The House of Lords Science and Technology committee produced earlier this year a report on internet security. The government responded last month – at around the time HMRC became aware that its staff had lost 25 million personal records. Some of their comments are worth re-evaluating:
“The Government takes seriously all crime committed by use of the internet and agrees with the Committee that confidence in the internet is vital. However, we also feel there is an unwarranted suggestion that its only response to the problem is to regard it as a personal responsibility of the user to take necessary precautions. It is true that the user should be aware and both take precautions and behave responsibly. But this is not the only way to improve personal internet security and the Government’s written and oral evidence supports the Committee’s conclusion that this is a shared responsibility.” (from the preamble – the shared responsibility presumably includes those that hold the data; I mean, what confidence can we have in electronic transactions or databases if those responsible for the databases lose them?)
The Lords committee made various recommendations – which on a reading seemed fairly uncontroversial – and which are glossed here with comments taking into account subsequent events. The recommendations included:
4. It is time for Government to develop a more holistic understanding of the distributed responsibility for personal internet security.
9. The steps currently being taken by many businesses trading over the internet to protect their customer’s personal information are inadequate. (It transpires that these are obviously not the only people whose practice in protecting personal information is inadequate.) The refusal of the financial services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at Government level. (You don’t say. Indifference at government level. Shame on you, House of Lords committee, you obviously don’t know what you’re talking about. How can anyone accuse this government of being indifferent to this topic?) Governments and legislators are not in a position to prescribe the security precautions that should be taken; (although they could set an example, perhaps?) however, they do have responsibility to ensure that the right incentives are in place to persuade businesses to take the necessary steps to act proportionately to protect data. (I’m presuming proportionate actions include recommending to business that they should not be sending the stuff in a password-protected file on a disc.)
11. We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law and begin consultation on its scope as a matter of urgency. (Can’t happen soon enough – I’m sure the government would exemplify best practice in this area by notifying those affected by any breach both promptly and effectively.)
12. We recommend that the data security breach notification law should incorporate the following elements:
• Workable definitions of data security breaches, covering both a threshold for the sensitivity of data lost, and criteria for accessibility of that data;
• A mandatory and uniform central reporting system;
• Clear rules on the form and content of notification letters which must state clearly the nature of the breach and provide advice on the steps that individuals should take to deal with it. (5.56) (Well, HMRC are in the process of following this good practice: some days after the original notification – as noted by dizzy – HMRC has issued a letter of apology and FAQs. And the advice the government and HMRC offer as to how to deal with matters? Don’t call your bank. Don’t worry. It doesn’t seem to be in the hands of crooks yet.)
13. We further recommend that the Government examine as a matter of urgency the effectiveness of the Information Commissioner’s Office in enforcing good standards of data protection across the business community. (Seems reasonable. After all, it would be ridiculous if someone lost, say, 25 million sets of records and, because there had been no previous enforcement notice, the Information Commissioner could simply tut very firmly – and there would be no remedy. Such a massive breach must surely have some legal consequence.)
So how did HM Government respond to these sensible suggestions – bearing in mind that at this point they didn’t know that something was awry with 25 million records? The responses will follow in the next post, later tonight.