Housing Corporation lost data on the Tube

A disaster recovery exercise by the Housing Corporation last month left officials visiting London Underground's lost property...

A disaster recovery exercise by the Housing Corporation last month left officials visiting London Underground's lost property office in the hope of reclaiming mislaid back-up tapes containing commercially confidential information on hundreds of UK housing associations.

A document from the corporation's internal audit department, seen by Computer Weekly, admitted the embarrassing loss of information about organisations that receive £1.3bn of taxpayers' money each year from the corporation.

"Fortunately, due to system design, the security risks associated with this are small. It would not be possible to use the lost data to transfer funds," noted the document.

"Nevertheless," it went on, "there is a small risk that commercially confidential data could be compromised."

The corporation's audit department highlighted efforts made to recover the lost tapes. "As a 'lost property' item several visits have been made to the Transport for London lost property office and ongoing recovery action remains in place," the document stated.

Although the corporation did not try to simulate the loss of its main datacentre, the exercise uncovered a series of weaknesses in the organisation's preparations.

It noted a failure to document procedures and system installation requirements and highlighted failures to lodge passwords and details of bespoke software build with the corporation's solicitors.

The document pointed out potential financial problems with its current application service provider contractor, Freedom 2000. It also highlighted staff opposition to moves to extend outsourcing to cover desktop services - the controversial contract with Elonex that the Housing Corporation hopes to sign in the next few weeks.

"The general staff situation remains unsettled and there is considerable resistance among IS department staff to the transfer of operations to an ASP," the internal audit report warned. "It would be unwise to assume that in a real disaster recovery situation staff co-operation would be totally forthcoming.

"At the present time we have not demonstrated our ability to recover our systems without the involvement and full co-operation of IS department staff," the document stated.

Computer Weekly comment:
Housing Corporation should focus on IT

Last week, solicitors representing the Housing Corporation wrote to warn Computer Weekly against pursuing our investigation into its ongoing IT problems.

The move came in response to a story revealing that the corporation is pressing ahead with an outsourcing project despite failing to satisfy the recommendations of successive Gateway reviews.

We ran this story because we believe it is in the public interest that a body responsible for allocating more than £1.3bn a year to housing associations is held accountable, should bad project management squander taxpayers' money. The outsourcing project is expected to cost the corporation £16.7m over seven years.

Computer Weekly has long campaigned for greater transparency in public sector IT expenditure. The corporation's letter reached us in the week that the National Audit Office produced a damning report on the Lord Chancellor's Department's progress in building a national system for magistrates courts in the UK. Computer Weekly's 10-year coverage of problems with courts' IT was significantly instrumental in the House of Commons Public Accounts Committee's commissioning of this report.

Instead of channelling time and money into silencing journalists, we would prefer that the corporation focused its efforts on improving the IT that supports the payment of grants to support public housing.

We resent the Housing Corporation's attempt to gag us - and we reject it. This week we highlight the parlous state of the corporation's disaster recovery provision, because we feel there are important lessons to be learnt - and because we believe it is in the public's interest that our voice is heard.

Read more on IT risk management