7. Understand security and privacy issues

You must understand security and privacy issues to meet point 7 of the Digital Service Standard.

You’ll have to explain how you’ve done this at your service assessments.

How point 7 improves your service

Users won’t use your service unless you can guarantee:

  • it’s confidential
  • they can access their information in the service when they need to

How you’ll be assessed

Your assessment and the questions the assessors ask you will vary depending on your service and what it does.

Alpha assessment

To pass the alpha assessment for point 7 you usually need to explain:

  • how you’ve identified threats to your service, including potential pathways for hackers, and tested ways of reducing them
  • how you plan to keep up to date about threats to your service and how to deal with them
  • any threats of fraud (fraud vectors) which exist and the controls you’re prototyping

Beta assessment

To pass the beta assessment for point 7 you usually need to:

  • describe your team’s approach to security and risk management
  • describe the security and privacy threats to your service
  • explain the fraud vectors that exist and the controls you’re putting in place
  • describe how you’ve worked with the business and information risk teams eg senior information risk owner (SIRO), information asset owner (IAO) and data guardians, and how you’re working to meet any security regulations without putting delivery at risk
  • describe any outstanding legal concerns, eg how you’ll protect data or your policy on sharing it
  • present your cookie and privacy policy and explain how you arrived at it

Live assessment

To pass the live assessment for point 7 you usually need to:

  • describe your team’s approach to security and risk management
  • describe your ongoing interactions with the business and information risk teams, eg SIRO, IAO and data guardians
  • describe any outstanding legal concerns, eg data protection or data sharing
  • explain how you’re keeping your understanding of the threats to your service up to date, and explain how the threats have changed during beta
  • explain how you’re keeping your cookie policy and privacy policy up to date

Explain your service’s evolution

At each phase, you should explain how your service has evolved since its last assessment.
