Yet another data loss by a local council:

Personal data on more than 14,000 voters has gone missing from the offices of a council in Hertfordshire. The data was protected by two levels of security, the council said, but admitted there was a “slight risk” it could be accessed.

Well what does that mean? It turns out that ‘two levels’ of security is actually two passwords: One to access the computer, a second to access the software holding the details. When my old laptop turned up its toes last year, the data-retrievers very kindly set up my new one pdq – and simply scavenged the passwords from my old, dead machine. If you want, you can buy the software to do that online for around a tenner.*

So in other words, we’re talking about rather more than a ’slight risk’. If the laptop has been stolen by someone with no interest in its contents, they probably won’t bother accessing the data. On the other hand, if that ’someone’ realises that there is potential value in the contents, they probably will. That the data can be accessed is almost certain, the only question is whether the thief will bother to do so.

Once again we get this tedious assertion from the recalcitrant council:

the council takes its responsibility to look after their personal data very seriously

I’m trying not to froth at the mouth, but for heaven’s sake! They patently didn’t take it nearly seriously enough! Why keep trotting out this meaningless nonsense? Unencrypted data should never have been on a laptop in the first place. If a council is taking its responsibility ‘very seriously’, then they should be abiding by the Data Handling Guidelines, which have their first birthday next week. Which bit of the following excerpt is unintelligible?

Wherever possible councils should avoid the use of removable media including laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats. Where it is unavoidable, encryption should be used and the information transferred should be the minimum necessary to achieve the business objective.

Presumably the council is also by now compliant with the Government Code of Connection. Amongst other things, councils should have a default position of not using laptops

Removable media
Removable media should be disabled unless there is a business case for its use.

What is the point in all of the time and public money spent on developing security standards when councils simply carry on downloading sensitive data to unencrypted devices?

*Update: ARCH’s webmaster has just helpfully pointed out that you may not even need a tenner

For For the second time this week:

A laptop used by an educational psychologist dealing with some of Leeds’s most troubled children has gone missing.The computer was reported missing to police yesterday after being missing for a week.

Leeds claim that the data on the laptop wasn’t sensitive. So what on earth was the ed psych actually recording on it?

From the BBC:

The private details of thousands of children were found on a memory stick dropped by a council worker…it included the names, dates of birth, ethnicity and contact details for about 5,000 nursery-age children living in the Leeds area.

The council has apologised and started an investigation.

The stick, which was found in a second-hand car, also contained confidential information about child protection and whether or not the children’s parents claimed state benefits.

The data was, of course, unencrypted. Now, you all know the chorus:

A council spokeswoman said: “We take issues of information security very seriously”

This speaks for itself really:

Personal information regarding thousands of children is in criminal hands after a laptop theft. Surrey County Council (SCC) notified the 7,851 children, parents and carers, whose details were stolen, that there had been a “potential security breach” in a letter over the weekend.

Personal, unencrypted data was stored on the laptop swiped from a car belonging to one of the county council’s contractors, Trapeze Group UK Ltd, on November 12.

Unencrypted? Unencrypted? Oh good grief. You’d think they might have learned by now. And in case you’re wondering, Trapeze Group is responsible for arranging transport for children.

Apparently we have to allow the government to use our data as they see fit, and accept that it may end up in a pub car park.:

Gordon Brown has made a frank admission that government cannot promise the safety of personal data entrusted by the public.

The Prime Minister was speaking hours after it emerged that a memory stick containing the passwords to a government website used submit online tax returns had been lost.

“It is important to recognise we cannot promise that every single item of information will always be safe because mistakes are made by human beings. Mistakes are made in the transportation, if you like in the communication, of information.”

He makes it sound as if we didn’t know that already and were the ones begging to have our data harvested.

Perhaps the ‘consent’ forms that children and parents sign when an eCAF is carried out should contain an extra question:

Where would you prefer us to lose your personal information?
(a) on a train
(b) at a disco
(c) via the post/courier service
(d) in a car park
(e) other

PS. I guess it’s appropriate that the Minister responsible for the Government Gateway is the same one who left confidential correspondence from his red box on a train.

