Monday, August 25, 2008

If directors can go to prison for failure below why can't ministers?

Now that my few days break is over I just wanted to comment on the latest data security cock-up by the Home Office. Now, before some anonymous commenter tries to defend it saying that it was actually a third party that lost the data so you cannot blame the Home Office really you need to take a step back and see where the actual root cause of the loss lies.

It's true that a third party was given the data in an allegedly encrypted format and that they then copied it into an insecure format and promptly lost it, but the real issue here is the content of the original data. According to the news reports I heard, the data was originally shipped for the purposes of research, the question that needs to be asked therefore is what research is there that requires identoifiable information to be present?

By that I mean, why was the data not cleansed at source before being handed out? Certainly in the private sector, if you need to provide "production-like" data for development or research purposes, you make the necessary changes to that data to remove that identifiable information before giving it away. In this case for example, there would be no value in having the full names of prisoners or convicted offenders in the data. Those record could have easily been replaced by sequential numeric values.

I've often made the point here that data security leaks from Government appear to be systemic. The system itself certainly appears seriously flawed. Every department in Government has lost significant amounts of data, they've all lost laptops, memory sticks and the like as well. a quick perusal over Hansard for the last year shows almost weekly admissions by the Government of where it is going wrong. The question is, how do you fix it?

As anyone working in the private sector will know, they have to become registered with the Data Protection Registrar if they are going to hold personal information, they will also know that if they are found in breach then they can face sever penalties. It seems that the current set-up though is geared towards the private sector failing whilst the Government can get away with anything but having a "review" and promising that it will not happen again.

In some respect much of this comes down to a failure to follow process and procedure, and a lack of buy-in for those processes and procedure at the top. Corners get easily cut when the penalties for doing so and next to non-existent. I'm not the biggest fan of regulations for businesses, but every now and again whilst they make business life hell for some they can actually produce what you need in that process buy-in area.

Take for example, Sarbannes-Oxley regulations for American listed companies and business that came about in the wake of the Enron financial scandals.Those regulations were and are anal and I have had to work within them but they really did make corner cutting a lot less common. The reason was that Sarbox basically said that of the company didn't comply then directors could go to jail. It's amazing how the threat of prison stretch sharpens the mind of the white-collar arena.

Perhaps therefore it is time for a Sarbox style approach to information security in Government? Legislatory mandated rules rather than guidelines, which put down in statute how Government is to handle data and crucially makes the penalties for Governmental failure severe. That is to say that the buck ultimately stops at the top of department with the threat of jail on the head of the politiciain in charge (as well as senior civil servants).

No one should be above the law, but when it comes to our data it appears that the Government and politicians see themselves as being so. The first principle of Government is the protection of its citizens. If Government cannot itself protect the data of its citizens within its own rules then it has failed and its politicians should be able to use rhetoric and the justification of the ballot box some years down the line to avoid censure

Of course, the likelihood of politicians voting and pushing through laws that could see them sent to prison is unlikely. However until some sort of legislator y framework in put in place that actually deals with these issues harshly, it will continue to be the case that successive Governments, of whichever political party, will fail and then tell us how the line has been drawn in the sand and honestly it won't happen again.

19 comments:

Lord Blagger said...

SOX is a very bad idea.

What you need is to be able to delegate the resposibility down the tree to the appropriate level.

ie. The accounts of a staff canteen do not need to be signed off and audited by the chief financial officer.

However, if the CFO doesn't alocate resources to get them audited, they assume responsibility.

But please, don't put SOX in. SOX was brought in because the auditors didn't audit enron. The response was, more audit (allow us to extort money legally)

Nick

Mostly Ordinary said...

The Government did indeed suggest prison sentences for those who breeched the DPA. The proposals most vocal opponent? The Press in the form of the Editor’s Code of Practice Committee. Paul Dacre who chaired to committee said:

"The threat of custodial sentences under the Data Protection Act was particularly worrying because of the effect it would have had on press freedom by inhibiting investigative reporting"

Given you can build in exceptions that a Judge can take into account I don't see it as an issue and who would want to protect people like Clive Goodman anyway?

I take your point about using real data and not generated data. By I guess it depends what they were doing with it. If you're developing a system scrubbed data is fine but if you're doing analytics you need the real information to work with.

I guess the inevitable report that will some out will tell us why they had this sort of data.

The only real facts we know is that the Government explicitly prohibits transfers to unencrypted mobile media. I guess we'll find out what the data was being used for at some point.

Anonymous said...

I'm sorry Dizzy but you have fallen into the socialist trap.
More & more regulation is NOT the answer.

It inevitably leads to more & more criminalisation (see todays discussion on criminalisation of young children). More Gatso, more ASBOs, more regulation gives the state more & more control over our individual lives.

