Would a data notification law improve UK data security? A panel of experts in data protection was beaten yesterday by a simple question from the floor: "Can you give us an example of good data security practice by the British Government?" The meeting, a Westminster eForum event, was to discuss what needs to be done to sort out the UK's woeful record of failing to care for its …
IMHO if someone at HMRC / MoD / <enter your preferred organisation> faced the prospect of some time at Her Majesty's pleasure we wouldn't have these problems - they'd be sorted pronto. One senior guy taking an early bath (HMRC) isn't quite in the same league as a view though prision bars.
And for good measure, wouldn't a similar regime for hospital managers help focus their minds on making sure their customers didn't catch MRSA ?
Why stop at notification when a breach occurs? That's just shutting the stable door after the horse has bolted.
I feel all organizations who store personal information should, every year, write to the person and tell them where they got the data, what the data is, and to whom they have passed this information on.
That way, anybody can challenge the accuracy of the data, and it's distribution.
This has so many areas where I am in full agreement. All the recent data losses I can recall were down to careless incompetence, either not following correct processes or not even knowing/caring if there were any. Until accountability at senior level comes in then there is no incentive to changes as there are always more drones to replace the one given the blame. Even if the drone was the person responsible for the loss, someone higher up the foodchain put them in the position to lose the data and did not explain the value of the data they had been given.
There is no value in fining a Government department since the money comes from us anyway but there would soon be a change in attitude if the line managers were required to take it on the chin for the actions of their staff.
Anyone who has specifically requested data or mobile computing capability should go regardless if they do not follow obvious protection techniques and then lose it.
it's perfectly simple and I believe the point was made in the article. Rather than waste time having pointless discussions like this we need to make it impossible/illegal for ministers to have the personal data of ANY citizen in their possession. Be it on laptops, desktops, whatever.
All such information should only be accessible via encrypted vpn's/ssh tunnels etc and anyone breaking this basic code of conduct should be sacked _immediately_ without any prospect of appeal.
For example, I work from home occasionally, if I want to look my companys internal web pages I simply proxy my web browser through an ssh tunnel. All my code is kept on machines that stay inside the company network and is nice and secure there. Through the simple use of screen I have a persistent session that I can access at any time and I never have to take any files home with me. I can forward the X session on my desktop at the company through ssh and work graphically if I want to (but I never do, who needs a GUI when you're writing OO perl, javascript, css etc).
The concept is very simple.
Most important of all is that we make it prosecutable offence to lose anyones personal data with a minimum prison sentence in the region of a couple of years.
Please please please not more laws, it is already impossible to keep up and introducing a law does not stop breaches occuring it just means that when they do they can prosecute people for them. I am sick to death of this country how when someone trips up on a blade of grass they introduce a new law to hold the gardener responsible for not cutting the grass short enough only to find there is a counter law which says if you cut the grass too short it provides no cushion for someone if they fell on it.
If DVLA hands the private data on a vehicle out to someone, anyone, even the police, for any reason and a court has not ruled that it must be kept secret, then it should be disclosed. DVLA should contact the person to notify them who received the data and for what claimed reason. What I'm saying here is that just because my car passes your plate reader doesn't mean that my details should flash up on the computer. In the absence of a crime my privacy should be protected.
If the person seeking the data has nothing to hide they have nothing to fear. If the DVLA disclosing the data was alright, they have no reason to hide it and have nothing to fear.
Likewise every RIPA request, if the request was legal and necessary and not malicious and no court has ruled that it needs to be kept secret, then it should be notified to the person being spied on. If the RIPA request was done honestly then they have nothing to hide and nothing to fear.
Likewise every data breach, 'we lost your private data, sorry, our bad'.
Or, 'we handed your private data to USA.gov cos they said you'd been naughty and stupid EU Commission declaration means we have to take their word for it, sorry'...' the information we sent was your connection history, times, dates etc.'.
You know, people have the "right to good administration", bad administration that's kept secret is not the same as "good administration". How would they know they're being treated badly if you can keep the abuse secret?
One plus point from all of these security f***ups is that I don't have to spend hours trying to convince companies that the extra £500 charge for securing their data is money well spent.
Maybe at long last I will see an end to the phenomenon of securing the most sensitive company data with a four character password, or if they want to be really secure, the word "password", both of course using the username "administrator".
Of course, there will always be some idiot who writes down any usernames and passwords on a post it note, then sticks it to the front of the server cabinet.
"every year, write to the person and tell them where they got the data, what the data is..."