I doubt if anyone has missed the news that EDS has lost a portable hard drive containing:

the names, addresses, passport numbers, dates of birth and driving licence details of those serving in the army, navy and RAF. It also includes next-of-kin details, as well as information on 600,000 potential services applicants

As you might imagine, while attention has focussed on serving forces personnel, it’s the 600,000 potential recruits that particularly worry us. Presumably a fair number of those are still in their teens and won’t discover for a while yet whether this latest data debacle has made them sitting ducks for identity fraud.

For several years now, the US media has been reporting the increasing use by fraudsters of children’s identities. The Federal Trade Commission points out that they are ‘perfect targets’ because they have clean credit histories, and are unlikely to know what has happened until they open a bank account or apply for credit.

MPs have apparently demanded ‘a “cultural change” in public sector data handling’. Good luck with that – the rot goes deep. Only last week, a company called Databarracks published the results of a survey of schools that showed:

92% of education institutions say they back up their data, however, analysing this further, the survey shows that while 60% take the data offsite, 55% of them have this function performed by a member of staff who takes the data home.

No doubt Databarracks has its own agenda, but its findings do echo an earlier study that found almost half of schools taking unencrypted pupil data off school premises.

You only need to read UK Liberty’s pages on data loss to see the scale of sloppy public sector data-handling practices.

It would be nice to think that things would have improved by the time the national Contactpoint and eCAF databases make their entry on to the scene, but it’s not likely. Just substitute ‘Contactpoint’ or ‘eCAF’ for any of the systems mentioned on UK Liberty, and you’re looking into the future.

Incidentally, on the subject of Contactpoint, you may have missed a letter in the Telegraph from the CE of Barnardo’s objecting to conservative plans to scrap the system. He says:

I would ask Mr Gove to think long and hard about whether or not Barnardo’s, which works with more than 100,000 of the most disadvantaged and vulnerable children in Britain, would support ContactPoint if we thought it would, as Mr Gove suggests, increase the risk of children being abused.

What a relief. If Barnardo’s says it’s OK, that must be right. We can go back to sleep.

An impressive hat-trick this week. On the bright side, it’s good to see that nobody has made any of those irritating claims about taking data security ‘very seriously’.

First off the blocks:

The discovery at a Cornish nightclub of a computer memory stick with details of troop movements on it is being probed by the Ministry of Defence (MoD).

And then two in quick succession:

Discs containing personal information on almost 18,000 NHS staff have gone missing from a north London hospital.

Followed by:

A police force has undertaken an urgent hunt for a computer memory stick after admitting it has been lost by an officer on duty. West Midlands Police would not confirm or deny reports that the data stick contained information on terrorism.

Two on the same day, eh? The pace is hotting up. UK Liberty is keeping a tally.

Update 7pm: We spoke too soon. It’s now four this week:

An NHS trust has apologised after a computer memory stick, containing the confidential files of 200 patients, was found in a street.

Tees, Esk and Wear Valleys Trust said the stick was found by a member of the public in Barnard Castle, Co Durham. It stored a summary of medical histories and patients’ national insurance numbers and addresses.

This is just ridiculous.

Not exactly reassuring news about Contactpoint et al:

Government efforts to improve interactions with the public through the use of Web 2.0 technologies are being stymied by security fears…

A high-level source working with the Swiss government IT department confirmed that attacks against government web sites were reaching epidemic proportions. Speaking on the condition on anonymity, he told IT Week that his department was frequently under attack from groups looking to steal personal information.

He added that he had spoken to counterparts at the DCSF, who had confirmed they were experiencing “similar” levels of attacks.

You might think that DWP staff would have been chastened by the child benefit Chernobyl into some basic grasp of data security, but apparently not:

The government has been sending out highly sensitive data in packages with the passwords necessary to access it, it has been revealed today.

