Consultation outcome

Call for Information on the uses and security of Private Telecommunications Networks within the UK

Updated 6 December 2023

Overview

Since the development of modern telecommunications there has been a need for networks that provide communications services for customers with specific industrial requirements. Private telecoms networks can be better suited than the public network at meeting such requirements, including improved reliability, security, and higher bandwidth.

Private telecoms networks based on 3G, 4G, and legacy technologies are already in use in many sectors across the UK. The deployment of standalone and advanced 5G ^{[footnote 1]} is likely to lead to further growth in the market for private telecoms networks as organisations aim to take advantage of the high reliability, low latency, and high capacity offered by this latest generation of communications technologies. As set out in the government’s Wireless Infrastructure Strategy, 5G has the potential to enable mission-critical services and underpin technologies that can bring significant economic benefits. ^{[footnote 2]}

The market for private telecoms networks is different to the public networks market. The fact that private telecoms networks are procured to fulfil specific business needs, and to offer customised connectivity means there is an important role for smaller specialist vendors, as well as large technology companies, including hyperscalers. The lower barriers to entry of the private telecoms networks market create opportunities for new providers and different models of provision, involving a wider range of companies such as system integrators.

It is important to understand the implications of the increasing use of private telecoms networks. For example, if businesses providing services critical to the UK become increasingly reliant on such networks, damage or disruption to those networks could have significant impacts on the users of critical services. Therefore, risks associated with such private telecoms networks must be appropriately managed. This includes protecting them against external threats as well as ensuring they are resilient to accidents, system outages and natural hazards now and in the future.

This call for information is intended to help the government obtain further information and views on the use, security and resilience of private telecoms networks. Anyone can respond to the call for information. However, we are particularly interested to hear from those involved in the development and provision of such networks, and the organisations that currently use them, or plan to use them in the future.

The Department for Science, Innovation and Technology (DSIT) will use the responses to help determine whether specific government intervention is needed to promote the security and resilience of private telecoms networks.

How to respond

We would welcome information and views on the use, security and resilience of private telecoms networks in the UK. The specific questions for which we are seeking answers through this call for information are set out in Sections 1-4 below.

Please use this online survey wherever possible to respond to the call for information, as this will help us to analyse the responses.

Alternatively, you can submit your response to the call for information by emailing it to private.networks.cfi@dcms.gov.uk.

Hard copy responses can be sent to:

Telecoms Security Policy Team
Department for Science, Innovation and Technology
100 Parliament Street
London
SW1A 2BQ

The information and views you provide will be considered in shaping future policy development and may be shared between UK government departments and agencies for this purpose. Personal information will be removed in such instances. Copies of responses, in full or in summary, may be published after the call for information closing date on the Department for Science, Innovation and Technology’s website. If you wish for part of your response to remain confidential, please identify the part and state the reason.

You may find it helpful to have the call for information document open in another window, so that you can easily refer back to it while answering the survey. This survey will automatically take you to questions relevant to you based on your previous answers.

Once started, you are able to return to complete the survey on the same device at any time before the survey closes. When you are ready to submit your response, please follow the survey instructions. Once submitted, you will no longer have access to your response. Please note that you will only be able to complete the survey once.

All responses should be submitted in advance of the closing date for this call for information, which is 11:45pm on Wednesday 13 September 2023.

If you have any questions or comments please email private.networks.cfi@dcms.gov.uk.

Freedom of Information

Who is collecting my data?

The Department for Science, Innovation and Technology (DSIT) helps to drive growth, enrich lives and promote Britain abroad.

We help businesses and communities to grow by investing in innovation and help to give the UK a unique advantage on the global stage, striving for economic success.

This website (“Website”) is run by the Department for Science, Innovation and Technology (“we” and “us”, “DSIT”). DSIT is the controller for the personal information we process, unless otherwise stated.

Purpose of this Privacy Notice

This notice is provided within the context of the notice provided to meet the obligations as set out in Article 13 (this sets out the info we have to provide where the data is received directly from the data subject). Article 13 of UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). This notice sets out how we will use your personal data as part of our legal obligations with regard to Data Protection.

The Department for Science, Innovation and Technology’s personal information charter (opens in a new tab) explains how we deal with your information. It also explains how you can ask to view, change or remove your information from our records.

What is personal data?

