With a junior official losing highly sensitive data the government is placing the blame on the the official, no surprise there. But the question is not why he sent this information through the post but how it was possible that someone so junior could get this information in a form that was so easily lost.
Why does a junior official have the ability to take sensitive data from the HMRC database and place it on a couple of CDs? This sort of data must have a high value on the black market and it seems that almost anybody at HMRC can access this data and sneak it out with little or no difficulty.
This is not the failure of a single individual but a failure of the data protection system at HMRC and we can only assume that other departments have similarly deficient systems. Who's fault is it? It is the government's fault, it's the responsible minister's fault and ultimately it is the prime minister's fault for appointing such incompetent ministers in the first place.
It is not acceptable that government departments that hold data about every citizen of the UK have such poor IT systems that junior officials have access to PCs that can not only access our data but also provide the facility to convert it to a form so easily lost or stolen.
Most private companies that hold sensitive data don't allow PCs that can be used to access such data to have CD-writers, USB ports, or access to the internet because they know that their employees can make mistakes or deliberately leak private data. Of course if such data were to be leaked from a private company it would have devastating financial consequences for the company. If this sort of thing were to happen at a bank there would almost certainly be a run on the bank that would threaten to devastate its credibility (and its share price). Of course with a bank we can always move our money elsewhere.
Providing rules within government departments that state that sensitive data should not be sent unsecured will not solve the problem. It must be made impossible for data to be leaked in this manner by junior officials whether they obey the rules or not. The IT systems that hold data about us must be secured not just against honest and competent junior officials but against corrupt and incompetent ones as well.
Obviously there will be times when sensitive data will be needed to be shared between departments. (It turns out this was not one of them, the Audit Office did not require, or even ask for, all the data that was lost.) When this sort of data transfer is required a minister should be informed and a senior official should supervise the transfer from beginning to end. Encryption should obviously be employed and the physical security of the data should also be of the highest priority.
Loss of citizens' sensitive data should be a resigning matter for the minister responsible, only then might we be confident that our data is safe with the government. Of course government departments should also only have information that they really need.
ID card anyone?
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment