Showing posts with label HMRC. Show all posts

Friday, 1 February 2008

HMRC ONLINE SYSTEM CRASH

OK, so this is no big surprise - especially given the Government's record for (in)competence over IT systems. And at least they have had the wit to extend the deadline for filing - no doubt thinking about the horrendous publicity they would receive on the back of the double standard revealed a few days ago.

In advance of any announcement as to what has caused the problem, current speculation (and conventional wisdom) is arguing in favour of a failure to build in to the system adequate capacity/scalability to cope with (inevitable) traffic peaks as the deadline approaches. No doubt this has been a contributory factor - it is a not uncommon problem with the Government's IT systems. But - call me an old softie or maybe I'm just being too optimistic - I'd like to believe it also has something to do with data security improvements to the site/system on the back of the HMRC fiasco. This may be just too incredible - and probably wouldn't be admitted to by Treasury spokesmen in any event - but, if such an analysis is correct, it would imply that ad hoc attempts to retrieve an irretrievably 'broke' system are likely to cause more problems than they solve. In effect what may be necessary is a root-and-branch re-design/re-build of IT systems to guarantee that proper data security and capacity is built in from the get-go.

I don't doubt that this is an especially scary thought - in policy/financial/&c terms - for the Great Bottler and his team!!!

Wednesday, 12 December 2007

PLOD AT THE DOOR OF No.10 ... AGAIN?

Now here's a thing!

As we know Richard Thomas, the Information Commissioner, has indicated that he is in favour of amendment of the Data Protection Act. Specifically, he is calling for a new criminal offence although quite what form this should take is perhaps less clear. But let us assume that it is wrapped around the phraseology "knowingly or recklessly failing to comply with the data protection principles". That would just about cover all the appropriate bases. And, let us assume that Parliament in its wisdom does in fact put this on the statute book.

Well, we also now know that the Great Bottler, when he was still Chancellor, was alerted to the fact that "data protection procedures governing the child benefit database" were as leaky as a sieve back in 2004 (reports here and here). And yet (so it seems) he chose to do bugger all about it. I know we're talking hypotheticals here but I reckon that sort of behaviour is a pretty good fit with "knowingly or recklessly failing to comply with the data protection principles". In other words, given a law change, the Great Bottler - and, presumably, the current incumbent, Darling - would be in the frame for a visit from Plod, presumably under caution!

You've got to reckon that Nu-Labour, following the indignity of Bliar being the first serving PM to be interviewed under caution over cash-for-peerages, are dead keen not to put themselves in a position where that could happen again - in fact, it'd be worse because I reckon Plod would be interested in the actions of both of the holders of the two highest offices in the land (the PM and the Chancellor of the Exchequer). And so it seems. Certainly it's what I read in to the sub-text of this written answer to Baroness Noakes last week.

But, in reality, this may offer them scant comfort. Those excellent fellows over at Privacy International appear to be seriously contemplating an action against the UK Government even as the law currently stands. Quite right too. Needless to say, their chances of prosecuting such a case would improve immeasurably if you, dear reader, felt inclined to offer your support. So, should you feel disposed so to do, please feel free to contact Simon Davies at simon@privacy.org. I'm sure that for a whole bunch of us there would be no better Xmas present than the prospect of the Great Bottler and his sidekick, Darling, having a little visit from the boys in blue!!!

Friday, 7 December 2007

THE CROSBY REPORT

Those estimable fellows over at Ideal Government have recently posted this little gem.

Now, call me a hopeless cynic but I reckon the answer from Andy Burnham means that:
  1. The Report has in fact been read by Ministers - and the Great Bottler himself in particular - and so, to all intents and purposes is ready for public consumption. But they are resisting publication because ...

  2. It is a savage indictment of the architecture that the Government are currently proposing for their ID card scheme.

i.e. William Heath's take on it is absolutely spot on.

But, as I posted earlier, I am less certain that his 'seasoned Whitehall-watcher' has necessarily got it right in supposing that the Report is destined for some hinterland of long grass deep in the bowels of the Treasury. Rather I think that the Great Bottler reckons the Report may yet prove to be a potential ace up his sleeve.

