Reports reveal poor security practices behind data losses

Poor public sector information security practices were highlighted last week by four separate reports into data handling.

Two of the reports focused on the failures that led to the loss of 25 million child benefit records by HM Revenue and Customs (HMRC), while another examined the loss of a Ministry of Defence (MoD) laptop, which contained unencrypted personal records for more than 600,000 people.

A fourth report, the data handling review, looked more widely at data handling practices across government, and made a number of recommendations for improving security.

Improving information security practices were highlighted as a key move. The review announced that a series of mandatory minimum measures will be put in place.

All information that is portable will be encrypted, including laptops and discs, and greater controls will be put on the moving of information. Departments will be obliged to have their networks tested by ethical hackers on a regular basis.

Civil servants who deal with personal data will undergo annual training, and the government will introduce privacy impact assessments (PIAs) that will monitor the effect of government initiatives on citizens’ privacy.

Data security roles in departments are to be more clearly defined to ensure clear lines of responsibility for protecting information ­ something that was lacking in the HMRC breach.

Departments will report on their performance in these areas to the National Audit Office. They will also be subject to spot checks from the Information Commissioner’s Office (ICO) as part of an effort to improve the transparency of procedures.

“Effective public services depend on information about the people they serve. But to command public confidence, that information needs to be safely stored and protected,” said Cabinet Office minister Ed Miliband.

“The government is determined to take the necessary steps to improve data security. The measures outlined today are an important part of that process.”

Despite the high-profile losses, the Cabinet Office is keen to emphasise that data sharing is crucial to its technology strategy.

Each week, the police and courts make 4,500 enquiries to online driver’s databases ­- for example, the Vosa-operated electronic record of data held by MOT garages which, combined with the insurance industry system enables 10 million people to renew their car tax online through the Driver and Vehicle Licensing Agency (DVLA) -­ while HMRC saw three million self-assessment tax forms filed online in 2006/2007.

The ICO will play an important role in overseeing the increasing amounts of public information being handled. Equipped with new powers to fine and spot check, the office finally has some of the powers it has demanded.

Information Commissioner Richard Thomas welcomed the Cabinet Office moves to improve security. “This material should help chief executives across the whole of the public, private and not-for-profit sectors achieve better compliance with the Data Protection Act and keep people’s details more secure,” he said.

The number of data loss reports since the HMRC breach suggests that incidents will still occur, even when the danger is highlighted. But putting in place the safeguards laid out in the review will be key to reducing the number of occurrences, according to Graham Titterington, principal analyst at Ovum.

“Security training is the most important measure ­ most of these incidents are down to human failure,” he said.

While encrypting data is a relatively simple process, managing the keys that unlock that data is not.

“Encrypting across departments will mean large, complex key management syste ms, and these are quite a challenge to put in,” said Titterington.

“Despite this, it’s realistic to expect most departments to have the recommended measures in place within a year.”

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!