I attended the Information Governance Team meeting. The first item was to review the Service Plan, which comprises 60 actions covering 10 objectives, against which good progress is being made.
Among them is an annual review of the Publication Scheme, which has become a more significant task than previously expected following the receipt of new guidance from the Information Commissioner. Our current scheme format is now inadequate, and more information has to be published by default. Ian is to prepare a briefing note.
One of the actions that I'm interested in, and which is behind schedule, is the development of a "Policy Deployment" (and maintenance) system. I imagine that we all find it hard to keep abreast of the latest policies, guidance and legislation, and ensure that what we're looking at is the most up-to-date. (I do, anyway.) This should help.
We also discussed performance. About 60 requests under the various information governance regulations are received each month. We discussed how we can address the problems in meeting mandatory response targets that often occur because of avoidable delays in services.
I have also asked Ian to draft a Council "Position Statement", for agreement by the Board, concerning our approach to data security – which is obviously in response to the HMRC loss of personal information. In connection with which, I have mixed views about the piece by Frank Abagnale in ComputerWorldUK.
"It was not just a mistake. I truly believe that someone paid for information to be stolen. It's what happens all the time, that someone acted in collusion with somebody else to steal this data," said Abagnale, author of Catch Me If You Can and a fraud expert who has worked extensively for the FBI over the past 32 years. Governments, corporations and local authorities do a "horrible job of protecting data," said Abagnale.
"Could do better" would be a fair assessment, but we're a helluva lot better than we used to be, and getting better all the time. We're also driven to share information more – and rightly so, when it's to benefit society.
It's crucial, in my view, however, that we do so only through a systems approach (as opposed to downloading, fax or e-mailing) and having established controls over identity and authentication.
"Don't send sensitive records by courier or through the mail. It's just common sense, and good business practice that someone should not have done that. The UK government needs to do a much better job of protecting the information of its citizens," he said.
Absolutely – and here's where the whole level of debate has to be shifted. Every day we all receive correspondence containing personal data in the post – not very secure. (I couldn't help chuckling at the HMRC's inclusion of National Insurance numbers in their letters of apology!) Most people still don't shred it, so the easiest way of stealing someone's identity is probably to go through their rubbish.
"The government would not ship gold bullion via an unsecured courier or method and in today's environment, one needs to understand that sensitive personal data is worth just as much as gold bullion."
He added: "This is what scares me about the concept of the UK ID card. Taking all of this information, including biometric information, and putting it into one place is dangerous. It is allowing one weak link in the chain, for instance, a criminal to approach someone to steal information," said Abagnale.
This sounds, to me, a bit like the person I met in a "green" debate who objected to the use of Smart 'Phones because they add to pollution! Can we really turn back the clock? The information is already collected and held in massive databases. What we have to do is implement effective systems-based controls...
...but we also need to understand that we all have our part to play in ensuring adequate checks and balances on our systems. Anyone can subscribe to a service, as I do, that lets one know of any irregular activities transacted in one's name – say, a change of credit rating or an application for finance.
Here, again, the Government has to change the level of debate. It should be educating people, and mandating checks and balances because, probably, the completely foolproof system will never exist.
While biometrics is excellent for providing access when entering and leaving buildings, people shouldn't trust the government with their DNA, said Abagnale. "I wouldn't trust them with that information."
Well, too bad, as it's being collected all the time, anyway, and we all freely scatter it any place we go. However – fair point – the Government needs to earn trust.
"[Governments and corporations] won't spend the money to make [IT systems] as secure as they could be. They will skimp on it. Those are my concerns," he added. "The technology is there. There are hundreds of off-the-shelf identity management software products out there that can do a good job of controlling the data and controlling who sees the data."
In my experience, they have no difficulty in spending the money; it's spending it effectively that's the problem.
"The government needs to be more specific about what it is going to do to protect its citizens if their information is out there. They need to offer a monitoring service to monitor credit records for at least three years, because this activity might not surface for a year."
If the data was stolen, then it is likely the thief would sit on this information for a number of years before harvesting identities, said Abagnale.
"Because the records are for younger people, many may not have a credit record yet. Once they reach adulthood, they could find their identity has been sold before they've even started on life."
HMRC's data loss highlights the difference between data breach notification laws in the US and the UK, said Abagnale. The UK government waited more than 10 days to notify parliament and the public of the breach. But in the US, under current laws, the government would have had to notify everyone affected immediately.
I agree with this.