21 November 2007

Alistair Darling And "Junior Officials"

So, the entire child benefit database was sent by a junior official from HMRC in Newcastle to the audit office in London through a courier, TNT, on 18 October.

If a junior official has access to 7.25 million bank accounts, how many junior officials are there? 100? 1000? How "junior" was the junior official? No one seems to want to say if the junior official in question has been fired.

If an ID card scheme goes ahead, how many "junior officials" will have access to all the information about everyone in the country?

The UK has the world's largest DNA database, with 4 million profiles. Anyone arrested for an imprisonable offence can have a sample taken without consent. It also holds samples taken from crime scenes by police. How many "junior officials" have access to that?

The NHS wants to create an "Electronic Patients Record System" with all records online in a database. How many "junior officials" will have access to that?

ZDnet.co.uk:

Who thought transporting such information physically was the best way to do it? We're told that a junior official was responsible — but why do junior officials have, or indeed need, access to the entire, downloaded database? And why did the junior official think that a courier was the best way to transport such a vast database of such valuable, personal information? Is data security at HMRC really so bad that sending physical CDs was considered more secure than electronic transmission? What risk assessment did they use to come to that conclusion? Is there even a risk-assessment procedure in place?

Richard Thomas, the Information Commissioner, was on Radio 4 this morning:

It's almost certain that they’ve broke the [data protection] legislation … Any aggregated system of collecting information must be proof against criminals, it must be proof against idiots, it must be proof against those who do not follow ordinary rules or procedure … You don’t assume security is ok, you take active steps to monitor what’s going on … We have to have the powers and resources to do our job properly. I haven’t got the power as the Information Commissioner to inspect the processing of any organisation without the consent of that organisation. I’ve told the government, and I’ve told Parliament, we need to have the power -- as our European counterparts have -- to inspect what’s actually going on inside organisations without their consent.
