Security Principles – ScotAccount
Laurie Brown, Digital Information Security Officer within Scottish Government, provides strategic information security direction, assurance and governance across a number of Scottish Government digital public services including the work of the digital identity programme.
In this blog post, Laurie introduces the security principles being applied to ScotAccount, the new digital identity service.
Valuable design and the principles of security
In Serena Nusing’s excellent blog on service design and Commercial Off-The-Shelf (COTS) products, she talks about the most valuable design, where desirability, feasibility and viability intersect.
The three security principles applied to ScotAccount are based on the 7 foundational principles written by Ann Cavoukian during her time as Information and Privacy Commissioner for Ontario, Canada, and on the UK General Data Protection Regulation principles. They have also been aligned to the Digital Scotland Service Standard, which aims to make sure that services in Scotland are continually improving and that users are always the focus.
Principle 1: Privacy by design and default
Data minimisation is the default, and data privacy is embedded into the design and development of the service.
The rationale for this principle asks us to consider data protection and privacy issues upfront in everything we do, putting in place appropriate technical and organisational measures to safeguard individual rights. The principle underpins the specification, design, development, operation, and maintenance of the service, including relationships and contracts with third parties throughout the entire lifecycle, covering information collection through to disposal.
Additionally, this principle requires that we do not collect personal data unless and until a specific and compelling purpose is defined; once defined, such collection must be justified, necessary and proportionate, and we must have demonstrable accountability for it.
Principle 2: Security by design and default
Positive action to anticipate and prevent information security incidents before they happen.
The rationale for this principle is characterised predominantly by proactive, rather than reactive, cyber security measures that protect information from cyber-attack. It also requires a portfolio of proactive and preventative cyber resilience capabilities to ward off cyber-attacks or, if the need arises, to respond to them and limit their impact.
Principle 3: Usability by design and default
Provide stakeholder assurance that, where possible, security is verified and transparent to the customer and supports business requirements, keeping the interests of the customer uppermost.
The rationale for this principle is to assure all stakeholders that the service is visibly operating according to the stated promises and objectives and is subject to regular independent verification.
It means that we are clear, open and honest about how the service is operating according to the stated promises and objectives, about how we are ensuring we meet the principles of an ethical digital nation and that we maintain a culture of transparency and openness in having a proactive approach to publishing relevant information.
And finally, that we keep the needs of our users uppermost, responding to our programme of continuous user feedback by challenging and ensuring our privacy and security approach supports rather than hinders the usability, accessibility and digital inclusion of our service.
In my next blog, I will explore in more detail the first principle ‘Privacy by design and default’, outlining how privacy has been approached so far, and how we are building trust and confidence in the service with service end-users, service customers, the Information Commissioner’s Office, and other key stakeholders.
How to contact the team
You can subscribe to the Scottish Government Digital Scotland newsletter for regular updates on ScotAccount and other digital projects.
If you work for a public service organisation and are interested in finding out more about ScotAccount, or would like access to our test environment, you can get in touch with the team by emailing: email@example.com