Data Privacy and Security – closing the stable door?

I was recently asked to do a presentation on the topic of ‘Effective Information Management’ for a local government organisation. Part of the presentation covered data security and privacy, where I emphasise the the importance of policies and procedures created BY people FOR people. The point being that we already have the technology to ensure data and information remains secure, but if we don’t pay attention to how people use these systems, through appropriate policies, procedures and training, then we’re effectively negating the benefits of the technology.

More worryingly, no matter how many security lapses we hear about, there appears to be a general reluctance in some government departments to ask staff to actually confirm that they have seen, read, understood and agreed to the policy, preferring instead to publish to an intranet and just point people at it.

So, I was naturally drawn to a recent item in Public Sector Forums which provides a chronological list of some of the more recent data security breaches, some of which did not get widely reported in the national press. I’ve reproduced the item in it’s entirety below:

Published: 16 September 2008

Public Sector Forums

As Privacy International’s Simon Davies said recently in the Times:

“Ever since Revenue & Customs lost the records of 25 million people who claim child benefits last year, there has been a frantic rush of reviews, departmental audits, inquiries, an endless stream of new procedures and sombre ministerial statements promising root-and-branch reform. But almost everyone in government knows that there is no easy solution. Most departments are still struggling to work out what the security challenges facing them are – let alone how to resolve them.”

To appreciate something of the scope and scale of the Government’s data security problem, we’ve compiled a scrapbook of press cuttings on the subject just over the past month. As well as some high-profile breaches, we found some other lesser-known stories which didn’t make the national headlines. Even more troubling is the very real likelihood this is not even the ‘tip of the iceberg’ stuff. What other ‘hidden’ losses could be lurking out there below the surface which we don’t even know about yet?  Ponder the list of reports below:

15 August: Colchester University Hospital has fired a senior manager whose work laptop, containing the names, address and treatment details of 21,000 patients, was stolen from his car while he was holidaying in Edinburgh. The data was not encrypted to prevent unauthorised access.

19 August: Personal data belonging to 29 million people was lost by government departments in the last year, according to an analysis by the BBC using details from annual reports and parliamentary questions.

22 August: While working on a Home Office IT project, PA Consulting loses an unencrypted memory stick holding confidential information on all 84,000 prisoners and 43,000 serious offenders. This report came days after the Home Office confirmed another external contractor had lost two CDs containing names, dates of birth, passport numbers and nationalities of 3,000 seasonal agricultural workers.  Reassuringly, the Department commented: “This is not a Home Office data loss”.

23 August: The Telegraph reports over 160 ‘significant’ incidents of confidential data breaches have been reported to the Information Commissioner’s Office (ICO) by public and private sector bodies since November.

26 August: Restricted and Confidential police documents are found dumped in a skip outside a Hampshire police station during building works.

26 August: Redbridge Borough Council introduces new security measures after staff applications forms for criminal records checks, and their supporting identification documents, mysteriously go missing. Fortunately only three people are affected, but the loss meant the staff were working for eight months at schools without background checks.

27 August: Sensitive police memos relating to a major drugs bust operation, including suspects and witness statements from officers, are found by a member of the public in a bin at a recycling centre in Lancashire.

27 August: ContactPoint, the Government’s forthcoming national database of children in England and Wales, sparks new privacy concerns after it emerges police could be granted access to search for evidence of criminality.

28 August: A computer bought on eBay for £6.99 is found to contain council tax data from Charnwood Borough Council, including the names of names, addresses and banking details of thousands of residents.  The data had not been properly erased from the PC’s hard drive. Police later arrest a council employee.

29 August: FOI enquiries to NHS Trusts in North East England reveal multiple serious security breaches of patient confidentiality. Among the losses were a box of 19 records stolen from a consultant’s car when he left it in his driveway overnight.

1 September: ContactPoint is postponed again after being delayed last year for a security review. The Guardian now reports the project is failing to take adequate steps to protect the data of vulnerable children.

4 September: The Health Service Journal reports out of 105 clinicians surveyed, 92 said they carried memory sticks containing confidential patient information - of which only five were password protected.

5 September: An unencrypted memory stick containing information on 146 patients  – including test results for sexually transmitted infections – is lost by Chelsea and Westminster Hospital.

5 September: Documents released under the Freedom of Information Act show the Cabinet Office – responsible for ensuring good practice in data security throughout central government – has itself never been independently audited for compliance with data protection principles.

