Recently in privacy Category

Sackings mount over DWP data leaks

| No Comments
| More
DWP CIS security breaches - FOI - 23 MAR 2012.pngPublic bodies have sacked at least 120 staff for abusing their access rights to the Department for Work and Pensions' Customer Information System, a government database containing details of every citizen in the country that will be at the heart of the coalition government's Universal Credit benefits system.

DWP admitted the latest sackings to Computer Weekly as Channel4 closed a year-long investigation into cowboy private investigators who steal private data from government databases for cash. A Channel4 Dispatches documentary, aired last night, revealed how the rogue operators in the burgeoning security industry were getting illegal access to personal data stored in government databases. Undercover reporter Chris Atkins bought with just a few hundred pounds data about people's state benefits, health complaints and criminal records.

Local Authorities sacked 46 staff between January 2010 and March 2012 after they were caught abusing their rights to access the DWP database, Computer Weekly can reveal exclusively.

DWP itself sacked 57 staff in the two years to March 2012 after they were caught snooping for personal data in their own system, the department told Computer Weekly in answer to a Freedom of Information request.


The revelations bring to 120 the total known DWP database sackings since 2007. But this could be just the tip of the iceberg. DWP has disclosed information about only a small portion of those staff with access to the CIS. Having previously ignored requests for information about members of its own staff caught snooping, it has now revealed only those who were caught in the last two years.

The DWP citizen database is used by at least 200,000 people across almost the whole of central and local government. The DWP told Computer Weekly, as it has repeatedly since 2009, that it cannot reveal the full extent of data breaches on its national database because it does not "keep central records". HM Revenue & Customs, which employs a staggering 80,000 people, has refused access to information about any of its staff caught abusing their rights to access the DWP database.

Channel4's investigation found in response to another FOI that the DWP had, aside from sackings, disciplined 992 of its own staff in 10 months for breaching security of the CIS - five people every day. Full exposure of breaches and sackings at DWP and HMRC, which are merging their computer systems to form the Universal Credit benefits system, might damage the credibility of the flagship coalition programme.

Three years after Computer Weekly exposed the problem, local councils are still sacking people at the same rate. They have been forced to sack five staff on average every three months for snooping on on the CIS. Between January and March 2012, they sacked seven. Those sacked have been caught looking up celebrities, neighbours, family members, colleagues and acquaintances.

Channel4 Dispatches - Watching the Detectives - Chris Atkins undercover camera.jpegSpooks

The Channel4 documentary exposed a private investigator who bragged and then followed through on a claim that he could use an "internal contact" to get people's personal data for cash.

Stephen Anderson, director of Crown Intelligence and Security Limited, dredged up personal information about activists the undercover reporter said were causing a nuisance for a retail corporation. For £500, Anderson retrieved detailed records about claims for state benefits made by James Leadbitter, a climate change and anti-capitalist activist from Burnley.

On discovering illegal data breach, Leadbitter told the programme: "I feel sick. Why don't they just break into my flat and go through my stuff...I would struggle to get that information out of the DWP."

The source of the data was unconfirmed. The investigator did not reveal whether he used his inside contact or blagged the information by pretending to be someone he wasn't. The benefits data may have come from local authority databases or the DWP CIS. Further investigation not shown in the programme revealed that someone had been trying to blag data from a DWP call centre. It looked like the investigators were testing various well-trod routes to the data.

DWP claims the sackings prove its security checks are adequate: they catch staff who look up information they shouldn't. It records and tracks details of staff accesses on the system. It said the benefits data obtained by Channel4 did not come from DWP.

How Gov aimed to exploit personal data trade

| No Comments
| More
The £3bn trade in tip-offs about people caught in car accidents has exposed the seedy side of the personal data market. Seedier still are draft government plans to cash in on this bonanza when it ought to be sticking to the Tory manifesto promise to give people a right to call the shots over their own personal data.

