Taking data security seriously again

April 6, 2010

It would have been easy to miss this piece of bad news buried in the tin-foil of a few million Easter eggs:

Memory sticks and CDs containing the personal details of 9,000 school children have been stolen from a house in north London…The computer equipment was encrypted – in line with council policies to avoid access to confidential information – but this was not the case with the CDs or memory sticks.

Apparently the member of staff responsible has been suspended and, according to Techwatch:

Barnet council has taken action to tighten up its security, by disabling USB ports and any access to external storage devices so such unauthorised file copying won’t be able to happen in the future.

The council has also ordered that all computers leaving the office will have to have their data encrypted from now on, and it’s launching an independent review into the whole issue of how its data is managed.

Perhaps Barnet hasn’t read the Data Handling Guidelines, created especially for them and all other councils 18 months ago. Had they done so, they perhaps might have considered reviewing their practices rather earlier and following the example of councils that have made it impossible to copy data on to removable media without prior consent.

In the course of their review, they may also like to bear in mind the words of Ian Brown in our report on children’s consent:

‘It is critical that systems are designed in a way that as far possible prevents security breaches, such as preventing sensitive data being copied onto unencrypted laptops, USB disks and other mobile media; and limiting very strongly the amount of sensitive data that can be copied around a system – eg it might be reasonable for a social worker to take home the records of 10 individuals on an encrypted laptop. It is a disaster waiting to happen for a director of children’s services to take home information on hundreds or thousands of individuals, regardless of laptop encryption or any information security training they have received.’

Nobody should be able to take the details of 9,000 children home with them in the first place.


Lessons still not learned

November 17, 2009

Yet another data loss by a local council:

Personal data on more than 14,000 voters has gone missing from the offices of a council in Hertfordshire. The data was protected by two levels of security, the council said, but admitted there was a “slight risk” it could be accessed.

Well what does that mean? It turns out that ‘two levels’ of security is actually two passwords: One to access the computer, a second to access the software holding the details. When my old laptop turned up its toes last year, the data-retrievers very kindly set up my new one pdq – and simply scavenged the passwords from my old, dead machine. If you want, you can buy the software to do that online for around a tenner.*

So in other words, we’re talking about rather more than a ‘slight risk’. If the laptop has been stolen by someone with no interest in its contents, they probably won’t bother accessing the data. On the other hand, if that ‘someone’ realises that there is potential value in the contents, they probably will. That the data can be accessed is almost certain, the only question is whether the thief will bother to do so.

Once again we get this tedious assertion from the recalcitrant council:

the council takes its responsibility to look after their personal data very seriously

I’m trying not to froth at the mouth, but for heaven’s sake! They patently didn’t take it nearly seriously enough! Why keep trotting out this meaningless nonsense? Unencrypted data should never have been on a laptop in the first place. If a council is taking its responsibility ‘very seriously’, then they should be abiding by the Data Handling Guidelines, which have their first birthday next week. Which bit of the following excerpt is unintelligible?

Wherever possible councils should avoid the use of removable media including laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats. Where it is unavoidable, encryption should be used and the information transferred should be the minimum necessary to achieve the business objective.

Presumably the council is also by now compliant with the Government Code of Connection. Amongst other things, councils should have a default position of not using laptops

Removable media
Removable media should be disabled unless there is a business case for its use.

What is the point in all of the time and public money spent on developing security standards when councils simply carry on downloading sensitive data to unencrypted devices?

*Update: ARCH’s webmaster has just helpfully pointed out that you may not even need a tenner


Leeds 2, DP 0

December 11, 2008

For For the second time this week:

A laptop used by an educational psychologist dealing with some of Leeds’s most troubled children has gone missing.The computer was reported missing to police yesterday after being missing for a week.

Leeds claim that the data on the laptop wasn’t sensitive. So what on earth was the ed psych actually recording on it?


Another singalong

December 8, 2008

From the BBC:

The private details of thousands of children were found on a memory stick dropped by a council worker…it included the names, dates of birth, ethnicity and contact details for about 5,000 nursery-age children living in the Leeds area.

The council has apologised and started an investigation.

The stick, which was found in a second-hand car, also contained confidential information about child protection and whether or not the children’s parents claimed state benefits.

The data was, of course, unencrypted. Now, you all know the chorus:

A council spokeswoman said: “We take issues of information security very seriously”


There goes another one

December 3, 2008

This speaks for itself really:

Personal information regarding thousands of children is in criminal hands after a laptop theft. Surrey County Council (SCC) notified the 7,851 children, parents and carers, whose details were stolen, that there had been a “potential security breach” in a letter over the weekend.

Personal, unencrypted data was stored on the laptop swiped from a car belonging to one of the county council’s contractors, Trapeze Group UK Ltd, on November 12.

Unencrypted? Unencrypted? Oh good grief. You’d think they might have learned by now. And in case you’re wondering, Trapeze Group is responsible for arranging transport for children.


Lost for words

November 2, 2008

Apparently we have to allow the government to use our data as they see fit, and accept that it may end up in a pub car park.:

Gordon Brown has made a frank admission that government cannot promise the safety of personal data entrusted by the public.