8 September: Highly-sensitive and confidential information on 10 children with special needs is discovered on a USB pen drive found on the floor of a service station in Yeovil. The device contains names, dates of birth and details of the children’s behavioural problems.

8 September: EDS loses a portable hard drive holding the names, dates of birth, national insurance and employee numbers of 5,000 staff in the National Offender Management Service in England and Wales. The hard drive had been lost for over a year until the details came to light.

9 September: An unprotected memory stick with details of troop movements, including times, locations and travel and accommodation details of 70 military personnel, is found on the floor of a Cornish nightclub.

10 September: After the high-profile theft of a laptop containing confidential information from Hazel Blears’ constituency office, Kensington, suppliers of notebook security locks, offer 150 MPs a free kit to help make sure their own laptop doesn’t go walkabout.  Just eight responded.

11 September: PA Consulting is sacked by the Home Office over the recent data loss of prisoner data. In a statement, the company says: “It is clear from the events of recent weeks that the challenge of managing necessary confidential information held by government, and in particular of eliminating human error, is industry-wide.”

11 September: Unencrypted data on 15,000 patients is lost after a burglar steals computer back-up tapes from a GP’s office in Winchester.

11 September: A survey of 47 NHS authorities finds little or no action is being taken following data losses. FOI enquiries by medical publication Pulse found since January 2007, there had been 188 reports of staff breaching data privacy rules or accessing patient data without authorisation and 75 reported losses of data. Only 14 of the 263 incidents were followed up with formal disciplinary action.

15 September: West Midlands Police confirm they are investigating the loss of a memory stick after it was taken out of a police station by an officer on patrol. The force has refused to comment on its contents, however local press reports suggest it held highly-sensitive information on terrorists. The Independent Police Complaints Commission, which is investigating the loss, described it as an “extremely serious matter”.

16 September: Surrey and Sussex Healthcare NHS Trust owns up to over 50 ‘known’ losses of confidential patient information in the last three years. According to a press report, sensitive medical notes were once found in a public toilet and sent on five occassions to the wrong people.

16 September: A memory stick containing confidential records of 200 mental health patients is found lying in a street. The Tees, Esk and Wear Valleys Trust said the ‘serious breach of patient confidentiality’ occurred after an IT technician lost the device. The stick contained entire medical histories of patients, as well as national insurance numbers and addresses.  Early investigations into the breach found other members of staff were breaching security policies by storing patients’ private details on their hard drives.

16 September: Personal details of 17,990 NHS staff in London have gone missing in the post after four CDs were lost en route to a payroll contractor. The discs were last seen on July 22 when they were left in an envelope on a post tray marked ‘recorded delivery’, however there was no record they were actually sent. They contained name, date of birth, national insurance number, start date and pay details of current and former staff, and some addresses. A NHS employee has been suspended.

It is maybe worth noting that not all of these security breaches were caused by government staff – service suppliers were at fault in at least two incidents.  However, one common thread running through all of the incidents is human failure. Which brings me back to my original point – it’s the people that really matter, the technology is secondary. Until public sector organisations invest time, effort and money in training staff in how to manage secure data, then the billions being spent on developing technology for things like a national ID scheme will count for nothing.  I’ve found the 80:20 rule works quite well here, i.e. when developing and implementing any new technology, budget for 20% of the cost on the actual technology and 80% on getting people to use it effectively. I haven’t seen any evidence that anything like this ratio is being used for technical infrastrucure projects in government.  Someone tell me I’m wrong!

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

Social Media User’s Bill of Rights

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

Came across this today, which seems to be gathering a body of support. I like the sentiments; pity it’s not enforceable!

Joseph Smarr, Marc Canter, Robert Scoble, and Michael Arrington have authored a bill of rights for users of the social web. The bill states:

We publicly assert that all users of the social web are entitled to certain fundamental rights, specifically:

  • Ownership of their own personal information, including:
    • their own profile data
    • the list of people they are connected to
    • the activity stream of content they create;
  • Control of whether and how such personal information is shared with others; and
  • Freedom to grant persistent access to their personal information to trusted external sites.

