My previous post sparked a minor flurry of comments (cheers Tim) about top-n lists, but I was shocked tonight (literally about half an hour ago) to find ANOTHER piece on the newswire about a government department / local authority misplacing yet another set of valuable documents and information in some form of internal postal system. Granted, with this one there was not any way that innocent individuals information could be gleaned, however, this is another example of this systemic ineptitude and total ignorance of basic data security principles when dealing with the important issue of personal data.
As somebody who has made a career in the data management industry, with experience in large scale data warehousing and business intelligence projects (even presenting a series of talks of data security principles), this is something I feel I can comment on with some authority. In a sense, Gordon Brown has been unlucky. He took over just as two major data security violations took place in government departments, namely the HM Revenues and Customs (HMRC) and the Driver and Vehicle Licensing Agency (DVLA), and it would be naive to think that government departments and local authorities all work in some kind of revolutionary way such that the Prime Minister knows EVERYTHING that goes on, of course not, he relies on his junior ministers / secretaries of whatever stupid government department's turn it happens to be this time, nor would it have been any different under any other government party, since it's still the same employees who work in the HRMC or DVLA, but just as the managing director of a company is liable for corporate mistakes by employees (generally), I'm afraid the buck stops with Mr. Brown. This has certainly not been a good few months for the Labour party, especially with the other things such as questions over funding rear their ugly head.
I'm afraid, though, as much as I understand about the way that this country is structured, I have no sympathy for any of them. It, quite simply, staggers belief the sheer scale of some of the data security violations (most of which definitely contravene the Data Protection Act 1998).
So, here's the top 10 list of government ineptitude, in ascending order of total inept ignorance and each showing a total lack of respect for the important of security of personal information :
10. Hundreds of HMRC documents (including VAT returns and personal details) found by a BBC reporter on a Nottingham street
9. An ex-employee for the Department for Work and Pensions (DWP) having thousands of benefit claimant details (fortunately, non-financial) on 2 CDs for over a year after leaving
8. The DVLA sending 1,215 questionnaires with personal details out and 100 going to the wrong addresses.
7. The Scottish Government losing pension statements for 200 people (fortunately, found again a day later)
6. HMRC (again) involved in a postal mix-up regarding the personal details of 50 people being accidentally sent to a training company in Dundee.
5. Domestic violence victim details (names and addresses) faxed by mistake to local shops in Glasgow by Strathclyde Police
4. 15,000 Standard Life customer details "lost" in transit from HMRC (again)
3. Ruth Kelly admitting that the details of three million learner drivers were "lost" by a contracted company based in Iowa, contracted to the DVLA.
2. The Department of Work and Pensions (DWP) sending the pension details of 26,000 pensioners to the wrong addresses
and, of course.....
1. By far the most staggering, 25 million child benefit records from HMRC (yes, again!) to the National Audit Office (NAO) on 2 CDs being lost in internal mail.
As somebody who has personally been affected by number 1, and also aware that their financial and personal details on a (get this!) "password-protected" set of 2 CDs generated by a junior official and sent by UNREGISTERED courier, seemingly with the full knowledge of much more senior managers (even though the chanceller, Alistair Darling, blamed the fiasco solely on this "junior official"), this shows another absolutely astounding lapse of data security by a government. In any other context, senior heads would roll for this, certainly if this country was a private company, no one would touch us with a ten-metre cattle prod. To add insult to injury, the Information Commissioner, Richard Thomas, has stated that the government did break the Data Protection Act 1998 by not safeguarding sensitive data. However, the Information Commissioner's Office (ICO) lacks any kind of teeth, since the maximum fine that a Data Protection Act 1998 violation can incur is, wait for it...., £5,000. Yeah, that's right, only five grand, although, to be fair, Mr. Darling has promised that the ICO will get more powers of prosecution for future data protection violations. What this will mean for us citizens / consumers, we'll have to wait and see.
1 comment:
#2 is quite scadalous. We've sending the personal details of three million people to a company based in a nation where
(a) The executive branch of government thinks it's perfectly acceptable to spy on their own citizens in violation of their own laws.
(b) This same government considers that anyone that's not one of their own citizens has no rights whatsover, and they also have no respect for the sovereignty of any other nation, even those which are supposed to be their allies.
(c) They are fighting a paranoid 'war on terror' in which anyone can be disappeared into legal limbo with no due process and no actual evidence other than heresay.
Send any data to America and it may fall into the wrong hands. And I define the US government as 'wrong hands'.
Post a Comment