Staff at 30 local authorities have been responsible for
"serious security breaches" in the government database that will
form the core of thenational ID cards
programme.
Local authority staff have viewed sensitive personal records on
the Customer Information System (CIS) run by the Department for
Work and Pensions (DWP), it emerged today.
The database contains information on nearly everyone in the UK,
including all benefit recipients, pensioners and anyone with a
national insurance number.
Routine checks have unearthed security breaches by staff at 30
local authorities since 2006, who accessed personal records
"without business justification".
The DWP CIS database will form the core of the biometrics-based
national identity register, under the government's ID cards
programme. DWP data is kept separately from the national identity
register data on the CIS system.
Prosecution warning
The DWP warned local authorities in January that it might
prosecute staff found accessesing the CIS illegally if the local
authorities did not take action.
"Regrettably, checks have identified some local authority staff
are committing serious security breaches," the DWP told local
authorities in its Housing Benefit and Council Tax Benefit General
Information Bulletin on 15 January.
"DWP will support your local authority to ensure appropriate
disciplinary or prosecution action is taken, and may consider
prosecuting directly under social security legislation," it
said.
The bulletin said staff should not access CIS records about or
on behalf of their or their colleagues' friends, relatives,
partners, or acquaintances. Nor should they share their government
passwords with other people.
The DWP said the breaches were all "view only" accesses of
personal information stored in CIS records where there was no
business justification for the access.
Security vulnerabilities
The latest breaches demonstrate how there may be security
vulnerabilities inherent to the government's data sharing
programme. Councils which use the CIS database can also access HM
Revenue & Customs data.
The courts, legal services, the Department for Schools and
Families, and others have access to DWP data under data sharing
arrangements. The DWP also gives the private sector access to its
CIS. BT uses the CIS to administer its social telephony scheme. It
is not known whether security breaches have been committed by staff
accessing the CIS database from any of these other
organisations.
The DWP said in its statement that the CIS breaches were few and
demonstrated how secure its systems were.
"The small number of breaches shows that the CIS security system
is working and is protected by several different audit and
monitoring controls, which actively manage and report attempts at
unauthorised or inappropriate access," it said.
An Identity and Passport Services spokesperson said, "The IPS
will make the National Identity Scheme database as secure as
possible, building on an excellent track record with the current
passport database.
"Legislative protections will ensure deterrent protection
against people misusing the system.
"Furthermore, it will be a criminal offence to make any
unauthorised disclosure of information from the database.
"The database will also be subject to the independent scrutiny
of both the Information Commissioner and a new Identity Scheme
Commissioner."