Surely this is a bad idea. If I wanted to partake in identity theft - all I would have to do is wait for those letters to arrive and I could use the identitites of all the people who lived in my property before me!
Forget 'criminal' charges, can you imagine the prosect of 12 good men (or women) understanding the finer points of effective data protection and determining whether a companies process were adequate or not - not they'll just accept the government bullsh1t - "Its ok we lost all your data - it's password protected' (ha ha)
And as for the private sector, show me the CxO of a resonable sized company that actually understands the issue either. Particular with the current pressure on costs they're much more likely to take short cuts (USB sticks anyone!!)
Simple punitive tariff of penalties: -
£10M for any breach by a government depatment, local council etc.
25% of turnover for any private company
PLUS: Oblligatory sacking of MD or CEO & CTO or respective equivalents in the public sector
That would focus the mind enough methinks!
Nice idea but just no workable. Have you any idea how much personal info even a small company has? To carry out this level of processing would take ages and cost firms a substantial amount of money. Not a problem, you might say, cos they can afford it. Big firms yes, but not small firms as they're margins are so tight. There is another way - any organisation that collects personal information is legally obliged to notify the ICO and this register is public. Just contact the ICO and they'll tell how.
I agree that current sentencing is too light and there needs to be stiffer penalties including prison time and punitive fines. The current maximum fine is £5,000. Some unscrupolous bodies could make that money in a day so it's an easy write off.
Telling someone they're the subject of a RIPA autorisation is a load of bollocks too. What's the point in carrying out surveillance on someone if they know someone is watching?
What we need is a culture change, sending people to jail is following the same sort of path that the current government has introduced with the extreme porn laws, 42 days, etc, etc.
Damage to reputation will bring this about (but perhaps only when the public finally understands why it matters). Loss of job with a requirement that references / agencies must highlight the involvement that an individual had with the loss of data in previous employment might go some way towards this and I think will concentrate their minds.
Similarly firms that have had breaches should be audited for their data policies and practices. The results should be made publicly available.
Yes, the Nationwide was fined almost a million pounds, but since it is a building society, it was the customers who ended up footing the bill -- the same customers whose data had been lost, which added insult to injury.
The answer is to make the senior executives peronally liable. That, and only that, would focus their attention on the importance of data security.
Peter's idea is not far off workable.
The *disclosure* should be notified. You gave them the data, so you know they have it, but you don't control the disclosure. If small companies don't want to send out the notifications then they shouldn't disclose.
"Telling someone they're the subject of a RIPA autorisation is a load of bollocks too. What's the point in carrying out surveillance on someone if they know someone is watching?"
Get a court order if it's covert surveillance and it can be kept secret. There is a fundamental right to privacy, there is NOT a fundamental right to conduct covert surveillance. There is a right to judicial process too, there is NOT a right to BYPASS judicial process for covert surveillance.
So you don't get the 'covert' part unless a judge has said it can be covert.
So why shouldn't parents receive a letter saying they were watched last week to see if they really live in the house they claim they live in? Notification of a surveillance can necessarily only happen *after* and the parent can't go back to last week and undo what they did, so it cannot affect the outcome. If the parent feels wronged, they can complain/sue/vote out their crappy council, up to them....
Asking the panel if they had any good examples was a bit mean, but I was hoping someone would step out. Personally, I would have said the Police National Computer was a good example...but the moment you say something is good a hundred people are ready to flame you over why it is naff. I don't blame them for not taking that risk. On the main issue of your article, I remain unconvinced either way at this stage. I think things will take a bigger step forward when new technology creates radical process changes in the public sector, rather than being used to map existing ones. I also think that idea isn't particularly new or clever - just hard to do in practice. By the way, this is my own view, and not an official BCS pronouncement! More of the same here - www.bcs.org/blogs/davidevans
In the case of government/public sector/military there shouldn't be an option. It should be prison - not for the drone but whoever heads the department. In the private sector it should be senior management who goes to prison and the company gets heavily fined. I think you would only need one example.
Meanwhile they are only discussing what 'needs' to be done. It will take years for anything to happen. By then it will be so watered down that it will end up no different from what it is today. This should also apply to data pimping ISP's.
That's my prediction. As one who has already had personal data lost, thanks to this government, I sure as hell would like to be proved wrong.
Any proposal that would increase the business administration costs imposed on our stakeholder/partners would be considered by the government to be both oppressive and burdensome and entirely at odds with our responsibility to ensure that consumers make themselves available for maximum exploitation at all times so that we can guarantee the stability of our economic system.
