Privacy, identity theft and the Government

The IPCC investigates all Government data losses. Its report contradicts Darling’s explanation of events, instead stating that, “individual members of staff were not to blame...” and that, “processes for data handling were woefully inadequate...”.

“The failings identified by our investigation are significant,” IPCC Commissioner Gary Garland said in a statement accompanying the report. “Because of this, and the high level of public concern about this incident, I have provided the Information Commissioner, Richard Thomas, with a copy of this report. It raises concerns he is properly placed to address.”

The Treasury also commissioned an inquiry, this time by former Price Waterhouse Coopers’ chairman Kieran Poynter. His final report tells the full story, but the table on page 30 of that report makes for particularly interesting reading because it shows that four sets of discs were involved. The first famously went missing. The second remained at HMRC as a backup. The NAO returned the third because it wasn’t password protected. The fourth arrived safely at the NAO.

In August 2008, Darling announced that HMRC needed to spend a whopping £155m to implement proper data security standards. “It is quite clear the loss was entirely avoidable,” he said. “I apologise unreservedly.”

Tip of the iceberg
We asked John Burns, a consultant with data security specialist NCC Group, for his comments. “There are concerns,” he told us, “the incidents that have been made public are only the tip of the iceberg. While Government policies and standards do exist, it is clear that they have not been consistently applied throughout the different Government departments and agencies.” The Government’s own regular admissions of sensitive data losses support this view.

The Ministry of Justice has suffered eight separate data losses involving 45,000 personal records. The Department for Work and Pensions has lost data affecting 16,800 people. In December 2007, a hard disk containing three million UK learner driver records was stolen from the Iowa City office of data processing bureau Pearson Driving Assessments.

In January 2008, the theft of a recruiting officer’s laptop saw the Ministry of Defence lose the unencrypted records of 600,000 recruits and potential recruits to the Royal Navy, Royal Marines and Royal Air Force.

Incredibly, the laptop was left overnight in the back of the officer’s car. Some of the records reportedly included passport details, national insurance numbers, driver’s licence details, family details, doctors’ addresses, and NHS numbers ­ – more than enough information to easily assume multiple new identities.

Since then, the MoD has admitted that 747 laptops have disappeared in four years, along with 121 USB memory sticks ­ – five of which reportedly contained secret data.
These losses are in spite of official procedures designed to prevent such losses, as Burns explained: “Government departments and agencies are required to apply government policies and standards,” he told us, “and should be regularly audited for compliance through the use of the CESG Listed Adviser Scheme ­ – a partnership linking the unique information security knowledge of CESG with the expertise and resources of the private sector.”