The data security and privacy disaster involving the lost CDs containing the entire Child Benefit Award database by Her Majesty's Revenue and Customs and the National Audit Office, seems to have spawned several Reviews and Inquiries, at least two of which are due to report in mid December 2007.
These Reviews will be causing senior civil servants to dust off their copies of their Departmental Standard Operating Procedures manuals, and Departmental Security Policy documents, If they are feeling truly masochistic, they will actually read the boring and tedious concordance documents which aim to cross reference, often line by line, the current Departmental Security Policy with the Manual of Protective Security and BS7799 / ISO17799 / ISO27001 etc. standards, with which they are meant to have complied with several years ago.
Such voluminous documents probably already list all the relevant eventualities, but are of little practical use, where a culture of data security sloppiness, incompetence and management penny pinching has been allowed to develop.
The process of these reviews will probably stifle all decision making on any new IT systems, whilst the "Sir Humphreys" are engaged in Cover Your Backside and inter-departmental Empire Building campaigns, well into the New Year.
It is hard to see how any honest, uncensored Review, either by Kieran Poynter of PricewaterhouseCoopers, by Robert Hannigan Head of Intelligence, Security and Resilience in the Cabinet Office, by the Information Commissioner Richard Thomas, by Dr. Mark Walport of the Wellcome Trust, by the Independent Police Complaints Commission, by the Metropolitan Police Service, or by the Treasury Select Committee of the House of Commons etc. etc. can fail to blame the senior civil servants and politicians who were in charge of the Treasury and monster Her Majesty's Revenue and Customs department, at the time when the first of the the data security and privacy breaches occurred i.e. back in March 2007.
The "Sir Humphrey" at the Treasury back then was Sir Gus O'Donnell, the current Cabinet Secretary, and the micromanaging control freak politician in charge as Chancellor of the Exchequer was Gordon Brown, the present Prime Minister.
We will therefore be extremely surprised if any actual direct criticism or blame emerges from these soon to be censored, "must be seen to be doing something" Reviews.
The Terms of Reference for the Kieran Poynter and Robert Harrigan reviews:
Today the Treasury has announced the terms of reference for the Review by Kieran Poynter, a senior partner with the firm of accountants PricewaterhouseCoopers (PwC) ,
His interim report is due to Chancellor Alistair Darling on Thursday 14th December 2007, with a further report in the Spring of 2008.
23 November 2007
Terms of reference for the Poynter Review
The Treasury has published terms of reference for the Poynter Review, which will investigate security processes and procedures for data handling in Her Majesty’s Revenue & Customs.
Terms of reference
To establish the circumstances that led to the significant loss of confidential personal data on Child Benefit recipients and other recent losses of confidential data and the lessons to be learnt, and in the light of those circumstances to examine:
- HMRC practices and procedures in the handling and transfer of confidential data on taxpayers and benefit/credit recipients;
- the processes for ensuring that these procedures are communicated to staff and the safeguards in place to ensure they are adhered to;
>li>the reasons why these failed to prevent the loss of confidential data;
- whether these procedures and processes are sufficient to ensure the confidentiality of personal data.
The review will report initially by 14 December on the exact circumstances and events that led to the loss of the Child Benefit data, taking account of the ongoing investigation by the Metropolitan Police. It will make interim recommendations on any further, urgent measures that HMRC should put in place to guarantee the confidentiality of personal data.
The review will also consider wider implications, reporting in the Spring and, in consultation with the Independent Police Complaints Commission (IPCC) and Information Commissioner, make recommendations on:
- how internal processes and culture can be strengthened to achieve appropriate data security in the future;
- whether HMRC’s wider procedures for the handling of confidential data and liaison with other organisations should be changed to reduce the risks and how this might be done.
Notes to editors
1. The Chancellor of the Exchequer, the Rt Hon Alistair Darling MP, announced the review in a statement to the House of Commons on 20 November.
2. Kieran Poynter is Chairman and Senior Partner of PricewaterhouseCoopers and will report to the Chancellor of the Exchequer. The review is being carried out with the knowledge and cooperation of the Independent Police Complaints Commission (IPCC) and the Information Commissioner.
PwC are commercial rivals to KPMG, who are the outsourced audit partners of the National Audit Office, which is allegedly independent of the Government.
Who, if anyone, will be conducting a similar review of the data handling arrangements of the National Audit Office (NAO), who are also not entirely blameless ?
There is also the Cabinet Office Review of Data Handling procedures in Government:
Review of Data Handling procedures in Government
23 November 2007
The Prime Minister has asked the Cabinet Secretary to establish a review into data handling procedures in Government.
The Review will be led by Robert Hannigan, Head of Intelligence, Security and Resilience in the Cabinet Office, working closely with heads of departments.
The Cabinet Secretary wrote to all Heads of Departments on Thursday 22 November setting out the terms of the Review.
The terms of Reference of the Review will be:
- the procedures in Departments and agencies for the protection of data;
- their consistency with current Government wide policies and standards;
- the arrangements for ensuring that procedures are being fully and properly implemented;
and to make recommendations on improvements that should be made.
The process will be carried out in two stages:
- first, to ask urgently for an analysis of Departmental and agency systems and procedures to identify compliance with policies and standards, and recommendations for practical improvements and better management of risk that can be identified. Each Department is asked to complete this, covering their agencies as well, by 10 December so that the Prime Minister can be advised by the end of the year.
- Second, to then look collectively at improved standards and procedures, including the role of the centre and governance mechanisms as well as the introduction of better compliance and audit arrangements. A plan to deliver any changes will also be produced. The aim is to complete this early in the New Year.
This Review will also take into account the work being done by Kieran Poynter of Pricewaterhouse Coopers into HM Revenue and Customs data handling procedures and the work being done by the Information Commissioner and Mark Walport of the Wellcome Trust on the security of personal data across society as a whole.
Will our personal data really be any safer from abuse by criminals , terrorists, spies or officious bureaucrats, after these Reviews have been completed ?
Will the Data Protection Act actually be strengthened with proper criminal penalties which apply to Government departments as well to the private sector ?
Will there be a Californian style Data Privacy Breach Notification law ?