Whatever else he may be he is a mightily shrewd politician - after all he commissioned the Crosby Forum in the first place when still Chancellor and you don't go to that trouble unless you're 90% confident that it will say what you want. Even then he will have actively considered the electoral downside of running with the ID cards project. His plan therefore was to make sure he had a get-out in place just in case the whole ID cards palaver went belly-up. Of course he can't have reckoned that, on the margins of the HMRC fiasco, it would do so quite so spectacularly. So at the moment his hands are tied because - call it control-freakery, hubris, pride, whatever you will - he can't take the risk of being controlled by events.

Nevertheless, timing is all. So, down the line when his political weather is a little bit sunnier and (always assuming if) he has regained some measure of control, he may well pull the proverbial rabbit of the Crosby Report out of the hat to justify scrapping ID cards, particularly if the prevailing winds tell him that to do so would be politically/electorally advantageous.

We shall see but, if nothing else, it's good to see David Davis sniffing around the issue - at least someone in Parliament is!

Thursday, 6 December 2007

DATA SECURITY: GOVT'S TRACK RECORD

Further to my previous post, I've been doing a little research. It would seem that (some of) the various legislative changes to the data protection/security regime that Richard Thomas is currently calling for have in fact already been before Parliament.

Back in March of this year in the House of Lords various amendments were debated in the context of the Serious Crime Bill aiming to strengthen the hand of the ICO vis a vis data protection/security. In fact, on 30th April and again on 9th May Baroness Anelay (now Opposition Chief Whip in the Lords but Home Office spokesman at the time) moved specific amendments (relevant debates available here and here) to ensure that the information commissioner would have the right to carry out assessments of data processing on his own volition. And, on 18th and 25th June respectively, Baroness Noakes (Opposition Treasury spokesman) and Earl Northesk initiated debates (here and here) on a similar provision on the face of the Statistics and Registration Service Bill.

In both cases, the Government rejected the amendments pretty much out-of-hand, although (it being the House of Lords) with some small measure of elegance. No surprise there then! Now, I'm not saying that, had they been accepted, the HMRC fiasco wouldn't have happened - though it might have made it less likely. Rather it is illustrative of the culture of complacency and indifference with which government thinking about and policy development of the needs of data security and protection is infected.

In passing I can't resist a barbed dig at the Lib Dems about this. Rationally this whole issue should be their natural territory but, in parliamentary and legislative terms, they give the impression of being completely unsighted about it. Instead - and happily - the Conservatives are making all the running on it with the 'yellow perils' being merely followers. It does beg the question as to what the Lib Dems are actually for if they can't be bothered to prosecute those matters that should be dearest to their hearts and underlying political philosophy. So, reckoning that the Conservatives in the House of Lords have a bee in their collective bonnets about this, is there a realistic prospect that they might introduce a PMB in the near future?

ONGOING DATAGATE FALL-OUT

As The Register's John Oates reports, Richard Thomas was giving evidence to the Justice Committee in the Commons yesterday. He specifically calls attention to this comment from the ICO's head honcho: "... several [Government] departments have come to see us on a confessional basis, ..."

Chilling stuff and - as if we didn't already know - indicative of wholesale systemic failure of data security arrangements and protocols not just at HMRC but across the whole panoply of Government. And which departments (I reckon the DWP is a likely candidate) have been donning their hair-shirts and pleading mea culpa? Perhaps more importantly, shouldn't these departments be making these confessions to us directly - more than likely it's our data at risk - rather than skulking off to the ICO with their tails between their legs perhaps in the hope that their laxity and incompetence will get conveniently swept under a carpet?

