Service Standard

9. Create a secure service which protects users’ privacy

Evaluate what data the service will be collecting, storing and providing.

Understand how government classifies the data, the organisation’s legal responsibilities, and security risks associated with the service. Consult experts where you need to.

Why it’s important

Government services often hold personal and sensitive information about users. Government has a legal duty to protect this information. Failing in that duty would undermine public trust in government services.

What it means

Service teams should:

  • actively identify security and privacy threats to the service, and have a robust, proportionate approach to securing information and managing fraud risks
  • have a plan and budget that lets them manage security during the life of the service (for example by responding to new threats, putting controls in place and applying security patches to software)
  • collect and process users’ personal information in a way that’s secure and respects their privacy
  • follow the guidance about using cookies or similar technologies
  • use an approach to identity assurance and authentication that balances the risks in a proportionate way (for services that need identity assurance or authentication)
  • work with business and information risk teams (for example, senior information risk owners (SIROs), information asset owners (IAOs) and data guardians) to make sure the service meets security requirements and regulations without putting delivery at risk
  • carry out appropriate vulnerability and penetration testing

Related guidance:

  • Securing your information
  • Protecting your service against fraud
  • Collecting personal information from users
  • Working with cookies or similar technologies
  • Vulnerability and penetration testing


Last update:

Added links to related guidance and other standard points. There is no change to the content of the standard point itself.

  1. Added a link to guidance about using cookies.

  2. Guidance first published