Tony Collins's IT Projects Blog

In December 2006, the Home Office made clear its plans to use CIS for the ID Cards scheme. The Home Office's "Strategic Action Plan for the National Identity Scheme, Safeguarding your Identity, said:

"... for NIR [National Identity Register] biographical information, we plan to use DWP's Customer Information System (CIS) technology, subject to the successful completion of technical feasibility work.

"DWP's CIS technology is already used to hold records for everyone who has a National
Insurance Number - i.e. nearly everyone in the UK."

But the CIS does not meet the Cabinet Office's latest security standards. The new rules were written after the loss by HM Revenue and Customs of 25 million child benefit records.

The National Audit Office said in a report on the DWP's computer schemes in November 2008:

"The Customer Information System has not yet received full data security accreditation under the new Cabinet Office rules for personal data. Work is underway to reach the necessary level."

Today, nearly a year later, the CIS still hasn't received accreditation - and the system is used by 200,000 civil and public servants, said the NAO.

The new Cabinet Office rules included a provision that:

"new systems containing protected personal data will be subject to mandated accreditation". This involves, in part, CESG, the commercial arm of intelligence centre GCGQ."

A spokesman for DWP told Computer Weekly:

"CIS is authorised for use and has robust security measures in place. Accreditation provides additional assurance through a comprehensive review of risks and measures. The process of upgrading CIS's security accreditation is underway and is expected to be completed in 2010.''

A spokesman for the Identity and Passport Service, which runs the ID Cards scheme, said that the use of CIS for ID Cards biometrics data is only an "option for the future". He said :

"There are no plans for the CIS to be used as the National Identity Register. All of the information relating to people issued with the first identity cards for British citizens will held securely by the Identity and Passport Service on a system provided by IPS contractor Thales.

"In the longer term we will put in place new systems for issuing both fingerprint biometric passports and identity cards. One option is to hold biographic information independently, but on the same technology used to hold biographic information by DWP for its CIS. However, IPS will only hold personal information in a way which is both secure and reliable."

Links:

Officials back away from scandal-hit database - ComputerWeekly.com

New Cabinet Office rules on personal data - Cabinet Office website

DWP Customer Information System - DWP website

NAO report on DWP systems including the CIS - NAO website

Glyn Moody

ID Cards security a problem? - well I never - No2ID Birmingham