Danger! Mental dumping ground ahead!
Like loads of other IT people in the UK, I’ve been pretty worried about the forthcoming compulsory centralised ID database in the UK. I’ve previously written to my MP, joined ORG and tried to spread the word.
In recent months there have been at least five large-scale (10,000 people or more) data security breaches where carelessness has put unencrypted data into what is effectively the public domain.
The press have been really picking up on this and running an awful lot of related stories. The BBC at the moment are running a “Have Your Say” on the subject of “How can we safeguard our data?” (yes, I know about its general quality, thanks), and there are a worrying number of comments like this one:
The nation should have a referendum now on whether this Government is fit to remain in power.
peter gallagher, london
Recommended by 82 people
In every one of the security problems to date, its not been the direct fault of the Government, but the Civil Service. That is to say, it’s not as if Gordon Brown’s been handing out people’s details on memory sticks; regardless of who we vote for, we’ll always get the Government. Even then, you can expect things like this to happen from time to time – they’re just people after all. It’s just that there are so many things that they could have been doing for years to make life easier for themselves such as routine encryption, file transfer by internal network (such as the Government Secure Intranet), strict laptop carry-out procedures and so on (also see the Cabinet Office’s page about risk management in the public sector). I’m sure they must live with a mountain of similar procedures already for their paper assets, the same needs to apply for their electronic ones as well.
Stuart Langridge recently asked a question along the lines of “Is it my fault if I make some piece of information public, and it is used against me?” – my worry with data security isn’t that I make something public, but that someone else, like a governmental body, does it for me. What rights do I have to make sure that my data is always encrypted? What rights do I have to withdraw data from their databases? What rights do I have to be informed if my data is leaked? (OK, this last one is currently up for debate)
If the government is at the stage where it thinks it can successfully roll out large single-centre data centres (which AFAIK it hasn’t managed to previously), all these details have presumably been dealt with already. Documents like the
Data Sharing Review Consultation suggest not.