Where will the next UK Government security and privacy data loss disaster occur?
Given how inept the Home Office has been at implementing the policy of Data Minimisation (as recommended in the Data Sharing Review by the Information Commissioner Richard Thomas and Dr. Mark Walport), and given its lax supervision of the data handling and security practised by sub-contractors such as PA Consulting, we are very worried by the potential for disaster in the Order which comes into force on 1st October:
Specified anti-fraud organisations
2. The following anti-fraud organisations are specified pursuant to section 68 of the Serious Crime Act 2007--
(b) Experian Limited;
(d) N Hunter Limited;
How many unencrypted databases, laptop computers, USB memory devices, CDROMs etc. will these organisations, or the public bodies which disclose information to them, manage to lose or have copied by corrupt insiders?
Sections 68 - 72 of the Serious Crime Act 2007 allow such notorious data security bunglers as HM Revenue and Customs, or any other public body, to hand over, in bulk, our most sensitive personal financial information to private sector companies and industry-sponsored not-for-profit organisations.
The Common Law Duty of Confidentiality has been crushed:
(2) The information--
(a) may be information of any kind; and
(b) may be disclosed to the specified anti-fraud organisation, any members of it or any other person to whom disclosure is permitted by the arrangements concerned.
(3) Disclosure under this section does not breach--
(a) any obligation of confidence owed by the public authority disclosing the information; or
(b) any other restriction on the disclosure of information (however imposed).
Note the evil use of the words "any" and "however imposed".
This means that not just purely financial data can and will be shared: personal names, addresses, medical records (e.g. to insurance companies), sexual preferences, political allegiances etc. could also be shared, so long as someone asserts that it is "necessary for the purposes of preventing fraud or a particular kind of fraud".
There is a worthless restriction on these infinite powers:
(4) But nothing in this section authorises any disclosure of information which--
(a) contravenes the Data Protection Act 1998 (c. 29); or
(b) is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000 (c. 23).
However, neither of those pieces of legislation places any effective restriction on public authorities once the magic words "for the prevention or detection of crime" or "national security" (or the equally vague "economic well-being of the United Kingdom") have been uttered: the Data Protection Act 1998 has blanket exemptions for national security (section 28) and for crime and taxation (section 29).
Section 71 (Code of practice for disclosure of information to prevent fraud) requires the Secretary of State to prepare a statutory Code of Practice governing the exercise of these sweeping powers, but that Code, of course, is still secret, and has not been debated by Parliament or the public.
Given that it is the inept Home Office which is responsible for supervising this further expansion of the surveillance state, there has to be a genuine fear that millions of innocent people's financial information will be put at risk.
This Order should be revoked until there has been a full public debate on the alleged safeguards in the secret Code of Practice, and until the Home Office has demonstrated that it can handle even its own data securely and properly, before allowing even more data belonging to innocent people to be shared and put at risk.
There must also be robust mechanisms to protect innocent members of the public, including generous financial compensation and prompt public apologies and political resignations, when, not if, it all goes horribly wrong - these seem to be utterly lacking at the moment.
Thanks to Guy Herbert of the NO2ID Campaign for making it clearer that the Data Protection Act 1998 has itself been amended by section 72 (Data protection rules) of the Serious Crime Act 2007, further reducing the protection of everyone's sensitive personal data:
72 Data protection rules
In Schedule 3 to the Data Protection Act 1998 (c. 29) (conditions for processing sensitive personal data), after paragraph 7, insert--
"7A (1) The processing--
(a) is either--
(i) the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or
(ii) any other processing by that person or another person of sensitive personal data so disclosed; and
(b) is necessary for the purposes of preventing fraud or a particular kind of fraud.
As a reminder, here is the definition of sensitive personal data in section 2 of the Data Protection Act 1998, i.e. exactly the categories of data which the new paragraph 7A permits to be disclosed:
2 Sensitive personal data
In this Act "sensitive personal data" means personal data consisting of information as to--
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.