St. Helen's Council: Securing sensitive personal and social data in government email communications

• Customer Profile: Government agency; 8,500 employees
• Goals: Regulatory compliance; fit into existing infrastructure
• Solution: PGP Universal™ Gateway Email secures sensitive data in email
• Deployment: Easy, quick deployment by PGP® partner; on schedule; within budget
• Benefits: Accelerated client referrals & care; policy options; scalability
  

St. Helens Council chose PGP Universal Gateway Email to safeguard sensitive information and protect the privacy of social care clients.

St. Helens Council is the government services provider for one of the largest towns in the northwest of England. The Council supplies a broad range of social care and health services to about 179,000 residents. It consists of the departments for Adult Social Care & Health, People Services, Urban Regeneration, Environmental Protection, and the Chief Executive Department.

The Challenge

St. Helens' Adult Social Care and Health department handles a large amount of sensitive data about the vulnerable adults for whom it provides services. The department needed to relate information on client care to external organizations and providers in a way that would comply with legislation requiring secure electronic communications. In addition, the Council needed a cost-effective encryption solution that could integrate with the existing network environment as well as a new government security infrastructure initiative, would require minimal IT training and support, and be transparent to end users.

Existing network. The Council's network was based on two Lotus Notes® Domino® servers, which already included limited encryption for internal users. "The capabilities were awkward and not very user friendly," says Ste Sharples, the Information Communications Technology (ITC) business manager for St. Helens Council. "We needed a solution that was more sophisticated, provided additional options for end-to-end secure communications, and could fit in seamlessly with our Domino infrastructure."

Government mandate. The U.K. government's agenda for social care includes developing electronic social care records and working in a more integrated way with its health and independent sector partners. This objective requires agencies to electronically transfer data relevant to an individual's care planning and services package.

Infrastructure initiative. The Government Connect program is an initiative designed to create a common infrastructure for secure electronic interaction between local government such as St. Helens Council, central government, and citizens. The goals of Government Connect are to build a secure network and offer practical advice that will enable local authorities to send emails securely, share data across government departments and with each other, and deliver secure electronic services to the public. The program will provide a secure extranet and security solutions with which other applications must interoperate.

The Solution

A recommendation from the Council's IBM representative prompted the ITC manager to consider a PGP® encryption solution to work with the existing environment, help implement the government's electronic agenda, and provide the additional security functionality needed. "We started by focusing on things like secure email and file transmission, and PGP® solutions were mentioned in our initial discussions," Sharples says.

Although Sharples knew many available solutions worked with Microsoft® Exchange, few viable options worked with the Council's Domino environment. To ensure PGP Universal Gateway Email could integrate with the complex network, he decided to work with Intellect Security, a PGP® Gold Partner, on a proof of concept. "Intellect Security offered a low-cost option that would enable us to effectively roll straight into a live production environment once we were happy with how things worked," he explains.

Interoperate with existing infrastructure. In addition to two Lotus Notes Domino servers, the Council had already deployed an IronPort® email security appliance to protect against viruses, spam, and spyware. "Although it was important that any encryption product we selected be able to interact with our Domino environment, it also had to work with the IronPort content-filtering appliance, which controls all our email," Sharples says.

Secure sensitive information. Like other government authorities, St. Helens Council has been concerned about confidential client information falling into the hands of those who have no right to see it. In response, the Council had created a training program to ensure staff and managers were aware of the need to securely manage customer information. The need to protect information went beyond the Council, however. Creating care plans for vulnerable adults required the department to frequently exchange sensitive personal and social data electronically with external health care organizations and service providers. "We take the responsibility to protect such information very seriously," says Alison Hughes, customer systems service manager for the Adult Social Care and Health department.

Provide policy options. To meet the requirements for secure communications, the solution needed to automatically encrypt all emails to a particular destination so there was no possibility of sensitive information being sent in the clear.

Facilitate ease of use. The ITC manager says minimal end user training was required. "We didn't do much more than send out instructions about what to do when they received an encrypted email," Sharples says. "Otherwise, there's not really a lot for them to use, because the PGP solution just sits there in the background."

The Results

The ITC team and the Adult Social Care and Health department are very pleased with the benefits the new PGP® email solution provides. As Sharples explains, "We started off with a limited number of users who participated in a proof of concept and have since expanded the solution to an entire department." The deployment by Intellect Security took only a few days. "Intellect Security not only had a good deal of expertise in PGP solutions, but also was very responsive. Our help desk hasn't had any issues, and the whole experience has been very good," Sharples says.

