Showing posts with label ICO. Show all posts

Saturday, 22 December 2007

GOVERNMENT'S DATA SECURITY WOES

Notwithstanding my previous post, this is by way of a small spot of house-keeping. I can't really let the latest batch of the Government's data security breaches (as per here, here and here) pass without some sort of comment.

Happily others have made appropriate noises about them already - notably Dizzy (who else?) (here and here) who makes the eminently sensible and intelligent suggestion of "a proper technology ministry responsible for all IT and security". Personally I reckon it needs to go a little further than this. There should be a Cabinet-rank Minister, ideally with some level of technological expertise/knowledge (chance would be a fine thing from our current bunch of politicos!!!), with full responsibility and accountability for IT across the whole of Government, not just cross-departmentally. The problem here isn't just about data security but about the whole bundle of IT issues (procurement, project development, infrastructure, &c, &c) which suffer from the dread disease of departmental turf wars and unjoined-up Government. As Dizzy rightly says: "As long as we have a disconnected system of IT development and systems in Government then there will always be someone else to blame".

The other part of the problem is that Government's 'wants and needs' from our data, notwithstanding data protection legislation, are (generally) antipathetic to our own. Worse, there is a cultural malaise within policy development in this area that assumes too readily that our interests should be subsumed to an airy-fairy perception of the 'greater good'. In other words, our data 'wants and needs' for our data play second fiddle to those of Government. The vexed issue of who 'owns' data is inextricably wrapped up in this and gives rise to an extremely persuasive argument that this matter - the rights to privacy of and for data - should be addressed legislatively as a matter of urgency. Quite rightly Dizzy also maintains: "Under no circumstances should any personal data be sent out of the country by Government". Again I favour going further than this. We should revert to a principle that has been floating around for some time, trusted third party "info-mediaries". Responsibility for all data administration and management should be stripped away from the government machine and passed to a sensibly funded, independent (of both the public and commercial sectors) organisation (or organisations) (perhaps akin to the ICO) which would be statutorily charged with all data management, ideally on a federated basis, on behalf of the citizen and the government (in that order).

And finally I slightly disagree with Dizzy when he says: "The Government's proposal for jail time for anyone breaching data security is a misdirected solution". He is of course correct in saying that this is "putting a Band-Aid over a gaping gash". Nevertheless, it seems to me that the complete absence of any effective sanction for "reckless" data security breaches is a major contributory factor to the cavalier/indifferent culture that exists on data security within Government. It therefore follows that some form of deterrent could have the beneficial effect of focussing minds on being rather more assiduous about data security. I can't help thinking that this is a necessary part of the solution.

I have one final point to make. Evidently, the Great Bottler is hoping that the scandals surrounding data security breaches will disappear over the coming weeks - which attitude, incidentally, is itself a manifestation of the cultural malaise of which I speak. If I was in his big tent, I wouldn't have all that much confidence in this expectation. What we know is that the Information Commissioner has made it plain that a whole bunch of government-held data has gone 'walkabout' - although none as serious as the HMRC scandal (given the scale of that disaster, we shouldn't be surprised by that). Thus far we've only really been told about the DSA breach. So it is reasonable to suppose that news of others will continue to dribble out for quite some time. Quite apart from that, the whole matter will be revisited by the media and Parliament relatively early in the New Year when the various Reports are published. The issue just isn't going to go away. Additionally, all it would take for the whole issue to flare up again in spades - and for the skids to be put almost terminally under the Great Bottler's administration - would be a single instance of fraud or identity theft perpetrated as a result of a loss/breach of government-held data. And that, dear friend, continues to be a seriously viable possibility!!!

(Sorry about that.) But still have a happy Christmas.

Thursday, 13 December 2007

PRIVACY IMPACT ASSESSMENTS

Once again those splendid chaps over at Ideal Government bring us welcome news, this time about the launch of Privacy Impact Assessments by the Information Commissioner (relevant press release available here). As William Heath suggests, ID cards/ContactPoint/eCAF/Connecting for Health/ eBorders/Scottish bus pass scheme for the elderly/&c would almost certainly have fallen foul of the criteria for assessment. And wouldn't we be in a much better situation if PIAs had been prepared for all these things (and more) so that the necessary and appropriate adjustments/amendments to secure our data and protect our privacy could have been made?

What I'm less certain about is what level of compulsion, if any, the ICO can impose so far as the preparation of PIAs is concerned. So let us hope that some bright spark(s) in Parliament and/or Government (I don't hold out much hope that the latter will) manages to get their head round this and has a go at legislating to make it a statutory duty for Government in all its incarnations to prepare PIAs. Were this to happen it might - just might - limit the almost unrestrained opportunities that our lords and masters have of making a complete and utter horlicks of all their IT schemes and creating hugely expensive 'white elephant' projects all over the place.

Wednesday, 12 December 2007

PLOD AT THE DOOR OF No.10 ... AGAIN?

Now here's a thing!

As we know Richard Thomas, the Information Commissioner, has indicated that he is in favour of amendment of the Data Protection Act. Specifically, he is calling for a new criminal offence although quite what form this should take is perhaps less clear. But let us assume that it is wrapped around the phraseology "knowingly or recklessly failing to comply with the data protection principles". That would just about cover all the appropriate bases. And, let us assume that Parliament in its wisdom does in fact put this on the statute book.

