Safeguarding our data

20 January, 2008

Danger! Mental dumping ground ahead!

Like loads of other IT people in the UK, I’ve been pretty worried about the forthcoming compulsory centralised ID database in the UK. I’ve previously written to my MP, joined ORG and tried to spread the word.

In recent months there have been at least five large-scale (10,000 people or more) data security breaches where carelessness has put unencrypted data into what is effectively the public domain.

The press have been really picking up on this and running an awful lot of related stories. The BBC at the moment are running a “Have Your Say” on the subject of “How can we safeguard our data?” (yes, I know about its general quality, thanks), and there are a worrying number of comments like this one:

The nation should have a referendum now on whether this Government is fit to remain in power.

peter gallagher, london

Recommended by 82 people

In every one of the security problems to date, it’s not been the direct fault of the Government, but the Civil Service. That is to say, it’s not as if Gordon Brown’s been handing out people’s details on memory sticks; regardless of who we vote for, we’ll always get the Government. Even then, you can expect things like this to happen from time to time – they’re just people after all. It’s just that there are so many things that they could have been doing for years to make life easier for themselves such as routine encryption, file transfer by internal network (such as the Government Secure Intranet), strict laptop carry-out procedures and so on (also see the Cabinet Office’s page about risk management in the public sector). I’m sure they must live with a mountain of similar procedures already for their paper assets; the same needs to apply for their electronic ones as well.

Stuart Langridge recently asked a question along the lines of “Is it my fault if I make some piece of information public, and it is used against me?” – my worry with data security isn’t that I make something public, but that someone else, like a governmental body, does it for me. What rights do I have to make sure that my data is always encrypted? What rights do I have to withdraw data from their databases? What rights do I have to be informed if my data is leaked? (OK, this last one is currently up for debate)

If the government is at the stage where it thinks it can successfully roll out large single-centre data centres (which AFAIK it hasn’t managed to previously), all these details have presumably been dealt with already. Documents like the Data Sharing Review Consultation suggest not.



Stuart Langridge
21 January, 2008 at 07:21

What rights do I have to make sure that my data is always encrypted? What rights do I have to withdraw data from their databases? What rights do I have to be informed if my data is leaked?

Pretty much none, none, and none, respectively. The Information Commissioner is a voice in the wind on this sort of thing, tragically enough. I appreciate that it’s the civil service rather than the government who are actually the problem here, but the government could compel the civil service to actually _give a toss_ about our data without even trying hard, and they’re not doing it.

21 January, 2008 at 11:33

Perhaps it would make sense to have the same rights for data held by either the public or private sector; I doubt the latter are enforced very strongly either though.

23 February, 2008 at 02:00

If you’re interested in keeping an eye on the steady stream of data security breaches, the Open Rights Group keeps an up-to-date list here: UK Privacy Debacles, and keeps track of the never-ending stories related to the lost computer discs scandal at HM Revenue and Customs.