Accelerated care. In the past, a social worker would have returned to the office after seeing a client, typed a letter outlining the care required, and then faxed or mailed the information to the care provider. With the new PGP solution, Council staff can email referrals to independent sector care providers safely and easily. "Now, we can send information immediately after meeting with a client, which means we can set up domiciliary, respite, and residential care packages promptly," Hughes says. "Practitioners can also use templates generated within the customer database to populate the document with the necessary information and then securely email it directly to providers or partners. This arrangement prevents information from going astray in the post or being sent to a fax where it can be read by those who shouldn't have access." Perhaps most important, ensuring that arrangements for care begin as quickly as possible increases the effectiveness of the support provided to clients.

Broader communications. PGP Universal Gateway Email also enabled the Council to provide secure communications to recipients who do not have encryption solutions. According to Sharples, "We can use either the PGP Universal™ Satellite or PGP Universal™ Web Messenger functionality to send email securely to anyone with Internet access. These options eliminate a lot of boundaries, because they allow us to provide secure access to data without asking recipients to install anything or change their environment. We just provide the choice and leave it up to them. For us, it's seamless because we know we have a secure channel one way or the other."

Supplemental functionality. Sharples is interested in learning how PGP Universal Gateway Email will work with the new Government Connect initiative. "We hope to be an early adopter of that program," he says. "I believe the initiative will provide some end-to-end encryption, but only within a 'closed' network environment. The PGP solution offers greater functionality that will satisfy the requirement for secure communications no matter what the situation."

New policy options. The Council's IronPort content-filtering appliance controls policy, automating encryption for specific email domains and recipients. With the addition of the PGP solution, users can now also specify on-demand encryption by using the "Confidential" flag in the email client.

Ease of use. "Compared to the power of what it's actually doing in securing communications, PGP Universal Gateway Email is a very simple solution that's almost transparent to those involved," Sharples says. The technical staff quickly became comfortable with the PGP solution. "The proof of concept was a low-risk approach because if it didn't work, we hadn't expended a lot of time or resources. Intellect Security deployed the solution in a couple of days with some basic training for our Domino administration team. It worked immediately, and from then on, it's just been a question of adding seats."

Scalability. The solution's scalability is also an important part of the equation as Sharples considers extending email encryption to the Council's Children and Young People's Services department. Because the Council has already invested in the PGP® Encryption Platform, the architecture automatically deployed with PGP Universal Gateway Email, the Council can easily add other PGP encryption applications as new needs arise. That option to add applications without adding infrastructure or resources is very appealing, Sharples admits. "We're already looking at providing secure delivery of billing information using the network data encryption provided by PGP® NetShare."

Solid foundation. The ITC manager anticipates that the use of secure email will continue to grow. "We've got a proper foundation now that will allow us to respond immediately, 'Yes, we can do it,' to anyone who needs that kind of capability." Sharples is also looking forward to integrating PGP Universal Gateway Email with the security functionality provided by the Government Connect program. "You can implement the PGP solution without any restrictions, so in the long term, we see it complementing what we'll be able to do via the U.K.'s secure electronic infrastructure initiative," he adds.

Summary

In addition to providing the required secure email functionality and easy network integration, PGP Universal Gateway Email also supports the ITC manager's development strategy. "Any solutions we choose must be able to support the S/MIME standard Domino uses," Sharples points out. "Alignment with open standards is the strategic direction we're following, so from that perspective, the PGP® email encryption solution is a good fit."

About the PGP® Encryption Platform. The PGP Encryption Platform reduces the complexities of protecting business data by enabling organizations to deploy and manage multiple encryption applications cost-effectively from a single management console. Deployed with the first encryption application, the PGP Encryption Platform makes installing a separate or additional infrastructure unnecessary when the organization needs other encryption applications. The PGP Encryption Platform supports the broadest range of integrated applications to secure email, laptops, desktops, instant messaging (IM), PDAs, network storage, FTP or bulk data transfers, and backups.

About Intellect Security Ltd.

Intellect Security, a PGP Gold Partner, is a specialist provider of solutions focused around the PGP Encryption Platform. Intellect Security has an unequalled pedigree in the provisioning of PGP®-based technologies to both large and small corporations in the U.K. and across Europe. The company has been closely involved with the evolution of PGP Corporation during the last 10 years and has developed several PGP-based solutions for the automation of batch data encryption.