Budget transfers from Central Contingencies: Cyber Security and Data Protection Capabilities

Information about the publication of Ministerial Decisions

A formal published “Ministerial Decision” is required as a record of the decision of a Minister (or an Assistant Minister where they have delegated authority) as they exercise their responsibilities and powers.

Ministers are elected by the States Assembly and have legal responsibilities and powers as “corporation sole” under the States of Jersey Law 2005 by virtue of their office and in their areas of responsibility, including entering into agreements, and under any legislation conferring on them powers.

An accurate record of “Ministerial Decisions” is vital to effective governance, including:

demonstrating that good governance, and clear lines of accountability and authority, are in place around decisions-making – including the reasons and basis on which a decision is made, and the action required to implement a decision
providing a record of decisions and actions that will be available for examination by States Members, and Panels and Committees of the States Assembly; the public, organisations, and the media; and as a historical record and point of reference for the conduct of public affairs

Ministers are individually accountable to the States Assembly, including for the actions of the departments and agencies which discharge their responsibilities.

The Freedom of Information Law (Jersey) Law 2011 is used as a guide when determining what information is be published. While there is a presumption toward publication to support of transparency and accountability, detailed information may not be published if, for example, it would constitute a breach of data protection, or disclosure would prejudice commercial interest.

A decision made 12 May 2017:

Ministerial decision reference MD-C-2017-0060
Decision summary title Cyber Security and Data Protection Capabilities
Decision summary author	Finance Manager - Corporate Group	Is the decision summary public or exempt?	Public
Report title Cyber Security and Data Protection Capabilities
Report author or name of person giving report	Finance Manager - Corporate Group	Is the report public or exempt?	Public
Decision and reason for the decision The Chief Minister accepted budget transfers of up to £1,845,000 in total from Central Contingencies over the year’s 2017, 2018 and 2019 to support the States of Jersey Cyber Security Strategy and Data Protection Capabilities and accepted a temporary increase of 3.0 FTE’s over the life of the implementation of the project. The indicative allocation of funding over the years is £709,000 in 2017, £568,000 in 2018 and £568,000 in 2019. At their meeting on the 8th February 2017 the Council of Ministers, considered a report which set out the capability model required to support the States of Jersey Cyber Security Strategy and the new EU Regulation (GDPR) which would enter into application on 25th May 2018. It was noted that the Corporate Management Board had approved the proposed model on 10th January 2017, and the Information Security Governance Board had approved it on 19th January 2017. Having received presentations on the matter, the Council noted the background to the present position, recognising that the overarching vision of the capability model was to ensure that the Government protected the data and the privacy of the information it held about its citizens. The model had been built on existing Information Service capabilities (tools and resources) with the addition of those elements not yet supported or which required new advanced skills. The Council, having noted the principles which the model followed, accepted that successful delivery would require investment, with contingencies considered to be an appropriate source of funding, given the nature of the proposed model.
Resource implications The Chief Minister’s Department revenue head of expenditure to increase by up to £1,845,000 in total over the year’s 2017, 2018 and 2019 and Central Contingences to decrease by an identical amount. The indicative allocation of funding over the years is £709,000 in 2017, £568,000 in 2018 and £568,000 in 2019. There will also be a temporary increase of 3.0 FTE’s over the life of the implementation of the project. The recurring costs of the implementation and the FTE requirement will be subject to a growth bid in the 2020 MTFP. Implementation should be complete by end of 2018 and activity will become business as usual from 2019 which will be the basis for the MTFP growth bid. This decision does not change the total amount of expenditure approved by the States for 2017 - 2019 in the Medium Term Financial Plan.
Action required Research and Policy Officer to advise Finance Manager – Corporate Group that this decision has been approved.

Signature

Position

Senator I J Gorst

Chief Minister

Date signed

Effective date of the decision

Budget transfers from Central Contingencies: Cyber Security and Data Protection Capabilities

Chief Minister’s Department

Ministerial Decision Report

SoJ Cyber SECURITY and DATA PROTECTION CAPABILITIES

Purpose of Report

To enable the Chief Minister to accept budget transfers of up to £1,845,000 in total from Central Contingencies over the year’s 2017, 2018 and 2019 to support the States of Jersey Cyber Security Strategy and Data Protection Capabilities and to accept a temporary increase of 3.0 FTE’s over the life of the implementation of the project. The indicative allocation of funding over the years is £709,000 in 2017, £568,000 in 2018 and £568,000 in 2019.

Background

In 2016 the Corporate Management Board and the Council of Ministers agreed and allocated funding to support the development and implementation of a Jersey Cyber Security Strategy and to investigate commercial opportunities arising from the implementation of the new EU GDPR in Jersey.

The Channel Islands ‘adequacy’ ruling under the current EU Directive will be re-assessed against the GDPR. CI governments have made the decision that the GDPR will be incorporated into local law with the aim to be ready in May 2018 and the States of Jersey must now create and deploy capabilities that support our Cyber Security Strategy and ensure compliance with GDPR and local regulations in 2018. The Information Service Department (ISD) developed a model to implement these capabilities within the government and this model was discussed and approved by the Corporate Management Board (CMB) on 10th January 2017 and by the Information Security Governance Board (ISGB) on 19th January 2017. The feedback received was very positive and both boards strongly support it.

At their meeting on the 8th February 2017 the Council of Ministers, considered a report which set out the capability model required to support the States of Jersey Cyber Security Strategy and the new EU Regulation (GDPR) which would enter into application on 25th May 2018. It was noted that the Corporate Management Board had approved the proposed model on 10th January 2017, and the Information Security Governance Board had approved it on 19th January 2017.

THE MODEL

The capability model was created using best practices developed by the Data Management Association (DAMA) and the Enterprise Information Management Institute (EIMI) and draws on extensive research.

The model is informed by a wide range of reviews and material; these include:

Jersey’s Cyber Security Strategy - 2016
The States of Jersey Information Security Roadmap - 2015
SoJ Information Security Review conducted by the Comptroller and Auditor General - 2015
Jersey’s Draft Digital Policy Framework - 2016
The ISD and eGov IM capability maturity model assessment - 2015
Data Protection Guidance and GDPR papers published by the Jersey Office of the Information Commissioner – 2015/2016
DAMA Guide to the Data Management Body of Knowledge – 2013
IRM UK Data Governance Conference Europe 2016
Government ICT 2.0 Conference 2016

In developing the model, officers engaged with senior personnel from governmental departments and agencies, Gartner, Inc. (a world's leading information technology research and advisory company), the Office of the Information Commissioner, and experts from technology companies.

The overarching vision of the capability model is to ensure that the Government protects the data and the privacy of the information it holds about its citizens. A cyber-attack, large scale privacy breach on the States information systems; or noncompliance to the new GDPR; would have a devastating effect on the island’s reputation and would have a direct impact on Jersey’s attractiveness as a jurisdiction; other potential impacts are huge fines and risks of political turmoil.

The model is built on existing Information Service capabilities (tools and resources) with the addition of these elements that we do not support yet or that require new advanced skills: specific cyber security software, data protection and data quality profiles.

The Model follows these principles:

It encompasses all domains of Information Management (i.e. security, privacy, governance, quality).
It supports the States and the Island digital strategy.
It is flexible enough so that it can be adapted to any organizational or operational models.
It can be easily expended beyond the States to include Parishes or local organizations interacting with the government.
It covers all aspects of an effective and efficient framework: people, processes and technology.
It is flexible enough so that it can evolve with changes in digital and communication technologies.

FINANCIAL & STAFFING IMPLICATIONS

The successful delivery of this capability model requires investment; given the nature of the proposed model it is likely that contingencies are an appropriate source of funding. The implementation of the model is an additional government function that must continue to be resourced into the future.

Work with Chief Executive, Treasurer and with the Treasury Minister is been initiated to confirm the assumptions and estimates.

The business case shows that £1.845m is needed to support the model until 2019 and that it is recognised that in the future an ongoing commitment to IM capabilities will be essential and funding will be allocated as follows:

The recurring costs and the FTE requirement of the implementation will be subject to a growth bid in the 2020 MTFP. Implementation should be complete by end of 2018 and activity will become business as usual from 2019 which will be the basis for the MTFP growth bid. Ongoing costs from 2020 are estimated to be £568,000.

Having received presentations on the matter, the Council noted the background to the present position, recognising that the overarching vision of the capability model was to ensure that the Government protected the data and the privacy of the information it held about its citizens. The model had been built on existing Information Service capabilities (tools and resources) with the addition of those elements not yet supported or which required new advanced skills.

The Council, having noted the principles which the model followed, accepted that successful delivery would require investment, with contingencies considered to be an appropriate source of funding, given the nature of the proposed model.

Draft minutes detail;

The Council accordingly –

- noted the importance of sufficient and appropriate mechanisms to secure cyber security and to comply with the relevant data protection requirement; and

- endorsed the creation and deployment of the proposed capabilities model during Quarter 1 2017, subject to the identification of funding, including consideration by the Minister for Treasury and Resources of the provision of contingency funding, noting that there was an ongoing funding requirement requiring a growth bid to be made as part of the Medium Term Financial Plan 2020-2023 (MTFP3).

The officers were directed to take the necessary action.

3. Recommendation

The Chief Minister is recommended to accept budget transfers of up to £1,845,000 in total from Central Contingency over the year’s 2017, 2018 and 2019 to support the States of Jersey Cyber Security Strategy and Data Protection Capabilities and to accept a temporary increase of 3.0 FTE’s over the life of the implementation of the project.

4. Reason for Decision

The Council of Ministers acknowledged that investment will be required to support the development and implementation of a Jersey Cyber Security Strategy and approved funding of up to 1,845,000 at their meeting on 08th February 2017.

Resource Implications

The Chief Minister’s Department revenue head of expenditure to increase by up to £1,845,000 in total over the year’s 2017, 2018 and 2019 and Central Contingences to decrease by an identical amount. The indicative allocation of funding over the years is £709,000 in 2017, £568,000 in 2018 and £568,000 in 2019.

There will also be a temporary increase of 3.0 FTE’s over the life of the implementation of the project.

The recurring costs of the implementation and the FTE requirement will be subject to a growth bid in the 2020 MTFP. Implementation should be complete by end of 2018 and activity will become business as usual from 2019 which will be the basis for the MTFP growth bid.

This decision does not change the total amount of expenditure approved by the States for 2017 – 2019 in the Medium Term Financial Plan.

Report author : Finance Manager – Corporate Group	Document date :
Quality Assurance / Review :	File name and path:
	File name and path: