It’s a matter of only twenty-four hours on from Alistair Darling’s statement on the apparent loss of two CDs containing personal information, including NI numbers and bank account information, relating to 7.25 million families who claim child benefit (an estimated 25 million people in total) and yet it seems that an injection of common sense into this situation is already long overdue.

(Especially in view of the amount of overheated nonsense currently being spouted by blogging ‘expert’, Iain Dale, who really should have learned, by now, the folly of stepping outside the limits of your own technical knowledge and understanding. By contrast, Dizzy – who does know his [technical stuff] has some observations that are well worth reading)

Let’s start with the what – what has actually happened? – for which we’ll turn to this summary provided by the BBC:

What has happened?

HM Revenue and Customs has lost computer discs containing the entire child benefit records, including the personal details of 25 million people – covering 7.25 million families overall. The two discs contain the names, addresses, dates of birth and bank account details of people who received child benefit. They also include National Insurance numbers.

How were the discs lost?

They were sent in normal internal mail from HMRC in Newcastle to the National Audit Office in London on 18 October, by someone at a low level, and never arrived, Chancellor Alistair Darling said. That broke data protection laws and is the reason Revenue and Customs chairman Paul Gray has resigned.

What is the government saying?

Mr Darling called the loss “catastrophic”, apologising “unreservedly” and adding that ministers still did not know the whereabouts of the disks. He told the BBC “there were procedures there, which should have prevented this from ever happening in the first place” but that they “appear to have been breached”. People were “entitled to trust” the government to look after data but “that did not happen here”, Mr Darling said.

What this tells us is that two CDs containing highly confidential information were turned over to a junior underling to be forwarded via an ‘internal’ mail system to the National Audit Office, and said underling failed to follow the correct procedure with the result that the CDs are now missing – whether they have been taken by a third party or are merely tucked away in the bottom of a mail sack in a TNT depot is yet to be determined (by a Police investigation).

Which means that the Government is incompetent for losing this information – right?

Not necessarily.

Dizzy, as I’ve noted, raises some very pertinent points about some of the lax data security practices that appear to have been in place within HMRC, i.e. relying on mere passwords rather than data encryption, sending confidential information via a standard internal mail system, handing off responsibility for shipping confidential information to junior, etc. If those are matters of policy within HMRC then there are serious questions to be asked right up to ministerial level – the Government can and should, quite rightly, be held to account for policy failings.

If, on the other hand, all this has come about because HMRC staff have disregarded policy and operated outside specified data security procedures then one can no more hold Alistair Darling personally responsible for the loss of this information than one could reasonably hold the CEO of a private sector corporation to account on discovering that an office junior has been nicking paper-clips. The real lesson here is one that techies like myself and Dizzy know full well, from years of experience, for all that it is too often overlooked in political debates surrounding data security and identity theft; no matter how much time, effort and resources you put into data security, your system is only ever as secure as its weakest link, which has two arms, two legs and a basic ‘operating system’ that hasn’t been substantially upgraded for a couple of hundred thousand years – people.

No government, and certainly no individual minister, can legislate absolutely for individual acts of gross incompetence (or corruption) amongst civil servants working in locations far removed from Whitehall; the best they can do is hope that oversight procedures are sufficiently robust as to weed out the ‘problem’ employees before they cause major problems.

People routinely do really stupid things.

They write the pin numbers to their credit and debit cards on a slip of paper and keep in their wallet with their cards so they don’t forget the numbers. They use the same passwords on every website and on-line system they use, use obvious and easily cracked passwords and – as I’m sure Dizzy will also know from experience – complain bitterly about being required to change their passwords regularly and use ‘strong’ passwords (i.e. minimum eight characters including both letters and numbers). They also put bank statements and other letters in the bin without shredding them, respond to emails from their ‘bank’ asking them to resubmit their username and password by passing on the information without checking exactly where its being sent to and, of course, they send personal information and bank account details to all manner of fake lottery scams, Ponzi schemes and Nigerian generals without a thought, even though such scams are more than well-enough documented.

So far as I can see, at this stage, the government have made the best of a very difficult situation – they were certainly correct in choosing to delay the announcement of the loss of these two CDs until the banks had been given time to ramp up their own security checks and monitoring of ‘unusual’ activity before going public with the news. Quite who might be culpable for the failing that led to this incident and to what extent responsibility can be legitimately ascribed to the various parties involved (HMRC, Treasury, etc.) is yet to be seen and should, rightly, be the subject of an inquiry as soon as the police and IPCC investigations are concluded – one would expect that Public Accounts Committee will be ‘clearing the decks’ in anticipation very shortly, if they’ve not started already.

