Wednesday, November 21, 2007

Data Loss - Reprise

Okay, so we seem to have (from the best figures I can glean), approximately 25 million sets of personal data. Within that, it appears to be (this will be updated as I can):
  • 11 million families Update: not sure now whether this is the number of adults or the number of household records (you can have child benefit paid split between carers if the child spends time living in more than one household, and you can also change who it is paid to ...)
  • 14 million children
  • 7¼ million bank accounts. Update: Sandra Quinn, APACS spokes-weasel, said on MoneyBox (Sat 24 Nov) that there were 7.3 million accounts notified to the banks through APACS. I'll take that as confirmation of this figure.
Now, of its self, those figures are interesting - it's free money, not means tested, paid to mum and not strongly audited (at least, Mrs S-E's never has) so there seems little incentive to fib - the average family with children under 16 (or slightly older) has 1.27 of them and 34% of mums really don't want the money paid into a bank account. But, security questions:
  • Why on God's green Earth did the NAO need, or think they wanted, the entire database? I appreciate that they have a duty to ensure that public funds are properly managed but surely that could have been done with summary data and some spot checks? Update: Apparently, they didn't want the personal data - but that still makes it even more dubious why they couldn't use summary data (i.e. I can think of reasons why they would want the personal data, just not ones legitimate to the NAO role.) Update 2: from Hansard - seems to be a proper explanation to me - Edward Leigh hairs the public accounts committee - h/t Roger Hird - (Ed notes - except, of course, that under the DPA, your NI number is, contrary to Mr Leigh's assertion, personal data, because somebody has the database to turn that back into a reference to you):
Mr. Edward Leigh (Gainsborough) (Con): I am grateful to the Comptroller and Auditor General and to the Chancellor for briefing me this morning. May I just make one or two things clear from the CAG’s briefing? He requested this information—the national insurance numbers—to create a sample to enable him to carry out the audit. It is clear that the CAG specifically asked that all personal details, bank account details and all that sort of information should be removed before this was sent. That is the most important thing. The National Audit Office simply asked for the national insurance numbers; this had nothing to do with personal details.
  • Ross, on Newsnight last night, said that the database should have been classified as "SECRET". Can't comment on that, because the definitions of UK protective markings are themselves protectively marked :). It would be interesting to find out what the Accreditation Documentation Set rated the system as (I can guess) and how this relates to the new Impact Levels ... (Will post an IL definition table if I can find it on the web).
  • Was backup software involved? If so, why was this not set to decrypt by default?
  • Why was this not transferred over the GSI or xGSI (Government Secure Intranet)?
  • What involvement, if any, did Aspire (the Cap Gemini SPV that runs HMRC's IT) have in this saga?
  • Why all the delays? (Ed: Actually, I know the answer to this one - the "shoot the messenger" culture endemic in modern Britain - private as well as public sectors.)
Security red herrings (IMNSHO):
  • "Junior official" - the poor bod who actually did this is likely to be some form of IT or audit minion, almost certainly not an Oxbridge classics grad (or even, horrible to have an almost job-relevant qualification, a PPE grad), acting on the commands of their superiors.
  • Lost in the post - yes, it went in the Government internal mail. Why? Have you ever tried to get first class posting, never mind recorded / registered post from a large bureaucracy? Generally, the only way to do it is to go to the Post Office yourself and try to claim the cost back on expenses.
  • Quibbles about refunds of any fraud or suing the taxman. The former will happen, the latter can't - see here.
  • Fines for HMRC - the large fines against banks were levied (IIRC) by the FSA, who have no authority over HMRC, as opposed to the Information Commissioner, who has a different penalty regime (largely, and reasonably effectively against large organisations, name and shame).
More news:
  • The Information Commissioner speaks:
Richard Thomas, Information Commissioner, said:

“This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches. Incidents like these illustrate that any system is only as good as its weakest link. The alarm bells must now ring in every organisation about the risks of not protecting people’s personal information properly. As I highlighted earlier this year, it is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour.
  • But why does he mention a KPMG review? Jane Kennedy said (on Newsnight which I caught online) PWC? Do we really need them both? Update: Seems to be a typo in the IC press release - Kieron Poynter, mentioned as leading the study for KPMG, is Chairman of PWC UK. Update 2: And the KPMG mention has been removed from the online press release (without acknowledging the change).

1 comment:

Anonymous said...

Kieron Poynter went to the same school (two years above) as Sir Gus
O'Donnell who has been credited with/blamed for the establishment of HMRC.

 
HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.