Left column

Middlecolumn

Posts tagged: "COVID-19"

    Better data means better services – so how can government get there?

  • Posted on April 29, 2021 by

    The shielding programme was a swift government wide response to identify and protect clinically extremely vulnerable (CEV) people against COVID-19.

    Our recent report on Protecting and supporting the clinically extremely vulnerable during lockdown, shows how government quickly recognised the need to provide food, medicines and basic care to those CEV people shielding. This had to be pulled together rapidly as there were no detailed contingency plans.

    But there was a problem.  In order to do this, government was faced with the urgent task of identifying the people who needed support based on existing, disparate data sources.

    Difficulties in extracting and combining data

    The urgency of this exercise was recognised by all involved, but difficulties in extracting, matching and validating data from across many different systems meant that it took time for people to be identified as CEV.

    At the start of the pandemic, there was no mechanism to allow a fast ‘sweep’ across all patients to identify, in real time, those who fell within a defined clinical category.

    It was a major challenge to identify and communicate with 1.3 million people by extracting usable data from a myriad of different NHS and GP IT systems all holding data differently.

    This lack of joined-up data systems meant NHS Digital had to undertake the task of accessing and extracting GP patient data, stored in different ways in each practice and holding specific details about people’s medical conditions to merge with their own databases. It took a huge effort by the team to complete this task in three weeks.

    Data issues were not resolved by the time of the second lockdown

    Government had identified systems were not capable of ‘speaking’ to each other across hospital, primary care, specialist and adult social care services following the first iteration of shielding (March – August 2020), and sought to apply them to the second lockdown towards the end of 2020. However, our report highlighted resolving the data issues was not an area where significant progress had been or could be made.

    This reflects the wider issues of data across government

    These challenges are examples of broader issues that we have previously highlighted in our report on Challenges in using data across government. People often talk about better use of data as if this is a simple undertaking. But there are significant blockers and constraints that require sustained effort to overcome, which apply to all areas of government trying to use and share data other than for the single purpose it was originally created for.

    The basic issues are widely known and acknowledged:

    • Huge variability in the quality and format of data across government organisations
    • Lack of standardisation within departmental families and across organisational boundaries making it difficult for systems to interoperate
    • The extent of legacy IT systems across government further compounding the difficulties
    • Ownership and accountability aren’t easily agreed where a shared dataset of personal data is brought together and has equal value to different services.

    It’s unclear to us how calls to establish and enforce data standards are going to work in practice if existing systems can’t be modified to support them and there is no firm timetable, road map or funding commitment for replacing them.

    In our report Digital transformation in the NHS, we reported that 22% of trusts did not consider that their digital records were reliable, based on a self-assessment undertaken in 2017. The average replacement cycle for a patient records system is something in the region of once every 15 years so this change isn’t going to happen overnight.

    Our aim is to support government in tackling these issues, and not to be critical of past failings, because we recognise that it is hard. We set out a number of recommendations in our data report and they are summarised in our accompanying data blog.

    Some are aimed at the centre of government and others are steps that individual organisations can take. Our cross-government recommendations were primarily around accountabilities, governance, funding and developing rules and common ways of doing things.

    Our recommendations for individual organisations are:

    • Put in place governance for data, including improving the executive team’s understanding of the issues associated with the underlying data and the benefits of improving that data
    • Set out data requirements in business cases. This should include an assessment of the current state of the data, and the improvements or new data that are necessary. These assessments should have an explicit consideration of ethics and safe use
    • Implement guidance for front-line staff for handling data, including standardisation, data ethics and quality.

    Organisations that hold a cohesive view of their citizen/patient data must address this issue in a managed and incremental way, rather than having to resort to one-off costly exercises which have to be repeated when the next need arises. This will require sustained effort and perseverance.

    Unfortunately, there are no easy shortcuts, but with a will to put in the necessary effort progress can be made one step at a time.


    Yvonne Gallagher

    Yvonne Gallagher

    Yvonne is our digital transformation expert, focused on assessing the value for money of the implementation of digital change programmes. Yvonne has over 25 years’ experience in IT, business change, digital services and cyber and information assurance, including as CIO in two government departments and senior roles in private sector organisations, including the Prudential and Network Rail.

    Tagged:

    Comment on this post...

