The government has promised sweeping changes to the way data is
secured across Whitehall in the wake of the missing discs
review.
HM Revenue and Customs (HMRC) was considered "woefully
inadequate" in its handling of corporate data and its
managing of sensitive data was described as a "muddle through"
in two independent reviews last week.
Information Commissioner Richard Thomas will serve notices
requiring HMRC to carry out technical changes to secure its data
following investigations into the loss of discs containing
25-million child benefit details.
HMRC must report its progress on implementing the changes every
12 months for the next three years. "No chief executive can now say
that data protection does not matter," says Thomas.
An action plan, published by cabinet secretary Sir Gus
O'Donnell, addresses the technical safeguards that need to be in
place from now on, and which were found to be lacking in the
events leading up to the loss of the discs.
The over-arching policy limits the use of removable media
including laptops, removable discs, CDs, USB memory sticks, PDAs
and media card formats for storage or access to sensitive data.
Users will be allowed to access only data stored on secured
sites or through remote password-protected access.
Remote access will require cryptography conforming to the
Federal
Information Processing Standard 140. Computers used by staff to
dial into government databases must be patched and have up-to-date
antivirus protection.
Departments holding personal data on more than 100,000
individuals must hire IT experts to conduct penetration testing on
their systems. Government departments will need to keep electronic
logs auditing access to data.
IT systems that hold personal data will also have their security
accredited after major hardware or software upgrades approximately
every five years.
In addition to the IT changes recommended by the Cabinet
Secretary, the Independent Police Complaints Commission (IPPC)
report recommends that HMRC trains and communicates an
understanding of data protection and security to staff.
The government's own report says the success of its information
security would depend on fostering a culture of valuing and
protecting information.
But the discs remain missing and the government has not held
anyone accountable for their loss.
The director of public prosecutions offered staff at the centre
of the case immunity from prosecution under the Data Protection Act
for any "inadvertent breaches" of security, although no misconduct
or criminality was found.
Vince Cable, Liberal Democrat Treasury spokesman, said the
inquests into the incident focused on "cultural failure" while
failing to hold individuals accountable for failures.
"We now have something new called 'cultural failure', which is
an all-pervasive management mess for which everybody is to blame,
but no individual is responsible," he says.
Poynter review IT recommendations
● Move to a single customer record for individuals and a single
customer record for all parts of the organisation to reduce points
of risk
● Introduce powers to allow HMRC to specify secure methods of
exchanging data with its customers
● Transfer of digital data involving physical media should be
phased out
● In the short term, any removable media should be encrypted so
that if they are lost or stolen any data or information on them
cannot be accessed
Government action plan on data security
● Departments must have their systems tested by independent IT
experts, to expose any security risks
● Departments holding personal data on more than 100,000
individuals must hire IT experts to conduct penetration testing on
their systems
● Civil servants who need access to sensitive data outside the
office must dial in on a home system or through a remote secure
channel, rather than transfer data on a mobile device
● All devices must be encrypted and the use of discs will be
phased out
● The government plans to minimise access rights to information
and will keep logs of electronically held information
HMRC lost disc timeline
1 March 2007
National Audit Office (NAO) makes first request for details of
all new and terminated cases of child benefit claimants - between
600,000 and 800,000 people
12 march 2007
HM Revenue and Customs (HMRC) confirms that the NAO is entitled
to the information
2 October 2007
National Audit Office formally asks HMRC for files on child
benefit claimants
18 October
HMRC tells the NAO that the CDs have been sent
24 October
NAO informs HMRC that the discs have not arrived. NAO asks for a
second set to be sent - it needs them urgently to ensure an audit
of HMRC's accounts is not delayed
25 October
NAO confirms receipt of the second set of discs. Staff point out
that the first set has still not arrived
5 November
HMRC confirms that the first set of CDs is still missing
8 November
NAO begins a search for the missing CDs and the loss of the data
is raised formally as a security incident. Senior management is
informed - but not the chancellor of the exchequer Alistair
Darling, who is responsible for HMRC