Having digested the news that Ruth Kelly announced to the House yesterday, it seems clear that in Government and its agencies the principle of least privilege is dead (if, I should add, it was ever alive). You may be wondering how exactly this latest data loss occurred. How was it that 3 million personal data records were in Iowa? Who the hell is this company that had the data? Well, if you read this blog regularly you will know the answer, but for those that don't it goes like this.
The EU, ergo the UK, have, at least on paper, some of the strictest data protection laws in the world. However, in a world of global trade this poses a problem for any company, or as it transpires Government, that wishes to purchase services that require the transfer of data outside Fortress Europe.
In the case of the USA, the federal government acknowledged this and decided, working in 'partnership' with the EU, to draw up a 'framework' that would allow US companies to take data and 'satisfy' EU minimum requirements. The system that was set up is known as Safe Harbor and works in such a way that a US company that wishes to handle data from the UK has to be assessed against the data protection legislation.
Who does the assessment? Well, according to the Safe Harbor website it is the registering company. They download the relevant form, tick the boxes and get listed on the site. Once on the site, this means a UK-based organisation, public or private, can send the company data without worrying about the law anymore. Safe Harbor likewise, if my own reading of the site is correct, acts as an indemnity-type protection for the US company should anything go wrong.
Pearson Vue (NCS Pearson) are such a company. They specialise in software for testing and assessment, and they are, as we learned yesterday, contracted to a sub-office of the DVLA and Department of Transport. They are also, as I revealed last week, the company responsible for taking data on a daily basis from the Teacher Development Agency, and, unlike with the learner driver issue, the TDA does send date of birth details as well as other specific personal data to the US.
The real problem here though, as I said above, is that the principle of least privilege is seemingly dead in Government agencies. The principle dictates that only those who require access to data should have access; think of it like 'need to know'. This however poses difficult questions when it comes to software development.
After all, if you are developing and maintaining a system that is already in production you need to have some sort of production-like data set to test upon. Performance testing, for example, is something that can only really be achieved against a proper data set, lest you go for linear extrapolation and take the risk of missing a potential clanger of a bug.
Thus, when the Government has a system it will, on occasions, need to have full data available for development purposes. But what do you do when your developer is not in the EU but is in the US or some other country?
Effectively you find yourself in a situation where you have to breach least privilege, and transport your data into an unknown state, both geographically and conceptually. It is at this point that the system breaks down, because it relies entirely on a paper procedure and promises that everything will be OK.
So what is the solution? Well, for a start it is time for Government IT to be brought properly in-house. As with the need for a Whitehall-wide ministerial position for information security, there needs to be a ministerial position and departmental responsibility for IT across Government.
A proper technology ministry responsible for all IT and security. A department through which all other departments resource their IT systems, and which is based in the UK. The bottom line is this. Under no circumstances should any personal data be sent out of the country by Government.
Now some people might say, what about private industry? Am I suggesting the same should be true for them? The answer is no, because the private sector is already heavily governed and heavily punished when it makes a serious mistake with data security. Unlike the Government, the private sector is already heavily curtailed by the law.
The Government's proposal for jail time for anyone breaching data security is a misdirected solution as well. Putting a Band-Aid over a gaping gash will not stop the blood from leaking. It is the system that is flawed, and heavily punishing those working in a flawed system will not stop the problems occurring.
As long as we have a disconnected system of IT development and systems in Government then there will always be someone else to blame. It's time for the Government to realise that the buck must stop with Government when Government systems fail. If that means removing responsibility for IT from the many and giving it to the few, so that there is a place for the buck to stop, then so be it.