  • Auditing government’s pandemic response

  • Posted on April 22, 2021 by

    Like governments around the world, ours has committed unprecedented amounts of public money to the fight against coronavirus. By the end of 2020, this reached £271 billion in the UK and will continue to increase. 

    As the UK’s independent public spending watchdog, the National Audit Office has been tracking the Government’s pandemic spending commitments, reporting to Parliament and the public on whether that money has been accounted for correctly and spent as intended. The Committee of Public Accounts has also used our findings as the basis for taking evidence from senior civil servants and for making its own recommendations. 

    One year on from the start of the pandemic, what can be learned from the way government has responded to it? 

    Like many countries, the UK was not well prepared for this pandemic. While we recognise that government cannot be expected to plan for every eventuality, we have repeatedly found that there was no contingency plan to deal with the unfolding situation. And, where plans were in place, these did not anticipate this type of pandemic. 

    Reflecting on this difficult starting point, we have independently assessed each element of the Government’s response based on what was reasonable to expect in the circumstances. 

    The urgency and scale of action required meant that ensuring value for money for the public did not always take priority. Trade-offs were necessary, which increased the risk of financial losses. So, the question we looked to answer in our audits was how well those trade-offs were understood and managed. 

    The furlough scheme, designed and implemented by HMRC and HM Treasury, and the scaling up of Universal Credit payments by the Department of Work and Pensions, were delivered at impressive speed and against a sudden and huge increase in demand. 

    Yet, even with this sterling effort by the Civil Service, the speedy response has come at a cost – higher levels of fraud and error than government would have otherwise expected. 

    This increased risk of financial losses is seen most clearly in the Bounce Back Loan Scheme. The scheme has provided vital cash flow support to small- and medium-size businesses – by the end of March 2021, more than 1.5 million loans had been issued with a total value of £47 billion. 

    However, when initially launched, the scheme proved slow and cumbersome for smaller businesses. In response, credit and affordability checks were removed from the process for loans of up to £50,000 and government guaranteed 100 per cent of the loans. This sped up loans and proved a lifeline for thousands of smaller businesses, but is likely to come at a cost.

    When we reported on this in November 2020, government estimated that 35 per cent to 60 per cent of borrowers may default on the loans. A better indication of the true cost to the public purse will begin to emerge from May when the first repayments are due, although businesses are able to apply to defer this. 

    Those involved in the procurement of personal protective equipment (PPE) faced the considerable challenge of an overheated global market for PPE and an inadequate UK stockpile. Necessary trade-offs, to allow for rapid acquisition of life-saving equipment, were less well managed. At the height of the emergency, it was reasonable to place urgent orders directly with suppliers, rather than use slower competitive tendering methods. But even allowing for the urgency of the situation, essential standards of government transparency were not consistently met. This includes how some suppliers were picked and how a high priority channel for considering certain suppliers was created. 

    In emergency situations where the assurance provided by open competition is not available, it is even more important to provide prompt and full transparency to maintain public trust in how taxpayers’ money is being used. 

    The public health response to the virus has required government to create and deliver a vaccine programme and a test and trace operation at a scale and pace never seen before. The success of the UK vaccine programme is based on shrewd investments in candidate vaccines, brilliant scientists, effective commercial agreements with industry and the delivery power of a National Health Service bolstered by an army of volunteers. Public money had to be committed when there was no guarantee of vaccine effectiveness and this risk was managed well, making good use of relevant scientific and commercial expertise. 

    As the vaccine roll-out progresses and as lockdown measures lift, NHS Test and Trace’s role in identifying and suppressing outbreaks will become more vital. Our initial work on Test and Trace in December found that it had achieved a rapid scale-up in activity and had built much new infrastructure and capacity from scratch. However, we also highlighted value for money concerns and weak evidence of the effectiveness of the service. 

    Test and Trace’s operations will transfer to the new UK Health Security Agency, which is expected to become fully operational later in the year. We will report again on the progress Test and Trace has made in the summer. 

    There is much to be learned already from the pandemic. To promote transparency, government must clearly define its appetite and tolerance of risk, particularly under emergency spending conditions. Uncompetitive procurement practices must not be allowed to become a new norm. It should also monitor how Covid-19 programmes are operating, dynamically updating demand forecasts, and ensuring it has the ability to flex its response. 

    Reporting on the Government’s ongoing response to the pandemic will remain a priority for the NAO. Our upcoming work will include a review of the role of Greensill Capital in Covid-19 loan schemes. We will also publish a series of lessons learned reports starting in May, designed to be of value for the remainder of this pandemic and to help the UK better prepare for future emergencies. 

