Question to the Cabinet Office:

To ask the Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office, how information and data in the Cabinet Office or Government Digital Service which is collected centrally or shared by Departments is held; what the security clearance required to access such data is; who has access to such data; and what measures are in place to ensure such data does not leave the Cabinet Office.

The Government Digital Service (GDS) and the wider Cabinet Office take their responsibilities in relation to the handling of data extremely seriously. We always take into account both the data protection regime and other guidance like the Government’s Data Ethics Framework.

Different types of data and information are stored in different ways in accordance with our information assurance policies. In relation to the specific project to join up performance analytics across the GOV.UK estate, GDS has created a separate account within its existing Google Analytics account to hold the anonymised performance data collected from GOV.UK services managed by other government departments. Data within the two accounts is not linked together.

Currently Baseline Personnel Security Standard (BPSS) cleared personnel working on the project have access to this anonymised data. BPSS is the minimum required security clearance, and access is granted on a case-by-case basis to further ensure that only appropriate people have access to the data. Data is stored in an encrypted format when it is in transit between service systems and the centralised Google Analytics account, and when stored in the account data store. These measures, together with GDS’s secure by default approach ensure that no data will leave the Cabinet Office by accident or malicious intent.