Taking data security seriously again

It would have been easy to miss this piece of bad news buried in the tin-foil of a few million Easter eggs:

Memory sticks and CDs containing the personal details of 9,000 school children have been stolen from a house in north London…The computer equipment was encrypted – in line with council policies to avoid access to confidential information – but this was not the case with the CDs or memory sticks.

Apparently the member of staff responsible has been suspended and, according to Techwatch:

Barnet council has taken action to tighten up its security, by disabling USB ports and any access to external storage devices so such unauthorised file copying won’t be able to happen in the future.

The council has also ordered that all computers leaving the office will have to have their data encrypted from now on, and it’s launching an independent review into the whole issue of how its data is managed.

Perhaps Barnet hasn’t read the Data Handling Guidelines, created especially for them and all other councils 18 months ago. Had they done so, they perhaps might have considered reviewing their practices rather earlier and following the example of councils that have made it impossible to copy data on to removable media without prior consent.

In the course of their review, they may also like to bear in mind the words of Ian Brown in our report on children’s consent:

‘It is critical that systems are designed in a way that as far possible prevents security breaches, such as preventing sensitive data being copied onto unencrypted laptops, USB disks and other mobile media; and limiting very strongly the amount of sensitive data that can be copied around a system – eg it might be reasonable for a social worker to take home the records of 10 individuals on an encrypted laptop. It is a disaster waiting to happen for a director of children’s services to take home information on hundreds or thousands of individuals, regardless of laptop encryption or any information security training they have received.’

Nobody should be able to take the details of 9,000 children home with them in the first place.


One Response to Taking data security seriously again

  1. […] original here: Taking data security seriously again « The ARCH Blog AKPC_IDS += "683,";Popularity: unranked […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: