Government still losing at least a computer a week
Don't care, won't care
A year and a day after losing child benefit records for every family in the UK and promising to reform data handling, the British government is still losing a laptop every single week.
Figures collated from Parliamentary answers reveal the government has lost 53 laptops since 20 November 2007 when Alistair Darling told the House of Commons that unencrypted discs containing the entire child benefit database had been lost.
Tory shadow housing minister Grant Shapps asked each department how many machines and storage devices it had lost this year. All answered except the Ministry of Defence and the Home Office - traditionally top performers in the government computer loss league.
53 computers have gone walkabout, along with 36 BlackBerrys, 30 mobile phones, four memory sticks and four disc drives.
The Department of Health came out on top with 14 laptops lost.
Shapps called for a government review of data handling, although the last year has seen four such reviews as well as investigations into other data breaches like the MoD's loss of 600,000 records.
Despite a £20,000 reward for the child benefit discs and a 47-officer strong police investigation, they were never found.
Easy. They're *ALL* to blame. The flunky who forgot to lock down his laptop before having a pint, the manager for assigning an untrustworthy person to the task, the OP wonks for populating the laptop with more than was necessary, for not forcing encryption, and probably for not using a "thintop" access policy, and the minister for not setting up a DTA data protection policy nor enforcing what's already there. *Someone* must be held accountable, but that doesn't necessarily mean the blame must be limited to *one and only one* someone.
"We don't need a review of policies. We need hefty fines and prison sentences for INDIVIDUALS RESPONSIBLE for the loss of equipment containing unsecured personal data. Simple."
Ah, but which individual is responsible, pray tell? The lowly flunky who had the misfortune to have a laptop stolen while refreshing himself after an arduous workday? Or his manager, who clearly didn't *manage* him? Or the operating policy wonks who fill notebooks inches thick with detailed, explicit policies, but never trouble themselves to tell the troops about them? Or, God forbid, the minister responsible for the department at fault? (BTW, what ever happened to the concept of ministerial responsibility? Did Wakkyjakky have her way with it? <shudder>)
Ash's emphatic demand that _somebody_ be held accountable is understandable given the repeated demonstrations of public sector IT muppetry, but I fear his proposal would become an excuse to make the proverbial lowly flunky a scapegoat for more profound failings much higher up in the hierarchy.
And thus serve as a mechanism for those truly responsible to escape all blame. Since it seems to be a guiding principle of NuLabour that all blame must be avoided, you can see how the proposed policy would play into the hands of Those We Love to Hate.
The loss of sensitive and especially classified government data IS a crime, as it is a failure of adhering to government protocols and potentially even a threat to national security.
Anyway, if you want to protect sensitive data, you must treat it like a scant resource--only to be handled as absolutely needed and under full audit. How's this for a working theory? First, ensure only one active copy of any file exists--disable copying, moving, deleting, and the "Save As" function system-wide (this will handily take care of removable media as well). Backups are permitted only on an encrypted system-wide basis. If a copy *must* be made, then it must be cleared by security--such security people only possess permission to alter permissions, not files themselves outside their own internal scope. All files should possess full version tracking so each and every edit can be tracked. Laptops in such a system should be registered, possess GPS trackers and should really be no more than thintops--encrypted remote login devices with no local storage to speak of. If data *must* be taken to a location where the Internet is not reliable, then the laptop should only contain as much data as needed and require two-factor authentication just to turn it on--and it must be brought by two people (as remotely separate as feasible), each possessing only one of the factors. Basically, treat it like a priceless treasure because it just may well be.