    This article was first published in the Daily Telegraph

    Tagged:

    Comment on this post...

  • Tackling the challenges facing public sector spending

  • Posted on February 1, 2021 by

    Gareth Davies

    Since the COVID-19 pandemic began, the NAO’s role has been to provide Parliament and the public with evidence-based reports on how public money has been used to tackle the crisis. So far we have published 12 reports on different elements of the pandemic response, including for example the test and trace programme; the procurement of PPE and ventilators; the furlough scheme; and loans to businesses. All of our COVID-19 work is on our website, along with details of the pipeline of COVID-19 work in progress, due for publication in 2021.

    Our work so far has highlighted the challenge faced by government of responding effectively to an unprecedented public health and economic emergency whilst maintaining control over how (and how well) public money is spent. Our reports show how the trade-off between speed, effectiveness, cost and control has been managed in the different elements of the COVID-19 response and provide important learning for the rest of this pandemic and any future public health emergencies. The Public Accounts Committee has held public sessions on each of the topics covered by our COVID-19 reports, taking evidence from the officials responsible and issuing its own reports.

    To support transparency and the effective scrutiny of government spending, we are continuing to update our COVID-19 cost tracker, with the latest update made on 29 January 2021. As well as providing the latest estimate of the cost of every significant government commitment as part of its pandemic response, the tracker shows spend to date where that is available. It also allows the data to be downloaded and analysed by type of support, department responsible and date of commitment.

    Although the pandemic has rightly required significant audit attention, our work programme has also covered other important areas of public spending. In November, we reported on the state of preparations at the UK border for the end of the EU Exit transition period on 31 December 2020. We will follow up how the new border arrangements are working in practice later this year.

    In December, our first report on the government’s progress in meeting its commitment to a net zero carbon economy by 2050 looked at the governance and management arrangements being put in place to deliver this big shift in how we generate power, heat our homes, use our land and travel. We are following up with audits of specific elements of the net zero strategy, such as government’s role in encouraging the transition to ultra-low emission cars.

    COVID-19 has also impacted the NAO’s other major area of work, the audit of government department and arm’s-length body accounts. Finance and audit teams alike adjusted well to fully remote accounts preparation and audit for the 2019-20 annual reports and accounts. Overall, audits took longer to complete, partly due to the logistical impact of lockdown but also because of the impact of the pandemic on 31 March 2020 asset and liability valuations and on the going concern status of organisations facing significant loss of income. I had to include ‘emphasis of matter’ paragraphs in 84 of my audit reports, drawing attention to significant uncertainty in these areas.

    Looking ahead, government’s 2020-21 accounts present significant accounting and audit challenges. For the departments in the front line of the pandemic response, they must account for tens of billions of unplanned spending during the year, often in risky control environments. Our audits will assess the robustness of the estimates and judgements made by departments in accounting for this spending.

    As well as responding to the pandemic in the last year, we have also been making progress on the new strategic priorities we set for the NAO for the five years 2020 to 2025. This is already visible in our new series of lessons learned reports, bringing together good practice, warning signs and tips for success on important areas of public spending. The first in this series, Lessons learned from major programmes, was published in November. As part of our focus on audit quality, we’ve also embarked on an overhaul of our audit methodology and the procurement of a new audit software platform, which will incorporate powerful new data analytics.

    All of this work has only been possible thanks to the commitment and professionalism of my colleagues who, like so many others, have continued to deliver our work programmes whilst managing the impact of lockdowns, home schooling and other pressures. We’re conscious that others, notably healthcare and other front line workers, are handling much greater challenges. That thought focuses us on helping government to extract as much learning as possible from this experience so that the country is prepared for any future emergency of this kind.

    Tagged:

    Comment on this post...

  • Auditing COVID-19: an international perspective

  • Posted on August 27, 2020 by

    WHO President Tedros Adhanom Ghebreyesus addresses a European Parliament committee hearing on COVID-19. Image © European Union 2020 – Source : EP

    COVID-19 continues to have a significant impact on the work of the National Audit Office, including our international work. Our team has continued to complete our international assignments successfully from the UK. We are actively exchanging experiences with other national audit agencies (also known as Supreme Audit Institutions – SAIs) on how to audit governments’ response to COVID-19 across the world, which provides us with valuable insight to strengthen our UK audit response.

