It hardly matters if private companies can't see it
Given that its own staff bleed risk, it shirley is less than important that outside companies are more restricted in their viewing rights. Horses, bolted, door, barn.
The Department for Work and Pensions has disclosed that 124 council employees illicitly viewed personal data on its Customer Information System last year. A Freedom of Information request by GC News revealed that local authorities dismissed 26 employees during 2009-10 for breaching data security. The department's response …
"It also disclosed that no private companies, other than its own IT service providers and those contracted by councils to deliver services, such as BT, are able to access the CIS. It stressed that private sector companies are only able to do so on a restricted basis."
So, which one is it? No private company, or a whole bunch of IT suppliers (anybody knows how many are there) working with councils, or all private companies, but on a 'restricted' basis?
My first job at a major IT house was to replace a legacy pensions system - we had to clean up the data and move it onto the new platform. It was very common for data to be corrupted (due to the age of the old system and disagreements from satellite systems.) If we had "lost" a customer or their addresses didn't tally across systems, we sent their National Insurance number to the DSS and they sent us back their address, if they knew it, so that we could re-unite them with their pensions.
(I never managed to get my head round how someone could forget that they had a pension, but there you have it.)
Access is granted to just a few, but there will always be the "I'll let my mate have a peek" types, or "I'll leave that logged on while I nip to the toilet" episodes. It doesn't matter how few people have authorised access, there will be ways for unauthorised people to get a glimpse. Human nature being what it is, people like to see what they are not allowed to see, and frequently, they will succeed.
then they've already analysed everybody's profiles and are targeting them with 'relevant' ads.
Given that some people may have accessed their own accounts, surely they can't be sacked for that? They have a right to see what information is held on themselves per the DPA... Or are they denied access to their own information? Glossing over the technicalities and ethics a little, but on the face of it that particular scenario seems a bit arse backwards.
> ... and are targeting them with 'relevant' ads.
You know, I almost responded with a "don't be silly" but then realised it must have been typed in jest. Sometimes I take things very literally.
However, when you say "They have a right to see what information is held on themselves per the DPA" I have to say, they probably do but only by applying to DWP, the owners of the data, and asking for it. I doubt very much that they would be allowed to just look it up themselves. Remember these are council employees given express permission by DWP to use CIS for a specific reason.
Suggest we have a Pedant Alert icon!
So, in the article it switches from 124 employees in the first sentence, to 124 breaches later, does that mean there were in fact 124 separate accesses, each by a separate employee? Or were there 24 employees investigated, who may have looked at any number of records each? Or were there 124 accesses, with some overlap in who did them?
And one would assume that (most of) these employees were those caught by an audit process, i.e. they would have regular access to the database as part of their job role, but an audit of a random selection of accesses showed that in these cases they had no justification for looking at the records in question. This would mean that statistically, there could be a much larger number of breaches, a number which could easily be estimated if the percentage of audited transactions vs the number of total transactions were known.
This would be a useful figure to know and one would have thought another FOI request would have winged its way over about that.