ID cards database breached by nosey council staff

Staff at 30 local authorities have been responsible for "serious security breaches" in the government database that will form the core of the national ID cards programme.

Local authority staff have viewed sensitive personal records on the Customer Information System (CIS) run by the Department for Work and Pensions (DWP), it emerged today.

The database contains information on nearly everyone in the UK, including all benefit recipients, pensioners and anyone with a national insurance number.

Routine checks have unearthed security breaches by staff at 30 local authorities since 2006, who accessed personal records "without business justification".

The DWP CIS database will form the core of the biometrics-based national identity register, under the government's ID cards programme. DWP data is kept separately from the national identity register data on the CIS system.

Prosecution warning

The DWP warned local authorities in January that it might prosecute staff found accessing the CIS illegally if the local authorities did not take action.

"Regrettably, checks have identified some local authority staff are committing serious security breaches," the DWP told local authorities in its Housing Benefit and Council Tax Benefit General Information Bulletin on 15 January.

"DWP will support your local authority to ensure appropriate disciplinary or prosecution action is taken, and may consider prosecuting directly under social security legislation," it said.

The bulletin said staff should not access CIS records about or on behalf of their or their colleagues' friends, relatives, partners, or acquaintances. Nor should they share their government passwords with other people.

The DWP said the breaches were all "view only" accesses of personal information stored in CIS records where there was no business justification for the access.

Security vulnerabilities

The latest breaches demonstrate how there may be security vulnerabilities inherent to the government's data sharing programme. Councils which use the CIS database can also access HM Revenue & Customs data.

The courts, legal services, the Department for Schools and Families, and others have access to DWP data under data sharing arrangements. The DWP also gives the private sector access to its CIS. BT uses the CIS to administer its social telephony scheme. It is not known whether security breaches have been committed by staff accessing the CIS database from any of these other organisations.

The DWP said in its statement that the CIS breaches were few and demonstrated how secure its systems were.

"The small number of breaches shows that the CIS security system is working and is protected by several different audit and monitoring controls, which actively manage and report attempts at unauthorised or inappropriate access," it said.

An Identity and Passport Services spokesperson said, "The IPS will make the National Identity Scheme database as secure as possible, building on an excellent track record with the current passport database.

"Legislative protections will ensure deterrent protection against people misusing the system.

"Furthermore, it will be a criminal offence to make any unauthorised disclosure of information from the database.

"The database will also be subject to the independent scrutiny of both the Information Commissioner and a new Identity Scheme Commissioner."
