Friday, November 23, 2007

ARCH on the HMRC data loss

ARCH has been deluged with requests for advice in the wake of the HMRC data loss.

"I doubt there’s anyone who doesn’t know about HMRC’s Child Benefit debacle by now. As you can imagine, we’re a bit busy and the phone has got heat exhaustion.

This is the press release we put out earlier (NB the numbers have gone up since we sent this out):

FOR IMMEDIATE RELEASE 20TH NOVEMBER 2007

CHILDREN’S RIGHTS ORGANISATION ‘STUNNED’ BY HMRC DATA LOSS

Action on Rights for Children is stunned to learn that HMRC has lost computer disks containing the details of the UK’s 15 million children.

Terri Dowty, Director of ARCH said: “This appalling security lapse has placed children in the UK in immediate danger especially those who are already vulnerable. Child Benefit records contain every child’s address and date of birth. We are not surprised that the Chair of HMRC’s Board has resigned immediately.”

Last year Terri Dowty co-authored a report for the Information Commissioner which highlighted the risks to children’s safety of the government’s policy of creating large, centralised databases containing sensitive information about children. The government chose to dismiss the concerns of the report’s authors.

“The government has recently passed regulations allowing them to build databases containing details of every child in England. They have also announced an intention to create a second national database containing the in-depth personal profiles of children using services. They have batted all constructive criticism away, and repeatedly stressed that children’s data is safe in their hands.

“The events of today demonstrate that this is simply not the case, and all of our concerns for children’s safety are fully justified.”

NOTES TO EDITORS

The report ‘Children’s Databases: Safety and Privacy’ can be downloaded from: http://www.fipr.org/childrens_databases.pdf"



Kim Cameron says the government should be listening to folks like Terri.

"Here is more context on the HMRC identity catastrophe.

According to Terri Dowty, Director of Action on Rights for Children (ARCH):

“This appalling security lapse has placed children in the UK in immediate danger especially those who are already vulnerable. Child Benefit records contain every child’s address and date of birth [italics mine - Kim]. We are not surprised that the Chair of HMRC’s Board has resigned immediately.”

Last year Terri Dowty co-authored a report for the British Information Commissioner which highlighted the risks to children’s safety of the government’s policy of creating large, centralised databases containing sensitive information about children. But the government chose to dismiss the concerns of the report’s authors.

Dowty’s remarks demonstrate a clear instance of my thesis that reduction of identity leakage is still not considered to be a “must-have” rather than a “nice-to-have”.

“The government has recently passed regulations allowing them to build databases containing details of every child in England. They have also announced an intention to create a second national database containing the in-depth personal profiles of children using services. They have batted all constructive criticism away, and repeatedly stressed that children’s data is safe in their hands.

“The events of today demonstrate that this is simply not the case, and all of our concerns for children’s safety are fully justified.”

The report ‘Children’s Databases: Safety and Privacy’ can be downloaded here.

I urge fellow architects, IT leaders, policy thinkers and technologically aware politicians to consider very seriously the advice of advocates like Terri Dowty. We can deeply benefit from building safe and privacy-enhancing systems that are secure enough to withstand attack and procedural error. Let’s work together to translate this thinking to those who are less technical. We need to explain that all the functionality required for government and business can be provided in ways that enhance privacy, rather than diminish it or set society up for failure.

Today the “inconvenient” input of people like Terri Dowty is often dismissed - much the way other security concerns used to be - until computer systems began to fall under the weight of internet and insider attacks…"
