The spending watchdog found that "too many bodies" within government have "overlapping responsibilities" for information security, and that the government collects insufficiently clear information on how well it protects data or what that protection costs.
"For the centre of government to take strategic decisions on protecting information, and departments to take a risk-based approach to protecting their information, detailed figures on expenditure and the benefits of current activities and projects are required," the NAO said in a new report (47-page / 383KB PDF). "We found no single body responsible for this and no central set of management information covering this area. The costs of protecting information across government are therefore unclear."
The NAO also said that some government departments do not give information governance the same attention as other forms of governance, and that major projects intended to improve information security across government have not delivered all of the cost savings expected of them.
A shortage of skills within government on information security was also identified and the NAO said that plans for existing skills to be shared on a cross-department basis "will not solve the long-term challenge".
The way in which personal data breaches are reported by government departments was also described by the NAO as "chaotic". It said different departments operate different reporting mechanisms, which renders comparisons between the organisations "meaningless".
According to the report, there were 8,995 data breaches recorded by the 17 largest government departments in 2014/15. Of that number, 14 incidents were reported to the Information Commissioner's Office (ICO). The NAO said "departments need to begin work now to adopt more clear and consistent reporting, to learn and share lessons, and to reduce the number of breaches". This will help them avoid "significant fines" that could be levied under the EU's new General Data Protection Regulation, which will apply from 25 May 2018, it said.
"Protecting information while re-designing public services and introducing the technology necessary to support them is an increasingly complex challenge," said Amyas Morse, head of the NAO. "To achieve this, the Cabinet Office, departments and the wider public sector need a new approach, in which the centre of government provides clear principles and guidance and departments increase their capacity to make informed decisions about the risks involved."
In its report the NAO welcomed the government's decision to set up a new National Cyber Security Centre (NCSC). It said the NCSC "will bring together much of government’s cyber expertise", but it said "wider reforms will be necessary to further enhance the protection of information".
"The NCSC should streamline central government processes for dealing with information incidents in cyberspace," the NAO said. "However, the scale and pace of the challenges of protecting information are such that these structural changes are unlikely to be sufficient on their own unless Cabinet Office also supports departments in addressing the wider problems set out in this report. The NCSC is designed to work with government and the private sector: whether it has the capacity to do so effectively remains to be seen."
A spokesperson for the Cabinet Office said: "The Cabinet Office conducted its own review of government security in early 2016 and many of our findings are consistent with the NAO report. So we are already well under way in strengthening oversight of information security by bringing together nine separate central teams into just two. We have also appointed the government’s first ever chief security officer to bring together all disciplines of government security under central leadership."
"The majority of the data breaches cited in this report will be very minor, but right across government we need and must do more. We will respond fully to this report in due course," they said.