Dr. Richard Browne:

I have referred to this already in respect of the voluntary sector. It is a very significant challenge. Colleagues in other European jurisdictions had this exact discussion with the UK relatively recently. There is no cheap or simple solution to these questions. The UK's public sector cybersecurity strategy commits to having systems in place to deal with these kinds of questions by 2030, so this is a common issue elsewhere. These kinds of challenges arise because cybersecurity has arrived on top of an extant structure of IT and IT governance which evolved over a long period of time. As the Deputy has said, individual schools, clinics, clinical settings including dental surgeries and a wide range of other organisations hold data, including, in some cases, clinical data, on services that are not certified or unified. In many of these cases, the solution is to unify IT services or to change the structure through which they are provided. This is happening in central government, in the university sector and in other sectors. There are other sectors, including the education sector, that will be really challenging to deal with. We do not have a specific programme in place for securing educational IT but this is something that will have to be dealt with by means of centralised ICT procurement in the Department of Education. It is not a simple process. Who owns the school? Who owns the computer? Who owns the data? Who is the data controller? None of these questions are readily resolvable by anybody in the system.