We live in a society that is becoming increasingly obsessed with being totally risk free. Clearly life wouldn’t be worth living if we eliminated all the risks.Similarly in the work place we are increasingly suffering from ill advised low risk strategies. In particular I am referring to the current raft of security restrictions being placed on staff, regarding the handling and sharing of data, in the aftermath of a number of high profile losses and thefts of data.
The primary driver for the measures being introduced (or at the least being reinforced) has been the review ‘Loss of MOD Personal Data’ commissioned by the Permanent Under Secretary Ministry of Defence and carried out by Sir Edmund Burton. I’m also assuming at this point that the online ‘questionnaire’ that employees are currently filling in is part of this initiative.
Firstly it doesn’t seem that Sir Edmund is saying that data is being shared with people that it shouldn’t be shared, but the slant currently being taken in SPVA is not to share data with anyone making work at the business end of SPVA very difficult.
Typically, of course, the reality of the data loses and those responsible is rather removed from front line staff in SPVA.
From the Burton report;
The stolen laptop……was one of a small population of, currently, 51 laptops, which hold a large database incorporating over 600,000 personal records. Investigations revealed that a total of 4 of these laptops have been stolen since 2004 (all from parked cars). Although the security instructions for the safekeeping of laptops were clear in prohibiting them from being left in unattended vehicles, they did not dictate that the data must be encrypted.
From my understanding of the situation the laptops ‘lost’ were in the possession of service personal from the recruiting and training divisions of HM Armed Forces.
Readers will also remember HM Revenue and Customs loss of Child Benefit data in 2007 widely reported as lost by the civil service. Our understanding here is that the CD (or DVD) was lost at some point whilst in transit, with both messenger and courier services being privately owned.
Readers may also be aware of the loss/theft of data from RAF Innsworth last year, again widely reported as a civil service loss. Whilst news and information on this has been very quiet, with requests from us for information going unanswered, we understand that the data was lost from an EDS controlled (double secure) area. And possibly coincidentally on the day that EDS staff there were given redundancy notices.
More recently readers may remember in October last year that key government services were taken offline after a ‘pocket storage device’ containing details of the Government Gateway was discovered in a pub car park in Staffordshire. Whilst DWP claimed that the data on the drive was encrypted a security expert who was given the device said that he could access the data and potentially gain access to around 12 million public records. In this instance the data was lost by an employee of Atos Origin who have the £46m five-year contract to provide managed IT services for the Government Gateway.
You can see the pattern here, it seems to me that it is all too easy to blame civil servants for losses of data with the truth being somewhat different. The clear existing instructions forbidding users to leave laptops in unattended vehicles was not being observed. In all the other cases it would seem that private business has been culpable to some extent.
This does make me question why, in the light of these things, serious and draconian measure are being put into place in areas where, to our knowledge, no losses of data have occurred. Looking at the issue in a practical way, and using a little bit of common sense, why would anyone, for instance, tap into a phone call between a member of AFCS at Norcross and a member of VWS on a mobile phone to hear disability details?
The Burton report says;
Culture Changes – the ‘Facebook Generation’. The Department recruits from, and exists within, a culture where the rapid and often uninhibited exchange of information is the norm. At work, this behaviour must be tempered by common sense and sound judgement, informed by data protection practice, and the particular concerns of MOD work. However, returning to strict information control of the type applied to paper documentation of fifteen or more years ago is not considered practical in the modern working and cultural environment
In conclusion we have to agree that protection of public data is incredibly important but that we would like to see a little bit of realism as to what can be done where, to have procedures that are fit for purpose and not one size fits all and, finally, a little bit of honesty about where the real problem lies.
