Now that my few days' break is over, I just wanted to comment on the latest data security cock-up by the Home Office. Now, before some anonymous commenter tries to defend it by saying that it was actually a third party that lost the data, so you cannot really blame the Home Office, you need to take a step back and see where the actual root cause of the loss lies.
It's true that a third party was given the data in an allegedly encrypted format and that they then copied it into an insecure format and promptly lost it, but the real issue here is the content of the original data. According to the news reports I heard, the data was originally shipped for the purposes of research; the question that needs to be asked, therefore, is what research requires identifiable information to be present?
By that I mean, why was the data not cleansed at source before being handed out? Certainly in the private sector, if you need to provide "production-like" data for development or research purposes, you make the necessary changes to that data to remove the identifiable information before giving it away. In this case, for example, there would be no value in having the full names of prisoners or convicted offenders in the data. Those records could easily have been replaced by sequential numeric values.
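As an added illustration of "cleansing at source" (this is example code written for this post, not anything from the Home Office or its contractor), the script below takes a constructed set of offender-style records, drops the direct identifiers, coarsens the quasi-identifiers that still carry research value (date of birth to birth year, postcode to its outward code) and replaces each distinct person with a sequential subject number. The field names, rules and records are all assumptions made up for the example; the lookup table from subject number back to person is returned separately because it stays at source and is never shipped.

```python
"""Cleanse 'production-like' records before handing them to researchers.

Added example, not from the original post. The field names, the record
layout and the sample rows are constructed for illustration only.
"""
import csv
import io

# Constructed sample: fictional people and fictional records, made up for
# this example. The third row is the same person as the first, so that the
# research copy can still count repeat offenders without naming anyone.
SAMPLE_CSV = """record_id,full_name,date_of_birth,postcode,offence_category,sentence_months
A1001,John Smith,1975-03-12,SW1A 1AA,theft,6
A1002,Jane Doe,1982-11-30,M1 1AE,fraud,18
A1003,John Smith,1975-03-12,SW1A 1AA,burglary,24
"""

# Fields that identify a person directly and carry no research value.
DIRECT_IDENTIFIERS = ("record_id", "full_name", "date_of_birth", "postcode")

# Fields used only to recognise the same person across rows, so that one
# person maps to one subject number. Never written to the research copy.
PERSON_KEY = ("full_name", "date_of_birth")


def generalise(row):
    """Coarsen quasi-identifiers that researchers may legitimately need."""
    return {
        "birth_year": row["date_of_birth"][:4],          # YYYY only
        "postcode_area": row["postcode"].split()[0],     # outward code only
    }


def cleanse(csv_text):
    """Return (research_rows, lookup).

    research_rows: the copy that can be shipped; people appear only as
                   sequential subject numbers.
    lookup:        subject number -> original person key; retained at
                   source under the original controls, never shipped.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    subject_ids = {}   # person key -> subject number
    lookup = {}        # subject number -> person key
    research_rows = []
    for row in reader:
        key = tuple(row[f] for f in PERSON_KEY)
        if key not in subject_ids:
            subject_ids[key] = len(subject_ids) + 1
            lookup[subject_ids[key]] = key
        clean = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        clean.update(generalise(row))
        clean["subject_id"] = subject_ids[key]
        research_rows.append(clean)
    return research_rows, lookup


def verify_cleansed(rows):
    """Release check: no direct identifier survives and every row is keyed
    by a subject number. Run this on the file that is about to leave."""
    for row in rows:
        if any(field in row for field in DIRECT_IDENTIFIERS):
            return False
        if "subject_id" not in row:
            return False
    return True


def to_csv(rows):
    """Serialise the research copy for hand-over."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, lookup = cleanse(SAMPLE_CSV)
    assert verify_cleansed(rows), "refusing to release: identifiers present"
    print(to_csv(rows))
    print("retained at source, not shipped:", lookup)
```

The point of the separate lookup table is that the research copy on its own is not re-identifiable by whoever loses it; if the original names are ever needed again, that is done at source against the retained table, not by shipping them along with the data.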
I've often made the point here that data security leaks from Government appear to be systemic. The system itself certainly appears seriously flawed. Every department in Government has lost significant amounts of data; they've all lost laptops, memory sticks and the like as well. A quick perusal of Hansard for the last year shows almost weekly admissions by the Government of where it is going wrong. The question is, how do you fix it?
As anyone working in the private sector will know, they have to become registered with the Data Protection Registrar if they are going to hold personal information, and they will also know that if they are found in breach then they can face severe penalties. It seems that the current set-up, though, is geared towards penalising the private sector when it fails, whilst the Government can get away with nothing more than a "review" and a promise that it will not happen again.
In some respects much of this comes down to a failure to follow process and procedure, and a lack of buy-in for those processes and procedures at the top. Corners get cut easily when the penalties for doing so are next to non-existent. I'm not the biggest fan of regulations for businesses, but every now and again, whilst they make business life hell for some, they can actually produce what you need in that process buy-in area.
Take, for example, the Sarbanes-Oxley regulations for American listed companies and businesses that came about in the wake of the Enron financial scandal. Those regulations were and are anal, and I have had to work within them, but they really did make corner cutting a lot less common. The reason was that Sarbox basically said that if the company didn't comply then directors could go to jail. It's amazing how the threat of a prison stretch sharpens the mind in the white-collar arena.
Perhaps, therefore, it is time for a Sarbox-style approach to information security in Government? Legislatively mandated rules rather than guidelines, which put down in statute how Government is to handle data and, crucially, make the penalties for Governmental failure severe. That is to say, the buck ultimately stops at the top of the department, with the threat of jail hanging over the head of the politician in charge (as well as senior civil servants).
No one should be above the law, but when it comes to our data it appears that the Government and politicians see themselves as being so. The first principle of Government is the protection of its citizens. If Government cannot itself protect the data of its citizens within its own rules then it has failed, and its politicians should not be able to use rhetoric and the justification of the ballot box some years down the line to avoid censure.
Of course, the likelihood of politicians voting for and pushing through laws that could see them sent to prison is slim. However, until some sort of legislative framework is put in place that actually deals with these issues harshly, it will continue to be the case that successive Governments, of whichever political party, will fail and then tell us how a line has been drawn in the sand and honestly it won't happen again.