Well, we also now know that the Great Bottler, when he was still Chancellor, was alerted to the fact that "data protection procedures governing the child benefit database" were as leaky as a sieve back in 2004 (reports here and here). And yet (so it seems) he chose to do bugger all about it. I know we're talking hypotheticals here but I reckon that sort of behaviour is a pretty good fit with "knowingly or recklessly failing to comply with the data protection principles". In other words, given a law change, the Great Bottler - and, presumably, the current incumbent, Darling - would be in the frame for a visit from Plod, presumably under caution!

You've got to reckon that Nu-Labour, following the indignity of Bliar being the first serving PM to be interviewed under caution over cash-for-peerages, are dead keen not to put themselves in a position where that could happen again - in fact, it'd be worse because I reckon Plod would be interested in the actions of both of the holders of the two highest offices in the land (the PM and the Chancellor of the Exchequer). And so it seems. Certainly it's what I read into the sub-text of this written answer to Baroness Noakes last week.

But, in reality, this may offer them scant comfort. Those excellent fellows over at Privacy International appear to be seriously contemplating an action against the UK Government even as the law currently stands. Quite right too. Needless to say, their chances of prosecuting such a case would improve immeasurably if you, dear reader, felt inclined to offer your support. So, should you feel disposed so to do, please feel free to contact Simon Davies at simon@privacy.org. I'm sure that for a whole bunch of us there would be no better Xmas present than the prospect of the Great Bottler and his sidekick, Darling, having a little visit from the boys in blue!!!

Thursday, 6 December 2007

DATA SECURITY: GOVT'S TRACK RECORD

Further to my previous post, I've been doing a little research. It would seem that (some of) the various legislative changes to the data protection/security regime that Richard Thomas is currently calling for have in fact already been before Parliament.

Back in March of this year in the House of Lords various amendments were debated in the context of the Serious Crime Bill aiming to strengthen the hand of the ICO vis-à-vis data protection/security. In fact, on 30th April and again on 9th May Baroness Anelay (now Opposition Chief Whip in the Lords but Home Office spokesman at the time) moved specific amendments (relevant debates available here and here) to ensure that the Information Commissioner would have the right to carry out assessments of data processing of his own volition. And, on 18th and 25th June respectively, Baroness Noakes (Opposition Treasury spokesman) and Earl Northesk initiated debates (here and here) on a similar provision on the face of the Statistics and Registration Service Bill.

In both cases, the Government rejected the amendments pretty much out-of-hand, although (it being the House of Lords) with some small measure of elegance. No surprise there then! Now, I'm not saying that, had they been accepted, the HMRC fiasco wouldn't have happened - though it might have made it less likely. Rather it is illustrative of the culture of complacency and indifference with which government thinking about and policy development of the needs of data security and protection is infected.

In passing I can't resist a barbed dig at the Lib Dems about this. Rationally this whole issue should be their natural territory but, in parliamentary and legislative terms, they give the impression of being completely unsighted about it. Instead - and happily - the Conservatives are making all the running on it with the 'yellow perils' being merely followers. It does beg the question as to what the Lib Dems are actually for if they can't be bothered to prosecute those matters that should be dearest to their hearts and underlying political philosophy. So, reckoning that the Conservatives in the House of Lords have a bee in their collective bonnets about this, is there a realistic prospect that they might introduce a PMB in the near future?

ONGOING DATAGATE FALL-OUT

As The Register's John Oates reports, Richard Thomas was giving evidence to the Justice Committee in the Commons yesterday. He specifically calls attention to this comment from the ICO's head honcho: "... several [Government] departments have come to see us on a confessional basis, ..."

Chilling stuff and - as if we didn't already know - indicative of wholesale systemic failure of data security arrangements and protocols not just at HMRC but across the whole panoply of Government. And which departments (I reckon the DWP is a likely candidate) have been donning their hair-shirts and pleading mea culpa? Perhaps more importantly, shouldn't these departments be making these confessions to us directly - more than likely it's our data at risk - rather than skulking off to the ICO with their tails between their legs perhaps in the hope that their laxity and incompetence will get conveniently swept under a carpet?

A further article from The Register (John Oates again) reports that Richard Thomas also insisted that "his budget was insufficient and his powers too weak". In fact I was appalled to read that, whereas the ICO gets a total of £10m annually (essentially from registration fees), the Health & Safety Executive gets £890m - bet that makes Dizzy Thinks utterly apoplectic, given his loathing of the HSE - and the Food Standards Agency £143m. I reckon this arrangement says a huge amount about where Government places data security as a priority within the scheme of things. Additionally Richard Thomas sums up government IT policy pretty well, if clouded a bit with the art of understatement: "There is excessive faith in technology perhaps without addressing the risks that go with collecting that information." And just for good measure he was decidedly lukewarm about ID cards as well. All in all, it looks as if he's gearing up a little to exert the independence of his office somewhat more forcefully than he perhaps has done in the last five years.

In that vein and on a (slightly) happier note, he also recommends some eminently sensible things that the Government could be getting on with in the wake of 'datagate', specifically the creation of a new criminal offence and a statutory right of inspection of any given organisation's data security practices. Quite rightly he defines the current position in law, where he can only act with the consent or at the invitation of the relevant organisation, as "bizarre". So, will the Government bring forward appropriate legislation as a matter of urgency? Well, I'm not holding my breath! Or will the Opposition Parties get their collective acts together and try and run something as a Private Members' Bill? At the very least that would put pressure on the Government. Well, as usual we'll just have to wait and see.