Earlier today I made reference to the House of Lords Science and Technology Committee report on Internet Security. This contained a series of recommendations for government on how to protect data to safeguard internet security. In late October (around the time HMRC discovered that they had lost discs containing the names, addresses, NI numbers and bank account details of over one third of the population) the government produced a response to the Lords Committee. In retrospect the response demonstrates considerable complacency on the part of the government. Some of the responses are worth reading in full.
The Lords recommended a holistic approach to internet security. The government reply was
“The Government certainly agrees that a large number of stakeholders need to have a clear focus on the need for personal internet safety and, indeed, this is more than a distributed responsibility as the actions of one internet user or participant can impact on the welfare of others. Well you’re not wrong there, are you. One stupid user misplacing personal data can compromise the security of millions of people who shred their bank statements and other correspondence, use smart passwords, and take all personal precautions that can sensibly be taken. Our evidence to the Committee highlighted the considerable work that is going on across Government to improve the security of the nation’s information infrastructure. No comment needed, I think. This work is led by the Cabinet Office and involves a coordinated effort by the Cabinet Office’s Central Sponsor for Information Assurance, the Centre for Protection of the National Infrastructure and the Communications and Electronic Security Group. That work has taken a strategic view of what actions the Government should be taking and we acknowledged the important range of activities that are going on across Government to address personal internet security issues. Again no comment necessary – but it is good to see that the Government have a range of activities addressing personal internet security issues by regularly using discs to pass confidential information, be it without a password or with a password scrawled on it.
Recommendation 5 from the committee related to data protection issues specifically. The government response is as follows,
“We can accept that new forms of online activity, including the expansion of supply chains to include systems in a multitude of jurisdictions, poses new challenges for data protection enforcement. As does holding data of all patients in a NHS system; or holding the data of every taxpayer; or holding the data on every recipient of benefit who you’ve forced to provide you with bank details rather than permitting payment over the counter in post offices; or perhaps holding personal and biometric data in a government controlled ID database? We do not accept that the incidence of loss of personal data by companies is on an upward path Pauses only to note incredulity given events occurring at the time this response is being prepared by the government and we do not accept that the Government is indifferent to the problem. Course not. That’s why they’ve managed to lose discs holding the details of 25 million people. The Government believes that the market incentives provided by the impact of adverse publicity surrounding breaches of security are powerful drivers to apply appropriate protection. Ha ha ha ha. Well now they know. There hasn’t been anyone that’s had any greater adverse publicity on this topic than the UK government, I’d guess. The Government also believes that the current legislative and enforcement regime surrounding personal information is proportionate and provides a strong incentive to appropriate action by companies. Only if there is a loss (see the HL committee recommendation 13 given that the powers of the Information Commissioner are not sufficient to provide general remedies for breaches of data protection legislation – without prior notices) – although I may be missing something… The Government agrees that it cannot prescribe the technologies or processes that should be deployed to protect information but we accept the spirit of the Committee’s recommendation in part.
We accept that the business models being adopted by companies whereby personal information is processed by sub-contractors Does processing by sub-contractors include sending it by courier? in various jurisdictions is proving a challenge in both management terms Ha ha ha ha – a challenge in management terms. Perhaps supervising things would help – or are the pressures put on staff due to job cuts and efficiency savings rendering supervision impossible? and in relation to the underlying principle of European legislation that equivalence of protection should be ensured. A recent report by the Information Age Partnership and BERR pointed to the need to look at this problem and move towards solutions that work with the emerging global market in online services.”
Recommendation 11 was to propose the introduction of a data protection breach notification law. The government rejected this. They said,
“The Government provided evidence to the Committee that recognised that the move towards breach notification laws in other jurisdictions was an interesting development. We are, however, clearly not so convinced as the Committee that this would immediately lead to an improvement in performance by business in regard to protecting personal information and we do not see that it would have any significant impact on other elements of personal internet safety. Obviously, because after all such a system requires notification to be made timeously, and let’s say someone allows a breach of security in relation to 25 million people: you’d have to rely on them to notify relevant people promptly – not wait for 3 weeks for an underling to notify the people in charge, or an extra week to notify those in charge of those in charge, or an extra three days to notify the police, or another few days on top of all of that to notify one set of parties who may be affected by the loss of information; or an extra few days to notify the individuals directly affected. …. We will continue to observe the US experience and consider whether we need to find more formal ways of ensuring that companies do – as a matter of routine – contact the Office of the Information Commissioner when problems arise. Do as we do, not as we say; or vice versa? This enables a proportionate response to be taken and ICO acknowledge that there are occasions when notifying consumers of a breach of security might not be appropriate. Fair enough – sometimes, though, you just have to let the poor sods that you’ve potentially sold down the river to organised criminals from around the world find out. Such discussions also enable a discussion to take place about precautions taken and how they might be improved. Don’t put the stuff on disk. And if you do put it on disk – encrypt it. And deliver it yourself. Remember TNT is an explosive as well as a courier.
And recommendation 13 was that the enforcement provision for breaches of data protection legislation be bolstered – an old legal approach that legal obligations require sanctions for their breach to give them teeth and to ensure compliance. The government though rejected that too.
“[T]he Government believes that the current enforcement regime for data protection is fit for purpose.” Which it isn’t.
So is there anyone in the government wishing that they’d possibly framed that response a little differently?