Question to the Department for Science, Innovation & Technology:
To ask the Secretary of State for Science, Innovation and Technology, what guidance his Department provides to departments using suppliers who operate (a) Foundry, (b) Gotham and (c) other cross-sector data platforms on the risk of cross-domain data use.
All departments must adhere to the UK Data Protection legislation to manage risk and protect personal data when they are using cross-sector data platforms provided by suppliers. All departments are controllers of the personal data they hold and are individually responsible for demonstrating compliance with the data protection principles, and for taking appropriate technical and organisational mitigations in line with the UK GDPR to reduce risk. Under the same legislation, all departments are required to appoint a data protection officer (DPO), who must be an adequately resourced expert in data protection, to assess the compliance of data platforms and to provide advice regarding Data Protection Impact Assessments (DPIAs) in order to identify and mitigate risks.
The Government Digital Service has published the principles for securing personal data in government services, which includes a principle that outlines the actions that departments need to take for best compliance with the data protection legislation when they use platforms provided by third-party suppliers. The actions departments are expected to take include commercial agreements with robust terms and conditions for protection of data, appropriately assigned liabilities, risk assessments, audits, monitoring and oversight of compliance with processing terms and conditions as well as seeking further assurances of compliance from platform suppliers.
The Government Security Group and the Government Digital Service have developed the Security by Design Policy, which covers the management of third-party product security risks.
The Government Digital Marketplace is a resource for departments and wider public sector organisations to find reliable and secure technology for their digital projects. Departments are provided with guidance that covers the features, security arrangements, standards, certifications and compliance information of supplier platforms that fall under existing government frameworks.