    The objectives of our international work are three-fold – we want to use international good practice to improve our UK focused work; we want to enhance the UK’s reputation by showcasing the quality of our public audit work worldwide; and we want to protect the UK taxpayer’s interests overseas by bidding to audit international organisations that receive UK funds, or by providing training to SAIs in countries that receive UK aid. 

    The NAO published its new strategy in June , so we were already planning how international activities could best contribute to our mission as the UK’s independent public spending watchdog. As Gareth Davies, the Comptroller and Auditor General, recently described, the NAO is undertaking a substantial audit programme on the government’s response to the COVID-19 pandemic. From the start, we were clear that UK audit coverage of the pandemic would be stronger by including global insights. People who read our reports see media coverage contrasting how other countries are responding and want an objective comparison between these responses. We can also learn lessons from other countries that can help the UK to better respond to this pandemic.

    The NAO has a global reputation as a leading SAI, but we strongly believe there is always more we can learn from others on how best to provide a modern public audit service. Having good links with other SAIs also allows us to make better use of international comparisons in our reports –  particularly in key areas such as delivering major infrastructure and defence projects – providing Parliament with insights on how other governments approach the same challenges facing our own.

    As we contacted other SAIs it was obvious our situation was not unique. As well as considering the specific nature and unprecedented scale of the pandemic, SAIs around the world were all thinking about how to audit the same thing at the same time. SAIs have a unique cross-government perspective and an independent evidence base that many other commentators do not. We are expected to audit government’s use of public funds but there is a lot to consider. How do we time our interventions so as not to compromise the emergency response, whilst ensuring full accountability for the use of public money. What type of audit product is useful at different stages of the response?

    NAO staff have shared insights on the pandemic in webinars organised by the International Organisation of Supreme Audit Institutions (INTOSAI ). We also established a new European Organisation of Supreme Audit Institutions (EUROSAI) Project Group on Auditing the response to the COVID-19 pandemic, which we are co-chairing with SAI Finland. As part of this, SAIs from 30 European countries have agreed to coordinate and communicate COVID-19 work; share audit approaches, information and outputs; and scope content for any future lessons learned reports. In June and July we co-hosted eight online meetings where 30 SAIs set out the impact of COVID-19, their audit response, and what they wanted to share and learn. We will use these insights, and further information exchanges on specific topics, in our own reports to Parliament.

    This isn’t easy, and each SAI has a different answer as every country’s context is different. However, what has quickly become apparent is that government responses around the world are similar: preparing, responding and then handling the recovery and long-term impacts of the pandemic. This involves significant expenditure in healthcare, wider emergency response measures and supporting individuals, businesses and the economy.

    Since the pandemic started, operating internationally hasn’t been straightforward. In March we recalled our people working overseas at short notice and like everyone we have had to adapt to working online. Our work has continued successfully. We completed our international audits, including the World Intellectual Property Organisation, the Organisation for the Prohibition of Chemical Weapons, and the Pan American Health Organisation. The international bodies we audit will have to consider new ways of working in response to the pandemic. To support them in this, our audit reports provided an important and independent perspective on the decisions they have to make on future strategic planning, more efficient and effective processes, and on making better use of the resources provided to them. We will also share experiences with other SAIs auditing UN organisations at the UN Panel of External Auditors this November.

    Learning how public servants around the world have responded to the pandemic, many in countries with fewer resources than the UK, provides valuable comparisons. It makes us even more grateful to those on the front line of the UK’s response.

    The aim of everything we do at the NAO is to help Parliament hold government to account for its use of public money and to help improve public services. The nature of public audit means we first need to look backwards to understand what happened, so we can then look forwards to recommend how to make things better. By working internationally, the NAO is also looking outwards to help us understand how others are meeting the same challenges the UK faces.

    Read more about the NAO’s response to COVID-19


    Authors: Daniel Lambauer, Kevin Summersgill, Damian Brewitt

    Daniel Lambauer joined the NAO in 2009 as a performance measurement expert and helped to establish our local government value for money (performance audit) team. He is the Executive Director with responsibility for Strategy and Resources. As part of his portfolio, he oversees our international work at executive and Board level and has represented the NAO internationally at a range of international congresses. Before joining the NAO, Daniel worked in a range of sectors in several countries, including academia, management consultancy and the civil service.

    Follow Daniel on Twitter

    Follow Daniel on LinkedIn

    Kevin Summersgill joined the NAO’s value for money (performance audit) specialism in 2005. He has audited a wide range of public policy areas and as our Head of International Relations and Technical Cooperation routinely represents the NAO internationally. A specialist in continuous improvement and management systems thinking, he has advised governments and United Nations organisations around the world on how to increase effectiveness, transparency and accountability.   

    Follow Kevin on LinkedIn

    Damian Brewitt is a Chartered Accountant and Director of our international audit portfolio, leading financial and performance audit teams across the NAO’s portfolio of international external audit engagements. He has spent 16 of his 28 years of public sector external audit undertaking financial and performance audit of organisations across the international system. He has specific expertise in IPSAS, international governance and risk management. He supports the NAO and our stakeholders in providing sector insight, leveraged from his experience and the work of our teams across our international client portfolio. He has chaired the Technical Group of the UN Panel of External Auditors for the last two years.

    Tagged:

    Comment on this post...

  • Auditing the government’s response to COVID-19

  • Posted on July 23, 2020 by

    Gareth Davies

    I last posted to this blog in late April as the country was in the teeth of the COVID-19 pandemic, explaining how we were maintaining our operations and adjusting our work programme in the light of the government response to the virus.

    Now, in late July, most of the UK is gradually emerging from lockdown following a devastating period for many families, an enormous effort by health and care workers and many others in crucial roles and an unprecedented set of government spending interventions to mitigate some of the economic effects of the crisis.

    Like every organisation, the NAO has had to adapt to the new working environment, but throughout this period we have continued to deliver our core programmes of work: the audit of the 2019/20 accounts of more than 400 government departments and public bodies and a substantial programme of value for money reviews and investigations into important spending programmes.

    A substantial proportion of our effort has been redirected to the audit of government’s response to COVID-19. We have published reports on the scale and nature of the public spending commitments and on readying the NHS and social care for the pandemic. We have a further seven studies already underway to begin publishing in the Autumn, and more in the planning phases. We’ve developed our COVID-19 hub for people to follow our work on this.

    Looking back, at the point that Parliament rose for its summer recess, we had completed the audits of 171 departments and public bodies, including some of our larger audits such as the Department for Work and Pensions and the Home Office. Our work on the remainder continues over the summer and those audited accounts will be laid in Parliament from its resumption in September. I’m grateful to both my audit teams and the finance teams of our audited bodies for their determined approach to obtaining the audit evidence we need when working remotely, and for addressing the financial reporting challenges posed by the pandemic including volatile valuations and going concern risks.

    We have continued to complete and publish value for money reports on vital areas of public interest, including universal credit, the MoD’s aircraft carrier programme, asylum accommodation and support and digital transformation in the NHS. Our factual investigations have included reports on progress in removing dangerous cladding from residential blocks, the selection of towns to bid for money from the £3.6bn Towns Fund and government’s response to the collapse of Thomas Cook. This work has supported sessions of the Public Accounts Committee which has been meeting virtually throughout.

    Our Overview of the UK government’s response to the COVID-19 pandemic brought together in one place all of the main activities, costs and funding undertaken by government in the initial months and laid the foundation for us to build our programme of more in depth studies. We also looked further into the action the Department of Health & Social Care and other bodies undertook during March and April to ready the NHS and adult social care for a rapid increase in the number of infected people.

    Looking forward, we have a broad and varied programme of work on COVID-19 to come once Parliament reconvenes in the Autumn. We have several reports planned on the important issue of government procurement. They include an audit of government buying in the pandemic, as well as specific studies into the efforts to increase the number of ventilators available to the NHS and on supplying the NHS and adult social care sector with PPE.

    We will also examine measures aimed at protecting businesses and individuals from the economic impact of the coronavirus pandemic. This includes reports into the Bounce Back Loan Scheme and the Coronavirus Job Retention Scheme. Other studies will look into the government’s work to protect and support the vulnerable during lockdown and the Free School Meals voucher scheme. Our website has full details of our work in progress related to COVID-19, and we will continue to add further reviews to this list as they are approved.

    In all of this work, we will examine how government adapted its approach to reflect the need for urgency in the first phase of the pandemic, and how it is managing the attendant risks to value for money and probity in public spending. Our reports will be published, laid in Parliament and be available to the Public Accounts Committee for its programme of inquiries in the normal way.

    We will continue to respond to the risks to public money posed by this unprecedented time for the country to provide the assurance required by Parliament and the public and to draw out the lessons for future phases of this pandemic and future emergencies.

    Read more about our work to report on the government’s response to the coronavirus pandemic.

    Tagged:

    1 Comment

  • COVID-19: What it means for the NAO

  • Posted on April 22, 2020 by

    Gareth Davies

    With Parliament returning yesterday, I wanted to take the opportunity to reflect on the last few extraordinary weeks and set out what it means for the National Audit Office and its work.

    Firstly though, on behalf of the whole NAO, I would like to pay tribute to everyone who is working so hard to see our country through this crisis. That of course includes our courageous health and social care workers and others on the front line of the response, but also all the public servants behind the scenes at the national and local level keeping our country going. As the organisation responsible for scrutinising so many of these public bodies, we have a privileged insight into how vital they are to everyone’s lives every day – and even more so at a time like this.

    To all of the public servants rising to this unprecedented challenge, thank you.

    Like many other organisations, the NAO has been home-based for a month now. In infrastructure terms, the NAO was well-prepared for homeworking as our systems are designed to support secure remote auditing. We are working hard to support our staff as they grapple with the practical and wellbeing challenges of the current situation. We are of course not the only ones. And as an organisation that supports Parliament, that has been especially brought home to us as we see the House of Commons resume business in a manner we have never seen before.

    As Parliament adapts, so too are we in order to ensure that we can help it to hold government to account. The response to the global pandemic will have implications for many years for public spending and public service delivery. It is too early to tell exactly what the impact will be, but it will be profound.

    What is already clear is that MPs, and the public that they represent, will expect us to carry out a substantial programme of work on the COVID-19 response so we can learn for the future. This will include looking at government spending on the direct health response as well as the wider emergency response. We will also look at the spending on the measures to protect businesses and individuals from the economic impact.

    It will take us time to develop and produce our work, more importantly it will take time for the public sector to be in a place where it can learn from our findings. Our challenge is to try and provide the appropriate level of evidence-based reporting to support accountability and provide insight at the most suitable time. We must not get in the way of public servants working hard to save lives, but we must also ensure that our reporting is sufficiently prompt to support proper accountability for public money.

    We have decided to begin with a factual summary of the significant government spending commitments and programmes relating to COVID-19 which we hope to publish next month. We will use this to identify a risk-based series of evaluative studies where we think there is most to learn.

    What is also important to Parliament is that we do not lose sight of the wider picture. There are many other challenges facing the UK including EU Exit; progress in meeting government’s net zero carbon emissions target; major infrastructure projects and the financial sustainability of key public services. Our work programme will have to balance this with the demands of COVID-19. That is why we will be continuing to publish reports already in train. We are also working hard to meet our key statutory duty to audit the accounts of over 450 public bodies.

    My colleagues and I are committed to providing Parliament and the public with the evidence they need to understand how public money has been used in tackling this crisis. We will also help ensure that the appropriate lessons are learned for the future.

    Tagged:

    2 Comments

  • Utilising technology when working from home

  • Posted on April 16, 2020 by

    person working from home office

    COVID-19 is affecting us all. The way we live, work and socialise has changed dramatically. The National Audit Office is no different, our staff are working from home and we will also have an important role to play in reporting on the government’s response to COVID-19. You can find more information on our emerging plans here. In the meantime, we’re resharing some of our knowledge on how organisations can make a success of working remotely at this time.

    Technology is a great enabler for working from home, but there are pitfalls to avoid. In September 2017, we issued a guide to cyber security for audit committees and now is an appropriate time to revisit some of the key points.

    The National Cyber Security Centre (NCSC) and the Crown Commercial Service (CCS) have also recently produced guidance on how people can buy and use the appropriate tools to work from home safely.

    Policies and procedures

    The most important point to note is that your organisation’s information security policies and procedures still apply – they exist for good reason. Security shouldn’t be sacrificed, even during difficult and uncertain times.

    If your organisation doesn’t have a homeworking policy, now could be an opportunity to think about what it might look like. But don’t be forced into a knee-jerk reaction because of the current situation; take the time to get the approach right and build it into your longer-term business continuity arrangements.