And in a predictable mismatch of words and actions, a DWP spokeswoman said:

“We take the security of individuals’ data extremely seriously”

If you’re wondering where you heard that before, it was last uttered a month ago by the LGA.

I think this is called having your cake and eating it. Engaged in the nerdy pursuit of trawling the last few days of parliamentary questions, I found the following written answer from Ministry of Justice Minister David Hanson to a question about young people serving indeterminate prison sentences – not something the government enjoys talking about:

These figures have been drawn from administrative IT systems which, as with any large scale recording system, are subject to possible errors with data entry and processing so numbers have been rounded to the nearest 10.

And here we were thinking that Contactpoint and eCAF would be infallible. In similar vein, the BBC reports that in the last 3 years:

More than 600 staff at HM Revenue and Customs (HMRC) have been disciplined for accessing personal or sensitive data, it has been revealed

Treasury Minister Jane Kennedy is keen to stress

However, this represents less than 1 per cent. of total staff for each of the three years in question

Let’s see, if Contactpoint and eCAF have 330,000 users and just 0.5% misuse their access, I make that 1,650 people. Despite ministerial assurances that employees are always caught (and how do they know about the ones who weren’t?) it’s clear from the HMRC figures that the risk hasn’t acted as a deterrent over the past few years.

The latest news on data breaches:

Government departments and private companies have reported an “alarming” number of new data breaches in the wake of the recent HM Revenue and Customs fiasco.

Details of nearly 100 cases of data breaches, two thirds committed by government departments or other public sector bodies, have been passed to the authorities, the Information Commissioner, Richard Thomas, said.

He warned organisations to step up security as he released details of the wave of new breaches, including unencrypted information lost on laptops, computer discs, paper records and memory sticks lost, stolen or missing in the post.

Undaunted, the government bulldozers ahead towards its goal of a single record system. I’ve just been re-reading the government’s ‘Harnessing Technology’ (pdf) today. Ostensibly it’s about using ICT in education, but as the role of schools expands into welfare, inevitably education and social care records start to merge.

It’s an extension of the approach piloted in Connexions, where personal problems are seen as ‘barriers to learning’ that must be dealt with. Thus the government wants to:

Ensure integrated online personal support for children and learners…

Support children’s and learners’ transition and progression by developing and implementing a common approach to personal records across education and children’s services, including public and private organisations and industry.

It hardly needs saying that the scale of data breaches can only increase with the amount of data collected. How strange to think that the government was once so wary about the collection of children’s personal data that they introduced the School Census one small step at a time. Less than ten years later, it’s hard to think of any personal data that isn’t fair game for the ‘joined-up’ treatment.

The BBC has been doing some digging:

Personal data about members of the public has been lost or wrongly revealed by 13 London councils in the last year, a BBC survey has found… In one instance, sensitive information about children in care was stolen when a youth worker took files into a bar.

This response is frankly irritating:

Tim Allen of the Local Government Association emphasised that data security was very important to local government

It’s demonstrably not important enough. There seems to be a second story here, too:

Some 23 councils replied to the freedom of information request

But there are 33 councils in London, all of them public authorities bound by the Freedom of Information Act. What happened to the other 10?

…Though our prolonged silence might have made you think otherwise. It’s been one of those intensely busy periods with no spare blogging time at all.

I did notice recently that an opinion poll carried out for the Information Commissioner’s Office found:

three-quarters of us were more worried than ever over access to personal data. And 70% said they felt powerless over how organisations kept an eye on data.

The survey comes after the government lost computer discs containing the entire child benefit database.

From the look of the other news around, people’s worries are entirely justified. There was this:

Documents containing payroll information relating to 182 NHS staff members have been have been found dumped in a street…The documents had been in the care of company Capita when they were lost.

They contained information, including addresses, bank account and National Insurance details, from five trusts in Leicestershire and Northamptonshire.

And this from the Liverpool Daily Post:

an investigation by the Daily Post, using the Freedom of Information Act, has revealed the loss of 230 records by health staff in the region.