A further article from The Register (John Oates again) reports that Richard Thomas also insisted that "his budget was insufficient and his powers too weak". In fact I was appalled to read that, whereas the ICO gets a total of £10m annually (essentially from registration fees), the Health & Safety Executive gets £890m - bet that makes Dizzy Thinks utterly apoplectic, given his loathing of the HSE - and the Food Standards Agency £143m. I reckon this arrangement says a huge amount about where Government places data security as a priority within the scheme of things. Additionally Richard Thomas sums up government IT policy pretty well if clouded a bit with the art of understatement: "There is excessive faith in technology perhaps without addressing the risks that go with collecting that information." And just for good measure he was decidedly lukewarm about ID cards as well. All in all, it looks as if he's gearing up a little to exert the independence of his office somewhat more forcefully than he perhaps has done so in the last five years.

In that vein and on a (slightly) happier note, he also recommends some eminently sensible things that the Government could be getting on with in the wake of 'datagate', specifically the creation of a new criminal offence and a statutory right of inspection of any given organisation's data security practices. Quite rightly he defines the current position in law, where he can only act with the consent or at the invitation of the relevant organisation, as "bizarre". So, will the Government bring forward appropriate legislation as a matter of urgency? Well, I'm not holding my breath! Or will the Opposition Parties get their collective acts together and try and run something as a Private Members' Bill? At the very least that would put pressure on the Government. Well, as usual we'll just have to wait and see.

Thursday, 29 November 2007

ContactPoint "DELAYED"

So reports Kablenet. And a good thing too. Yippee!!!

But it is only a delay. And, needless to say, Goggle-Eyed Balls and his crew are trying to spin that the HMRC debacle is only a very minor consideration in this decision - as pointed out by John Oates here.

A few thoughts come to mind. The Written Statement insists that "ContactPoint will be a simple basic online tool" and seeks to allay any anxiety by insisting that "No case information will be held on ContactPoint". As ever these dimwits singularly fail to understand that it is possible to infer a huge amount about any given individual from even the slimmest/most basic biographical data. For example, on their own admission, it will include "an indication as to whether a service or practitioner holds an assessment under the Common Assessment Framework or whether they are a lead professional for that child". Now, it doesn't take a genius to work out that, if an assessing "service", "practitioner" or "lead professional" is identified on the database, it becomes comparatively easy to work out the specific area of concern for/of that child. In other words, his/her data privacy and confidentiality has been circumvented.


In addition I've always struggled to understand how it is that a potential total user-base of 330,000 individuals - no doubt of the same calibre as those at HMRC - generates consistency with or confidence in the reassurance that "only cleared staff subject to the highest level of Criminal Records Bureau checks would be able to access the system". And, bearing in mind how adept Government staff have been at losing their laptops (see here), let us hope that those 330,000 people - I'm sure they're all good souls with no malicious intent!?! - can at least avoid dropping their random number generating tokens down the back of the train seat or what have you!

Friday, 23 November 2007

TRUSTING DATA SECURITY

On the face of it this from ECOTEC Research & Consulting (via cc:eGov, seemingly an offshoot of the European Commission's DG Information Society and Media's eGovernment Unit) makes a helluva lot of sense - although I haven't had a chance to read the whole report yet. I have to say too that I'm a little nonplussed that something as commonsensical as this has emanated from the EU. The BBC's report on this is here.

As their press release says, in the wake of the HMRC fiasco, their paper is "a timely reminder about the need to manage trust and security effectively." A masterpiece of understatement! And, as the Chairman of ECOTEC, John Bell, says: “This study has demonstrated that trust in public authorities and their technological systems is a key issue for governments across Europe and one that will not go away. Dealing with it will be the next great challenge for governments in the digital world”. Well ... actually it's been "a key issue" for the past decade or longer, and dealing with it is becoming more urgent with each passing day.

Given the history of all this, we'll have to wait and see whether there is a cat in hell's chance of any of it feeding into the development of policy whether at a pan-European level or by individual member states. But I'm not holding my breath that The Great Bottler and his cohort will have the wit to pick up this particular ball and run with it.

BLUNKETT: GENERAL IGNORANCE

Dizzy has an excellent hatchet job on David Blunkett's letter today to The Times. As he says the former Home Secretary - and, lest we forget in light of the HMRC debacle, former Secretary of State at the Department of Work and Pensions (how much of the 'systemic' failure within the Child Benefit system stems from his tenure of that office?) - "should shut up".

