Government to review Swedish Transport Agency
The Government took two decisions on 3 August 2017 as a result of the information that has emerged about the Swedish Transport Agency’s procurement of IT services. The first decision is to appoint an inquiry chair to review the events that led to security-sensitive and otherwise secret data being handled in contravention of Swedish legislation. The second requires the Swedish Transport Agency to identify the data that was handled inappropriately and determine what measures may be necessary to ensure the appropriate handling of protected information in future.
It is the Swedish Transport Agency’s responsibility to protect the data the Agency manages and ensure that appropriate routines and guidelines are in place to handle protected information. As a result of the information that has emerged concerning the Swedish Transport Agency’s procurement of IT services, the Government sees a need to ensure that the Swedish Transport Agency carries out the necessary analyses.
“The Government wants a prompt and thorough examination of events at the Swedish Transport Agency to learn lessons and prevent similar situations in the future. The decisions to both examine and identify the course of events are an important step in this direction,” says Minister for Infrastructure Tomas Eneroth.
The inquiry chair will be tasked with examining the entire procurement process, from concept to completion. Questions the inquiry chair will answer include: What analyses and considerations were made? What expertise was represented? Who took the crucial decisions? What internal routines and guidelines were in place and how did the Agency set priorities and take action in practice?
The inquiry chair, to be appointed by the Government, will consult with the Swedish Data Protection Authority, the Swedish Civil Contingencies Agency, the Swedish Security Service and the National Agency for Public Procurement.
The Swedish Transport Agency has been instructed to identify the data that was handled by contractor and subcontractor staff without security clearance and the parts of this data that are security-sensitive or otherwise secret.
The Swedish Transport Agency is also required to assess the damage or harm that has occurred, or could occur, as a result of the incident and determine the measures that may be needed to ensure the appropriate handling of protected information in future.
Both reports are to be submitted to the Ministry of Enterprise and Innovation no later than 31 January 2018.