Saturday, 19 January 2008

Roadside Personal Data Dump

Personal Data Dump From: BBC News 18/01/08

“Hundreds of documents containing sensitive personal data have been found dumped on a roundabout in Devon.

Details of benefit claims, passport photocopies and mortgage payments were included in the confidential data.

The discovery could be another potential embarrassment for the government.

Last October, two discs containing the entire child benefit database were lost in transit after they were sent by HM Revenue and Customs to the National Audit Office without being registered or encrypted.

Then in December it was revealed details of three million driving theory test candidates were on a computer hard drive that went missing in the US.

And earlier this month the personal details of hospital patients were lost by the NHS.”

Oh boy. There seems no end to these stories. Surely there hasn’t been a massive upsurge in the public's confidential data being lost, leaked and dumped across the UK in the last 12 months? But it sure seems that way. The scariest thing, I suppose, is that perhaps these sloppy practices have been occurring for years and have gone largely unreported. Maybe it's only now, as such stories have come into vogue and the media and public alike have latched on to the seriousness that such security lapses pose, we’re hearing of fresh privacy breaches virtually every month. Who knows?

I also noticed a reader’s comment on the BBC news website saying: “The first thing they should do is stop putting the data onto laptops”. As I’ve said numerous times on this blog, the long-term answer to these problems is not going to be found from one source alone; there can never be a panacea to issues such as this. No, for these data protection fiascos to be combated, law, technology and working practices must work in harmony towards a common goal. Simply stopping the practice of putting confidential data onto laptops is never going to be part of the solution. In reality, the continued functioning of companies and institutions who handle private data, is heavily dependent on employees accessing or carrying data with them in electronic format. And laptops, USB keys, portable hard disks and the like, are always going to be lost and misplaced. However, making it a criminal offence for confidential information relating to the public to be held in electronic format WITHOUT being encrypted would be a useful first step.  Equivalent requirements could be implemented for hard copies of personal data.

But encryption alone is not going to solve the soft-copy problem; data must always be unencrypted to be viewed or edited. Software and hardware advances are needed to complement changes in the law to create systems where, say, data is automatically saved and returned to its encrypted state within a pre-determined time of the user being detected as away from the data source e.g. a laptop. Further, extra layers of security could be achieved by the widespread and compulsory use fingerprint and biometric verification built into the hardware.

And finally, long-term compliance with the new laws and adherence to stringent working practices can be encouraged by harsh civil and criminal penalties imposed on those who fail to conform. Ultimately, though, these measures are going to be costly in both time and money to implement. Plenty of time for a few more sackfuls of personal data to be found scattered across the UK and a couple of dozen unencrypted laptops to go walkabouts, in other words

No comments:

Post a Comment