A Whitehall department that is to supply some of the key
technology for the ID cards scheme is trying to find out how
its systems and processes allowed confidential information on up
to 26,000 people to be compromised.
More than a week after the Department for Work and Pensions (DWP)
discovered that it had accidentally sent bank, national insurance
and personal details to the wrong people, it was unable to say why
it happened. "The investigation is ongoing," said a spokesman.
The incident shows how an unexpected - and as yet unexplained -
weakness in controls, processes or systems, or a combination of
these, can allow a department with long-established procedures to
disclose confidential citizen data accidentally.
Alexis Cleveland, chief executive of the Pensions Service, part
of the DWP, said the failure "should have been spotted sooner".
She added, "We are working very closely with our IT provider to
identify who has been affected."
The department told Computer Weekly that the accidental
disclosure was a "separate issue" to its work on providing part of
the technology for the ID cards scheme.
The National Identity Register - a database of citizens created
to support the issuing of ID cards - will use some of the hardware,
software and operations capability that is supplied by the DWP for
its Customer Information System.
Whitehall officials emphasised that the ID cards database would
not use data held in the DWP's Customer Information System - only
the system's technology and operational capability. The register
will be filled gradually with fresh and verified information
derived, for example, from interviews with applicants for
replacement passports.
A spokesman for the department said, "With regard to the DWP
Customer Information System, there are strict measures in place to
protect the integrity of people's data. Access to the information
is only allowed where it is legal to do so, and it is restricted to
the specific business needs of the customer.
"Specific controls are in place to restrict who can see each
field, which manages the risk of unauthorised or inappropriate
access."
Other Whitehall officials said that, under proposals for the ID
cards scheme, biometric and other personal information would be
held on separate databases, making it highly unlikely that someone
without authorisation could gain access to both sets of data.
The problems came to public attention after some of those
affected contacted the BBC's Today programme.