Plans to replace Labour's ID scheme with a private sector system of identity assurance, which Computer Weekly revealed Cabinet Office had floated to industry in April, have led inevitably to a proposal for the private sector to become more active as custodians of people's personal data as well. This is already happening to a large extent but, much to people's dismay, the private sector seems less interested in being custodian than exploiter.

In the Cabinet Office plan, British citizens would be represented by electronic identity and attribute agents (attribute being jargon for an item of personal data) in a "marketplace in trusted data provision."

"The 'trusted attribute service' economy is based on the exchange of attributes (aka claims) which are data items from a trusted source relating to an authenticated individual," said the Cabinet Office draft technical blueprint.

"They also provide a mechanism for third parties to expose such data, and operate in a market for that service," it said.

It went on to say how government could cash in on the billions already being made in the market for personal data. The idea was that people build a network of trusted relationships online and personal data supplied from members of their network can be assembled in combinations of ever-greater numbers of attributes to meet higher and higher levels of security clearance. Companies providing that data could charge for it, like police forces and insurance companies have been charging ambulance chasers for tip-offs when people are caught in a car accident.

"Government attribute providers" would under the Cabinet Office plan exist in all major government departments and feed personal data about the citizens in their charge to private sector identity and attribute agents.

"Possible examples" of data the government could trade included "nationality", the "right to work", and verification of national insurance and driving licence numbers.

"The government could potentially charge the private sector for this service," said the draft plan.

That might simply involve verification of data: whether someone is a benefit claimant or a disqualified director, or a confirmation of their nationality. In the virtual world, a yes/no answer is indistinguishable from the actual transmission of a string of data such as: "unemployed, disqualified director, from Jamaica".

These were draft plans presented for discussion. Though it is not unknown for the government to trade in people's data. DWP had for example been giving BT access to its national insurance database under arrangements that have not been disclosed.

The Cabinet Office Identity Assurance Scheme could not rely on a private sector ID market if it did not engage in actual exchange of personal data with private sector providers. The draft plan proposes people should have control over the trade in their data. But it is tempered by a warning that this may not always be possible.

That, as has been demonstrated by the example of the insurance scam, is the element of the coalition government's private sector ID scheme set to match in dread Labour's Big Brother: a market in which people's "attributes" are traded in such a frenzy that it inflates prices, leading people to be fleeced simply for being "known", pestered by vultures like ambulance chasers, and with who knows what other unforeseen consequences.

An answer to this problem has been proposed by the personal data model government has piloted at Brent and other councils, and with which the DWP and Cabinet Office have been closely involved.

That is the Mydex model, in which people are given the means to control their own personal data in their own personal agent: deciding who gets to see it, who gets to use it and on what terms. It would even give people the means to flog their own data, making them the primary agents in any market.

If that sounds too good to be true, its because the market is already getting carried away with itself. Banks are getting in on the act, as if early evidence hasn't already shown how the personal data market can inflate to the detriment of ordinary people without their help.

The government needs to act quickly to carry its pre-election promises on civil liberties to their logical conclusion. That does not mean making a song and dance about dismantling Labour's ID scheme only to throw everyone's identities to the dogs in the private sector. That means ensuring people have the means to control their own personal data, wherever and however it is held.

Advisers foretold ID's doom

| More
The Identity Card Scheme offers a lesson in the infeasibility of IT systems held to political ransom. The cost of failure was too high for the Labour government. So the Home Office pressed on Quixotically with the system, despite never overcoming its critical weaknesses.

The picture that has emerged with the publication of last week's Independent Scheme Assurance Panel report is one of a government department hashing together on the fly a system of a size, complexity and sensitivity never before attempted. It may have been too big to fail, but it was also too much to handle.

The Home Office was obliged over the years to issue empty assurances that everything was under control and that it was addressing the repeated warnings given by ISAP. Can you handle a project of this size and complexity, asked ISAP in 2007. Yeah, 'course we can, said the Home Office - we've recruited some more executives.

In failing to deliver on those assurances, the department gave an indication of the amount of strain its IT experts must have been under. Working on a panacea project must be like happy-clapping at a cult.