The Prime Minister was speaking hours after it emerged that a memory stick containing the passwords to a government website used submit online tax returns had been lost.

“It is important to recognise we cannot promise that every single item of information will always be safe because mistakes are made by human beings. Mistakes are made in the transportation, if you like in the communication, of information.”

He makes it sound as if we didn’t know that already and were the ones begging to have our data harvested.

Perhaps the ‘consent’ forms that children and parents sign when an eCAF is carried out should contain an extra question:

Where would you prefer us to lose your personal information?
(a) on a train
(b) at a disco
(c) via the post/courier service
(d) in a car park
(e) other

PS. I guess it’s appropriate that the Minister responsible for the Government Gateway is the same one who left confidential correspondence from his red box on a train.


Database debacles

October 11, 2008

I doubt if anyone has missed the news that EDS has lost a portable hard drive containing:

the names, addresses, passport numbers, dates of birth and driving licence details of those serving in the army, navy and RAF. It also includes next-of-kin details, as well as information on 600,000 potential services applicants

As you might imagine, while attention has focussed on serving forces personnel, it’s the 600,000 potential recruits that particularly worry us. Presumably a fair number of those are still in their teens and won’t discover for a while yet whether this latest data debacle has made them sitting ducks for identity fraud.

For several years now, the US media has been reporting the increasing use by fraudsters of children’s identities. The Federal Trade Commission points out that they are ‘perfect targets’ because they have clean credit histories, and are unlikely to know what has happened until they open a bank account or apply for credit.

MPs have apparently demanded ‘a “cultural change” in public sector data handling’. Good luck with that – the rot goes deep. Only last week, a company called Databarracks published the results of a survey of schools that showed:

92% of education institutions say they back up their data, however, analysing this further, the survey shows that while 60% take the data offsite, 55% of them have this function performed by a member of staff who takes the data home.

No doubt Databarracks has its own agenda, but its findings do echo an earlier study that found almost half of schools taking unencrypted pupil data off school premises.

You only need to read UK Liberty’s pages on data loss to see the scale of sloppy public sector data-handling practices.

It would be nice to think that things would have improved by the time the national Contactpoint and eCAF databases make their entry on to the scene, but it’s not likely. Just substitute ‘Contactpoint’ or ‘eCAF’ for any of the systems mentioned on UK Liberty, and you’re looking into the future.

Incidentally, on the subject of Contactpoint, you may have missed a letter in the Telegraph from the CE of Barnardo’s objecting to conservative plans to scrap the system. He says:

I would ask Mr Gove to think long and hard about whether or not Barnardo’s, which works with more than 100,000 of the most disadvantaged and vulnerable children in Britain, would support ContactPoint if we thought it would, as Mr Gove suggests, increase the risk of children being abused.

What a relief. If Barnardo’s says it’s OK, that must be right. We can go back to sleep.


A week’s-worth of security breaches

September 16, 2008

An impressive hat-trick this week. On the bright side, it’s good to see that nobody has made any of those irritating claims about taking data security ‘very seriously’.

First off the blocks:

The discovery at a Cornish nightclub of a computer memory stick with details of troop movements on it is being probed by the Ministry of Defence (MoD).

And then two in quick succession:

Discs containing personal information on almost 18,000 NHS staff have gone missing from a north London hospital.

Followed by:

A police force has undertaken an urgent hunt for a computer memory stick after admitting it has been lost by an officer on duty. West Midlands Police would not confirm or deny reports that the data stick contained information on terrorism.

Two on the same day, eh? The pace is hotting up. UK Liberty is keeping a tally.

Update 7pm: We spoke too soon. It’s now four this week:

An NHS trust has apologised after a computer memory stick, containing the confidential files of 200 patients, was found in a street.

Tees, Esk and Wear Valleys Trust said the stick was found by a member of the public in Barnard Castle, Co Durham. It stored a summary of medical histories and patients’ national insurance numbers and addresses.

This is just ridiculous.


The learning flatline

May 9, 2008

You might think that DWP staff would have been chastened by the child benefit Chernobyl into some basic grasp of data security, but apparently not:

The government has been sending out highly sensitive data in packages with the passwords necessary to access it, it has been revealed today.

And in a predictable mismatch of words and actions, a DWP spokeswoman said:

“We take the security of individuals’ data extremely seriously”

If you’re wondering where you heard that before, it was last uttered a month ago by the LGA.


You have to laugh

May 1, 2008

I think this is called having your cake and eating it. Engaged in the nerdy pursuit of trawling the last few days of parliamentary questions, I found the following written answer from Ministry of Justice Minister David Hanson to a question about young people serving indeterminate prison sentences – not something the government enjoys talking about:

These figures have been drawn from administrative IT systems which, as with any large scale recording system, are subject to possible errors with data entry and processing so numbers have been rounded to the nearest 10.

