WRITTEN ON November 20th, 2007 BY Ruth Kennedy AND STORED IN Data nitwittery, Foundation of Trust, Identity, Transformational Government, What do we want?

Today’s news is full of the enormous security breach at HMRC, from which the personal details of “virtually every child in the UK” have been lost. Of course it’s not just children – those of us adults who have signed up to have the payments made directly into parental bank accounts have also potentially had our privacy and security breached.

The BBC reports

In an emergency statement to MPs [The Chancellor] Mr Darling apologised for what he described as an “extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines”. MPs gasped as Mr Darling told them: “The missing information contains details of all Child Benefit recipients: records for 25 million individuals and 7.25 million families.”
The chancellor blamed mistakes by junior officials at HMRC, who he said ignored security procedures. “Two password protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit was sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.”

Weirdly, the Chancellor said that

the missing data in itself was not enough for people to access people’s bank accounts

err, hang on, wasn’t the missing data

children’s names, addresses, dates of birth, NI numbers and where relevant bank and building society account details.

??.

You have to hand it to Paul Gray, the fabulous, highly customer-orientated Chair of the department, for falling on his sword so swiftly and with such integrity. But it’s a tragedy that Whitehall has lost one of its best ‘transformational’ leaders, taking the rap for poor (nay, illegal) decisions made much lower down his tree. Isn’t there a senior manager closer to the breach who ought to be going instead?

Shadow Chancellor George Osborne asked whether this was a “final blow” to the ID card scheme, saying the government “simply cannot be trusted with people’s information”, pointing out that the government had compromised the security and safety of “every family in the land”.

“Let us be clear about the scale of this catastrophic mistake – the names, the addresses and the dates of birth of every child in the country are sitting on two computer discs that are apparently lost in the post, and the bank account details and National Insurance numbers of ten million parents, guardians and carers have gone missing. Half the country will be very anxious about the safety of their family and the security and the whole country will be wondering how on earth the government allowed this to happen.”

“They simply can not be trusted with people’s personal information,” added Mr Osborne.

It’s worth noting that HMRC (and the nation’s families) have suffered a social/behavioural failure – not a technological one. But it serves to emphasise once again that there’s insufficient energy and investment made in understanding the social side of the use of technology in public service delivery.

I am trying to think of a wibbi. It’s probably something like: WIBBI if government began to listen really really carefully and urgently to the arguments rehearsed so clearly on these pages (like those of Jerry Fishenden, Kim Cameron, Robin Wilton, Dave Birch, and all the rest of you who know you should be in the list) that much, MUCH greater care is needed when handling large databases of people’s personal information.

8 Responses to “Protect your bits: don’t give your personal details to the government”

 
AndreyM wrote on November 21st, 2007 2:22 am :

I also don’t believe my government… but what can I do? I don’t know…

William Heath wrote on November 21st, 2007 4:18 am :

Man, 10-0 to FIPR on tonight’s Newsnight I reckon. FIPR, with no professional staff, is maturing as it approaches its 10th birthday.

Ross Anderson was at his most effective; well-informed, quietly angry (with good reason having been roundly ignored for so long). He’s focussed on the centralising databases aspects of Transformational Government.

I’m really sad Paul Gray has gone, and completely disagree with the suggestion that creating a leaner HMRC is the problem.

I think the pendulum which started to turn with the PM’s liberty speech has just got a major push. Sensitive listeners amongst us have been persuaded for years. But now issues of trust and how we treat people’s valuable personal data have to be taken seriously, not just with lip service.

Ideal Gov administrator wrote on November 21st, 2007 4:35 am :

Good post and debate at the Light Blue Touchpaper blog of Ross Anderson’s Cambridge Computer Security posse:

http://www.lightbluetouchpaper.org/2007/11/20/government-security-failure/

Richard S wrote on November 21st, 2007 5:04 am :

We now have to assume that our “confidential” information is “public” and act accordingly:

Banks (and customers) must no longer rely on “fixed” information like DoB for identifying their customers.

Perhaps the banks’ own funding crisis will stop them trying so aggressively to lend to new customers – ones who were not previously known to the banks?

Perhaps this will force a return to sanity; thereby removing the spurious value of this “confidential” information to criminals?

Until recently, we relied on “trusted people” to introduce and vouch for other people:

eg. Our passport photos & applications were countersigned by a “trust-worthy” person.

Question: When dodgy passports are detected, why are the people who countersigned the applications not punished?
—–

The “confidential” information lost on these CDs – and in the many other scandals – has criminal value only because government regulations force institutions to demand & to rely on paper proofs of identity rather than on trusted intermediaries.

We should return to trusting people we trust.

ps. The chaos in the HMRC sounds familiar: I’m currently struggling with a different security scandal in a “Big 4” bank – struggling to get the bank’s senior (but technically ignorant) staff to close a dangerous loophole caused by poorly supervised, junior technical staff – preferably before there is a major incident.

So far, the bank’s senior staff won’t listen.

Mauritius wrote on November 24th, 2007 5:26 pm :

They say all information will be confidential… how confidential is it when anyone in that office has access to your file and there is the risk of leakage?

Take the example of the recent UK post error… The Inland Revenue sent private confidential records of people’s tax, account and all other personal details on a CD via normal post…

The result was the CDs got lost… so is our information confidential then… how funny

skarrak wrote on December 10th, 2007 5:19 am :

Can anyone tell me whether the department/government responsible for losing my information, bank details and children’s details can be sued for their loss, as personally I feel a letter of apology is no more than a slap in the face really. After all, what would happen to us if we lost such sensitive information of the government’s?

Compound Interest Calculator wrote on February 22nd, 2008 4:05 am :

Good article. Well written.

politics world forum wrote on June 25th, 2008 3:30 am :

I doubt information will be confidential in this digital age
