I was recently asked to do a presentation on the topic of ‘Effective Information Management’ for a local government organisation. Part of the presentation covered data security and privacy, where I emphasise the importance of policies and procedures created BY people FOR people. The point being that we already have the technology to ensure data and information remains secure, but if we don’t pay attention to how people use these systems, through appropriate policies, procedures and training, then we’re effectively negating the benefits of the technology.
More worryingly, no matter how many security lapses we hear about, there appears to be a general reluctance in some government departments to ask staff to actually confirm that they have seen, read, understood and agreed to the policy, preferring instead to publish to an intranet and just point people at it.
So, I was naturally drawn to a recent item in Public Sector Forums which provides a chronological list of some of the more recent data security breaches, some of which did not get widely reported in the national press. I’ve reproduced the item in its entirety below:
Published: 16 September 2008
Public Sector Forums
As Privacy International’s Simon Davies said recently in the Times:
“Ever since Revenue & Customs lost the records of 25 million people who claim child benefits last year, there has been a frantic rush of reviews, departmental audits, inquiries, an endless stream of new procedures and sombre ministerial statements promising root-and-branch reform. But almost everyone in government knows that there is no easy solution. Most departments are still struggling to work out what the security challenges facing them are – let alone how to resolve them.”
To appreciate something of the scope and scale of the Government’s data security problem, we’ve compiled a scrapbook of press cuttings on the subject just over the past month. As well as some high-profile breaches, we found some other lesser-known stories which didn’t make the national headlines. Even more troubling is the very real likelihood this is not even the ‘tip of the iceberg’ stuff. What other ‘hidden’ losses could be lurking out there below the surface which we don’t even know about yet? Ponder the list of reports below:
15 August: Colchester University Hospital has fired a senior manager whose work laptop, containing the names, address and treatment details of 21,000 patients, was stolen from his car while he was holidaying in Edinburgh. The data was not encrypted to prevent unauthorised access.
19 August: Personal data belonging to 29 million people was lost by government departments in the last year, according to an analysis by the BBC using details from annual reports and parliamentary questions.
22 August: While working on a Home Office IT project, PA Consulting loses an unencrypted memory stick holding confidential information on all 84,000 prisoners and 43,000 serious offenders. This report came days after the Home Office confirmed another external contractor had lost two CDs containing names, dates of birth, passport numbers and nationalities of 3,000 seasonal agricultural workers. Reassuringly, the Department commented: “This is not a Home Office data loss”.
23 August: The Telegraph reports over 160 ‘significant’ incidents of confidential data breaches have been reported to the Information Commissioner’s Office (ICO) by public and private sector bodies since November.
26 August: Restricted and Confidential police documents are found dumped in a skip outside a Hampshire police station during building works.
26 August: Redbridge Borough Council introduces new security measures after staff applications forms for criminal records checks, and their supporting identification documents, mysteriously go missing. Fortunately only three people are affected, but the loss meant the staff were working for eight months at schools without background checks.
27 August: Sensitive police memos relating to a major drugs bust operation, including suspects and witness statements from officers, are found by a member of the public in a bin at a recycling centre in Lancashire.
27 August: ContactPoint, the Government’s forthcoming national database of children in England and Wales, sparks new privacy concerns after it emerges police could be granted access to search for evidence of criminality.
28 August: A computer bought on eBay for £6.99 is found to contain council tax data from Charnwood Borough Council, including the names, addresses and banking details of thousands of residents. The data had not been properly erased from the PC’s hard drive. Police later arrest a council employee.
29 August: FOI enquiries to NHS Trusts in North East England reveal multiple serious security breaches of patient confidentiality. Among the losses were a box of 19 records stolen from a consultant’s car when he left it in his driveway overnight.
1 September: ContactPoint is postponed again after being delayed last year for a security review. The Guardian now reports the project is failing to take adequate steps to protect the data of vulnerable children.
4 September: The Health Service Journal reports out of 105 clinicians surveyed, 92 said they carried memory sticks containing confidential patient information – of which only five were password protected.
5 September: An unencrypted memory stick containing information on 146 patients – including test results for sexually transmitted infections – is lost by Chelsea and Westminster Hospital.
5 September: Documents released under the Freedom of Information Act show the Cabinet Office – responsible for ensuring good practice in data security throughout central government – has itself never been independently audited for compliance with data protection principles.
8 September: Highly-sensitive and confidential information on 10 children with special needs is discovered on a USB pen drive found on the floor of a service station in Yeovil. The device contains names, dates of birth and details of the children’s behavioural problems.