Personal data is any information relating to an identified or identifiable natural living person, otherwise known as a ‘data subject’. A data subject is someone who can be recognised, directly or indirectly, by information such as a name, an identification number, location data, an online identifier, or data relating to their physical, physiological, genetic, mental, economic, cultural, or social identity. These types of identifying information are known as ‘personal data’. Data protection law applies to the processing of personal data, including its collection, use and storage.

What personal data are we collecting?

Most of the personal information we collect and process is provided to us directly by you. This includes:

• Organisation name
• Name of the individual filling out the survey if provided
• Personal email address, job title and phone number if provided

We also receive personal information indirectly, from the following sources in the following scenarios:

• Qualtrics, the platform used to complete the survey. Qualtrics will collect your IP address

How will we use your data?

You will be asked to provide your organisation name when you complete the survey. If you are filling in the survey in a personal capacity rather than on behalf of an organisation, you will be asked for your name instead.

Your organisation name will also be used to help provide additional context for your responses, for example helping DSIT understand why you may have responded in a particular way. It will help us understand your position, insights and priorities within the wider telecoms market.

Qualtrics will automatically collect your IP address. We will not use this information further.

What is the legal basis for processing my data?

To process this personal data, our legal reason for collecting or processing this data is: Article 6(1) (e) it is necessary to perform a public task (to carry out a public function or exercise powers set out in law, or to perform a specific task in the public interest that is set out in law).

The lawful basis that we rely on to process your personal data will determine which of the following rights are available to you. Much of the processing we do in DSIT will be necessary to meet our legal obligations or to perform a public task. If we hold personal data about you in different parts of DSIT for different purposes, then the legal basis we rely on in each case may not be the same.

What will happen if I do not provide this data?

Providing your organisation’s name is recommended, but not mandatory, if you respond by email. If you fill in the survey on behalf of an organisation, you will be required to name that organisation. The data protection implications of not providing your organisation name as part of your response are detailed below.

If you agree to email your response without providing your organisation’s name, rather than completing the survey, DSIT will receive your response but will not know your organisational name.

Who will your data be shared with?

We will let you know if we are going to share your personal data with other organisations – and whether you can say no. You can ask us for details of agreements we have with other organisations for sharing your information.

If you write to us on a subject that is not our policy area, and the response needs to come from another government department, we will transfer your correspondence, including the personal data, to that department.

You can also ask us for details of any circumstances in which we can pass on your personal data without telling you. This might be, for example, to prevent and detect crime or to produce anonymised statistics.

We won’t make your personal data available for commercial use without your specific permission.

How long will my data be held for?

We will only retain your personal data for 3 years in line with DSIT retention policy if:

• it is needed for the purposes set out in this document,
• the law requires us to

Will my data be used for automated decision making or profiling?

We will not use your data for any automated decision making. If we need to do so, we will let you know.

Will my data be transferred outside the UK and if it is how will it be protected?

We will not send your data beyond the UK. If we need to do so, we will let you know.

Links to other websites

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices of the other websites you visit.

What are your data protection rights?

You have rights over your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The Information Commissioner’s Office (ICO) is the supervisory authority for data protection legislation, and maintains a full explanation of these rights on their website

DSIT will ensure that we uphold your rights when processing your personal data.

How do I complain?

Data Controllers Title: The Department for Science, Innovation and Technology
Data Controllers Address: 100 Parliament Street, London, SW1A 2BQ

The contact details for the data controller’s Data Protection Officer (DPO) are:

Data Protection Officer
The Department for Science, Innovation and Technology
100 Parliament Street
London
SW1A 2BQ

Email: dpo@dcms.gov.uk

If you’re unhappy with the way we have handled your personal data and want to make a complaint, please write to the department’s Data Protection Officer or the Data Protection Manager at the relevant agency. You can contact the department’s Data Protection Officer using the details above.

How to contact the Information Commissioner’s Office

If you believe that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. You may also contact them to seek independent advice about data protection, privacy and data sharing.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website: www.ico.org.uk
Telephone: 0303 123 1113
Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Changes to our privacy notice

We may make changes to this privacy policy. In that case, the ‘last updated’ date at the bottom of this page will also change. Any changes to this privacy policy will apply to you and your data immediately.

If these changes affect how your personal data is processed, DSIT will take reasonable steps to let you know.

This notice was last updated on 21/06/23.

