With huge amounts of data being handled and moved around daily, data security has become a very important topic. Tracy Capaldi-Drewett, Strategic Solutions Director, Epic Performance Improvement Limited, explains how they tackled the challenge of delivering the first truly pan-government e-learning project on data security.

Tracy Capaldi-DrewettNot long ago a week hardly went by without another embarrassing data loss story resulting from government. A CD was lost in the post (even though it went first class), a laptop was left on the tube and another was stolen from a supermarket car park.

These stories might have brought a smile to your face thinking about the embarrassment for ministers appearing on Channel 4 News and Question Time, but the losses might have included data about you.

These instances led to several government reviews, such as the Poynter Review, the Cabinet Office Data Handling Review and a cross government review of data handling procedures. These highlighted ‘systemic, rather than individual failures’, due to ‘woefully inadequate systems’ and that ‘data rules had not been adequately communicated, raising serious questions of governance and accountability’.

The Cabinet Office concluded that all government staff, regardless of grade, should undergo annual information risk awareness training, to help raise awareness and standards on the issues of data handling and security.

The challenge

The strategic objective was simple - reduce the incidence of data loss. To achieve this, the Cabinet Office asked The National School of Government (NSG) to

  • develop a common language and approach regarding risk awareness practice;
  • ensure civil servants handling ‘protected personal data’ underwent mandatory training, with annual refreshers;
  • create a positive, demonstrable change in behaviour regarding risk awareness practice.

Traditional ‘chalk and talk’ approaches were discounted in this digital age. Classroom training would have meant taking civil servants away from their work for long periods, together with costs of trainers, venues, travel and so on. The size of the target audience, challenging timescales and the need for easily customisable and updateable content for individual departments meant e-learning was the perfect solution.

But anyone who’s ever attempted to roll-out an initiative across the whole of government will appreciate the scale of the challenge. So the first task was to arrange a flurry of meetings and research visits to ensure the design and technical approaches met pan-government requirements. The challenges included:

  • Diversity of target audience - the programme had to be suitable for all civil servants - military, those in specialist, administrative and ancillary roles and senior staff alike.
  • Widespread resistance to change - to achieve its objectives, the programme had to deliver a behavioural shift in how data was handled and how it had been handled for a very long time.
  • Variety of technical infrastructures - the solution needed to work across the technical platforms of over 300 government departments and agencies.

In addition, the requirement was for a standardised approach to data handling, despite each department having its own procedures.

The design approach

Such a widespread solution required the involvement of information governance subject experts from across the public sector, representing the compliance and training and development units from a range of departments and agencies. They were tasked with providing best practice principles for protecting information and contextualisation of the e-learning content.

A series of subject matter expert (SME) workshops took place during the analysis phase - not an easy thing to manage with participants with differing expectations. The initial workshop was designed specifically to tackle the issue of expectations head on, and lay out a blueprint for effective inter-working for the following workshops.

Each workshop helped to more precisely define, structure and contextualise content and once the content was signed off by the cross government project team, development began.

Development was very much a partnership involving regular reviews of scripts and interim content builds by both the SMEs and wider stakeholder groups. This ensured that changes were made in-development and helped avoid large scale changes at the end of the process - always a risk, as the number of agencies reviewing the content increased as development progressed.

It also helped foster cooperation and commitment across government, generating goodwill towards the training prior to launch. By the time we reached the ‘Gold’ version of the programme, amendments were relatively minor, resolvable within hours rather than days. It also ensured delivery within the aggressive timescales laid down by government.

The solution

The result was a short, focused e-learning programme, with a robust technical approach that met all key government technical and usability needs, requiring only minor tweaks for local platforms. The design approach took the relatively dull subject of data protection and gave it a new lease of life through:

  • engaging scenarios relevant to the wide audience – learners advise a character as they take data-related decisions and answer 'crunch' questions to emphasise key decisions;
  • presenting security and protection in a wholly positive light, focusing on benefits to users, departments and the general public;
  • being succinct: all achieved in under an hour of learning time.

The outcome - the data speaks for itself

Initially, the programme launched via the secure NSG learning management system (LMS), available to all government users via a highly secure log in process. This was followed by a phase of staggered roll-outs to specific government departments who preferred to host their own version of the programme in-house.

To date, over 250,000 civil servants have completed the programme, across 320 departments and agencies, with 300 new users every week. At an average cost per user of less than 20p, there cannot be a better example of best value and resource sharing across government.

These numbers are even more stunning when put into perspective. ‘Protecting Information’ has achieved eight times as many users as any previous e-learning initiative. The Cabinet Office estimate that this shared services IT training initiative has saved up to £20 million compared to departments commissioning their own solutions independently.

And reactions from users have been extremely positive. A recent survey of the target audience revealed the extent of the training’s impact. For instance, prior to the training

  • only 53 per cent of users ensured they had the authority to release information and only sent the minimum required. After the training, this had risen to 99 per cent.
  • only 43 per cent of users knew how to send information securely. After the training, this is now 98 per cent - if my maths is correct, this means 140,000 civil servants now know how to send information securely who didn’t before!

And, most importantly, the project has demonstrably helped reduce the risk of data loss by helping staff understand the implications of not protecting information effectively. As Ken Ingram, Head of e-learning at NSG comments, ‘the design approach, particularly the scenarios, has ensured very high take-up amongst the target audience.

It’s not enough just to make the audience aware of the programme - users must engage with the content and the instructional design... and then tell their colleagues about it.’


The e-learning has raised awareness of the importance of protecting against data loss across a huge range of public sector organisations. Users include Whitehall departments, smaller public sector organisations and local authorities.

Since launch, the e-learning has been the main vehicle for aiding central government departments in meeting the mandatory requirement that ‘all staff that handle personal sensitive data are given basic data security training’.

Following its success, the government is engaging with top ICT suppliers to examine ways the programme might help improve information assurance and security throughout the contractor supply chain, where they interact with sensitive personal data held by government.

To sum up, Sir Gus O’Donnell, Cabinet Secretary and Head of the Home Civil Service commented, ‘We cannot afford to be complacent about the importance of keeping personal and sensitive data secure...making sure everyone understands their responsibilities is vital... this e-learning package helps departments, agencies and the wider public sector to do just that.