More than half of the trusts which replied to a request for information confirmed they had lost data. It is also revealed that the largest data loss – 100 records held on a “memory stick” by Liverpool Primary Care Trust, was not reported to the patients involved.

Even the prison service is doing its bit:

Prison Service and IT staff are trying to correct errors in the networked Local Inmate Database System [Lids] – which holds records on more than 80,000 prisoners – after the Service’s IT supplier EDS discovered that thousands of records contained incorrect information or data was incomplete or missing.

Yet more symptoms of what the Joint Committee on Human Rights describes as:

“The Government’s failure to take safeguards sufficiently seriously”

and

“insufficient respect in the public sector for the right to respect for personal data.”

Someone has to be telling porkies here:

A patients’ group said it is astonished that three inquiries into how medical records came to be strewn on a road failed to find anyone responsible.

The records belonged to patients from London’s Whipps Cross University Hospital and St Bartholomew’s Hospital, and London Ambulance Services (LAS). The papers were found in Northaw, near Potters Bar, Hertfordshire, in January.

Probes by the hospitals trust, LAS and by Bywaters waste management company found their procedures were “robust”.

It’s just endless:

The Ministry of Defence is launching a new inquiry after admitting to the loss of two more laptops containing unencrypted personal details. The additional losses came to light during the investigation of the theft earlier this year of a laptop containing 600,000 peoples’ personal details.

This takes the biscuit:

Departmental minister Parmjit Dhanda told MPs, “The official data on each of the laptops was not encrypted because none of the information was classified.” In an attempt to reassure MPs, he added, “Each laptop was password protected.”

1) This morning the papers are full of the news that a disc containing data about convicted criminals was ‘mislaid’ for a year, eventually turning up covered in dust on someone’s desk. Doubly appalling is this gem from the CPS statement:

“This is not a data security issue as this information was always in the possession of the CPS.”

2) BBC local news a couple of nights ago carried this story about a heap of files that turned up in a derelict council building in North London. When Lynne Featherstone, MP for Haringey, challenged the council, she was astonished to be told that they were only ‘old’ files.

3) You may remember that we blogged in December about schools taking unencrypted pupil data off school premises – a story covered on BBC R4’s ‘Learning Curve’ last week.

After we spoke to Annette Brooke MP, LibDem spokesperson on children, she asked the following question – and got a deeply worrying answer:

Annette Brooke: To ask the Secretary of State for Children, Schools and Families what steps his Department is taking to prevent school staff removing unencrypted sensitive pupil data from school premises. [178044]

Jim Knight: Becta is responsible for producing and publishing guidance for schools on how to ensure the security of their IT systems. Becta’s latest guidance was published in September 2007 and is available on its website. This guidance includes information for schools on monitoring the physical security of ICT equipment, data security and the security of pupil information and data.

In other words the government abrogates all responsibility for data security in schools to a Non-Departmental Public Body.

Three separate examples, but one underlying factor. Despite the CPS insistence that “this is not a data security issue” (“these are not the droids you want”?) all three go to the heart of the real problem: the biggest threats to data security come from insiders who do not take their responsibility for other peoples’ data seriously enough.

No amount of money spent on ’secure’ systems is going to stem the tide of data breaches if those in charge of the data cannot recognise that their attitudes are the real data security problem. And until that culture-change happens, our private information is simply not safe in their hands.

From the BBC:

A laptop containing the medical records of more than 5,000 patients has been stolen from a Black Country hospital.

Following on from yesterday’s post, a sad illustration of the damage that corrupt data-disclosure can cause. Following a row over a car parking space:

Three people appeared at Nottingham Crown Court on Monday and denied the manslaughter of Bernard Gilbert, 79. He collapsed and died after a brick was thrown through the window of his home in Spondon, Derby, on 28 January 2007.

How did the defendants track Mr Gilbert down? Through a friend of a friend, who happened to be a serving police officer with no scruples about misusing the Police National Database.