    Using personally owned IT

    If your organisation routinely provides laptops to staff which are securely configured and set up for remote access, then you’re in a good place. If not, Bring Your Own Device (BYOD) is a possibility, but inevitably this approach brings risks that need to be considered. The main risks are around unauthorised access and data loss.

    A popular BYOD approach for smartphones and tablets running Android or iOS is the ‘managed container application’. This means all corporate data is accessed via one or more designated apps (for example, Microsoft Office). This allows strong controls to protect and isolate corporate data from the user’s personal apps and prevents copying and pasting of data across the container boundary.

    Use of personal PCs is a more difficult area. Technology such as remote desktops minimises the risk of data loss as the apps and data stay on the remote server. Most IT departments will be familiar with remote desktops, and the main barrier to their more widespread use is having the necessary infrastructure to support the volume of users required.

    Allowing users to access work data through a web browser over an internet connection from their own PC might seem an attractive option, particularly with more services becoming available in the ‘cloud‘. However, NCSC are clear that this is a risky approach.

    They advise that it’s difficult to gain confidence in the security or configuration of the PC, and there are limited technical controls you can enforce to reliably prevent data loss or access from insecure or out-of-date devices. And, from a legal perspective, responsibility for protecting data and complying with GDPR and the Data Protection Act 2018 rests with the data controller, not the device owner. You may also have commercial arrangements that restrict running of business software on or accessing business data from personally owned devices.

    Collaborative working

    There are many established software tools for videoconferencing and collaborative working. Common apps include Microsoft Teams, Skype for Business, Google Hangouts, Cisco WebEx, GoToMeeting and Zoom. Do bear in mind that these should be securely configured, their privacy policies and settings reviewed, and used appropriately in relation to the sensitivity of the meeting content being discussed.

    Where you are meeting with a third party, it would be wise to set agreed expectations around call recording and screen sharing and request explicit permission before capturing any information discussed during the meeting, for example screenshots.

    Home environment

    There are also considerations relating to the home working environment itself. Devices outside an office environment are more vulnerable to theft or loss. This can be mitigated by physical security measures and by encryption – but do check that each device is turned on and set up correctly.

    Also consider your policy around printing from home and whether it’s necessary. Information in physical form needs to be protected in the same way as information in electronic form. Forwarding information from work to personal email accounts for printing is a big confidentiality risk, so where there is a legitimate need to print, you will need to make suitable arrangements.

    In shared accommodation, you should also be aware of who might be able to overlook your screen or overhear your teleconferences. There are reports that some organisations are advising people to turn off smart speakers and voice assistants during working hours when sensitive matters are being discussed.

    Preventing unauthorised access to devices is another obvious but essential consideration – NCSC has recently issued guidance on good password policy, including practical suggestions for reducing password overload for end users.

    Phishing scams

    Be aware of phishing scams, whether by email or text message. This advice applies generally, and some security companies have reported seeing a large increase in phishing attacks as a result of the current pandemic. NCSC has good advice on spotting suspicious emails.

    It’s important to promote and maintain a strong security-minded culture, even when your people are trying to collaborate and work flexibly.

    Obtaining IT equipment and services

    The Crown Commercial Service (CCS) has published information on a number of agreements that can enable the public sector and related organisations to quickly and easily procure technology products and services to allow employees to work more flexibly.

    CCS also note that a number of providers of collaboration software are offering introductory or extended trials of their products. These include Microsoft (Office365), Google (G Suite, Hangouts Meet) and Cisco (WebEx, Duo, Umbrella, AnyConnect).

    And finally

    The current situation is putting unprecedented pressure on individuals and organisations alike but try not to lose sight of the security basics. If you’re struggling to get a fully-fledged remote working strategy in place I’d recommend focusing on the fundamentals. Find the right approach for your organisation and gradually build it into your longer-term business continuity arrangements.

    We’re all having to adapt to these new ways of working, but don’t worry there’s plenty of support out there to help you protect your corporate and customer data.

    Tagged:

    1 Comment

Right column

  • About the NAO blog

    Our experts share their views about issues and common challenges facing government, what public sector leaders should look out for and how organisations have addressed issues. Our posts draw together threads from across our reports, share secrets spilled in events and reveal our experts’ expectations for the future.

    We encourage comments that support the exchange of ideas for improvement, but ask that those posting are respectful of others.

  • Sign up for automatic feeds

    Sign up to receive email alerts:




    RSS IconSubscribe in an RSS Reader