Government outlines plans to raise data protection standards
20/10/2025 | UK Government
In a letter to Chi Onwurah, Chair of the Science, Innovation and Technology Committee, David Knott, the Government Chief Technology Officer, outlines the measures that the UK government plans to implement in order to enhance information security standards ahead of a Select Committee hearing.
The letter follows the 2022 personal data breach by the Ministry of Defence (MoD), which exposed the identities of 18,700 Afghans applying for relocation to the UK.
Knott writes that the measures will be a "step-change in how data protection is coordinated" within government. The Government Digital Service (GDS), part of the Department for Science, Innovation and Technology (DSIT), will take on responsibility for coordinating cross-government data protection risks and compliance. The Government Chief Data Officer (GCDO) will be the accountable individual responsible for managing cross-government data protection risks and compliance. In addition, the government will establish a dedicated team reporting to the GCDO that will set relevant standards, respond to risks and implement privacy-enhancing technologies across government.
Alongside these measures, the government is drawing up a joint commitment with the Information Commissioner's Office (ICO) to raise standards, while a cross-government Technology Risk Group will be established to drive accountability for technology risk, unifying all major technology risks under one clear and accountable governance structure.
Additional measures being implemented include:
- The Cabinet Office will conduct an assurance exercise for all central departments and arm's-length bodies in October 2025, defining necessary measures.
- It will also write to risk and audit committees to review risk appetite regarding threat-to-life data breaches.
- Furthermore, a model action plan will be developed in collaboration with the ICO and the GCDO for security staff to use in the event of a breach, and GDS will ensure all departments follow the principles for securing personal data in government services, particularly for new initiatives such as Digital ID.
- DSIT will focus on strengthening strategic relationships with critical IT partners, starting with Microsoft, to drive full value from tools that reduce the risk of accidental data breaches, such as ensuring consistent use of Data Loss Prevention (DLP) features.
- To make good information security habitual for all civil servants, the Government Security Group (GSG) will commission a new communications campaign by Q1 2026, highlighting the real-world consequences of personal data breaches. GSG will also bid to make Information Security the focus of the 2026 One Big Thing campaign.
- GDS will support information management professionals and roll out new information management training for all civil servants to address poor information handling.
These commitments will be underpinned by the formal joint commitment with the ICO by the end of 2025 to raise standards and facilitate constructive dialogue.
In a statement, Information Commissioner John Edwards said that he was pleased that the government has clarified its plans to raise information security and data protection standards. Edwards also commented on the joint commitment, which will take the form of a memorandum of understanding, explaining how the regulator will collaborate with the government.