1) This morning the papers are full of the news that a disc containing data about convicted criminals was ‘mislaid’ for a year, eventually turning up covered in dust on someone’s desk. Doubly appalling is this gem from the CPS statement:
“This is not a data security issue as this information was always in the possession of the CPS.”
2) BBC local news a couple of nights ago carried this story about a heap of files that turned up in a derelict council building in North London. When Lynne Featherstone, MP for Haringey, challenged the council, she was astonished to be told that they were only ‘old’ files.
3) After we spoke to Annette Brooke MP, LibDem spokesperson on children, she asked the following question – and got a deeply worrying answer:
Annette Brooke: To ask the Secretary of State for Children, Schools and Families what steps his Department is taking to prevent school staff removing unencrypted sensitive pupil data from school premises. 
Jim Knight: Becta is responsible for producing and publishing guidance for schools on how to ensure the security of their IT systems. Becta’s latest guidance was published in September 2007 and is available on its website. This guidance includes information for schools on monitoring the physical security of ICT equipment, data security and the security of pupil information and data.
In other words, the government abdicates all responsibility for data security in schools to a Non-Departmental Public Body.
Three separate examples, but one underlying factor. Despite the CPS insistence that “this is not a data security issue” (“these are not the droids you want”?), all three go to the heart of the real problem: the biggest threats to data security come from insiders who do not take their responsibility for other people’s data seriously enough.
No amount of money spent on ‘secure’ systems is going to stem the tide of data breaches if those in charge of the data cannot recognise that their attitudes are the real data security problem. And until that culture-change happens, our private information is simply not safe in their hands.