Government fails its data security training target

By Siobhan Chapman

Government departments are failing to meet IT security training requirements, according to responses to a Freedom of Information Act (FOI) request.

Despite high-profile government data breaches, most departments have yet to implement a basic level of training on data handling, a freedom of information request made to 16 government departments has found.

The Data Handling Report, published by the Cabinet Secretary Gus O’Donnell in June 2008, committed all departments to mandatory training for those with access to protected personal information or involved in managing it. Each department should have started their mandatory training by the end of October 2008.

But FOI requests made to 16 government by learning provider Firebrand Training departments found many have failed to meet basic training requirements.

The departments for Department for Children, Schools and Families revealed it had no mandatory IT security training in place at all.

While new employees in the Department for Communities and Local Government are issued with an induction pack, they do not receive any formal training.

The Data Handling Report also mandates that employees that handle personal data must undergo annual refresher training. But eleven out of the 14 departments that responded revealed that they not have any refresher training in place for employees. One exception was the Foreign & Commonwealth Office that does operate a refresher training policy, but on a five-year schedule. All departments stated there were plans to implement refresher classes in 2009.

Eight government agencies, including the Ministry of Justice, the Treasury, and the Foreign and Commonwealth Office, said they had no budget for IT security training this year.

Seven departments were unable to respond to the question on whether there was a training budget for IT security. These included the Ministry of Defence, the Cabinet Office, the department for Health, Department for Environment Food Rural Affairs, the Culture department, the Home Office and the Department for Work & Pensions.

Robert Chapman, chief executive of Firebrand Training, which put in the FoI request, said it was a disappointing, but “not surprising” indication that the government was “failing to demonstrate a commitment to data protection”.

“The education of employees is essential to any organisation’s security,” he said, adding: “We rely far too heavily on IT departments. It is clear that inadequate training and inconsistency between departments has produced a naiveté among government employees.”