Datagate: the truth
I write this month’s column during a bad few days for data protection in the UK. You may recall a story I broke online back in May 2007, which led to the Foreign Secretary launching an independent investigation (I was thanked for my part in closing the security breach) and another being started by the Information Commissioner. Its gist was that the UK government, by outsourcing the online application facility for UK visas to various global locations including India, had put the personal data of applicants at risk for several years – the Mickey Mouse security measures in place allowed anyone to literally stumble across private information, including passport numbers, employment details, addresses and travel plans. Terrorists and ID thieves alike would have been having wet dreams about it had they known this breach existed.
That’s why I took the perhaps unusual step for a journalist – I like to think it was the ethically correct one – of informing the company responsible (VFS Global) and the government before running my story, only going public 24 hours after I was certain the breach had been sealed. Then, the brown stuff hit the fan: Channel 4 News ran the story as its lead, and folks higher up the political food chain were forced to take notice.
Six months on, that investigation by the Information Commissioner’s Office (ICO) is complete, and it concludes that the Foreign & Commonwealth Office (FCO) was in breach of the Data Protection Act, whose seventh principle states that “personal data shall not be processed unless… appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. The ICO has now required the FCO to sign a formal undertaking to comply with the principles of the Data Protection Act, and failure to meet the terms of this undertaking is likely to lead to further enforcement action by the ICO. Mick Gorrill, Assistant Commissioner at the ICO, told me: “Organisations have a duty under the Data Protection Act to keep our personal information secure. If organisations fail to take this responsibility seriously, they not only leave individuals vulnerable to identity theft, but risk losing individuals’ confidence and trust.”
What a shame then that within a week Her Majesty’s Government was once again facing data protection compliance meltdown, with the news that the Revenue & Customs had managed to “lose” a couple of CDs containing the personal data – including national insurance and bank account numbers – of some 25 million people claiming child benefit in the UK. I won’t go into all the political ins and outs of this affair, as I’m sure you’ll have read more than enough online and in print already. However, the point that leapt out and slapped me across the face like a wet fish on a cold morning was that the ability to burn that entire database onto a disk even existed in the first place. Forget that some junior member of staff was able to use an unrecorded internal postal system to send this data to another department, and could do so without even encrypting it first – that’s a mere bagatelle alongside the fact that this rudimentary copying risk should ever have been permitted in the first place. It’s among the easiest of technical protections to implement.
At this point, I’ll accept I’m following the expected route for a security specialist, by talking about threat assessment in terms of technology when all too often the real risk to data is actually people rather than devices. The truth is, however, that by separating the two when creating a security strategy, you leave a wide chasm into which the data criminal will be able to jump – technology and people must be treated as a single entity in security terms, each one protecting the other. The “HMRC 25 Million”, as I suspect this incident will become known, illustrates the fact that security is only really taken seriously when people are putting out the resulting fires. Gordon Brown apologises for the breach, blames a junior member of staff, then gives the Information Commissioner the power to carry out spot checks on government departments without prior consent (which it’s been requesting for years).