At this rate.....
....it would be easier for them to pick up on Intel's new idea (Google's old idea!) about portable datacentres....then they could lose the lot without having to bother with burning data to CDs in the first place!
Her Majesty's Revenue and Customs (HMRC) has lost two further CDs containing private information. Staff at HMRC have told police that another two CDs are missing, according to the Times. They contain information on thousands of people and were sent to offices in London, but have yet to appear. We called the Met, but it …
Every business that has outsourced its IT or has remote call centres has a gaping hole in its security. None of these companies has complete control over its data - most won't even know where it all is (there could be copies all over the place, unknown to the "owner").
Outsourcing usually goes to the lowest-price bidder. That in itself is not compatible with top-quality security (security == delays, reviews, processes, permission, authorisation, audits ....). Add to this that the outsourcer will employ people predicated on salary, not professionalism.
Question: can you apply UK data security laws if the IT operation is run in another country? Or is that one of its "benefits"?
Sending personal data in this way has been happening on and off since I started with <small NHS trust in Scotland>. On at least one occasion, central offices have requested details of our entire payroll (thousands of staff) including addresses and bank account details, e.g. for the purposes of fraud prevention - the so-called National Fraud Initiative. I know that this initiative involves other major government financial agencies, principally the Benefits Agency, and continues right down to local government housing benefit and employment records etc.
Our local data protection officer offers no resistance to this practice and, when challenged on the matter, insists that sending the discs is allowable within the provisions of the DPA - i.e. the all-encompassing "anti fraud" clause.
What's more, these discs are actually sent twice - once from the payroll providers to our office for review and release (by computer-illiterate middle management) then a second time from our office to whatever agency has requested the data. The data is password "protected" with weak encryption and a weak password. Anyone with basic knowledge and software could get at the data with a simple dictionary attack within seconds.
I hope to f*ck this really blows up in some senior faces because I know that even within our small trust, this practice is green-lighted by board-level execs.
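The post above says a password-"protected" disc with a weak password falls to a dictionary attack within seconds. The following is an added illustration, not code from the poster or from any HMRC or NHS system. It assumes a toy protection scheme (a SHA-256 counter-mode keystream keyed by a single unsalted SHA-1 of the password), a constructed five-word wordlist and a constructed payroll CSV; the attacker recovers the password by trying mangled dictionary words and checking the decrypted bytes against the known CSV header, exactly as archive crackers test a known file signature. A second variant keys the same cipher with salted PBKDF2 to show that stretching slows each guess but does not save a guessable password.

```python
"""Dictionary attack on a weakly password-protected data export (constructed example)."""
import hashlib
import os
import time
from typing import Callable, Iterable, Optional, Tuple

# Constructed known plaintext: the attacker expects a payroll CSV, so the
# header is the 'signature' used to recognise a correct guess.
HEADER = b"NI_number,Surname,Sort_code,Account\n"
SAMPLE = HEADER + b"AB123456C,Smith,12-34-56,12345678\nCD654321A,Jones,65-43-21,87654321\n"

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["trust", "payroll", "password", "finance", "welcome"]

Kdf = Callable[[str, bytes], bytes]


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || counter). Prefix-stable, so a
    guess can be verified against only the first bytes of the ciphertext."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def weak_kdf(password: str, salt: bytes = b"") -> bytes:
    """Unsalted, unstretched: one SHA-1 per guess (salt ignored on purpose)."""
    return hashlib.sha1(password.encode()).digest()


def stretched_kdf(password: str, salt: bytes, iterations: int = 20_000) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: each guess costs 20 000 HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def protect(plaintext: bytes, password: str, kdf: Kdf, salt: bytes) -> bytes:
    """Produce the 'protected' blob: salt (possibly empty) followed by ciphertext."""
    return salt + xor_crypt(kdf(password, salt), plaintext)


def unprotect(blob: bytes, password: str, kdf: Kdf, salt_len: int) -> bytes:
    salt, ct = blob[:salt_len], blob[salt_len:]
    return xor_crypt(kdf(password, salt), ct)


def candidates(word: str) -> Iterable[str]:
    """Cheap mangling rules applied to every base word (11 variants each)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2007"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(blob: bytes, wordlist: Iterable[str], kdf: Kdf,
                      salt_len: int) -> Tuple[Optional[str], int]:
    """Return (recovered password or None, number of guesses made)."""
    salt, ct = blob[:salt_len], blob[salt_len:]
    head = ct[:len(HEADER)]
    tried = 0
    for word in wordlist:
        for cand in candidates(word):
            tried += 1
            if xor_crypt(kdf(cand, salt), head) == HEADER:   # known-plaintext check
                return cand, tried
    return None, tried


def guess_rate(kdf: Kdf, salt: bytes, n: int = 50) -> float:
    """Rough guesses/second for a KDF; shows why stretching matters."""
    start = time.perf_counter()
    for i in range(n):
        kdf(f"guess{i}", salt)
    return n / (time.perf_counter() - start)


def attack_weak_disc() -> Tuple[Optional[str], int]:
    blob = protect(SAMPLE, "Payroll2007", weak_kdf, b"")
    return dictionary_attack(blob, WORDLIST, weak_kdf, 0)


def attack_stretched_disc() -> Tuple[Optional[str], int]:
    blob = protect(SAMPLE, "Payroll2007", stretched_kdf, os.urandom(16))
    return dictionary_attack(blob, WORDLIST, stretched_kdf, 16)


def attack_unguessable_password() -> Tuple[Optional[str], int]:
    blob = protect(SAMPLE, "tram-velvet-41-kestrel", weak_kdf, b"")
    return dictionary_attack(blob, WORDLIST, weak_kdf, 0)


if __name__ == "__main__":
    print("weak scheme:      ", attack_weak_disc())
    print("stretched scheme: ", attack_stretched_disc())
    print("strong password:  ", attack_unguessable_password())
    print(f"weak kdf ~{guess_rate(weak_kdf, b''):,.0f} guesses/s, "
          f"pbkdf2 ~{guess_rate(stretched_kdf, b'salt'):,.0f} guesses/s")
```

Both the unsalted SHA-1 variant and the PBKDF2 variant give up "Payroll2007" on the 22nd guess; the only difference is that each PBKDF2 guess costs thousands of times more, which buys time but not safety against a password built from a dictionary word and a year. The passphrase not derivable from the wordlist is never found, which is the property a disc sent through the post actually needs.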
Way back when I was working for da police in Gloucestershire...each day sensitive material (cases involving rape, child abuse etc) had to be sealed and driven to court by an actual police officer. One week there was no-one to do it, so every day I would stroll across town with this nasty stuff under my arm. Pretty scary, I felt, that it should fall to me, a perpetually hung-over student, to make sure this material got to its intended location - thing is, I was background checked and had to sign the Official Secrets Act before I could even get into police HQ.
Yes, I was a 'junior staff member' with access to a lot of sensitive info, but had anything happened it wouldn't have been too difficult to trace the source of any leak. Who is accountable, then, for the loss of an entire nation's personal details?
According to the Data Protection Act:
As an individual you may claim compensation from the data controller for damage or distress caused by any contravention by a data controller under the requirements of the Data Protection Act.
The laughable thing is we'd end up paying for our own compensation.
... so we have gov't, NHS, what about education, just think how many schools and colleges hold data on their students. FE and HE are slightly more comprehensive as well, as fee paying students will have had to register their payment details. How up on Data Protection are these institutes?
My brother, having lived in France for years, reached pension age a while ago. So he contacted the DHSS for the first time in years, and gave them the brand new address he'd just moved to.
As he says: "It was notable that I received the El Gordo scam when ONLY the DHSS had my new address."
I can't vouch for any other LEAs but certainly all the schools in Northumberland are transmitting their data between sites (within the LEA) securely. There are several methods in place for this (I won't go into details here) and one of the lesser used (because it hardly ever works properly and is a pain in the ass) is the DfES secure data transfer site. It requires a pretty secure password (so all the secretaries write it in their SIMS manuals for the time when they need to send data) to access an SSL-encrypted site where the school can place files into the destination school's area of the site. The destination then receives an email to inform them there are new files waiting and they can log in and download them.
Have you ever tried to do this? I have, and it's an absolute minefield of grey areas. Quite apart from the fact that actually reporting anything to the IC is near-impossible at the best of times, once anyone says the magic words "fraud prevention" it's like "well no we need to supply all this data because, duh, they're the Good Guys - what's your problem, do you have something to hide?"
...is that I am so disillusioned with any British bureaucracy that I am actually not surprised by these revelations.
I already know that the DVLA give out details to pretty much anyone with £5 and a vague reason. NHS trusts always seem to be in the news for lax data security. The Inland Revenue's own auditors apparently can't even sign off their department's figures because they don't know what they are. Banks leave confidential data in bin-bags on the streets. Even if you're added by mistake, you can't be removed from the DNA database. In fact, I can't think of a single Government database which is a shining example of efficiency, security and best practice. How can this self-evidently incompetent, blame-dodging bunch of numpties think they can keep blaming junior staff who, inexplicably, have unfettered access way in excess of their position? And how can they seriously expect us to think it will somehow be better when ID cards are introduced? It beggars belief!
But is it better in Europe? No, the EC's auditors have again refused to sign off the whole of Europe's accounts due to endemic corruption...
Just had a significant thought there, what with this being child benefit records and all: surely there will be a big chunk of data relating to children's mothers' maiden names.
If this data did end up in nefarious hands, perhaps it will rear its head in 15 or so years when the children listed open bank accounts etc....?
The majority of the fire service's activities are based around prevention rather than cure. This is perfectly sensible but there are still fires that they have to put out, people cut out of cars and cats recovered from trees.
There are all sorts of proactive ways to 'ensure' data security on computers or other devices but let's face it, computers and their data are stolen. This cannot be denied, all over the modern world. When this happens it is not good enough to blame a junior official or to dissect internal procedures. Somebody has to react. In the recent case of the HMRC disks the police are now scraping around in landfills, hoping for the best. But with computers, in particular mobile computers, this needn't be the case.
A stolen laptop can be located anywhere in the world that there is a mobile phone signal (quite some estate) and before a potential data thief can start probing the contents the data can be deleted to US Department of Defense standards (seven sector sweeps). Surely this method provides a level of reassurance not previously available.
I have seen companies such as Virtual Network Partners who claim to be able to offer a similar service to this. There is more information at www.virtualnetworkpartners.eu