In January, the Swedish Government took steps to change its policy around IT outsourcing to private firms. It introduced rules, which will come into effect in April, to tighten security in IT outsourcing deals, affecting hundreds of outsourcing projects a year.
From April, all government agencies with security-sensitive outsourcing projects will have to have them scrutinised by either the Swedish Security Service (Säpo) or the Armed Forces. This move follows a public data leak last year when the Swedish Transport Agency exposed sensitive information by transferring its databases to a third-party cloud provider without carrying out the required data protection checks (read the full story on Computer Weekly). It also outsourced maintenance of its firewalls and networks to a different firm.
It was not the outsourcing move itself that created the risk; it was the lack of proper security clearance for those handling the data. The risk was huge, as the leak exposed details of government and military vehicles, and the personal details of fighter pilots, police force members, members of the Swedish military’s most secret units and everybody in Sweden’s witness protection programme.
So the new requirements relate to when a supplier can access or store sensitive data outside government agency premises. Consultation must begin before the procurement process starts, and the security authorities are authorised to stop any outsourcing project from going ahead if they find insufficient security measures in place. So quite a shake-up and quite a tightening of rules.
Is this the beginning of a trend? Sweden’s minister of justice and home affairs, in a recent speech on people and defence, said, in learning from the Transport Board incident, that what is needed is a total change of government attitude.
“For many years, the starting point has been to outsource as much as possible, transfer, privatize, outsource – use which words you want. This, coupled with poor knowledge about what kind of tasks you really are wearing, and how it might be interesting from a defense point of view, is basically very risky. Certainly, there are things that can be outsourced, and that is then enough with a security agreement. But there are also things that absolutely cannot be … Here the regulations need to be tightened up considerably. We have to change the setting. From a principle of privatization for the sake of privatization, to a principle of security first.”
(Please note this is translated via Google Translate, so I cannot vouch for its total accuracy, but here it is in Swedish.)
The point is – they are wise words. And we have seen evidence of the UK government reconsidering outsourcing deals following instances such as the HMRC Concentrix episode (full story in The Guardian), the MOJ tagging scandal, and of course the recent Carillion problems.
The paper also reported in 2016 that we are seeing more than 1 in 3 public-private outsourcing deals return in house. “A Guardian investigation of the 36 strategic public-private partnerships (PPPs) that local authorities signed between 2000 and 2007 has found that 13 of the contracts – which ranged from seven to 15 years and covered IT, back-office functions, property management and highways – have since gone back in-house, either at the end of contract or as a result of early terminations.”
In the UK, we have also seen a drive from the political level to break up the largest IT contracts, such as the huge HMRC Aspire deal with Capgemini. The aim is to spread the work across more but smaller contracts and suppliers, but it is fair to say that the jury is still out on the real outcomes of that approach.
But clearly there are times when outsourcing is the beneficial thing to do. Yet if the aim in doing so is simply to reduce costs, organisations need to be careful. We have seen too many examples where other issues proved more significant (as in the Swedish data security disaster), with the end result that the taxpayer ended up paying more, as well as experiencing service and other problems.