Monday, November 02, 2009

Don’t Put Your Data With The State, Mrs Worthington!

Several more examples of firstly, the way in which the authoritarian state continues to acquire data of questionable legality on law-abiding citizens, and secondly, a cavalier attitude by corporates and public sector bodies alike to data protection, and the security and privacy of individuals’ personal data, came to Clameur de Haro’s attention in the past week.
In the financial world, Zurich Insurance finally admitted losing the personal account details for over half a million people, more than a year ago. The personal details of no fewer than 51, 000 British customers were among data backed up on a tape which was on its way to a South African data storage centre when it was lost in August 2008.
That’s bad enough, but at least people can choose to place their business with an alternative provider and not with Zurich if they feel its custodianship of their personal details is negligent or deficient. Unfortunately no such choice arises in the case of data required to be held by public sector or government agencies. 

The Home Office, in a written answer to a Parliamentary question, admitted that the estimated number of people whose DNA profile is stored by the government has, for the first time, gone through 5m, with some 5,094,568 individuals now thought to be represented on the National DNA Database: on an estimated replication rate of about 13.8 per cent, this means that the number of actual DNA profiles is 5,910,172 - about one for every ten people in Britain.
This unrestricted growth of what is, on a per capita basis, the world's largest repository of human DNA information has continued despite the New Labour regime’s defeat at the hands of the European Court of Human Rights last December, when the ECHR ruled that the policy of retaining – permanently - the DNA profile of every single person ever even arrested (not charged or convicted) in relation to any offence, no matter how comparatively trivial, was manifestly illegal. So far the New Labour regime has taken no action to comply with the ruling.

The UK Information Commissioner revealed (tellingly, only as a result of a demand under Freedom of Information legislation) that there are more data loss reports being submitted to him from companies and governments than ever before – 356 for the period November 2008 to September 2009, compared with 190 in the equivalent period in the previous year. The biggest cause of loss, in 198 incidents, was lost or stolen hardware, usually laptops and memory sticks, while 78 were due to data disclosed in error, typically discs or memory sticks being mis-addressed.

The most recent figures released by the Commissioner in normal course (October 2008) also showed that, of 277 incidents since HMRC lost the entire UK child benefit recipients database a year earlier, no fewer than 197 came from the public sector.
Then it emerged that the UK's Rural Payments Agency (RPA), five months ago, lost tapes which contained the payment details of more than 100,000 farmers in the UK. The agency told DEFRA (the Department for Environment, Food and Rural Affairs), but DEFRA told nobody else, and certainly not the farmers affected.
DEFRA appears to be trying to finger IBM for the loss. Apparently, 39 backup tapes were transferred by the RPA from its Reading offices to Newcastle, following which the tapes then “went missing”: 37 were subsequently found, but not the other two. DEFRA is alleging that the tapes were simply placed on the wrong shelf by the IBM staff who actually operate the RPA data centre in Newcastle.

The last definite record of the tapes' existence was in June 2008: it was only in May 2009, according to the report seen by CdeH, that IBM staff realised the tapes were missing and reported the loss to the RPA, who then told DEFRA. DEFRA has suggested “that it is likely that the lost tapes have been destroyed without anybody realising”. Vaporisation perhaps? Spontaneous self-combustion, maybe?
While bad, none of this should have been too serious in practical effect however, because the tapes and the data on them would have been encrypted and passworded, surely? Er………no, ‘fraid not, this is a government department we’re talking about, after all.
DEFRA has tried saying that all this doesn’t matter, because “extremely specialised equipment” would be needed to extract the data off the tapes. Clameur de Haro’s techie adviser, when asked about this, just laughed – seemingly, said “extremely specialised equipment” basically consists of a tape drive and backup software, the kind of equipment stocked by every tape-using IT store and freely purchasable over the internet.
This may all seem a bit remote from Jersey – but just how comfortable can we be that, somewhere within the vast edifice of personal data held by the States, there isn’t a similarly cavalier approach to data security, or worse, a similar debacle already perpetrated but being feverishly concealed from public view?
Meanwhile, the only sensible approach seems to be to give the state as little personal data as possible.
Add to del.icio.usDigg It!Stumble This

No comments: