Shutting stable door
Over the past six months or so there have been a number of well-publicised lapses in public sector data security and best practice. The resultant investigations have made a number of recommendations that the government has committed to implementing. The good news for the channel is that most of the work will need to be outsourced.
Three reports arising from last year’s negligent loss of two unencrypted discs containing the child benefit records of 25 million families by the Revenue and Customs agency (HMRC), and another on the loss of a Ministry of Defence (MoD) laptop, were published last week.
Their recommendations constitute a very belated recognition by Whitehall that unless it sets its data-handling house thoroughly in order, the bureaucratic dream of a compulsory identity card programme has less than a snowball’s chance in hell of ever obtaining parliamentary assent.
The Poynter Review (1MB PDF)
Kieran Poynter, Chairman of PricewaterhouseCoopers, was commissioned by the Treasury to investigate the HMRC debacle. He found no data security systems at any level and made 45 recommendations. Chancellor Alistair Darling told the Commons he accepted them all.
“HMRC has made good progress on 39 of the recommendations, including 13 which have been fully implemented,” said Darling, announcing a spend of £155 million to improve HMRC data security. “Work is continuing on the remaining recommendations.”
The Independent Police Complaints Commission (144KB PDF)
The IPCC investigated the incident to establish whether any criminal conduct or disciplinary offences had been committed by HMRC staff. It found a total lack of meaningful systems, a lack of understanding of the importance of data handling and a “muddle through” ethos. So, no-one is to blame because everybody is.
The Cabinet Secretary’s Report (218KB PDF)
This is obligatory reading for anyone seeking to do business with the public sector, as all will be required to conform to the data security standards it enumerates.
“Making government work better” says the sub-title of Cabinet Secretary Sir Gus O’Donnell’s report, which does not even mention the possibility that government might collect less data, or address the elephant in the living room of whether it is advisable to consolidate it all into one juicy target.
“I am under no illusion that more still needs to be done to restore public faith in the government's ability to handle personal information safely,” said O’Donnell. “Although no organisation, public or private, can ever guarantee that it will never make a mistake, I believe the measures we are announcing today will reassure the public that we are taking the necessary measures.”
O’Donnell says government departments are “custodians” of information and proposes innovations such as the encryption of important information held on discs, USB sticks and laptops, compulsory hack-attacks to test departmental networks and security training for civil servants, and privacy impact assessments for all service delivery projects before they proceed.
The Burton Review (1.1MB PDF)
Sir Edmund Burton, chairman of the Cabinet Office’s Information Assurance Advisory Council, conducted an investigation into the loss of the MoD laptop with the personal details of 600,000 job applicants. He made 51 recommendations to prevent similar losses in future, and the MoD said it has accepted all of them and has prepared an action plan to implement them.