
Saturday, July 25, 2009

More lost data

Just when you thought that the public sector had learnt its lesson about the correct storage and encryption of data, another story hits the headlines.

This time it is Neath Port Talbot Council, long held up by Labour politicians as an example of a high-performing local authority despite a number of issues that show that it is as vulnerable as any other council to mistakes and inefficiency. They are one of the few Labour-run Councils left in Wales and have one of the highest Council Tax rates. If every Council asked their citizens to pay what Neath Port Talbot charge then the quality of service provision would rise across the board. But I digress.

The Western Mail report that an employee of Neath Port Talbot Council lost a memory stick which had information on it relating to 65 children but it was not password protected or equipped with encryption software. The Information Commissioner’s Office has now told the council to take remedial action, including the encryption of portable and mobile devices which are used to store and transmit personal data. These include laptops and other portable media.

The paper says that the council’s chief executive Ken Sawyers has signed an undertaking to assure the information commissioner that personal information will be kept secure in future. The council will also make staff aware of its policy regarding the storage of personal information and ensure they are appropriately trained on how to follow that policy. Why were they not doing this before? In fact can we be assured that any one of the 22 local Councils are doing this? I intend to write to all of them and find out.

The Western Mail lists other breaches of the Data Protection Act in Wales. In March a memory stick belonging to the Vale of Glamorgan Council and containing confidential child protection information, medical records and details of court cases was found in the street. It was not encrypted or password protected.

In January the Information Commissioner's Office criticised Abertawe Bro Morgannwg University NHS Trust after a laptop containing the names and addresses of 5,000 patients and, in some cases details of their medical records, was stolen from Singleton Hospital.

And in June the Welsh Liberal Democrats released figures that showed that the Welsh Government had 'lost' 31 laptops, 10 Blackberry devices and six mobile phones in the past three years. The Government spokesperson said at the time that personal and sensitive data was not put at risk and all its IT devices were encrypted. However, that spokesperson did not say what was on the devices or to what level they were encrypted. It is difficult to believe that in most cases it was more than a password log-on.

There are many more examples, all of which leave little confidence that government at any level can confidently handle and protect even more data and yet that is what is proposed through the National Identity Database. Surely a rethink is called for on this project even at this late stage.


All of this is what is actually reported! Tip of the iceberg stuff. You will find that in future local authorities and other public bodies will do their very best not to publicise that info devices such as laptops, memory sticks etc have disappeared, just hoping a sea lamprey which digs a hole in the river bed will dig a big enough hole for the blackberry!.. With more data it seems that the issue of data storage and their inevitable loss will become more sophisticated..more allegations of loss and more denials...maybe even the finding of a device that was deliberately not reported lost...is the Info commissioner ready for that?
It is the job of the Chief Executive of any Local Authority to cover up such mistakes; why isn't Sawyers doing his job?
Sawyers is retiring. His successor will probably be appointed by council this coming week. I must check the job spec to see whether data security is in the job description.

I believe the flash memory incident is one I blogged about some time ago, when I suggested that desktops used by central and local government officials should not have USB ports or writeable disk drives.

It may be a coincidence, but not long afterwards the NPT council system was rejigged so that external drives (including flash memory) are no longer recognised - to councillor sign-ins, anyway.
It should be noted that a similar act of carelessness has just cost HSBC £3m (BBC report here). I should like to think that this amount would be taken out of the directors' pension pot, but no doubt we account-holders will contribute a few pence each to pay the fine.