There has been another loss of personal data, this time by the Ministry of Defence’s main IT contractor. According to media reports, the removable hard drive may contain unencrypted data on bank accounts, driving licences, passport numbers, dates of birth, addresses, and telephone numbers. In short, more than enough material for identity theft.
The need to enhance security of personal data is clearly pressing. The focus tends to be on physical protection, ensuring that the information is protected in such a way as not to fall into the hands of those who should not have access to it. However secure such systems, there is always the danger of human error. However, the issue is not simply the loss of data but the volume of data held on individuals. If data are held in different places, one reduces the likelihood of details sufficient for identity theft being lost. Would one way forward, therefore, be to prescribe that certain personal data must be held separate from other data (prohibiting, say, dates of birth being held alongside family details or bank account details)? Or is that likely to prove too inconvenient (requiring those with legitimate reason to see the data to access different sources) or insufficient to prevent identity theft (where relatively little information appears to be needed)? Or should protection of personal data be paramount to the extent that there is a statutory ban on holding all such data in one place? And should identity cards, if introduced, contain a minimum of personal information?

Dear Lord Norton,
I think the solution on ID cards is a simple one: don’t introduce them. That would save a lot of money which should be a Government priority given how much of our money it is currently spending!
How ridiculous.
It is difficult enough to work out a solution as it is without then trying to make the solution work technically.
One approach is to realise that all of these details are pieces of ‘factual information’. They can never be changed and once exposed they are useless as a form of security. They can be used together to uniquely identify someone simply because of the large number of permutations, but they should not be used as an ID in themselves.
The security mantra is you can have access if you have something (a smart card, key, biometrics), or know something (passwords, dob or other facts).
If we now assume that the factual information can no longer be protected (or is so difficult to protect it becomes impractical) then we can fall back onto something we have.
If we legislated so that all sensitive transactions needed to be authorised using biometrics then knowing all these facts would be insufficient to give you access.
In other words make the information worthless, rather than try to hide it.
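As an added illustration of the point made in the comment above (example code written for this page, not the commenter's own), here is the "something you have" factor as a minimal challenge-response scheme in Go. The server accepts a transaction only if the response is an HMAC over a fresh nonce under a secret that was generated at enrolment and lives on the user's device; the weak alternative, matching a stored fact such as a date of birth, is shown beside it. The user name, date of birth, the attacker's guessed secret and the field names are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Device is the "something you have": a secret generated at enrolment that
// never appears in any record that could be lost on a disk.
type Device struct {
	secret []byte
}

// Respond answers a challenge with HMAC-SHA256 under the device secret.
func (d *Device) Respond(challenge []byte) []byte {
	mac := hmac.New(sha256.New, d.secret)
	mac.Write(challenge)
	return mac.Sum(nil)
}

// Server holds each user's device secret next to the "factual" data
// (a constructed date of birth) that a lost drive would expose.
type Server struct {
	deviceSecrets map[string][]byte
	dob           map[string]string
}

// Enrol stores a fresh 256-bit secret for user and hands it to the device.
func (s *Server) Enrol(user, dob string) (*Device, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	s.deviceSecrets[user] = secret
	s.dob[user] = dob
	return &Device{secret: secret}, nil
}

// Challenge issues a fresh random nonce per transaction so that a captured
// response cannot be replayed against a later one.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify recomputes the expected HMAC and compares it in constant time.
func (s *Server) Verify(user string, challenge, response []byte) bool {
	secret, ok := s.deviceSecrets[user]
	if !ok {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(challenge)
	return hmac.Equal(mac.Sum(nil), response)
}

// VerifyByFacts is the weak scheme the comment argues against: a static
// fact is accepted as proof, so anyone holding the leaked records passes.
func (s *Server) VerifyByFacts(user, dob string) bool {
	stored, ok := s.dob[user]
	return ok && stored == dob
}

// AuthOutcome records which checks each party passed.
type AuthOutcome struct {
	FactsPass, AttackerPass, DevicePass, ReplayPass bool
}

// Demo enrols one constructed user, then runs the weak check with the
// leaked fact, the strong check for an attacker who knows the fact but lacks
// the device, the strong check for the genuine device, and a replay attempt.
func Demo() (AuthOutcome, error) {
	var out AuthOutcome
	srv := &Server{deviceSecrets: map[string][]byte{}, dob: map[string]string{}}
	dev, err := srv.Enrol("alice", "1970-01-01")
	if err != nil {
		return out, err
	}
	out.FactsPass = srv.VerifyByFacts("alice", "1970-01-01")
	// The attacker holds every fact from the lost disk but no device secret.
	attacker := &Device{secret: []byte("alice:1970-01-01")}
	c1, err := srv.Challenge()
	if err != nil {
		return out, err
	}
	out.AttackerPass = srv.Verify("alice", c1, attacker.Respond(c1))
	r1 := dev.Respond(c1)
	out.DevicePass = srv.Verify("alice", c1, r1)
	// A response captured for c1 must not satisfy a later challenge.
	c2, err := srv.Challenge()
	if err != nil {
		return out, err
	}
	out.ReplayPass = srv.Verify("alice", c2, r1)
	return out, nil
}
```

Running Demo gives FactsPass true (the leaked record is enough for the weak check), AttackerPass false, DevicePass true and ReplayPass false. Two details matter in practice: the nonce must be fresh per transaction, otherwise a recorded response is as good as the device, and the comparison must be constant time (hmac.Equal) so that the server does not leak the expected value byte by byte.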
Another key point is that the disk has been lost – this has been going on for years, companies are always losing things. It has not proved to be a problem in the past, it’s only media sensitivity that’s the problem.
We don’t know where the disk is or what it contains – yes that’s a risk, but how big?
I don’t think any general solution based on separating personal data is going to work well – presumably that data was collected for a reason.
There’s a key theme in all of these reports of UK Govt and its contractors losing data – they are losing it physically. Simple question. WHY are people transferring data (any data) on USB keys, CD drives, removable hard drives, laptops etc. There is a technology that obsoletes all of those …. it’s called a network, and we’ve been building them for decades.
I work for a large, very well known software company that routinely handles extremely sensitive data. This company has a perfect track record: personal data has never been “lost in transit”. The reason is straightforward: that data never – ever – leaves secure datacenters. When that data moves between those datacenters it does so in encrypted form via dedicated fibre links.
I very strongly suspect that the root problem here is lack of adequate tools and internal connectivity to make securely transferring data easy, which in turn must be rooted in poorly skilled or poorly staffed (government) IT departments. I know that this case was a contractor, but all that shows is that the MoD was not holding its partners to a high standard, probably because it can’t meet such a standard itself.
If you want to stem the bleeding of critical data from government agencies, the best solution is to take a long, hard look at IT facilities and training across organisations – then fix them.
The British people had Identity Cards in the last war. A real war with bombs raining down day and night, and night after night, with many people killed – more than were killed when the two towers were destroyed by terrorists. All they had on those cards was the person’s name (maybe an address, I cannot know the latter for sure), and a number.
After the loss of all the private and important details which are supposed to be secure, if called for an interview for a compulsory ID Card, the only details I will give are the same as were on the only ID cards that were issued to the free people of this Country in living memory. They are or were FREE because of those that gave their lives in that war.
I am aware that this Government are not going to take prisoners, but as I will be living in a SHED by then, they can take what possessions they might find.
I think Lord Norton is absolutely right to point out that human error will always thwart any technical fix that is put forward to prevent data loss. In a world where information about individuals is increasingly valuable, it seems that the only reasonable response is to limit the amount of data that is collected.
Of course, some data will have to be collected, so we do need something of a technical fix – and encryption would be a step in the right direction. Why not force all government laptops to use full-disk encryption? It’s (nearly) transparent to the user, and makes it much more difficult for a lost laptop to turn into a privacy loss.
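Mike’s encrypted inter-datacentre links and the full-disk encryption suggested in the comment above rest on the same primitive: the data is unreadable and unmodifiable without a key that travels separately from the drive. As an added example (written for this page, not code from either commenter), this Go block seals a records export with AES-256-GCM and checks the failure modes a practitioner would test for: a one-bit change to the blob, the wrong key, and the wrong associated-data label all fail closed. The record contents and the label string are constructed; nothing here is taken from the MoD case.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewKey returns a random 256-bit key. It travels separately from the media
// (never on the same drive) and lives in the receiving site's key store.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext with AES-256-GCM and returns
// nonce || ciphertext || tag. label is authenticated but not encrypted, so
// a blob cannot be passed off as a different export.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal and fails closed on any change to nonce, ciphertext,
// tag or label, or on a wrong key.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	return gcm.Open(nil, blob[:n], blob[n:], label)
}

// records is a constructed sample of the kind of data the thread discusses.
var records = []byte("name,dob,account\n" +
	"A. Example,1970-01-01,12345678\n" +
	"B. Example,1985-06-30,87654321\n")

// label is a constructed purpose tag bound to the blob as associated data.
var label = []byte("constructed-export-2008")

type CryptoOutcome struct {
	RoundTrip, TamperDetected, WrongKeyDetected, WrongLabelDetected bool
}

// Demo seals the records, then shows that they decrypt with the right key
// and label but not after a one-bit change, with another key, or another label.
func Demo() (CryptoOutcome, error) {
	var out CryptoOutcome
	key, err := NewKey()
	if err != nil {
		return out, err
	}
	blob, err := Seal(key, records, label)
	if err != nil {
		return out, err
	}
	got, err := Open(key, blob, label)
	out.RoundTrip = err == nil && bytes.Equal(got, records)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit inside the ciphertext
	_, err = Open(key, tampered, label)
	out.TamperDetected = err != nil

	otherKey, err := NewKey()
	if err != nil {
		return out, err
	}
	_, err = Open(otherKey, blob, label)
	out.WrongKeyDetected = err != nil

	_, err = Open(key, blob, []byte("constructed-other-export"))
	out.WrongLabelDetected = err != nil
	return out, nil
}
```

Two caveats when turning this into a transfer procedure: a random 96-bit GCM nonce is fine for a single export but must never repeat under the same key, so a long-lived key needs a counter or periodic rekeying; and encrypting the drive achieves nothing if the key is stored on the same media or written down in the laptop bag, which is the same human-error point Lord Norton makes about the drive itself.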
Lord Norton,
You’re right on the money, as usual. Things will only get worse as more and more personal data is stored by the government. You don’t have to be a network security engineer to understand the principle of placing all of your eggs in one basket. When the latest scheme, the £12bn IMP, gets going it will not only be that one basket but also not fit for purpose. Analysis available here: http://www.theregister.co.uk/2008/10/08/us_gov_data_mining_report/
Someone else who appears to have ‘lost’ their identity..
“Peter Mandelson has revealed he will sit in the Lords under the full title of Baron Mandelson of Foy in the county of Herefordshire and Hartlepool in the county of Durham.”
Do me a favour…- will he be doing pantomime this year ???
Good pub quiz question though…
After the child benefit data loss, colleagues who work at a government-owned lab next door to us were told they couldn’t take their laptops off-site. Simple as that. Eventually, standard encryption software was chosen, and now they have to use it if they will take the machine away. Of course, as they are scientists, very few, except maybe managers or a few in HR, will have personal data on their machines; more likely it’ll be experimental data, no use to identity thieves.
As Mike points out, no data should be taken away on physical media. Everything should be done over a secure network link. Even ignoring for a moment the possibility of data loss, what the employees are doing is incredibly bad practice for a number of reasons: not least, it means they aren’t working with the latest dataset, and also that they are accessing all records not just those they require. It just shows that they don’t know what they are doing, really.
As for Lord Mandelson, having two territorial designations is not that unusual, and where the peer also has a placename in his title, it can mean including three different places: last year, Nicholas Stern became Baron Stern of Brentford, of Elsted in the County of West Sussex and of Wimbledon in the London Borough of Merton!
I think the Lords (and their elected colleagues) would do very well to look at Germany and how it treats personal data. Germany has very strong privacy laws which companies take very seriously. For example, once a phone company has billed a phone call it can’t keep the data in an identifiable manner, so it has to anonymise it. They do this because the law holds data privacy very highly and the penalties for failure are very high.

The UK’s Data Protection Act was pioneering in many ways when it was introduced, in identifying the importance of data about you held by other people. The core pillars of information security and access to one’s own data are good foundations to build on. Unfortunately the prevailing wind in the last 10 years has been towards ever greater centralisation of government data along with an “Allow all” access policy that assumes as wide a collection of government officials as possible can have access to the data. This culture of data warehousing inevitably leads to situations like the many losses of data reported over the last few months. If the government has such a lax approach to privacy (and seems so free of legal consequences) the private sector can’t be far behind in treating the DPA as an optional extra.

I urge the house to look closely at legislation in our fellow European countries and consider how we can instill a culture of respect for personal information and a default “Deny All” access policy that puts individual privacy first. When the DPA was first introduced not many people realised the consequences of bits of information about you being stored on computers. Now awareness of data security is growing, perhaps it’s time we came up with some new laws and regulations fitting for the information age?
There is not one ID card or information on a Data base that has prevented a Terrorists’ action.
As long as a sovereign Government has no control over its own borders, or has agreed to transfer authority over those borders to foreigners, or has “welcomed” the thought of one EU state and treats the English Channel as a little brook, there is absolutely no point in having ID Cards at all.
Millions of illegal immigrants have come into this Country over quite a number of years now, and along with them, perhaps mingling with them and unknown to those that wanted a better life here in the UK, have been terrorists.
It is too late now to even expect the cooperation of the British born people here in the UK. Why should the people of this Country continue to vote for or continue to pay “wages” and or vast expenses to those that sit on green or red benches in our Parliament when they have, willingly and eagerly through EU Treaties, transferred PERMANENTLY sovereignty (authority) over many areas that our own Government should be legislating for ourselves?
If no one voted for any MP come the next General election, what would happen? If they only voted for known Eurosceptics what would happen? Some times DREAMS DO COME TRUE.
There are a number of reported cases of abuse of our data by people who have legitimate access, let alone people who gain access illegitimately (perhaps by stealing a laptop or finding a USB stick on a train).
The principles in Part 1 of the Data Protection Act are sound. It is a pity they are increasingly ignored, as Alex Bonee pointed out earlier.
At best, the ID card and intrusive database (the National Identity Register) scheme could be said to be an attempt at a one-size-fits-all solution – but that is part of the problem. It will not bring the benefits the Government claims, it will not make a difference in some areas and make other areas worse, it will cost at least double the estimate, and the Government has been dishonest about it. It should be scrapped.
I must add, if I may, that we should not only consider a proposal on its individual merits but also how it fits into the overall picture, which includes:
Possibly the highest number of CCTVs per square mile of any nation?
The National Identity Register, the database behind the ID scheme, will not only contain all sorts of information related to the identity we have been assigned, but also record every transaction that involves us proving our identity – look at the (non-exhaustive) list of organisations and the benefits page on the IPS website, for examples of when this will occur.
ContactPoint, a directory of all children from birth, their names and addresses, the details of their parents, the institutions and agencies they have been and are in contact with.
The NHS medical records database, containing our names, addresses, and medical history etc.
Criminal Records Bureau checks that not only reveal convictions but also unproven (and possibly unfounded) allegations.
The above contributing to a complete picture of our personal lives.
Automatic Number Plate Recognition will record all our journeys involving road vehicles. Currently the Passenger Name Record system records our air travel, but there are proposals to record our train and boat journeys too, as your Lordships in the Select Committee on the European Union learned earlier this year. Congestion charge schemes and Oyster card schemes are being introduced outside of London. There will be a complete picture where we have been.
The Intercept Modernisation Programme will record details of our communications (our phone calls, our emails, our web searches etc) – not the content (not yet!), but who has contacted who, at what time, on what date, from what mobile phone cell, phone number, or IP address, how long / large the communication was etc. So there will be a picture of our social and professional networks.
Why does there need to be such intense surveillance at such a personal level?
I do not believe this Government has malign intentions. Sure, some of them are poorly thought through, and incompetently deployed, but they aren’t evil. However, I do believe we should spend some time to consider where we are going with this and where we might end up.
We have been “given” so many RIGHTS, by the UN, EU and our own beloved Government that we are awash with them. So why do we feel like prisoners, watched every minute of the day, oppressed, downtrodden and IN FEAR of saying or doing the wrong thing?
We may be fined heavily for leaving a bin lid higher than its resting place on the bin, or given a criminal record if we accidentally drop a piece of paper in the street. Now it looks as if our phone-calls, e-mails, any visits to certain places may be monitored and shared with other organisations. Perhaps soon we may ALL have criminal records, in fact perhaps some ‘welcome’ that day. But once everyone has lost that precious CLEAN RECORD, people have nothing left to lose. We can all go on the merry roundabout of crime, doing just what we like, taking what we want without having to pay for it in money and where criminals get better treated than the innocent.
Why did we fight in the last war? Why did so many die in that war? Our Daily lives were cowering in Anderson Shelters while the bombs rained down and the men folk were dying in their hundreds in plane’s and ships. May God forgive all of you that sit in those Houses of Parliament for what you are doing at this moment in time.
This outburst comes from reading some of the debates in the House of Lords on the Anti Terrorism Bill. You are making TERRORISTS.
I re-state, I will only give my name and number (which I still remember) from the ID Card I held in the 1940’s, while some parts of Manchester and the surrounding area were pounded to Hell, with about 14 nursing staff killed from Hope Hospital alone and hundreds from the area dead. The Terrorists in the end will have won.
Thanks for your responses. They reinforce the strength of feeling about the crucial need for data protection. There are two clear conclusions. First, data that are held should be kept to the minimum necessary. If it is not necessary to hold the data, then it is necessary not to hold the data. Second, when it is held it should be kept securely. I take the extremely helpful points made by Mike and Jonathan. I am also grateful to Alex Bennee for drawing attention to German experience, which is clearly worth examining. The value of this blog is that it attracts comments of this sort.
Lord Norton: May I suggest that you refer this post before publishing:
Although you talk here of data loss it is more closely linked with build standards on desktop workstations used within government departments. I suspect that common build standards are not prescribed or enforced across departments anywhere in government or government agencies?
An ongoing concern of the American Food and Drug Administration or FDA is the ability to import and export data from workstations used in manufacturing related areas.
When workstations or PC’s were first introduced to assist the manufacturing process it soon became evident that by ordinary means an individual could change the content of electronic records to cover their tracks in an act of omission or negligence that would later give rise to a patient health risk problem and result in a subsequent product recall and possible litigation.
All pharmaceutical companies that export health or food related products into the USA must now comply with a prescribed set of standards known as Title 21 Code of Federal Regulations (21 CFR Part 11) Electronic Records; Electronic Signatures.
The practical reality of ensuring electronic record accountability remains very complex and expensive. It has led manufacturers to ensure that software and hardware meet industry best practices or GxP.
Government could learn a great deal from the paradigm adopted by manufacturers. It is not uncommon to see three build standards in use across a business depending on the areas they are used in.
You might consider making the below references available to the house library?
Ref: Compliance Contents: Electronic Records; Electronic Signatures.
Background: Final Rule. PDF Version
http://www.fda.gov/ora/compliance_ref/part11/
General Principles of Software Validation;
Final Guidance for Industry and Staff
http://www.fda.gov/cdrh/comp/guidance/938.pdf