8 September: EDS loses a portable hard drive holding the names, dates of birth, national insurance and employee numbers of 5,000 staff in the National Offender Management Service in England and Wales. The hard drive had been lost for over a year until the details came to light.
9 September: An unprotected memory stick with details of troop movements, including times, locations and travel and accommodation details of 70 military personnel, is found on the floor of a Cornish nightclub.
10 September: After the high-profile theft of a laptop containing confidential information from Hazel Blears’ constituency office, Kensington, suppliers of notebook security locks, offer 150 MPs a free kit to help make sure their own laptop doesn’t go walkabout. Just eight responded.
11 September: PA Consulting is sacked by the Home Office over the recent data loss of prisoner data. In a statement, the company says: “It is clear from the events of recent weeks that the challenge of managing necessary confidential information held by government, and in particular of eliminating human error, is industry-wide.”
11 September: Unencrypted data on 15,000 patients is lost after a burglar steals computer back-up tapes from a GP’s office in Winchester.
11 September: A survey of 47 NHS authorities finds little or no action is being taken following data losses. FOI enquiries by medical publication Pulse found since January 2007, there had been 188 reports of staff breaching data privacy rules or accessing patient data without authorisation and 75 reported losses of data. Only 14 of the 263 incidents were followed up with formal disciplinary action.
15 September: West Midlands Police confirm they are investigating the loss of a memory stick after it was taken out of a police station by an officer on patrol. The force has refused to comment on its contents, however local press reports suggest it held highly-sensitive information on terrorists. The Independent Police Complaints Commission, which is investigating the loss, described it as an “extremely serious matter”.
16 September: Surrey and Sussex Healthcare NHS Trust owns up to over 50 ‘known’ losses of confidential patient information in the last three years. According to a press report, sensitive medical notes were once found in a public toilet and sent on five occasions to the wrong people.
16 September: A memory stick containing confidential records of 200 mental health patients is found lying in a street. The Tees, Esk and Wear Valleys Trust said the ‘serious breach of patient confidentiality’ occurred after an IT technician lost the device. The stick contained entire medical histories of patients, as well as national insurance numbers and addresses. Early investigations into the breach found other members of staff were breaching security policies by storing patients’ private details on their hard drives.
16 September: Personal details of 17,990 NHS staff in London have gone missing in the post after four CDs were lost en route to a payroll contractor. The discs were last seen on July 22 when they were left in an envelope on a post tray marked ‘recorded delivery’, however there was no record they were actually sent. They contained name, date of birth, national insurance number, start date and pay details of current and former staff, and some addresses. A NHS employee has been suspended.
It is maybe worth noting that not all of these security breaches were caused by government staff – service suppliers were at fault in at least two incidents. However, one common thread running through all of the incidents is human failure. Which brings me back to my original point – it’s the people that really matter, the technology is secondary. Until public sector organisations invest time, effort and money in training staff in how to manage secure data, then the billions being spent on developing technology for things like a national ID scheme will count for nothing. I’ve found the 80:20 rule works quite well here, i.e. when developing and implementing any new technology, budget for 20% of the cost on the actual technology and 80% on getting people to use it effectively. I haven’t seen any evidence that anything like this ratio is being used for technical infrastructure projects in government. Someone tell me I’m wrong!
Amen. I think there are two jobs being done though. First, getting the policies designed and in place so that the organisation can justifiably say that it has recognised the issue and taken steps to address it, and taking away the ‘I didn’t know X was against the rules’ defence from foolish or malicious staff. It makes managers sleep easier, but as you say, it really shouldn’t because it doesn’t mean that disasters are any less likely.
So second – the 80% – is actually changing the culture within the framework created by the policy (but in reality, pretty much independently of it) so that people behave in different ways. I’m struggling with this one a bit myself in a different field, but for the example you cite I think it involves reducing the options to err (encryption, password rules etc), making compliance easy (password rules that humans can cope with, templates and tools that save time), formal training for people who like that kind of thing, self-paced online learning for people who like *that* kind of thing, and coaching/’superusers’ for people who only learn when the person next to them shows them over and over. And maybe some figurative skulls on pikestaffs too to show the consequences of disaster?
Steph – thanks for the comments. Sensible perspective as always. There’s a good point you make about reducing the options to err, which to me means understanding the areas of (security) weakness. For example, forcing users to change strong passwords every two months will only encourage them to write the passwords down somewhere – thus defeating the original objective. You can’t write policies or deploy security techniques in complete isolation from the system user.
You wrote some good parts here. I searched for the topic and found plenty of people who agree with you.