I've little enough to add - Dizzy covers all the bases superbly. But I have to admit that a wicked, perhaps even provocative in this politically correct age, thought came unbidden to my mind: "There's none so blind as them that can't see!"

P.S. Rest assured and for avoidance of doubt it's a commentary on his intellectual capacity rather than anything else.

Thursday, 22 November 2007

COULD 25m PEOPLE SUE HMRC?

On reading Iain Dale's post about this, I couldn't resist looking up the relevant text of the Data Protection Act. Section 13 seems to be the most pertinent provision. It states:

"13 Compensation for failure to comply with certain requirements

  1. An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
  2. An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
    (a) the individual also suffers damage by reason of the contravention, or
    (b) the contravention relates to the processing of personal data for the special purposes.
  3. In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned."

I'm no lawyer but, on the face of it, anyone affected by the HMRC fiasco could sue for not only "damage" (i.e. financial loss, identity theft, or what-have-you) but also "distress" (i.e. mental anguish caused by the whole sorry episode, &c). Interesting.

But what really tickled me about this was the prospect of the Government, as a defence, seeking "to prove that [it] had taken such care as in all the circumstances was reasonably required" should anyone choose to take action against them. That really would be interesting!

Wednesday, 21 November 2007

'LOST' HMRC DISKS FOR SALE!!!

So The Register reports.

Well, someone had to do it didn't they? Made me chuckle anyway.

Tuesday, 20 November 2007

GOVERNMENT SECURITY FAILURE

Not surprisingly the blogosphere is awash with the fall-out from HMRC having 'lost' 25m - yes, 25 MILLION!!! - data records. I don't have a great deal to add to what others have already said on the subject - notably in no particular order Dizzy, Iain Dale, Man In a Shed, Ian Brown at Blogzilla, SpyBlog, et al. But, for me, Ross Anderson at Light Blue Touchpaper is absolutely spot-on in his reaction. As he says:
"It’s surely clear by now that the whole public-sector computer-security establishment is no longer fit for purpose."
I should coco!!!!

For my part, I make these observations:
  • The Great Bottler's dandy wheeze, when still Chancellor under Bliar, to expand his empire by combining tax and benefit functions under one roof at HMRC has come back to haunt him - he certainly looked pretty nervy as Darling delivered his Statement. A case perhaps of the biter bit?
  • The fall-out from this will resonate for many weeks and months (and, as Dizzy suggests, Darling falling on his sword over it is a wholly viable prospect; it may even leach towards The Great Bottler himself). It is impossible to exaggerate how serious and damaging this could potentially be to the stability of the economy not only at the level of individual families but also much more widely;
  • For anyone who has shrugged their shoulders and assumed that they are content that Government should be the primary manager and/or administrator of their personal data, this is proof positive (not for the first time) that they have been deluding themselves (as suggested above by Ross). And, while on the subject of shrugging shoulders, the litany of security lapses and failures perpetrated by Government and its departments is now so long that we should be demanding that effective action be taken to remedy the situation, not sitting back and letting them repeat the same old mistakes time and time again;
  • there is an urgent requirement to review and re-balance the legal position vis-a-vis the ownership of personal data. Currently the individual citizen has no rights of ownership whatsoever and inevitably therefore control over how the data is administered, processed, manipulated, &c is severely constrained and limited. At the very least the law should grant us some enforceable rights in this increasingly important area;
  • at this stage, the Information Commissioner is quite right to reserve judgment. But, as a general principle, these sorts of security lapses need to be proceeded against with the full force of the law. Too often, they are dealt with internally by resort to what are, compared to what would happen in the private sector, relatively soft disciplinary measures. Rather, because of the position of trust in which Government and its staff find themselves, they should be prosecuted to the max.

No doubt this story'll run a bit in the coming days so I may well return to it. But for now, my mind is just boggling at how incompetent this whole sorry affair is - I've got to lie down with a wet towel over me head to try to recover!!!