A Data Tsar?
Despite having ‘regulations’ in place to ensure the protection and immutability of personal information, here in the UK we actually do very little to ensure companies or government agencies are held accountable when data loss occurs. Take a look at the list of ‘enforcements’ on the ICO website: I don’t see many big fines or corporate heads rolling, more a softly-softly approach consisting of joint agreements and undertakings to improve.
Today the MOD announced yet another very serious breach of security with disks going walkabout that contain confidential information on nearly half the personnel of the British armed forces. Here in the UK valuable items usually get some sort of escort when in transit, be it gold bullion, jewels or a wad of £50 notes. When 25 million confidential records (worth millions in the wrong hands so we are told) are sent outside an agency in the UK some office junior puts it in his coat pocket with the intention to pop down the post office after his cigarette break. Not of course that the office junior is to blame but he/she will be the one who gets the P45 out of the experience.
<rant on>The way we treat data is just terrible, both in a personal and a corporate sense. As individuals we give or throw away old computers and mobile phones without giving a second thought to the personal or confidential information held within. We simply have not had enough time or experience with living in a world where our data goes with us 24/7. We are not conditioned to automatically protect the digital information we keep on or about our person in the way that we would protect something tangible like a passport or birth certificate if it were in our possession. Neither do we possess the skills required to adequately remove that digital information from the current device when a new phone or computer takes our eye. Understanding just how big our digital footprint is and subsequently protecting it from misuse/abuse is an area of daily life that I imagine 80% of the population simply do not understand. <rant off>
Below are links and summaries of just some of the cases of data loss that have occurred in the last two or three years in the UK alone:
Child Benefit records of 25 million people
Alistair Darling told the House of Commons this afternoon that a police investigation has been launched into how Her Majesty’s Revenue and Customs has lost child benefit records relating to 25 million people.
Lost details of 100,000 servicemen and women.
The Ministry of Defence and contractor EDS are frantically checking the bins this morning for a missing hard drive containing records of 100,000 servicemen and women and their families.
87 USB Sticks containing Classified Information
The UK Ministry of Defence has told parliament that it has lost or had stolen some 87 USB sticks holding “protectively marked” – ie classified – material since 2003.
The Ministry of Defence has lost 11,000 military ID cards in the last two years, the government has admitted to parliament.
Details of 600,000 potential Navy recruits
The Ministry of Defence has admitted losing the details of 600,000 people after the theft of a laptop from a Royal Navy officer in Birmingham last week.
Prison Service Courtesy of EDS
An estimated 5,000 prison officer and admin staff after private contractor EDS mislaid a sensitive portable hard drive
Names, addresses and expected release dates of all 84,000 prisoners in England and Wales were on the portable USB memory lost by PA Consulting, a Home Office contractor. The lost files also contained data on up to 40,000 repeat offenders, and the initials of people on drug-treatment programmes.
Bank Details found on Motorway
A box of files belonging to UK insurance group Prudential and including the banking details of 200 customers has been found on a motorway slip-road after it apparently fell out of a courier’s van, according to press reports.
Virgin Media – the entertainment and communications arm of Richard Branson’s Virgin Group – has lost an unencrypted computer disc containing the bank account details of 3000 UK customers.
3 million Learner Driver Records
It is estimated that up to three million learner drivers’ details were lost in the incident, which is alleged to have occurred last May.
Following reports that a laptop containing the details of 122 former directors of insolvent companies has been stolen from its Manchester offices, it has been revealed that this was one of four laptops stolen. Although no bank account details were held on the directors, names, addresses, dates of birth and occupations were. The Insolvency Service also reported that a further 150 people have been directly affected by the loss of the data…
Info sourced from (amongst others):
- www.theregister.com
- ukliberty.wordpress.com/data-loss/
The OM View
It would be wrong to tar every UK organisation with the same brush – many organisations both take the value of data seriously and have implemented holistic data safety reviews. (One IT administrator I know recently got his local government employers to change the water sprinklers above his SAN system after returning from a data storage training course: did he really need to go on a course to think about that!!) However, industry-wide application of safe data handling practices still seems ad hoc and is often proven dangerous. Why not regulate that data of certain types must be stored encrypted? Why not regulate that other data types should be transferred offsite via encrypted transmission (which can be far stronger than an encrypted back-up device like a tape)? How can it be that 1000s of Visa/Mastercard records are put into a single, easily copiable location? What we have is a computer industry fighting over “how-to-do-it” patents, rather than regulatory-led standards.
Maybe we need a data tsar in the UK whose role it is to oversee the creation and deployment of such standards and regulations. [update: we have an information commissioner (data tsar), Richard Thomas has been in the role since 2002. How many incidents of missing data since 2002?]
There may be some light at the end of the tunnel for us as consumers though as we appear to be more sceptical about just what steps are being taken to protect our personal information. Companies and government agencies alike should be forced (not encouraged or kindly asked) to publish the processes and technologies they use to protect our data. An annual report should be published that gives a league table of the companies with the worst records for data loss and of course those with the least incidents and best practices. That way, we the consumer would be able to choose who we trust (or not as the case may be).
Comments welcome…
[update] Watched Panorama on the beeb this week. Richard Thomas spoke about more needing to be done to protect our confidential data and that maybe we are going too far with the planned central database which will hold information on ‘everything’ we do. It is good to see he is becoming more vocal but surely he needs to implement more policies and dish out real and meaningful punishment, do more than just wax lyrical please Mr Thomas.
[another update]
Came across this article today detailing how Mr Thomas has failed to protect his own data … priceless.
More Data Loss
Scottish Police lose a memory stick containing details of 750 cars that are “of interest” to the police.
About this entry
You’re currently reading “A Data Tsar?,” an entry on MatrixStore
- Published: 10.10.08 / 7am
- Category: Archives, Archiving, MatrixStore, industry, storage

