Manager Revenues Manager (x2) Revenues Officer Scrutiny & Policy Officer (Information Management) Senior ICT Development Officer Senior Solicitor, Policy & Advice Team Service Development Manager Service Performance Manager Strategic Performance Manager Team Leader, Natural Environment Waste Policy & Amenities Manager

Page 41

Connecting the Public Sector

2009

Appendix II – Response: In‐depth questionnaire i. Councils (In‐depth questionnaire) – Total: 103 frontline organisations Aintree University Hospitals NHS Foundation Trust Babergh District Council Barking & Dagenham London Borough (5) Barnsley Metropolitan Borough Council Bolton Council Bournemouth & Poole Teaching Primary Care Trust Bracknell Forest Borough Council Brent London Borough Brighton & Hove City Council Bromley London Borough Broxtowe Borough Council Chelmsford Borough Council (2) Conwy County Borough Council Corby Borough Council Darlington Borough Council Derby City Council Derbyshire County Council Dudley Metropolitan Borough Council Durham & Darlington Fire & Rescue Service East Hampshire District Council East Sussex County Council Eastbourne Borough Council Eastleigh Borough Council Edinburgh (City of) Council Fenland District Council Forest of Dean District Council Greenwich Council Halton Borough Council Hammersmith & Fulham London Borough Havering London Borough Hertfordshire County Council King's Lynn & West Norfolk Borough Cncl Kirklees Council Leeds City Council (2) Luton Borough Council Mansfield District Council Midlothian Council Monmouthshire County Council Newport City Council North Hertfordshire District Council North Kesteven District Council North Norfolk District Council North Somerset Council (3) North Tyneside Council Northamptonshire Police Authority Norwich City Council (2)

Nottingham City Council Oxfordshire County Council Pendle Borough Council Poole Borough Council (2) Reading Borough Council (2) Renfrewshire Council Richmondshire District Council (2) Sefton Council Shepway District Council Solihull Metropolitan Borough Council South Cambridgeshire District Council South Gloucestershire Council South Lakeland District Council South Norfolk Council Southend‐on‐Sea Borough Council Stockport Metropolitan Borough Council (2) Suffolk County Council Sunderland City Council Swansea Local Health Board Tamworth Borough Council Test Valley Borough Council Thanet District Council (2) Tonbridge & Malling Borough Council Tower Hamlets Council Trafford Council (2) Wakefield City Council (2) Walsall Council Wandsworth Borough Council Warrington Borough Council Warwick District Council West Sussex County Council Wigan Council Wiltshire Council Winchester City Council Windsor & Maidenhead Royal Borough Council (2) Wirral Council Wokingham Borough Council York (City of) Council (3)

Page 42

Connecting the Public Sector

2009

ii. Job titles (In‐depth questionnaire)

Application & Information Manager Assistant Director of Adult Social Services Assistant Director of Finance & Resources Assistant Director, Democratic & Customer Services Benefits Customer Services Manager Benefits Manager (x4) Benefits Services Manager, Housing Benefits Supervisor Business Analyst Business Change Group Manager Business Systems Manager Call Centre Supervisor Change Manager Chief Executive Chief Officer ‐ Information Services Community Care Team Manager Contact Point Implementation Manager Corporate Director Adults & Community & Deputy Chief Executive Corporate Information & Complaints Officer Corporate Information Manager (x2) Corporate Records Manager Council Tax Manager (x2) Councillor Councillor ‐ Deputy Leader Councillor ‐ Education, Children & Young People Portfolio Councillor ‐ Executive Member for Children & Young People's Services Customer Access Manager Customer Relations Officer Customer Services Manager Data Protection & Information Security Officer Data Security Director of ICT & E‐Government Divisions Manager for Revenues and Benefits Environmental Health Principal Finance, Control & Support Manager Fire Control Data Manager Geographical Data Manager GIS & Mapping Manager & LLPG Custodian Head of Benefits Head of Children's Services & Safeguarding Head of Contracts & Procurement Head of Customer Contact Head of Department Head of ICT

Head of IT Head of IT Strategy Head of Performance & Scrutiny Head of Revenues & Benefits Head of Technology Services ICT Project Manager (x2) Information Governance Manager (x3) Information Officer IT Business Integration Manager IT Infrastructure Development Manager IT Systems Administrator IT Systems Team Leader Land Charges Manager/Officer (x4) Management Consultant ‐ E‐Government Management Information & ICT Systems Manager Member ‐ Portfolio Holder for Children's Services, Education & Youth Services Partnership Coordinator ‐ Unified Assessment Project Performance Improvement Officer Performance Review Inspector Performance Review Officer Planning Services Development Officer Policy & Performance Manager Primary Care Performance Officer Principal Environmental Health Officer Principal Housing Benefit officer Principal IT Officer Principal Service Development Manager Principal Trading Standards Officer Project Coordinator (Customer Services & Partnerships) Project Manager ‐ Government Connect Revenue & Benefits Manager (x5) Senior IT Support Analyst Senior Planning & Policy Officer Senior Support Officer Senior Trading Standards Officer and Chief Inspector of Weights and Measures (x2) Service Director ‐ Strategic Procurement & E‐Services Systems Development Manager Systems Support Team Leader Team Manager Technical Team Leader Trading Standards Manager (x2)

Page 43

Connecting the Public Sector

2009

Appendix III – The Questionnaires i. Quick Survey Q1. Do you share sensitive information about citizens with other public sector organisations? (eg local authorities, health, fire, police, central government). Q2. Do you ever share this data by post/paper/solid media?

Q3. Do you ever share this data by secure network communications? (eg GCSX)

Q4. Are all staff regularly trained regarding the sensitivity of citizen information and the importance of adhering to correct procedures for its handling? Q5. Do you feel there is a need to share sensitive citizen data in order to improve the quality and efficiency of public service delivery? Q6. Do you feel that accessing databases in other public sector organisations would improve/help the way you deliver services? (eg local authorities, health, fire, police, central government). Q7. Would trusted and secure data sharing be essential in order to deliver 'Total Place' public services?

ii. In‐Depth Questionnaire

Page 44

Connecting the Public Sector

2009

Page 45

Connecting the Public Sector

2009

(cont’d next page)

Page 46

Connecting the Public Sector

2009

(cont’d next page)

Page 47

Connecting the Public Sector

2009

(cont’d next page)

Page 48

Connecting the Public Sector

2009

Page 49