With regard to data integrity, you will be aware that we have spent many billions of your tax-pounds to support our partners in the IT industry and the fruits of that investment will shortly become apparent with the introduction of a new national ID database and a shiny new plastic ID card. While we do not regard this as a panacea for all the problems we face in a world that is increasingly populated with terrorists we are confident that once you have purchased your ID card (compulsory, and a snip at a mere 120 quid) you will be protected from terrorists, muggers, lightning strikes, illegal immigrants, traffic wardens, beetle infestations, spam, malware and possibly even asteroid strikes. Trust us, we're NuLabour.
Gordon & Alistair
It seems insane to me that where you have confidentiality breaches which can facilitate criminal activity (whether through malicious data breaches or inadvertant loss) you shouldn't have criminal penalties!
The Information Commissioner has long been criticised as a paper tiger in terms of its ability to reprimand and deter breaches of private data, and the recent events have made this all the more urgent.
The only reason I can see that criminal penalties have NOT been included in the DPA1998 is because it would potentially mean that government employees (yes that includes you, senior HMRC figures) would face jailtime for their carelessness with the lowly and undeserving minions data. Rightly so, and not before time.
So, if I'm a manager in an organisation which is covered by all this, and one of my staff makes a foul-up that results in a breach - then I go to jail !? The only way I'll accept that job is if I have the power to fire any employee in my department, at a moments notice with no justification required. If someone decides they'd like to see me put away, all they need to do is 'loose' some sensitive data and I carry the can.
Even if the trial finds me not guilty (even with the press baying for my blood) I'll be seen as a liability in any future job and be passed over for promotion, assuming I'm allowed to keep my job.
If any of those sneaky devils as much as looks at me in a funny way, I'll know they're up to something and I'm being set up for a criminal prosecution. 'You don't have to be paranoid to work here but it helps.'
"Personally, I would have said the Police National Computer was a good example...but the moment you say something is good a hundred people are ready to flame you over why it is naff."
"The most recent PNC audit report published by HMIC, that of Avon and Somerset Constabulary, noted that 22 per cent of records that had already been checked by supervisors still contained an error. The error rate concerned a sample of records input in recent months. Old data, which might contain more errors, is not audited."
http://www.theregister.co.uk/2006/05/26/bichard_part3/ 26th May 2006
I didn't want to disappoint. Have things changed much since then?
The best way to deal with these breaches is to hold the Senior Management - Board members, CxOs, Directors, senior civil servant/minister etc personally, financially responsible.
At this point you can guarantee that they'll start to take notice of data security, as a few thousand lost records means no fifth house!
Plus, there's none of that 'Government fines Government Dept' paper-shuffling nonsense, and the shareholders, customers and rate payers don't actually take the hit.
Given that 'corporate manslaughter' exists, this sort of thing's a fairly simple extension.
Shame it'll probably never happen.
A more realistic start would be obligatory public notification of data breaches, in newspapers and on TV. If customers know that Bank X loses data often, then maybe they'll try harder.
There'd need to be extremely stiff (and preferably personal) penalties for failing to notify the public though, or it really wouldn't work.
"anyone breaking this basic code of conduct should be sacked _immediately_ without any prospect of appeal."
Not only sacked but criminal charges pressed and a high probability of jail time.
Personal data is a serious matter and should be treated seriously by serious people, not morons who leave government laptops in the back seats of cars.
Anyone who carelessly allows a breach of confidential data and/or personal data should be classed as a terrorist and incarcerated for 42 days without charge and then thrown in prison for 10 years for refusing to give up their passwords.
Or maybe we should adopt sharia law (and why not) and cut off one of their hands. doubtul they will make the same mistake twice. And if they do, there certainly won't be a third leak from that particular chappie.
No.
Because as many have already said 'the horse has already bolted'. However, such a notification would be welcome because at least the dept./organisation would be required to 'fess up to the mess.
To really solve this, training and attitude across the board needs to be examined and sorted out. Breaches like the following must occur more frequently than any of us can know: I recently renewed my home insurance. Stapled to the hunk of home insurance documents I received was the full motor insurance details of another customer, complete with car reg/driving licence/home address/named driver details. The attitude from the insurance company towards this data leak when I notified them was "oh the documents all get printed on the same printer and must have got mixed together". HELLO? BRAIN? Wakey wakey. I phoned the other customer (probably a breach in itself) to at least put him in the picture and then as requested promptly shredded the documents. Good job that Joe Public is honest and well meaning eh.
Flames icon, best place for documents you're not supposed to be in possession of.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