Do you consent to your personal data being recorded at part of the process of completing this survey?

• Yes
• No

Scope and definitions

What are Private Telecoms Networks?

A private telecoms network is an electronic communications network which is not provided wholly or mainly for the purpose of making electronic communications services available to members of the public. ^{[footnote 3]}

For the purpose of this call for information private telecoms networks can be broadly understood as referring to bespoke telecoms networks that are only available for a closed user group. This is as opposed to public telecoms networks that provide a standard network or service to individuals or businesses, relying on common infrastructure. Business-to-business networks typically rely on this common infrastructure, but may be considered private telecoms networks if they are delivered on bespoke network infrastructure. Some examples of private 5G telecoms networks are set out below.

Example 1

Private telecoms networks are built on the sites of large ports. These networks provide 5G in place of public LTE and Wi-Fi networks. 5G communications are better equipped to provide the full range of capabilities required by the closed user group of port workers.

The private telecoms networks allow the workers to utilise Internet of Things (IoT) devices, and use real-time analytics combined with machine learning to improve the efficiency. This functionality is greatly aided by the low latency a private 5G network provides.

Example 2

Private telecoms networks are used to provide connectivity for connected places technologies in a city centre. A LoRaWan network is used to provide low power and long range connectivity.

This network connects a range of IoT devices to improve communications, planning and public services. This includes deploying smart services, such as smart bins, intelligent street lighting and smart parking. Sensors are also able to carry out environmental monitoring, for example detecting pollution levels to inform planning decisions.

Example 3

In the future, hospitals will be able to use private 5G networks to test a number of use cases for clinicians, including IoT technology, augmented reality headsets and artificial intelligence (AI) processes. The IoT aspect includes smart medicine storage and ‘e-observations’, which electronically record patient observations.

The low latency of 5G will enable clinicians to control IoT devices in near-real time. This network is only accessible to those working in the hospital, and the bespoke network infrastructure is limited to the hospital’s campus.

Network Rules

Within the call for information questionnaire some questions have been targeted at specific types of organisations. For the purpose of this call for information, we have defined the following user groups:

• Customers - organisations procuring and normally financing the network
• End Users -  those using the connectivity provided by a private telecoms network (for example, the staff within a customer’s organisation) ^{[footnote 4]}
• Providers - the organisations responsible for providing private telecoms networks to customers, including:
  • designers and developers of private telecoms networks
  • organisations operating private telecoms networks or services for customers
  • systems integrators specialising in coordinating delivery
  • vendors supplying equipment used within the networks

Timescales

In this call for information we are focused on newer, or yet to be deployed, networks. For that reason we have focused this call for information on networks that have been developed in the last five years and networks that are planned or likely to be rolled out in the next five years.

Critical sectors

The term ‘critical sectors’ is also used throughout this document. A sector would be deemed critical should it provide infrastructure that would result in major detrimental impacts on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or to loss of life, should it be lost or compromised.

For the purpose of this call for information, we would define any of the following sectors as critical: chemicals, civil nuclear, defence, emergency services, energy, finance, food, government, health, space, transport and water.

Security

For the purpose of this call for information ‘security’ can be defined as the protection of a network against external threats, such as cyber attacks. This includes taking steps to identify and reduce the risk of anything that compromises the availability, performance or functionality of the network.

Resilience

For the purpose of this call for information ‘resilience’ means the ability of the network to withstand, respond to and recover from disruption. This can include the response to natural hazards such as extreme weather as well as cyber attacks.

Section 1: General Questions

This section is designed to provide us with basic information about you and/or your organisation to improve our understanding of the types of organisation providing and using private telecoms networks. It also helps us to put your subsequent answers into context.

1. Are you responding as an individual or on behalf of an organisation?

• Individual : please provide name
• On behalf of an organisation

If you are responding as an individual please go directly to section 4 - Policy Questions.

2. What is the name of your organisation?

3. Including yourself, how many people work in your organisation across the UK as a whole?

• Less than 10 employees
• 10 to 49 employees
• 50 - 250 employees
• More than 250 employees
• Don’t know

4. What role does your organisation have?

Please tick more than one if appropriate.

• Customer - organisation procuring and normally financing the development of the network
• End user - those using the connectivity provided by a private telecoms network (for example, the staff within a customer’s organisation).
• Provider - organisation responsible for providing private telecoms networks to customers
• Other

5. If your organisation is a provider, what type of provider is it?

Please tick more than one if appropriate.

