Data is at the heart of digital transformation. It is important to recognise that better data can inform policy-making and improved decision-making about the management of assets and delivery of service.
The Government's position on open data includes:
- making it easier to access public data.
- making it easier for publishers to release data in standardised, open formats.
- following a 'presumption to publish' process unless there are clear, reasons (such as privacy or national security) not to do so.
Open data is:
- accessible (remotely) at no more than the cost of reproduction. This is without limitations based on user identity or intent.
- in a digital, machine readable format for interoperation with other data.
- free of restriction on use or redistribution in its licensing conditions.
NPSA have produced a framework for adopting a security-minded approach to the sharing of data. This includes open data. The framework does not undermine the principles of open data or reduce the benefits of data sharing.
Open and shared data - adopting a security-minded approach
The UK Government want to harness the potential of data by making it easier to:
- access public data
- for publishers to release data in standardised, open formats and
- engrain a 'presumption to publish unless there are clear, specific reasons (such a privacy or national security) not to do so.
the government defines open data as:
accessible (ideally via the internet) at no more than the cost of reproduction, and without limitation based on user identity or intent, in a digital, machine-readable format for interoperation with other data and free of restriction on use or redistribution in its licensing conditions.
However, it is also necessary to be aware that the publication of certain data or information could adversely affect the privacy, welfare, safety or security of an individual or individuals.
It might compromise the safety or security sensitive assets...
The services they deliver...
Or the intellectual property or trade secrets of an organisation or company.
It could also cause commerical or economic harm to a country or potentially jeopardise the security, internal or foreign affairs of a nation.
Any data which could lead ot these types of outcomes should be regarded as sensitive and a security-minde approach should be adopted in relation to its sharing and publication.
If you are unsure whether data or information is sensitive you should seek appropriate advice.
Security-mindedness is the understanding and routine application of appropriate and proportionate security measures.
To deter and disrupt hostiles, malicious, fraudulent and criminal behaviours or activities.
Someone senior at your organisation should be accountable for the security-minded approach of data.
Responsiblity should also be assigned for:
- identifying potential security and data aggregation issues
- assessing the risk associated with publishing and sharing specific data sets
- developing and managing the required security-minded policies and processes
- advising on, and undertaking monitoring and auditing
- and obtaining appropriate professional security advice.
The types of proportionate security mitigation measures and organisation may employ include:
- removing a sub-set of the date aform a published data set when only that sub-set creates a security risk
- reducing the precision of information where the precision of location or timing data increasese the security risk
- providing the data in summary to reduce the level of detail available where the granularity of the data increases the security risk
- you might also wnat to share the data set without sensitive metadata
- reduce the level of detail or granularity of mapped data as a user zooms in to view an area
- or monitor access by requiring user registration or a login to access specific data sets.
Unlocking data has vast potential, but sharing can also present risks.
Make sure you understand sensitivites related to your data before you share it.
That means taking a security-minded approach to your information right from the start.
Now learn more using CPNI's dedicated guidance on data-sharing.