Local authority security compliance: help or hindrance?

The Government Connect Secure Extranet (GCSx) provides local authorities (LAs) with access to central government networks. To connect to it, they must complete and maintain a Code of Connection (CoCo). This compliance requirement involves technology, people and process. The audit process aims to assess the technical as well as human security elements to ensure that data is treated safely and with respect.

The impression we get from some in the sector is that it can be expensive, drain resources and is often interpreted differently by different authorities. When initially connecting to the GCSx, most authorities will have experienced some internal disruption in ensuring each department is aligned to answer the compliance requirements.

Money was spent to implement it. With innovations continuing to move rapidly, spending on upgrades and new technology will continue. With every public sector organisation set for further cost savings, many will deem this untenable.

But it is imperative all public sector bodies ensure data is secure. Once a system is in place, it should be maintained through audits and further spending if required. Reputations are on the line and access to public sector bodies is invaluable and should continue.

GCSx aims to empower LAs by giving them access to crucial information from public sector bodies to share among themselves, helping them work towards similar goals. There should be a conscious drive to share best practice, ultimately providing peace of mind to employees and the public.

Implementing and maintaining this security solution should cut costs in the long term. Whether you agree with the annual audit process of GCSx CoCo or not, it is a reality that involves all local authorities across England and Wales.

I predict that the criteria for compliance will change as new security threats arise and organisations will be expected to manage the risks around human-initiated data breaches as much as technology-initiated ones. Whatever happens, compliance will always exist where sensitive data is present.

More frequent and effective dialogue between government and LAs could alleviate some of the tension around compliance, so the two parties understand each other’s issues.

Ensuring efficient security without hindering day-to-day work takes time but, in the name of protecting data, it is time well spent.