You can tell how well though out this is...
The NHS risk document identifies the following Government Security Classifications, intended to identify different levels of information sensitivity across government departments and their suppliers:
- Official
- Official-sensitive
- Secret
- Top-secret
They then identify all of the various levels of sensistivity of patient information (from aggregated statistics through to clinical information and contact information for people at threat). Apart from publicly-disseminated information (such as numbers of people suffering from 'flu), everything maps to Official-Sensitive - even the key material encrypting the data because:
Whilst we need such data to be treated to the highest standards, they do not fit into the government policy criteria for SECRET or TOP-SECRET.
So the government, in 2014, adopted a system of security classification that is entirely inapplicable to the health data in its possession. And no doubt equally inapplicable to sensitive information about child protection, vulnerable adults, taxation and who knows what else. And is then pushing its departments to push that data out into the public cloud.
A dispassionate observer might conclude they were concerned only with the preservation of their own secrets.
Biting the hand that feeds IT