In the meantime, much of speculation surrounding this issue is, to say the least, unhelpful, if not entirely nonsensical.

Both Iain Dale and Dizzy query the assertion that the individual most responsible for the loss of the data was a ‘junior official’:

One thing I am waiting on is for a newspaper to identify the idiot who put the discs in the envelope. How junior was this person? I suspect that they aren’t very junior at all, because if they were, they presumably wouldn’t have access to the full data. Or would they? If a junior typist can get access to such data then we all ought to be even more worried that we already are! – Iain Dale

It was a ‘junior official’ that did it – what is a junior official doing have read access to that data? How did they get the data? Did they extract it themselves? If so what does this say about the system’s internal policy procedures that someone who should not have done this had access to production data? Who else, and how many more junior officials have this level of access to this sort of data across Government? – Dizzy

At this stage, its not clear whether this junior official had access to the data on the CD – or any data for that matter – as they may simply have had the task of shipping the CDs delegated to them, but even if the official in question did have access to the data then their apparent lack of seniority in Civil Service terms may have no bearing whatsoever on the question of whether they should have access to this data. The vast majority of data handling jobs, whether in the Civil Service or in the private sector, are routinely considered to be of a relatively low (or junior) status because those jobs revolve around managing information rather than managing people. In fact, the further up the corporate hierarchy one gets, the less likely it is that you’ll actually get your hands ‘dirty’ by dealing directly with this kind of raw information, not when you have subordinates to generate summaries for you. As Dizzy, at least, should know, in a modern corporation no one has greater access to confidential information than the IT department, even though the staff who tend to have the greatest degree of access (operators and data controllers/analysts) are amongst those with the lowest status in the office.

Meanwhile, if you’ve got any sense at all then you’ll completely disregard the ‘advice’ of Iain Dale and his ‘legal friend’ on the subject of suing the government for losing this data:

I asked a legal friend of mine to look at the Data Protection Act and ask if HMRC could be sued over losing 25 million child benefit records. In short, he says there is no exemption for government in this area. He says Schedule 1 of the Data Protection Act is relevant here…

…My contact gives a lot of other reasons why a law suit could work, but they are very technical so I won’t bore you with them here.

Before getting too carried away, Iain’s friend should have paid rather more attention to section 13 of the Data Protection Act 1998, which makes it perfectly clear that a civil action can be taken out under DPA only where an individual ‘suffers damage’ – which will mean primarily a material loss or loss of reputation – or ‘suffers distress’ in addition to damage or where a breach results in personal information hitting the public domain via journalism or in an artistic or literary work.

So unless your bank account does get reamed or personal information ships up in the Sunday’s and you can show that this is a result of the loss of these CDs and not for other reasons – which is a tough ask – then forget the idea of suing the government.

(It’s also worth recalling at this point, before the Tories get too full of themselves on this issue, that one of John Redwood’s proposals for increasing economic competitiveness was to scrap the Data Protection Act. Can we now take it that that idea has gone by the wayside?)

And to kill off another myth that’s rapidly circulating, no this does not mark the end of the Identity Cards project either. Darling has already been quick off the mark with one obvious line:

The chancellor defended the government’s plans to introduce ID cards. He said that without the protection of the scheme, information was more vulnerable than it should be.

And from a pure data security standpoint, there is better ‘argument’ for pressing ahead with a ‘clean’ NIR system than an incident in which another key data system, the National Insurance Number, could be compromised on such a massive scale. If these CDs have got out ‘in the wild’ then one of corrective measures the government should take is to issue new NI numbers to all affected individuals, and its but a short step from there to the suggestion that the National Identity Registration Number should replace in the NI number, which is precisely where things will be heading over time in any case.

No, the National Identity Register is far from being dead in the water at this stage. In fact, once the dust settles you can expect to see this incident spun as further justification for the introduction of the system on the premise that it will add an extra layer of security.

In all this, the one sensible suggestion I’ve seen is this:

What’s more, there should be an Information Security Committee drawn up that oversees Government systems. This should be a body that places information security at its core, not political expedience and be independent of Government. It should be made up of people that actually know about this subject and are not afraid to say “No” and block a system from going live or take a system off-line when it fails to meet the required standards. There should also be a ministerial level role specifically for information security and legislation should ensure that the buck stops at this position.

That’s Dizzy again, and he’s absolutely spot-on with his ideas. The government, and the Civil Service don’t pay enough attention to information security, precisely because most of those in key policy and decision-making positions simply lack the knowledge and understanding of the issues necessary to take those kinds of critical decisions.