• Designer or developer of private telecoms networks
• Organisation operating private telecoms networks for customers
• Systems integrator
• Vendor (a provider of goods, services or facilities for use in private telecoms networks)
• Other

If your organisation is a provider of private telecoms networks, please proceed to section 2.

If your organisation is a customer of a private telecoms network provider please go directly to section 3.

Otherwise please please go directly to section 4.

Section 2: Questions for Private Telecoms Network providers

2A) Questions about the Network

This section is designed to be answered by providers of private telecoms networks. This includes designers and developers of private telecoms networks, organisations operating private telecoms networks for customers, systems integrators and vendors that are involved in the provision of networks. The questions focus on identifying the types and uses of private telecoms networks provided to customers.

6. What type of connectivity do your networks provide?

Tick all that apply.

• 3G
• 4G
• 5G
• LoRa
• Fixed
• Other

7. What size are the organisations to which you provide private telecoms networks?

Tick all that apply:

• Micro (less than 10 employees)
• Small (10 to 49 employees)
• Medium (50 - 250 employees)
• Large (more than 250 employees)
• Don’t know

8. Do you provide networks in critical sectors?

Critical sectors include chemicals, civil nuclear, defence, emergency services, energy, finance, food, government, health, space, transport and water.

• Yes
• No
• Don’t Know

9. If so, which sectors?

• Chemicals
• Civil Nuclear
• Defence
• Emergency services
• Energy
• Finance
• Food
• Government
• Health
• Space
• Transport
• Water
• Other

Section 2B: Questions about dependency

10. Who is the end user of the connectivity your networks provide?

Tick all that apply

• Members of the public passing through a site
• People living nearby
• Visitors to the site
• Members of staff of the customer organisation
• Small businesses on site
• Operational technologies
• Sensors and monitoring devices
• Other

11. Should your network go down, what would be the type(s) of impacts for the end user?

Tick all that apply:

• Public Safety
• Service delivery
• Security of the sector
• Security of the service
• Internal Systems (such as HR)
• Economic
• Don’t know
• Other

Please provide details.

12. What, if any, systems are reliant upon your networks?

If the private network in question were to fail would it have a knock on effect on any other systems. For example, are security systems (for example, automatic locks) or smart devices dependent on a connection to this network.

13. How reliant are those systems on your network?

• Very reliant
• Somewhat reliant
• A little reliant
• Not reliant
• Not Applicable
• Don’t know

14. What systems are your networks reliant upon?

Are there systems which if they were to fail would have a knock on effect on the running of your network? For example, a voice communication network could be reliant on power and would fail in a power outage.

15. How reliant are the networks on those other systems?

• Very reliant
• Somewhat reliant
• A little reliant
• Not reliant
• Not Applicable
• Don’t know

16. Do the networks you provide connect to, or share, resources with the public network?

• Yes
• No
• Don’t know

Please explain.

17. What steps do you take to ensure the security of the networks you provide?

In this context, security can be defined as the protection of a network against external threats.

18. What steps do you take to ensure the resilience of the networks you provide?

In this context, resilience means the ability of the network to withstand, respond to and recover from disruption

19. Do you consider standards and/or guidance from the following organisations in the design, development  or deployment of your network(s)? If so, which ones?

• Yes
• No
• Don’t know

20. If yes, tick all that apply.

• 3GPP (e.g. the 3GPP Security Specification)
• ETSI (e.g. ETSI 5G Security Architecture and procedures for 5G Systems guidance)
• DSIT, previously DCMS (e.g. Telecommunications Security Code of Practice)
• NCSC (e.g. The Cyber Assessment Framework)
• GSMA (e.g. 5G Cyber Security Knowledge Base)
• NPSA, previously CPNI (e.g. CAPSS)
• ISO (e.g. ISO 27031:2011 – Business Continuity)
• NIST (e.g. NIST CSF: Framework for Improving Critical Infrastructure Cybersecurity)
• O-RAN Alliance (e.g. O-RAN Security Requirements Specifications 5.0)
• Other
• Not applicable

21. Do you take any steps to ensure that your networks are resilient in the event of a power outage?

• Yes
• No
• Don’t know

22. If yes, please outline what measures you have in place, including the estimated duration that the network could continue to operate during any outage.

