Civil servants still sticking unencrypted data in the post
Court case CDs go missing
Groundhog Data: Today's story of a cretinous government data giveaway is brought to you by... the Ministry of Justice.
On the scale of government ineptitude this hardly ranks alongside the loss of 25 million child benefit details last year, nor the loss of a laptop containing unencrypted details of members of the armed forces - but it is still serious.
A story in this morning's Daily Mail revealed that four CDs were sent in the post and included details on 55 defendants and other restricted information, "potentially including" highly sensitive details of alleged victims of and witnesses to crimes.
The CDs were sent recorded delivery on 15 December but never arrived. The discs related to people in the Manchester area, and were part of an investigation into claims that magistrates are dropping cases where the defendants do not turn up to court dates.
The paper believes one of the four discs was either password-protected or encrypted.
The Ministry of Justice confirmed the screw-up and said it was investigating. It sent us the following statement:
Her Majesty's Inspectorate of Court Administration (HMICA) confirms that 4 CDROMs are missing. They were sent recorded delivery. Ministers and the Information Commissioner were notified immediately it was recognised that personal data had been lost. An investigation is underway so it would be inappropriate to comment further at this stage.
This looks horribly similar to the HMRC debacle which emerged back in November. At the time, the government kicked off a series of investigations and reviews into data protection. It also pledged to tighten up on procedures, give the Information Commissioner the right to make spot checks on government departments, and to introduce tougher penalties for data breaches.
The head of HMRC, in a letter to people affected by the HMRC data breach, said, "And I can assure you that all efforts are being made to ensure that such a loss can never happen again." Clearly the letter never reached the court service.
Simon Davies of Privacy International said it was unbelievable that there was not a total ban on any government agency sending unprotected discs through the post, and that the government was treating our data with contempt.
The Mail story is here. ®
To any US readers: some part of my previous post _may_ contain irony.
Sorry for not flagging it diligently enough and all.
Also I want to know why it was four CDs. Any decent IT dept has got DVD writers these days.
I see the problem around me every day.
I'm a local government worker and I've been trusted with unencrypted access to the personal data of every child in our district for migration to a new school management solution. This includes names, addresses, medical problems and so on. It's no big deal because I do understand the implications of data security and how to implement it but let's look at this for a second.
I'm the lowest paid technical employee in the team at a mere £15k a year.
I've never had a CRB check.
I've pointed these things out to management and particularly highlighted them in the case of recent breaches but no one cares. Whilst I am trustworthy there's always the chance that others in this type of position might not be - case in point, a few years back someone who worked on the old system was sent to jail after 15,000 child porn images were found on his machine - he also had full access to this data.
So the data is in good hands I promise, I do know what I'm doing but it bothers me that there are people elsewhere in this situation who might not be either competent enough to look after the data or may just be outright malicious. Furthermore I'm just so utterly apathetic towards the job due to management ignorance and low pay amongst other things that even if something did go wrong I don't think I'd really care, besides I've informed management of the issue and they've done nothing to resolve it so I can't help feeling the age old and rather ignorant view of "It's not my problem".
I have a lot of sympathy for the junior staff being blamed for these various breaches because if they're in the same situation as me then it's not their fault, they do what they can to look after the data but they can only do so much and if management isn't listening to their pleas to tighten up the process then what more can they do other than accept they'll have to do what they can with the tools they've got and if management orders them to send the data unencrypted on CDs via unregistered mail then they have to do it or face disciplinary and lose their job? Of course they'll lose it anyway when the blame comes round to them even though they did everything within their power to prevent it bar actually sacrificing their livelihood in protest.
To cite another example, the government IT profession, some government organisation that basically oversees government IT workers has a mailing list we were encouraged to sign up to which I did. When they sent out one of their mailings they'd listed all addresses signed up to the list in the "To" field. As such all recipients could see all other recipients' addresses and these addresses included everything from police to MI5 to NHS to parliament to other local government addresses. I immediately e-mailed back suggesting they in future used the BCC option to ensure people could only see their own addresses and not everyone else's. If one of those machines had been infected with a virus that spreads via mass mailing there is potential for that virus to spread to every single public sector department in the country. Of course, I never got a thank you or even a response to my notice of the problem that I sent to them but since then all e-mails have been sent such that we could only see our own addresses. Problem averted, but did it really take a £15k a year nobody IT support technician to point it out?
It's frustrating and I say this sincerely, please don't listen to the lies about how it's all the fault of juniors - many of us try, we really do but we're limited by management. If we're going to achieve change then yes it is the government that needs to be blamed and in turn the problem needs to be pushed into the hands of upper and middle management to realise the issues and realise that they need to take action to ensure the data of the very people we're meant to be working for - the general public that pay their taxes is kept safe and secure.
As a former employee
and therefore posting anon (strange, clumsy with data, quick sharp on data protection act prosecutions when someone like me criticises), I would like to say that quite apart from the desperately poor management (of which there is far too much, in my area managers of various different grades outnumbered working staff by 2:1) the quality of staff being employed is dropping. Why? Because the pay is utter shite. I was the only person in my office not claiming some sort of state benefit, be it housing, child support, council tax relief etc... (cos I was still living with parents at the time) which seemed ridiculous that the government was paying us £13K pa (before tax) and then shelling out more in benefits. Even as court manager, if I had had to rent I too would have claimed housing. If they want quality staff who don't make mistakes, or to retain those few quality staff who are competent PAY A LIVING WAGE. And all that crap about civil servants having job security and good pension etc etc, maybe once, 10-15 years ago but not any more! I was threatened with redundancy twice and only kept my job by applying for other positions in the HMCS. No-one in their right mind should work for the civil service nowadays.