Having given this much thought over the last year or so, let me very briefly put up a suggestion that I’ll return to in due course, one that may prove a touch controversial in some quarters – the suggestion that we may actually need a national identity system…

…just not the one that the current government are seeking to implement.

I’ll leave that hanging for the moment, aside from pointing to one of key things I’ll be raising when I return to the subject. See if you can work out exactly how the concept of ‘zero-knowledge proof‘ comes into this debate and how that might change its parameters considerably.

UPDATE – 22/11

The story has moved on this morning, largely thanks to a memo obtained by Edward Leigh MP, Chairman of the Public Accounts committee, from John Bourn, the head of the National Audit Office:

Ministers insist a mistake by a junior official led to the loss of the data – which includes bank account details – by HM Revenue and Customs (HMRC).

But the Conservatives say the fault lies in part with senior management.

They say the National Audit Office, which was due to receive the two discs sent via internal mail, had asked for bank account details to be removed.

But HMRC allegedly declined the request as it would be “too costly and too complicated”.

Shadow Chief Secretary to the Treasury Philip Hammond said: “It was made clear the Revenue would not be able to make it available in that form because it would involve an additional payment to an IT firm.”

He said an assistant director at HMRC was copied in on the decision by e-mail.

“Alistair Darling told the House of Commons this was a single maverick junior official operating in contravention of the rules,” Mr Hammond told the BBC.

“This seems to suggest a decision was made at a senior level not to desensitise the data simply to reduce costs.”

He called on the chancellor to say whether he knew senior officials were involved in the decision before he made his Commons statement on Tuesday.

Clearly, if any of this is accurate, then there are some serious issues to be dealt with, of which the question of what Alistair Darling might have known, and when, is of relatively minor importance outside the confines of the Westminster Village.

First and foremost, just what the hell kind of contract does HMRC have with EDS if it entails additional payments for obtaining properly sanitised audit data? Civil Service IT procurement is renowned for being, well, crap at the best of times, but to omit basic audit provisions from the standard contract seems to amount incompetence on staggering scale, when it relates to a government department with major audit responsibilities.

Next, allowing for the fact that it appears that this whole farrago may stem from a decision in senior management to put saving money ahead of data security, exactly who made that decision and, more importantly, what knowledge, experience and understanding of data security do the possess of the kind that might reasonably qualify them to make such a decision? You’ll excuse me for being a tad suspicious here, but I have to think that the individual in question is likely to one who possesses the kind of IT/Information Systems background that would leave them struggling to move a mouse and chew gum at the same time.

This backs up Dizzy’s point about the need for an Information Security Committee and Commissioner – it doesn’t matter how far up the Civil Service food chain the buck stops, the individual in question should not have had the authority to override what are, to an IT professional, very basic security protocols.

Answer those questions and then we can get around to what Alistair Darling knew, or didn’t know, on Tuesday – and to be fair to him, I cannot think that he would deliberately have misled the House on an issue of this importance, which rather suggests that he’s been comprehensively ‘Sir Humphrey’d’ by an underling, the kind of underling who should now be expecting a P45 in the post.

One still has to be a touch careful here, not least because there are some signs of a ‘not me Guv!’ turf war brewing between HMRC and NAO, but all this does seem to reinforce the impression that there are systemic failures at work here of a kind that seem all too common in the modern Civil Service.

Personal note: If I can crave a moment’s indulgence, problems with a domain registrar have resulted in MoT’s domain going off-line until I can sort out a few things with Nominet. In the interim (and probably permanently as I may just use a redirection when I get this sorted out), my personal blog, the Ministry of Truth, has moved to a new url – http://www.ministryoftruth.me.uk.

About the author
'Unity' is a regular contributor to Liberal Conspiracy. He also blogs at Ministry of Truth.
· Other posts by Unity

Filed under
Blog ,Civil liberties ,Crime

Reader comments

Reactions: Twitter, blogs

1. There is a system problem « OurKingdom

   [...] of information rather than the ID card itself. Two recent posts on the issues are by Unity in Liberal Conspiracy and also Dizzy whom Unity links to. The techies are getting cross at the superficial politicisation [...]

2. The Tories and the Data Protection Act « Flip Chart Fairy Tales

   [...] Protection Act 22 November, 2007 Posted by Rick in Uncategorized. trackback Someone else has noticed that Conservative MP John Redwood wants to repeal the Data Protection [...]

3. The Great Blogging Divide

   [...] Update. Well, there’s this by Unity. [...]