23. What, if any,  steps do you take to manage security and resilience in the supply chain of your private network?

24. Is your organisation also a customer of a private telecoms network provider?

If it is not, you will proceed directly to section 4: Policy Questions.

• Yes
• No

Section 3: Questions for Private Telecoms Network customers

We invite customers, including procurers, of private telecoms networks, to answer the questions in this section.

25. What sector(s) does your organisation operate in?

Tick all that apply:

• Accommodation services
• Agriculture, forestry and fishing
• Arts, entertainment, recreation
• Business administration and support services
• Chemicals
• Civil Nuclear
• Construction
• Defence
• Education
• Electricity and gas
• Emergency services
• Financial services
• Food
• Government
• Health
• Information and communication
• Insurance
• Oil
• Post
• Production and manufacturing
• Professional, scientific and technical
• Property
• Public administration
• Space
• Transport
• Utilities
• Water
• Wholesale and retail trade; repair of motor vehicles and motorcycles
• Other

26. What is the main purpose of your organisation?

27. What is your organisation using private telecoms networks for?

Tick all that apply:

• Connectivity for staff on site
• Connectivity for staff away from site
• Internal communication
• Security
• Back-up systems
• Internet-of-Things (IoT) device control
• Sensors and monitoring devices
• Operational technologies
• Other

Please provide details.

28. If private telecoms networks used by your organisation were to stop working, would it affect the delivery of your organisation’s functions?

• Yes
• No
• Don’t know

29. If yes, which of your organisation’s functions would be affected?

30. If yes, would any of the following be affected?

Tick all that apply:

• Public safety
• Service delivery
• Security of the sector
• Security of the service
• Internal systems (e.g. HR)
• Finance
• Other

31. How do you plan to use private telecoms networks in your organisation in the future?

For example, how many networks do you intend to use, for what purpose, and to what extent?

32. To what degree did you consider security when you procured your private network?

In this context, security can be defined as the protection of a network against external threats.

1 = Security was not considered and 5= Security was prioritised.

• 1
• 2
• 3
• 4
• 5
• Don’t know

Please explain your answer. For example, what were the biggest security challenges that you faced, and how did you overcome them?

33. To what degree did you consider resilience when you procured your private telecoms network?

In this context, resilience means the ability of the network to withstand, respond to and recover from disruption.

1 = Resilience  was not considered and 5= Resilience was prioritised.

• 1
• 2
• 3
• 4
• 5
• Don’t know

Please explain your answer.

34. What, if any, steps do you take to manage security and resilience in the supply chain of your private network?

Section 4: Policy questions (for all respondents)

This section focuses on how we can ensure that the private telecoms network market develops in a way to encourage good security and resilience outcomes. This includes potential actions that industry can take, such as complying with standards, and potential interventions that the government could take to encourage good security and resilience. We would ask all respondents to answer these questions based on their knowledge and experiences.

35. Do you think the market for private telecoms networks is developing in a way that encourages good security?

• Yes
• No
• Don’t know

Please explain your answer.

36. How do you think new technological developments will impact the security or resilience of private telecoms networks?

37. To what degree do existing telecoms industry and cyber security standards support the deployment of secure and resilient private telecoms networks?

• A lot
• Somewhat
• A little
• Not at all
• Don’t know

Please explain your answer.

For example, are there ways in which standards could better support the security of private telecoms networks, or particular types of private telecoms networks? Are there changes to standards that you would like to see in future to support private network security?

38. How could the government best support the security and resilience of private telecoms networks?

39. Should private and public telecoms networks continue to be treated differently when developing policy to ensure good network security?

• Yes
• No
• Don’t know

Please explain your answer.

40. If yes, how should private telecoms networks be distinguished from public telecoms networks?

41. What are the security risks to private telecoms networks that should be prioritised when developing policy to ensure good network security?

1. Expected to become available in 2024, 5G Advanced will use artificial intelligence and machine learning techniques to further optimise network performance and support for extended reality applications. ↩

2. UK Wireless Infrastructure Strategy, published 11 April 2023. ↩

3. See definition of ‘public electronic communications network’ in section 151(1) of the Communications Act 2003; section 151(9) specifies that “a service is made available to members of the public if members of the public are customers, in respect of that service, of the provider of that service” ↩

4. Some networks will have many types of end users. ↩