22 November 2007

Alistair Darling And Datagate: Day 3

From two missing CDs, we have a long-term problem, especially for young people affected:

Helen Lord, from Experian: "The children whose names, addresses and dates of birth have been lost are also at risk, especially those who are between 15 and 17 years old now. The fraudsters will wait until they turn 18 and start applying for loans, credit cards, mobile phone contracts and other credit products in their names. That could have a catastrophic effect on their ability to get on the housing ladder, rent a flat, obtain their first credit card, obtain a loan for their first car, even open a bank account."

Anatole Kaletsky, in the Times, points out that it's not really about "junior officials" but what ministers required from computer boffins at the Revenue and Customs.

A junior official at HMRC may have been directly culpable in the case of the missing discs, but true responsibility is clearly located farther up the hierarchy. The obvious problem lay in the way that HMRC computers were designed and managed, which would seem to pin the blame primarily on the computer boffins, many of them working for private consultants, rather than civil servants themselves.

Just as the FSA and the Bank of England were regulating Northern Rock within a system designed by Gordon Brown in 1998 to satisfy the criteria that he considered most important, computer consultants design systems to achieve objectives ultimately specified by ministers. The question therefore is how much importance ministers attached to security and how this was defined.

Gordon Brown has given the Information Commissioner, Richard Thomas, new authority to carry out “spot checks” on government departments. This is less than a month after the government told a House of Lords committee that "the current enforcement regime for data protection is fit for purpose." However, Thomas is demanding far wider powers:

A spokesman said: "We want powers to carry out full audit and inspection powers, not just in Government departments but in local government and private companies."

Mr Thomas also wants the power to mount criminal prosecutions when serious breaches of data protection laws occur. At present he can issue only an enforcement notice, which results in a prosecution if an organisation fails to comply. Most prosecutions take place in magistrates’ courts, where the maximum fine is £5,000, rather than in the Crown Court, where an unlimited fine can be imposed.

Mr Thomas said: "It is important that the law is changed to make security breaches of this magnitude a criminal offence. Making this a criminal offence would serve as a strong deterrent and would send a very strong signal that it is completely unacceptable to be cavalier with people’s personal information."

It's a significant demand.

Internet service providers, search engines, supermarkets and their clubcard points databases, and e-commerce companies are retaining an expanding mountain of data on all of us.

Tesco is selling access to [its] database to other big consumer groups, such as Sky, Orange and Gillette. "It contains details of every consumer in the UK at their home address across a range of demographic, socio-economic and lifestyle characteristics," says the marketing blurb of dunnhumby, the Tesco subsidiary in question. It has "added intelligent profiling and targeting" to its data through a software system called Zodiac. This profiling can rank your enthusiasm for promotions, your brand loyalty, whether you are a "creature of habit" and when you prefer to shop. As the blurb puts it: "The list is endless if you know what you are looking for."
