Friday, August 22, 2008

Latest government data cock-up

Now the Home Office has contrived to lose data covering the entire prison population of 84000, plus another 30000 people who are on the Police National Computer, on an unencrypted memory stick. My profession is IT, and one of the things that I do is run records management for a FTSE 100, so I do know what I am talking about when I say that there is no excuse at all for this. Firstly, sensitive data should never be consigned to portable storage, unless it is as part of a courier transit from one secure location to another. If such transit is routine then it should be electronic, but in any case the data should be encrypted. Putting this sort of data on a memory stick, unencrypted, is unforgivable, and the government's efforts to blame a contractor would have more credibility if the Home Office didn't already have form for doing exactly the same thing.

The thing is that working with data in this way is usually not necessary. If you need to test software then data for that purpose can be desensitised, that is, you change it to fictitious details but in the correct format. So names become 'Joe Bloggs' or 'Jane Doe' and so on. On the rare occasions that you really need to work with real data, then you are very, very careful, or not, if you are this government.

My view is that this whole area needs some legislative focus. The most recent Criminal Justice bill adds large financial penalties for negligent data handling, but the process of implementation will take until the middle of next year. Right now there are no meaningful penalties beyond bad publicity for an organisation that is incompetent as opposed to criminal in the way it handles personal data. This has to change if we want to stamp these sorts of blunders out.

This latest screwup also begs a question: would you trust this government to run a National Identity database?

Thought not.