This database has the greatest audit resource of any system, and still officers are willing and able to access it improperly. It doesn’t inspire confidence for the future security of data on Contactpoint and eCAF.

HT: UK Liberty

The Sunday Times carried news of a recent report on forced marriages, from which this paragraph jumped out at me:

According to the report, women who go to the authorities to seek protection have been tracked down through their mobile phones or even by leaks of confidential information from government databases.

No great surprise there, I guess. One only has to remember the Information Commissioner’s 2006 report ‘What Price Privacy?’ (pdf) which detailed:

“…a flourishing and unlawful trade in confidential personal information by unscrupulous tracing agents and corrupt employees with access to personal information.”

I wonder how many girls will remember to apply to have their Contactpoint record ’shielded’ when they run away…?

From today’s Independent:

Official figures revealed through parliamentary answers show that in the last year all government departments reported at least 208 laptops, and a number of PCs, stolen. By far the worst culprit is the MoD. Since 2003 it has reported 420 laptops stolen. An MoD spokesman yesterday said he could not say whether the laptops contained sensitive information or not.

“This has to be seen in the context of a department which employs 300,000 people,” he said.

By coincidence, that’s around the same number of people who will have access to Contactpoint and, presumably, the national eCAF database.

Last October we found ourselves accused of ‘alarmism’ by the government. Amongst our (many) concerns aired in a Lords debate was this:

Baroness Morris of Bolton: My Lords, I am grateful to the Minister for giving way; I will be brief. One of the big concerns is that people are filling in eCAF forms on laptop computers. This is highly sensitive information that flags up that a child is vulnerable. Will he please look into this before he responds to us?

Lord Adonis: My Lords, I have undertaken to look into it, but the advice that we have been given is that the processes are secure. We do not believe that the concerns that have been raised are valid

Believe me, it will give me no pleasure whatsoever to say ‘told you so’.

The first of yesterday’s data debacles:

Hundreds of documents containing sensitive personal data have been found dumped on a roundabout in Devon. Details of benefit claims, passport photocopies and mortgage payments were included in the confidential data.

Followed by:

The personal details of 600,000 people who had expressed an interest in joining the armed forces have gone missing after a laptop belonging to a Royal Navy officer was stolen, the Ministry of Defence said last night.

In another breach of government security, police are investigating the theft of the laptop, which was stolen from a vehicle in the Edgbaston area of Birmingham this month and contained, among other information, passport, and national insurance numbers and bank details.

It’s time to give your MP a nudge about signing up to the Contactpoint Early Day Motion.

This one is gobsmacking:

A break-in at Middlesbrough Council has resulted in the loss of nine laptops containing sensitive case files on up to 63 vulnerable children.

The laptops, used by social workers to keep case records about vulnerable kids and their families, were password protected and protected by “some encryption”, the BBC reports.

“some encryption”?!

A bit more sensitive data goes walkabout:

An investigation has been launched after an NHS hospital lost 20 years worth of payroll data on its staff.

Queen Mary’s Hospital in Sidcup, south-east London, has informed police about the data, which was lost when a room was cleared for office space.

Work on the government’s much-trumpeted C-Nomis offender management system ground to a halt last summer when it became clear that the original £230m estimate was wildly inaccurate, and now the coup de grace has been delivered:

A £500 million computer project to underpin the criminal justice system and protect the public has been scrapped… after spending more than £150 million, David Hanson, the Justice Minister, pulled the plug. He said steps would be taken to increase data shared between prisons and probation.

This item only made it as far as the Guardian’s News in Brief:

A survey of almost 1,000 primary schools found that 49% were backing up pupil data on to discs, memory sticks or tapes which were taken off the school premises, exposing the material to loss or theft. IT experts RM School Management Solutions, which carried out the survey, said that only 1% of respondents encrypted the data. A further 4% of schools were leaving sensitive and unprotected data at unsecured locations on the school premises.

For spine-chilling effect, one only has to look at this to get an idea of the depth of data collected on school pupils, and remember that there are around 350 school break-ins in each police area every year.