Benefit data again – post two of two

Earlier today I made reference to the House of Lords Science and Technology committee report on Internet Security.  This contained a series of recommendations for government on how to protect data to safeguard internet security.  In late October (around the time HMRC discovered that they had lost discs containing the names, addresses, NI numbers and bank account details of over one third of the population) the government produced a response to the Lords Committee.  In retrospect the response demonstrates considerable complacency on the part of the government.  Some of the responses are worth reading in full.

The Lords recommended a holistic approach to internet security.  The government reply was:

“The Government certainly agrees that a large number of stakeholders need to have a clear focus on the need for personal internet safety and, indeed, this is more than a distributed responsibility as the actions of one internet user or participant can impact on the welfare of others.”

Well you’re not wrong there, are you.  One stupid user misplacing personal data can compromise the security of millions of people who shred their bank statements and other correspondence, use smart passwords, and take all personal precautions that can sensibly be taken.

“Our evidence to the Committee highlighted the considerable work that is going on across Government to improve the security of the nation’s information infrastructure.”

No comment needed, I think.

“This work is led by the Cabinet Office and involves a coordinated effort by the Cabinet Office’s Central Sponsor for Information Assurance, the Centre for Protection of the National Infrastructure and the Communications and Electronic Security Group. That work has taken a strategic view of what actions the Government should be taking and we acknowledged the important range of activities that are going on across Government to address personal internet security issues.”

Again no comment necessary – but it is good to see that the Government have a range of activities addressing personal internet security issues by regularly using discs to pass confidential information, be it without a password or with a password scrawled on it.

 
“This work includes:–

Formulating an information assurance strategy for Government; this underlines the importance of improved performance based on a risk-based approach to the protection of information assets.”

Ha ha ha ha ha – the government had a risk-based approach to the protection of information assets.

“The strategy acknowledges the importance of non-Governmental stakeholders contributing to the strategy’s goals.”

Like TNT?

“Efforts to improve the quality of software and services; CPNI, Cabinet Office and the Department for Innovation, Universities and Skills (DIUS) all have activities to engage with software vendors to assist with the identification and remediation of vulnerabilities, promote testing arrangements to give confidence in the use of software and hardware security products and to more generally promote good software design.

Engaging with service providers; BERR, Home Office and other Government Departments are actively pursuing ideas with the Internet Service Providers as to how they might work even more closely with their customers to prevent harm to customer equipment and prevent those customers causing harm to the networks and other users. This will necessarily embrace issues around harmful content.

Outreach to business and home users: Recognising that many problems can be avoided by appropriate actions by users, the Government has a long history of direct engagement with business on security measures and this has been enhanced by a Knowledge Transfer Network that is creating a new approach to identifying and disseminating best practice.”

Leading by example, obviously.  I’m glad the government have now shown me what best practice is.

“Outreach to school age children has been significantly increased this year with the addition of Internet safety and security in secondary schools curriculum at Key Stage 2. The success of Get Safe Online, a public private initiative, has increased the awareness of home users and micro businesses of what they can do to prevent falling foul of security problems.
 
The Government can therefore accept the spirit of the recommendation in that we must continue to deepen our understanding of the issue of personal internet security and what can be done to improve it, and indeed has taken some significant steps on this in recent years.”

Significant steps like losing the personal data of 25 million people?  Or just the 15,000 Standard Life customers?  Or the others whose data has been sent by CDs to various people around the country?

“We would not, however, accept the view of the Committee that the Government has taken a narrow view of this problem in the past.”

No, of course not.

Recommendation 5 from the committee related to data protection issues specifically.  The government response is as follows:

“We can accept that new forms of online activity, including the expansion of supply chains to include systems in a multitude of jurisdictions, poses new challenges for data protection enforcement.”

As does holding data of all patients in a NHS system; or holding the data of every taxpayer; or holding the data on every recipient of benefit who you’ve forced to provide you with bank details rather than permitting payment over the counter in post offices; or perhaps holding personal and biometric data in a government controlled ID database?

“We do not accept that the incidence of loss of personal data by companies is on an upward path” (pauses only to note incredulity given events occurring at the time this response is being prepared by the government) “and we do not accept that the Government is indifferent to the problem.”

Course not.  That’s why they’ve managed to lose discs holding the details of 25 million people.

“The Government believes that the market incentives provided by the impact of adverse publicity surrounding breaches of security are powerful drivers to apply appropriate protection.”

Ha ha ha ha.  Well now they know.  There hasn’t been anyone that’s had any greater adverse publicity on this topic than the UK government, I’d guess.

“The Government also believes that the current legislative and enforcement regime surrounding personal information is proportionate and provides a strong incentive to appropriate action by companies.”

Only if there is a loss (see the HL committee recommendation 13, given that the powers of the Information Commissioner are not sufficient to provide general remedies for breaches of data protection legislation – without prior notices) – although I may be missing something…

“The Government agrees that it cannot prescribe the technologies or processes that should be deployed to protect information but we accept the spirit of the Committee’s recommendation in part.

We accept that the business models being adopted by companies whereby personal information is processed by sub-contractors” (does processing by sub-contractors include sending it by courier?) “in various jurisdictions is proving a challenge in both management terms” (ha ha ha ha – a challenge in management terms.  Perhaps supervising things would help – or are the pressures put on staff due to job cuts and efficiency savings rendering supervision impossible?) “and in relation to the underlying principle of European legislation that equivalence of protection should be ensured. A recent report by the Information Age Partnership and BERR pointed to the need to look at this problem and move towards solutions that work with the emerging global market in online services.”

Recommendation 11 was to propose the introduction of a data protection breach notification law.  The government rejected this.  They said,

“The Government provided evidence to the Committee that recognised that the move towards breach notification laws in other jurisdictions was an interesting development. We are, however, clearly not so convinced as the Committee that this would immediately lead to an improvement in performance by business in regard to protecting personal information and we do not see that it would have any significant impact on other elements of personal internet safety.”

Obviously, because after all such a system requires notification to be made timeously, and let’s say someone allows a breach of security in relation to 25 million people: you’d have to rely on them to notify relevant people promptly – not wait for 3 weeks for an underling to notify the people in charge, or an extra week to notify those in charge of those in charge, or an extra three days to notify the police, or another few days on top of all of that to notify one set of parties who may be affected by the loss of information; or an extra few days to notify the individuals directly affected.

“We will continue to observe the US experience and consider whether we need to find more formal ways of ensuring that companies do – as a matter of routine – contact the Office of the Information Commissioner when problems arise.”

Do as we do, not as we say; or vice versa?

“This enables a proportionate response to be taken and ICO acknowledge that there are occasions when notifying consumers of a breach of security might not be appropriate.”

Fair enough – sometimes though you just have to let the poor sods that you’ve potentially sold down the river to organised criminals from around the world find out.

“Such discussions also enable a discussion to take place about precautions taken and how they might be improved.”

Don’t put the stuff on disk.  And if you do put it on disk – encrypt it.  And deliver it yourself.  Remember TNT is an explosive as well as a courier.

“We agree with the Committee’s conclusions that there appears no obvious justification to apply such requirements to the communications providers in isolation.”

And recommendation 13 was that the enforcement provision for breaches of data protection legislation be bolstered – an old legal approach that legal obligations require sanctions for their breach to give them teeth and to ensure compliance.  The government though rejected that too.

“[T]he Government believes that the current enforcement regime for data protection is fit for purpose.”  Which it isn’t.

So is there anyone in the government wishing that they’d possibly framed that response a little differently?

About loveandgarbage

I watch the telly and read when not doing law stuff and plugging my decade and a half old unwatched Edinburgh fringe show.
This entry was posted in benefit data, news, politics, Uncategorized.

4 Responses to Benefit data again – post two of two

  1. Do you not know anyone in the meejah who would be interested in this detailed analysis?

    • I know no-one in the media aside from the guy that owns the papershop that delivers my morning Guardian – and I guess he’s only tangentially related. I was surprised that, given the government response on this isn’t very old (and I think Ross Anderson referred to it on Newsnight the other day), no-one has been through to point out how some of the statements now have the faintest taint of complacency.
      Scott
