Statement about the information in media regarding our IT public procurement

Background:

In April 2015, the Swedish Transport Agency outsourced the operation of the authority's IT system by signing a contract with IBM Sweden. The contract means that IBM Sweden is responsible for making sure that hardware, network and programs are working. This contract will continue in force until 31 October 2020, with the possibility of renewal. IBM Sweden has subcontractors abroad. When outsourcing to IBM Sweden, the former Director-General Maria Ågren decided, in the first half of 2015, to deviate from the Swedish Security Protection Act, the Personal Data Act and the Publicity and Secrecy Act, as well as from the authority's own guidelines for requirements on information security. The deviation from applicable legislation consisted in the operations technicians from IBM Sweden not having been submitted to security background checks. In spite of this, they were authorised to work with our IT system. This is why the Swedish Security Service initiated a preliminary investigation. This has led to Maria Ågren receiving an order of summary penalty, which means day-fines due to carelessness with secret information, but without intent.

About the order of summary penalty and the information in media with regard to the IT public procurement, Jonas Bjelfvenstam, the Swedish Transport Agency's Director-General, says:
– The authority handles crucial information which affects citizens, companies and other authorities, and it is my firm belief that we, in every situation, must comply with the laws and regulations applicable to the authority's work. Nothing else is acceptable. We take the criticism against the Swedish Transport Agency very seriously. And we would also like to make it clear that we have no indications that data was disseminated improperly.

What has the Swedish Transport Agency done to take care of this?
The Swedish Security Service contacted the authority in the summer of 2015, and directly afterwards, action was taken in order to improve the safety level. Since then, we have based our work on an action plan, with further steps that must be taken. This action plan has been shared with the Swedish Security Service. For safety reasons, we cannot enter into details about this plan. The work is comprehensive and technically complex, but will be completed in autumn 2017 at the latest.

Examples of steps we have taken:

• All equipment, programs and data remain in Sweden and have been in Sweden all the time.
• All administration for storing data is, since June 2016, handled in Sweden by approved personnel who have been submitted to a background control.
• All administration of networks is, since July 2016, handled in Sweden by approved personnel who have been submitted to a background control.
• All main administration of servers is, since May 2016, handled in Sweden by approved personnel who have been submitted to a background control.
• From autumn 2017, all administration of application management will be handled in Sweden by approved personnel who have been submitted to a background control.