Councils are failing to prosecute staff caught using a
sensitive government database to snoop on celebrities and members of the public,
disclosures under the Freedom of Information Act have
revealed.
Computer Weekly has established that
staff from at least 34 local authorities have misused the
Department of Work and Pensions' (DWP)
Customer Information System (CIS) database to look up personal
details of the public.
The database, which holds 92 million records on the population,
underpins the government's ID card programme. It stores sensitive
data such as ethnicity, relationship history and whether someone is
being investigated for fraud.
Nine staff have been quietly sacked from their local authority
jobs for abusing the database, nine have been given official
warnings, two have been suspended, four resigned and six had their
database access privileges removed, Freedom of Information requests
lodged by Computer Weekly have revealed.
But none of the local authorities have chosen to bring
prosecutions against their staff for abusing their access to the
CIS database.
Abuse of access rights
The revelation has prompted accusations that local authorities
and the DWP are trying to keep the breaches quiet.
Phil Booth, national organiser for campaign group
No2ID, said, "They are
reluctant to prosecute because that will give the wrong message
that the database is insecure from the inside."
"These are the people we are supposed to be able to trust," he
said.
"It is the job of the keepers of the National Identity Register
to keep external hackers out. The problem is insider access by
people already authorised."
Local authorities are required to sign a
Memorandum of Understanding that permits them to access the
"restricted data" on the CIS. It contains the threat of criminal
prosecution of staff who abuse their access rights.
"DWP will consider prosecuting individuals for misuse of
information held on CIS. DWP will support your local authority to
ensure appropriate disciplinary or prosecution action is taken in
serious cases," it states.
The Memorandum of Understanding gives the DWP rights to withdraw
CIS access from local authorities when "any individual user is
suspected of misusing the system".
Data and the law
But many of the councils told Computer Weekly that their
decision not to prosecute staff who have used the CIS database to
snoop on members of the public was taken in consultation with the
DWP.
Peter Sommer, an expert witness in computer crime cases and
visiting professor at the London School of Economics, said the
breaches have raised concerns that the law might be too weak.
The Computer Misuse Act could be used to prosecute someone for
unauthorised access to a database, he said, but not for looking at
information they should not see on a database they are authorised
to use.
The Memorandum of Understanding between local authorities and
the DWP says that requirements to keep data on the CIS database
confidential are "underpinned by legislation" in the Data
Protection Act 1998, the Social Security Administration Act 1992
and the Computer Misuse Act 1990.
"[This] binds DWP and your local authority to handle customers'
personal information in confidence... Your local authority has an
explicit responsibility for the security of the information and is
accountable for the actions of users with access to the CIS," it
says.
The Social Security Administration Act 1992 could be used to
send people to prison for snooping on social security databases
they were otherwise authorised to access, but only if it were
proven they had disclosed their findings to others, say
experts.
In at least one instance, a council worker passed on information
to a family member. The worker was given a warning.
A DWP spokesman said, "It is the duty of local authorities to
consider and enforce what is appropriate, including legal action
against their employees."
National Identity Scheme
A Home Office spokesman said the CIS breaches should not reflect
badly on the
National Identity Scheme, which is still in development. The
CIS might be pegged as the biographical store for the Identity
Scheme, he said, but Home Office data would be stored separately
from data held by the DWP and protected by "strict access
controls".
"IPS [Identity and Passport Service] will make the systems
supporting the National Identity Scheme as secure as possible,
building on an excellent track record with the current
passport database," he said.