Sites supporting these rights shall:

  • Allow their users to syndicate their own profile data, their
    friends list, and the data that’s shared with them via the service,
    using a persistent URL or API token and open data formats;
  • Allow their users to syndicate their own stream of activity outside the site;
  • Allow their users to link from their profile pages to external identifiers in a public way; and
  • Allow their users to discover who else they know is also on their
    site, using the same external identifiers made available for lookup
    within the service.
Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

More Government micro-management: E-commerce legislation

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

I wonder how many UK businesses have complied with the e-commerce legislative requirement to include company registration details on their web sites and in their emails? The law became effective from 1st January 2007. If you are a business owner (as I am), you may be forgiven if you didn’t hear much about it, because there was little in the way of any direct communication with businesses.  Unfortunately that will be no excuse when the bureaucrats come to dishing out the fines. Details of the legislation can be found here.

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

New Guidance on use of Council Tax data

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

I saw this earlier this week on Public Sector Forums and  reflected  on its significance. The Information Commissioner’s Office will today (26th Jan)
publish revised guidance for local authorities wishing to make
secondary use of Council Tax Data, for example to populate CRM systems. Previous government guidance on data sharing has created uncertainty in many local authorities on whether they can use this data for other council functions, despite the prevailing common sense that having one authoratitive data set is preverable to building several sets of data about a citizen’s residantial status. The ICO guidance asks a series of questions together with explanations
which outline the ICO’s latest approach, answers to which will
determine the permissibility of using the data.  The questions are as
follows:

  • Is it necessary for the local authority to use the information to carry out its statutory functions?
  • If council tax information is used for another purpose, what effect will this have on the people the information is about?
  • Would using the information cause unwarranted detriment to any individual?
  • Would using the information for another purpose benefit those the local authority provides services to?
  • Is the information particularly sensitive?
  • Will the information be adequately protected from improper use or disclosure?
  • Is there an alternative to sharing information in a form that identifies individuals?
  • Do individuals understand how the local authority will use their information?

The guidance is available for Download ICO_Tax_Guidance_2007.pdf

.

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

Road Pricing Petition

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

The government’s proposal to introduce road pricing will mean you having to purchase a tracking device for your car and paying a monthly bill to use it. The tracking device will cost about £200 and in a recent study by the BBC, the lowest monthly bill was £28 for a rural florist and £194 for a delivery driver. A non working Mum who used her car to take the kids to school paid £86 in one month. On top of this massive increase in tax you will be tracked. Somebody will know where you are at all times. They will also know how fast you have been going, so even if you accidentally creep over a speed limit in time you can expect a Notice of Intended Prosecution with your monthly bill.

If you care about our freedom and stopping the constant bashing of the car driver, you may wish to sign the petition on No 10’s web site.

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

Why Command and Control is So Bad

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

Bruce Nussbaum at Business Week has written an article entitled "Lessons from Home Depot’s Bob Nardelli – Why Command and Control is So Bad".

Now here’s a lesson from the private sector which could easily be applied to Government; autocratic top-down, command and control works great when you focus on
process, e.g. cost and quality, Six Sigma measures and all that stuff. However, if the UK Government is serious about giving local authorities and and local communities more influence and power to improve their lives – as described on the DCLG Local Government White Paper issued last October, then the present culture of centrally imposed targets and measurements must be relaxed.

Process controls and metrics may still have a place within any organisation that is accountable for its actions – whether this is to shareholders, in the case of a publicly-quoted company, or to citizens if it is a local authority. However, as the article states, controls and metrics are now commoditised sediment and should make way for the discipline and process of innovation. It remains to be seen whether Central Government is serious about devolving power to locally elected representatives, or whether it will insist on maintaining it’s ‘we know best’ attitude and the associated micro-management mechanisms it has established over the past few years.

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

Government culls web sites

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest

For anyone that didn’t catch this headline on the BBC web site yesterday – "Hundreds of government websites are to be shut down "to make access to information easier" for people.Of 951 sites, only 26 will definitely stay, 551 will definitely close and hundreds more are expected to follow".

For anyone even remotely connected to the public sector, as well as ordinary citizens, this can only be good news. The proliferation of webs sites across central government is a consequence of an entrenched attitude that every project or initiative should have a web site – in fact this was usually the first thing that project teams did once they had been handed funding. No thought was ever given to what would happen to the site once the project had completed and funding no longer available.  This ‘silo thinking’ is endemic across the public sector, and created huge problems in being able to find relevant information – that could well be split across several sites. The fact that it’s easy in web-land to provide links between sites and content hasn’t occurred to many of the site owners. Removing out of date or irrelevant content is clearly a step in the right direction, and should remove some of the clutter from search engine results.

Feel free to share...Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInBuffer this pagePin on Pinterest