The political class will find ways of not getting caught by their own regulations. Witness the Lady who was removed from office because Fatty Prescott did not like the way she made him declare the union funding on one of his many residences.

Less regulation is the answer, not more jail.

John of Enfield

Anonymous said...

The Conservatives and Liberal Democrats both tabled amendments to the Criminal Justice Bill earlier this year to do just this. The Government blocked the amendments.

Anonymous said...

Standard operating procedures for personal and other sensitive data,

Hardware and software controls - make sure encrypted files can't be saved in any unencrypted format, and block USB ports and CD writers on all machines handling sensitive data
Procedural controls - vetting of people with access to sensitive files and allow them access only from secured premises
Administrative controls - Clear structure for establishing and monitoring compliance with security procedures
Process ownership - someone with authority to impose the security processes and to take the rap if they go wrong.

Looks like another comprehensive failure on all levels.

Prison is too good for these serial offenders.

anthonynorth said...

One major problem with any government department is admin training. It is easy to train someone to work in a registry, slightly harder to train a secretary, the most qualified usually dealing with HR.
Guess which level of expertise shuffles delicate stuff around?

Anonymous said...

No one should be above the law, but when it comes to our data it appears that the Government and politicians see themselves as being so.

Methinks not just data.Above the law for everything.

Barnacle Bill said...

I fully agree that government ministers should be held responsible for the failings of their departments as well as the other parties involved.
I used to operate under the the rule of "ultimate responsibility" when I was a ship's master.
Where I could be held responsible for the cook cutting his finger in the galley to the officer of the watch colliding with another ship whilst I was turned in.
So yes lets see ministers actually held to account.

Anonymous said...

You are lucky I am not a labour blogger or the spelling mistake at the head of your post would have been the justification for some stick. They do not have much else to say.

Anonymous said...

Excuse me, don't you have an Attorney General, or the equivalent...that guy in a wig....

What are his constitutional powers? Can't he initiate action which if successful throws one of these tossers you lot insist on describing as ministers in the pokey?

Anonymous said...

The irritating thing about this is that there is a strict set of guidelines for handling the kind of data that PA lost. It's set down by CESG any everyone in or dealing with the MOJ/HO has to comply to it.

The fact is that PA are a leech of a company, who feel they're above the regulations. Everyone I know who has had the misfortune of dealing with these idiot opportunists is hoping the Home office/MoJ uses this incident to develop a spine and kick them out.

Unsworth said...

Yes but this is just another example of the complete abandonment of moral responsibility and authority. This lack of professsionalism is a creeping sickness which has affected most of society.

Who now has genuine pride in their work? Who can honestly say that they have done their job well? It's all about working to the rule-book. If the rules don't cover it then tough. And if the rules do cover it - then tough. Just do the minimum for the cash.

Over-regulation has led to abandonment of personal responsibility. Time to throw the rules out of the window and make people personally liable for there actions. You can hear it now 'System fault, lessons will be learned, etc etc". No mention at all of laziness, incompetence and downright deception, of course.

dizzy said...

To John of Enfield. I am not talking about regulation, I'm talking about legislation that will hold politicians and Government to account on the matter of data security. it's not a socialist trap at all.

Letters From A Tory said...

Interesting perspective. It is hard to justify public sector officials not being subject to severe punishments for losing extremely valuable information, and the Conservatives would do well to put this forward in their manifesto and implement it on day one rather than waiting for their own disasters in government.

Sackerson said...

"As anyone working in the private sector will know, they have to become registered with the Data Protection Registrar if they are going to hold personal information, they will also know that if they are found in breach then they can face severe penalties. It seems that the current set-up though is geared towards the private sector failing whilst the Government can get away with anything but having a "review" and promising that it will not happen again."

So, as a precaution, make a list of all the instances where the Government has got away with it, and demand equal treatment if caught, on the principle of natural justice.

Anonymous said...

sorry all you posters, government ministers, civil servants and all the contractors and others don't think they are above the law they KNOW they are!

Anonymous said...

Thanks for your reply. Sorry Dizzy - I was enraged by the very sight of the words Sarbanes Oxley.

John of Enfield

Anonymous said...

Of course it's systemic. The problem lies in the fact that the vast majority of local and national government employee's are morons, and totally incapable of grasping the most elementary principles of computer security.

dreamingspire said...

Agree on PA with 25/8 comment - but they are management consultants, disconnected from the real world of implementation, just like the senior civil servants are. A PA man told me that (although not in quite those words).
On cleansing the data at source, remember the story of the missing DWP CDs? The reason given for not cleansing that data at source was cost - they were in the grip of a contractor who charged a lot for extras (we have heard that one before).