And here we were thinking that Contactpoint and eCAF would be infallible. In similar vein, the BBC reports that in the last 3 years:

More than 600 staff at HM Revenue and Customs (HMRC) have been disciplined for accessing personal or sensitive data, it has been revealed

Treasury Minister Jane Kennedy is keen to stress

However, this represents less than 1 per cent. of total staff for each of the three years in question

Let’s see, if Contactpoint and eCAF have 330,000 users and just 0.5% misuse their access, I make that 1,650 people. Despite ministerial assurances that employees are always caught (and how do they know about the ones who weren’t?) it’s clear from the HMRC figures that the risk hasn’t acted as a deterrent over the past few years.


The goldfish bowl

April 22, 2008

The latest news on data breaches:

Government departments and private companies have reported an “alarming” number of new data breaches in the wake of the recent HM Revenue and Customs fiasco.

Details of nearly 100 cases of data breaches, two thirds committed by government departments or other public sector bodies, have been passed to the authorities, the Information Commissioner, Richard Thomas, said.

He warned organisations to step up security as he released details of the wave of new breaches, including unencrypted information lost on laptops, computer discs, paper records and memory sticks lost, stolen or missing in the post.

Undaunted, the government bulldozers ahead towards its goal of a single record system. I’ve just been re-reading the government’s ‘Harnessing Technology’ (pdf) today. Ostensibly it’s about using ICT in education, but as the role of schools expands into welfare, inevitably education and social care records start to merge.

It’s an extension of the approach piloted in Connexions, where personal problems are seen as ‘barriers to learning’ that must be dealt with. Thus the government wants to:

Ensure integrated online personal support for children and learners…

Support children’s and learners’ transition and progression by developing and implementing a common approach to personal records across education and children’s services, including public and private organisations and industry.

It hardly needs saying that the scale of data breaches can only increase with the amount of data collected. How strange to think that the government was once so wary about the collection of children’s personal data that they introduced the School Census one small step at a time. Less than ten years later, it’s hard to think of any personal data that isn’t fair game for the ‘joined-up’ treatment.


You can trust us…

April 14, 2008

The BBC has been doing some digging:

Personal data about members of the public has been lost or wrongly revealed by 13 London councils in the last year, a BBC survey has found… In one instance, sensitive information about children in care was stolen when a youth worker took files into a bar.

This response is frankly irritating:

Tim Allen of the Local Government Association emphasised that data security was very important to local government

It’s demonstrably not important enough. There seems to be a second story here, too:

Some 23 councils replied to the freedom of information request

But there are 33 councils in London, all of them public authorities bound by the Freedom of Information Act. What happened to the other 10?


Still here…

April 2, 2008

…Though our prolonged silence might have made you think otherwise. It’s been one of those intensely busy periods with no spare blogging time at all.

I did notice recently that an opinion poll carried out for the Information Commissioner’s Office found:

three-quarters of us were more worried than ever over access to personal data. And 70% said they felt powerless over how organisations kept an eye on data.

The survey comes after the government lost computer discs containing the entire child benefit database.

From the look of the other news around, people’s worries are entirely justified. There was this:

Documents containing payroll information relating to 182 NHS staff members have been have been found dumped in a street…The documents had been in the care of company Capita when they were lost.

They contained information, including addresses, bank account and National Insurance details, from five trusts in Leicestershire and Northamptonshire.

And this from the Liverpool Daily Post:

an investigation by the Daily Post, using the Freedom of Information Act, has revealed the loss of 230 records by health staff in the region.

More than half of the trusts which replied to a request for information confirmed they had lost data. It is also revealed that the largest data loss – 100 records held on a “memory stick” by Liverpool Primary Care Trust, was not reported to the patients involved.

Even the prison service is doing its bit:

Prison Service and IT staff are trying to correct errors in the networked Local Inmate Database System [Lids] – which holds records on more than 80,000 prisoners – after the Service’s IT supplier EDS discovered that thousands of records contained incorrect information or data was incomplete or missing.

Yet more symptoms of what the Joint Committee on Human Rights describes as:

“The Government’s failure to take safeguards sufficiently seriously”

and

“insufficient respect in the public sector for the right to respect for personal data.”


It was the elves…

March 13, 2008

Someone has to be telling porkies here:

A patients’ group said it is astonished that three inquiries into how medical records came to be strewn on a road failed to find anyone responsible.

The records belonged to patients from London’s Whipps Cross University Hospital and St Bartholomew’s Hospital, and London Ambulance Services (LAS). The papers were found in Northaw, near Potters Bar, Hertfordshire, in January.

Probes by the hospitals trust, LAS and by Bywaters waste management company found their procedures were “robust”.


More skeletons

February 21, 2008

It’s just endless:

The Ministry of Defence is launching a new inquiry after admitting to the loss of two more laptops containing unencrypted personal details. The additional losses came to light during the investigation of the theft earlier this year of a laptop containing 600,000 peoples’ personal details.

This takes the biscuit:

Departmental minister Parmjit Dhanda told MPs, “The official data on each of the laptops was not encrypted because none of the information was classified.” In an attempt to reassure MPs, he added, “Each laptop was password protected.”