The inconvenient imperfections of the ID plan were spelled out clearly in ISAP's 2007 report, compiled in the year after the Home Office cut the ribbon on the system blueprint and set their IT chumlies off on their futile quest.

After three years of development, the problems still had to be addressed. And very little of the blame could be put on the poor techies building the system. The snags were political. The fault was incompetent ministerial direction.

Writing on the wall

Data security risks identified in 2007 were never brought under control. And much else ISAP and good sense required of the ID project in 2007 was never fully addressed.

Public trust essential to the scheme was never secured. Inter-departmental differences over the accountability, funding and ownership of the cross-government system architecture were never settled. A "robust and transparent" system of data governance was never established. The system requirements were never properly defined and neither were its benefits, though both were crucial, it was and is commonly said, before the system could be properly designed.

Vital skilled staff were never recruited. A system of competent organisational governance was never established. Cross-government support was ever obtained and a cross-government standard of identity data and management was never agreed.

It was being built, against ISAP's advice and accepted wisdom, on "shifting sands". And contracts with suppliers were let, to satisfy a political timetable, despite these crucial preliminaries not being clarified.

This must have been especially awkward for the Home Office and may explain why it disbanded ISAP in 2009. No matter that the oversight panel was set up after the Home Affairs Select Committee said in 2004 that the Gateway review process (through which the Office of Government Commerce usually seeks to prevent embarrassing IT failures) couldn't be trusted to oversee a "project of this scale". Don't worry, said the Home Office, we'll set up an independent oversight board.

Had the Home Office given ISAP more credence, a lot of time and money may have been saved. The panel's first public warning put the writing on the wall: data loss will lead to a loss of public trust that, it implied, would be the project's ruin. There were real risks of data loss, it said. Something had better be done about it because people won't stand for it.

Mind bending

This was to be done with a PR exercise that would win public trust by showing how security concerns had been addressed. People would be told the system's tolerance for errors. Said system would have not only to be "robust" but also "well respected".

The problem was swept under the carpet. Civil servants were being sacked for snooping on the Customer Information System (the DWP database that was to form the biographical core of the ID system) before the scheme began. They were still being sacked after the scheme was scrapped in 2010. The DWP's precautions were shoddy, the security leaks were proving unmanageable and the DWP refused to reveal the error tolerance of the CIS. It may not even have known.

You have to wonder how the ISAP overseers felt about it all in the end. Nokia CEO John Clarke, Cranfield Professor Brian Collins, ex-First Direct Bank CEO Alan Hughes, BAA IT director Malcolm Mitchell, and ex-HSBC Bank CIO Fergie Williams: these sort of people are not used to being fobbed off.

Being from the commercial world, they are also accustomed to developing systems that rely for their success on customer choice. Paradoxically, they advised that the ID scheme would only succeed if everyone was forced to use it. This exposed the lie in Blair's ID sales patter, the come-on-you-know-you-want-it approach to civil security: everyone was going to get it anyway, whether they liked it or not.

Sad ending

"To be successful," the ISAP said, "the scheme has to become the government's (and the commercial sector's) primary means of identifying individuals and controlling updates to and use of their data."

It sounds preposterous now. Citizens no more like the Home Office watching them for their own good than foreigners like having bombs dropped on their heads for their own good.

The ID scheme gives us one other amusing paradox to ponder. From ISAP's perspective, it demonstrated how a lack of transparency in public policy and execution led inevitably to costly failure. Yet had the government come clean about the risks, it may never have won the public's support in the first place.

Transparency is the only hope we have of overcome the endemic problem of public databases being snooped.

What support people had given ID was befooled. The sands shifted so much under the ID scheme that it's hard to say what it was meant to do in the first place. Someone should nose around the Home Office with that very same question in mind. When they come across its fascistic database of identity-carded foreigners they might ponder whether it would ever have been approved either had the opening sales gambit not been ID-for-all.

Papers please!

| No Comments
| More
The House of Lords has been scrapping Identity Cards this last fortnight. Sort of.

