Leaked email reveals civil service laptop rules
Civil servant finally leaks data correctly - to us...
The Register has received the email sent out to all staff at the Medical Research Council passing on instructions from the Cabinet Office that the ban on taking laptops out of the office could apply to mobile phones too.
The mail was sent to senior staff on Wednesday afternoon, but forwarded on to everyone within the department this morning.
It warns staff that the first step is that no unencrypted laptops or drives containing personal data should be taken outside secured office premises. The mail said: "Clarification has been given that this applies to any mobile device with storage capacity, including mobile phones and PDA’s."
The email also provides a definition of what "personal data" actually is:
“Any information that links one or more identifiable living person with private information about them” or “Any source of information about 1000 identifiable individuals or more, other than information sourced from the public domain.”
The mail says senior staff are seeking clarification on what this will mean in practice, but meanwhile staff are told to "err on the side of caution... we should assume for the time being that emails and contacts stored in an email system count as personal data."
Here's the whole thing:
Sent: Wednesday, January 23, 2008 3:56 PM
Subject: Personal Data Security and Restrictions on use of Laptops
Following the recent government-wide review of procedures for the storage and use of data, we received a letter this morning from Ian Watmore, Permanent Secretary of the DIUS containing new Cabinet Office instructions and guidance on personal data.
There is a programme of actions that have to be undertaken, but the most immediate states that “From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises.” Clarification has been given that this applies to any mobile device with storage capacity, including mobile phones and PDA’s.
Personal data is defined as “Any information that links one or more identifiable living person with private information about them” or “Any source of information about 1000 identifiable individuals or more, other than information sourced from the public domain”. Clarification is being sought urgently on the interpretation of these rules in practice but as we have been instructed to err on the side of caution, we should assume for the time being that emails and contacts stored in an email system count as personal data.
With immediate effect therefore, please ensure that your Establishment complies with the instruction not to allow unencrypted laptops or drives containing personal data, including emails, to be taken outside of secured office premises.
We will be disseminating information about the other measures as soon as we can. If you have any questions about this, please contact the MRC’s Information Security Officer email@example.com and he will do his best to answer them for you.
20 Park Crescent
London W1B 1AL
Staff have been told encryption software will be installed on their machines next week. ®
How the hell... Doesn't this count as a restricted circular under the Official Secrets Act?
I don't think the civil service culture can take this seriously.
Re: Er ... how do you encrypt a telephone number?
Ah. You can do that with a BlackBerry... of course it's a bit of a hassle, as doing stuff the "real secure way" means that getting an incoming call while the device's locked will only show the Caller ID, but not the Contact Info you have in your phone (as it is encrypted and the private key's wiped out while the BB's locked down.)
Still, that is assuming everyone even *has* BlackBerries... I doubt they'd supply an entire fleet of BBs to every man+dog in the place just because of new security requirements.
At least they are conscious now; I have been in places where sensitive stuff like root passwords is kept in cleartext ... in a financial institution. Or having some hassle with "something about SSL certs" and Management giving the green light on firing up a *production* service *without* SSL as a temporary solution. Oh, would the SOX guys feast on such stuff...
Oh, and only 4 of us even knew of PGP. Of course, all my sensitive stuff was PGP'd, so much that I think no one will be ever able to get useful info from my former PC ever again... ;)
How very interesting that so many people are jumping on the bandwagon of Encryption. I would just LOVE to see how many Private Sector laptops are stolen/lost during a WEEK, let alone a year.
Name ONE good encryption package that doesn't make a laptop a futile mess of electronic parts.
Having been working in the Private Sector for quite a few years, I'm surprised by some people's comments regarding encryption on laptops when there is virtually zero encryption on private sector laptops with financial details for hundreds of thousands of people. Just because it's the UK gov, everyone starts to jump on the "Ah, they are muppets" or "wtf? Horse, bolted.." bandwagon.
I say, good on them for reacting quickly, rather than sweeping it under the proverbial red carpet. Might not be pro-active, but it's better than most of us departments in the private sector.
This is just sensationalist to the extreme...