Another week, and there is still no sign of the missing unencrypted CDs containing personal details of 25 million people, which were lost by Her Majesty's Revenue and Customs (HMRC).
It is clear that even the massive publicity over the HMRC affair has still had no effect on the culture of incompetence which has infected public sector organisations, which continue to betray their duty of trust and confidentiality when dealing with people's data, the protection of which they merely pay lip service to. The Scotsman, for example, summarises:
First, it emerged two computer discs with details of more than 7,000 Northern Ireland motorists had got lost in the post after being sent to the DVLA in Swansea.
Then it was disclosed that confidential personal details of dozens of prisoners, including their criminal records, had been delivered to a private company instead of going to Norfolk Police.
And trade unions on Merseyside revealed that personal details of 1,800 health-authority staff, including their salaries and pension details, had been accidentally sent out to a number of private firms.
This is in spite of the Cabinet Office Review, of all Government Departments and Agencies, chaired by Robert Hannigan, the newly appointed Head of Intelligence, Security and Resilience, which was supposed to have reported on Monday 10th December 2007.
Will politicians and the media be pressing for this to be published, or will the Government spin doctors try to suppress it until the New Year?
The other Review, restricted to just Her Majesty's Revenue and Customs, by Kieran Poynter, the senior partner at accountants PricewaterhouseCoopers (note the stupid "brand name" capitalisation), is due to report this Friday.
There do seem to have been some "locking the stable door" diktats at HMRC:
Written answers Thursday, 6 December 2007
Revenue and Customs: Data Protection
John Hemming (Birmingham, Yardley, Liberal Democrat):
To ask the Chancellor of the Exchequer if he will ensure all CD burners are removed from HM Revenue and Customs computer departments until security
Jane Kennedy (Financial Secretary, HM Treasury):
I understand that staff access to removable media has already been disabled. Desktop PCs and laptops in HMRC are no longer able to read CDs, floppy disks, USB storage and other memory card devices. This facility can only be re-enabled with the authorisation of a director or the senior member of staff responsible for data transfer in the appropriate business area.
On 20 November, the Chancellor announced an independent review of HMRC's data handling procedures to be conducted by Kieran Poynter, the chair of PricewaterhouseCoopers.
Does "staff" mean all the EDS IT subcontractors and other consultants as well as HMRC permanent staff? Probably not.
"Desktop PCs and laptops" does not include all the file, application, print and media servers.
"No longer able to read" does not necessarily mean "no longer able to write"!
What about the higher capacity DVD disc writers, rather than just CD writers?
What about USB external or removable hard disk storage?
What about backup tape systems of all sorts?
What about NetBIOS based Windows file sharing over ethernet?
What about WiFi or Bluetooth based file transfers?
It sounds as if all they have done is tick a few boxes in the Windows Security Policy on the Enterprise Domain Controllers, rather than actually physically removing or disabling these devices and interfaces, or installing the extra software necessary to do this properly.
Given the prevalence these days of USB keyboards and mice, and even of USB Smart Card readers, how do they really expect to prevent USB hubs and memory sticks (some models of which can appear to the BIOS and operating system as bootable CD or external hard disk devices) from being used by those people determined to steal valuable personal data, rather than those who just handle it ineptly but without malice?
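The gap between "cannot read" and "cannot write", and the device classes (DVD, tape, floppy) a box-ticking policy can leave untouched, can be checked from the Windows Group Policy registry settings themselves. The following audit script is an added example, not part of the original post or anything HMRC published: it parses a `reg export` of the Removable Storage Access policy key (the Vista-era `RemovableStorageDevices` policy, with its `Deny_Read`/`Deny_Write`/`Deny_Execute` values per device-class GUID) and reports classes where writing is still possible or no policy exists at all; the `.reg` text is constructed for illustration.

```python
import re

# Device-class subkeys of the Removable Storage Access policy
# (HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices).
CLASSES = {
    "{53f56308-b6bf-11d0-94f2-00a0c91efb8b}": "CD and DVD",
    "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}": "Removable Disks",
    "{53f56311-b6bf-11d0-94f2-00a0c91efb8b}": "Floppy Drives",
    "{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}": "Tape Drives",
}
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices"

# Constructed `reg export` output: CD/DVD reads denied but writes untouched,
# removable disks fully denied, nothing at all for floppy or tape.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Read"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Read"=dword:00000001
"Deny_Write"=dword:00000001
"Deny_Execute"=dword:00000001
"""

def parse_reg(text):
    """Return {subkey_guid_lower: {value_name: int}}; the root key is stored under ""."""
    policy, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key, current = line[1:-1], None
            if key.lower() == POLICY_KEY.lower():
                current = ""                      # root key: holds Deny_All
            elif key.lower().startswith(POLICY_KEY.lower() + "\\"):
                current = key.rsplit("\\", 1)[1].lower()
            if current is not None:
                policy.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"(\w+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                policy[current][m.group(1)] = int(m.group(2), 16)
    return policy

def audit(policy):
    """List classes where data can still be written out, or that have no policy at all."""
    if policy.get("", {}).get("Deny_All") == 1:
        return []                                 # everything denied in one setting
    findings = []
    for guid, name in CLASSES.items():
        vals = policy.get(guid, {})
        denied = sorted(k for k in ("Deny_Read", "Deny_Write", "Deny_Execute") if vals.get(k) == 1)
        if not vals:
            findings.append(f"{name}: no policy at all")
        elif "Deny_Write" not in denied:
            findings.append(f"{name}: write still allowed (only {', '.join(denied)} set)")
    return findings
```

Even a clean audit says nothing about network shares, WiFi or Bluetooth, which this policy does not cover, nor about machines older than Vista, where the policy does not exist.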