http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/25/ncustoms625.xml

By Andrew Alderson
Chief Reporter
25/11/2007

The Government failed to heed warnings that would have averted last week's fiasco involving HM Revenue and Customs (HMRC), it can be disclosed.

The concerns were raised two years ago by Dr Mark Walport, who ironically was asked by Gordon Brown last month to head a six-month review on the use of personal information.

The security expert co-authored a report for the Council for Science and Technology, an independent government advisory body, which warned that departments needed to "streamline data protection protocols" and improve security.

The 37-page report, published in November 2005, was commissioned by the Government for Tony Blair. It correctly predicted that the unauthorised use of personal data would "damage [the] government's reputation with political ramifications".

Last week, the warnings came back to haunt the Government as it was revealed that HMRC had lost two CDs containing sensitive personal details of 25 million people.

In an interview with this newspaper, Dr Walport described last week's disclosure as "a disaster".

The report, called Better use of personal information: opportunities and risks, said:

* Sensitive data should be encrypted to make it more secure;

* New systems, or filters, should be introduced to enable data to be released selectively;

* An independent watchdog should monitor security procedures;

* Stiff penalties should be meted out to those who failed to comply with legal safeguards.

The data on the two missing discs sent from the HMRC office in Washington, Tyne and Wear, was not encrypted: it was simply protected by a password that experts say could easily be worked out by a computer hacker.

The lack of "filters" on the data also meant the HMRC sent out sensitive information including parents' addresses and bank accounts even though they were not requested by the National Audit Office, the body to which the discs were sent but failed to arrive.

Richard Thomas, the Information Commissioner, complained last week that his body did not have enough powers, including the ability to carry out spot checks on government departments. He also called for reckless security breaches to be a criminal offence echoing Dr Walport's earlier urgings.

Dr Walport, who is now director of the Wellcome Trust, a charity funding health research, said: "This has been a disaster, frankly. The responsibility of holding this [sensitive] data means there need to be extraordinarily careful processes to make sure that disasters like this don't occur."

Dr Walport, 54, who along with Mr Thomas will deliver the new report next year, said "common sense" suggested that it was wrong for a junior official to be able to gain access to so much sensitive information so easily.

"When things like this happen, it is rarely down to a single individual. It is much more down to processes," he said. "We need to design systems which minimise the risk of human failure because there isn't one of us who isn't fallible. We can all make mistakes. It is about having the right processes in place to minimise the risk of human error."

Dr Walport said there were great benefits from data sharing, but that computerisation, with its ability to store large amounts of data in a compact fashion, increased the risk of data loss.