It's not simply a matter of "scrap the ID scheme", as the coalition government promised. It's like one of those magic tricks: the Identity Documents Bill will make ID cards vanish but - tadaah! - the government will still be holding the powers that made them so objectionable in the first place.

This ID scrapping bill won't be enough "to stop the development of a 'papers please' culture in Britain," says No2ID in its brief on the legislation.

That 'papers please culture is the one in which bus conductors have been replaced with revenue inspectors. It's the one in which a jolly whistle and the ting-ting! report of a portable ticket machine have been replaced with the hiss of a walkie talkie and the rustle of bomber jackets as they huddle round.

No2ID takes particular offence at how the ConDem's ID legislation will make it a criminal offence with up to 10 years imprisonment to try and carry off a false ID.

There are no end of reasons why someone might justifiably goof some busybody official into thinking they are someone they are not. They might want to send Transport for London's heavies the the wrong way for a start.

Or they might want to get lashed before they are 18. No2ID reckons the last government lost no time in seconding its terrorist-nabbing ID legislation to the task of bagging underage drinkers.

Yet the strangest thing about the ConDem's ID Doc's Bill are in is its Clause 10. And they are its data sharing powers. The ConDem's will with this bill introduce a wide power for linking disparate data sources to passport records, to keep them for police intelligence and to extend them at the home secretary's discretion. Just the sort of powers they protested about in opposition.

IBM will meanwhile continue operating the stump of the ID system, the National Biometric Identity Service (NBIS) database, as a database of foreigners. Liberty notes rather politely the "divisive and objectionable" fact foreigners will still have to carry ID cards in Britain.

It as though the nation has forgotten the plot to The Great Escape, though it is possibly the most replayed movie in history.

Not that you can compare British officials to Nazi commandants. The ID Docs Bill doesn't give them the power to take you into the woods to have you shot if you have the wrong papers. They will merely have the power to send you to prison for 10 years.

ID v2.0 - the ConDem Pitch

| No Comments
| More
Want to know how the Identity Scheme will look under the ConDems?

Mydex, the company providing the technology for the government pilots* spelled out the vision for ConDem ID v2.0 at Socitm 2010.

We recorded the pitch. You can hear it using the podomatic player below.

The Cabinet Office tells us it dusted off the Crosby report for the occasion. Crosby said in 2008 that if the government wanted a sensible ID scheme it should leave it for citizens to sort it out themselves with the private sector. Be done with this big brother database, said Crosby between the lines. So the government kicked his report into the long grass. And it seemed like we'd never hear of it again... 

Until the  28 August, when the coalition government certified its commitment to a liberal identity scheme in the Official Journal of the European Journal.

It called for companies who can furnish people with a proof of identity the government can use to deliver them services. It wanted ideas for the...

"...establishment of the provenance of identity, verification of a person against an identity, verification of the authority to conduct the transaction, validation of personal data related to the identity, fraud prevention, malware prevention, and assurance of appropriate security when accessing a public service through all channel types including but not limited to online and telephony."

The DWP's Tell Us Once is taking the lead on this. The idea is after all to allow people to look after their own personal data, instead of having the government do it for you, or to you. Just as Crosby recommended. How extraordinary it now seems that it may have been any other way.

Jerry Fishenden, the LSE fellow and Cameronean think-tank compadre, says these plans are so old they go back to the December 2000 plan for an E-government Authentication Framework.

The US has since leapt ahead with the same ideas. They'll probably be doing our ID systems for us before long.

Fishenden's written a paper about what the yanks are doing and why we're now doing it too: it's called The Obama Effect, apparently.

* being run the the DWP, HMRC and Brent, Croydon and Windsor & Maidenhead Councils

Microsoft launches HealthVault - your personal health record?

| More

Microsoft is today launching HealthVault in the UK, a personal health data repository which has the implicit support of the Conservatives

John Coulthard, Senior Director Healthcare and Life Sciences at Microsoft, says:

"According to research, 13% of the UK population are actively interested and engaged in looking after their 'wellness' - i.e. they do things such as exercise regularly, look after their diet, monitor their weight, take their temperature and blood pressure. Many of these people record this data in a variety of places - from apps on their phones to scraps of paper.

"Today, with the launch of Microsoft HealthVault in the UK, we are offering those people a central repository for that data, where information can be entered manually by an individual for themselves or their family - or automatically from a range of compatible devices including weight scales, blood pressure monitors and pedometers.

Summary Care Records - too big to fail?

| 1 Comment
| More

"Given that [the Summary Care Record scheme] is not particularly effective at improving health care, the project has to be seen to be a success in some other way."

Emma Byrne is one of the authors of a confidential draft report on the Summary Care Records scheme.  She'd worked on the report with a team from University College London.

The latest report of her team was completed in March 2010 but hasn't been published, perhaps because some of its findings were not greeted warmly by the Department of Health. The Department and NHS Connecting for Health commissioned the SCR report from University College London.

Now Byrne has written an article for the Open Rights Group on NHS IT, the NPfIT and particularly the SCR scheme.  She is on the ORG's board.

Tell your GP a secret - and 900 council staff may have access to it

| More

                 - Elizabeth Dove's visit to her GP for depression may be an open secret on the Isle of  Wight,  since  966 council staff have access to her medical data. 966 is about 1% of the adult population of the island.

                - GPs across England routinely share mental health data with PCTs which share it with thousands of local council staff.

               -  GP Paul Cundy says the case of Elizabeth Dove is an ominous warning for the sharing of Summary Care Records data under "implied consent".


In 2008 Elizabeth Dove (a pseudonym) saw her  GP to ask what could be done about her depression.

Some time later Dove had a dispute with her local council, a matter entirely unrelated to her health.

Pursuing her complaint to the Isle of Wight council, she submitted a request under the Data Protection Act to be sent all the information the authority held on her.

To her dismay, she received sensitive data from her GP health records. It came from officials at the local council's housing department - with whom she had the dispute.

It turns out that her health data was held on a joint council and primary care trust system "Swift".

She hadn't consented to her health records being shared with the local council.

Dove said in an email to me:

"I feel very let down and betrayed by the NHS and my local council. I feel particularly that my trust has been broken by the NHS regarding the sharing of my medical information . Local authorities and public statutory organsisations seem insensitive to a person's basic human rights to personal privacy."

My article on this blog about Elizabeth Dove was picked up by investigative journalist Donal MacIntyre who hosts a programme on BBC Radio 5 live.

When Bob Howard, who works on the Donal MacIntyre programme, asked the Isle of Wight PCT and the IW Council for a comment on Elizabeth Dove's concerns, he learned that 966 council staff have access to the "Swift" system. 

Could Gov't misuse Summary Care Records for self-serving reasons?

| No Comments
| More

Dr Phil Peverley, a GP in Sunderland, writes in Pulse:

"...The Times, on 11 April, reported that the Labour party had sent 250,000 'cancer postcards' to various women.

"Addressed to the recipients by name, they warned that the Labour guarantee to see a cancer specialist within two weeks would be scrapped by the Tories.

"The cards also claimed that the 'right' to be treated within 18 weeks would be abolished by that same political party. They included a message from a breast cancer 'survivor' praising her treatment under Labour."It is not possible to know exactly who these cards were sent to, because Labour won't say. The recipients may have been selected randomly. But the Times article featured four women - all of whom had cancer or were being investigated for it - and they were the only women they knew who had received one.

"We don't know where the Labour party got these names and addresses. Not from the care record, because it isn't that developed yet. But who would think the care record would not be abused when we can't control who has access?

"Rare" bug in iSoft software led to mix-up of patient data

| No Comments
| More

Computerworld New Zealand reports that a bug in an iSoft application used at Gisborne Hospital led to patient details being displayed under someone else's record.
The report says that a bug in Healthview went undetected for two years.

Investigation and notification to iSoft brought to light a system error within Healthview and affecting most local sites using the product, said the hospital in a statement.

Subscribe to blog feed


-- Advertisement --