Friday, November 23, 2007

Idealgovernment on the HMRC data loss

William Heath's initial reaction to the HMRC 25 million data loss is worth reading.

"CIO responsibility

Paul Gray who chairs the Board of HMRC assumed responsibility and has gone, but this is fairly and squarely a CIO responsibility. We need CIOs to run reliable systems that respect people’s personal data, and to educate their Boards about the political and business risks of what they are being asked to do in creating e-enabled “transformed” public services. I dont believe they have. I wonder how HMRC’s CIO and the HMG CIO see this today.


People like Ross Anderson are dismissed as “having an agenda” and vilified behind their backs (or in the case of Simon Davies, publicly).


Value of the data

What were those disks worth? The FT tells us a person’s full bank account details sell for £15-200 on the black market. We’re dealing here with a fuller profile also including NI number and dates of birth for the whole family. And there are 25m records, and 7.25m families. Assuming the families have one bank account each that values the data at £100m-£1.5bn.


Now, it is implied this data was lost by a nitwit, and doubtless there are some honest incompetents still working in the ever-leaner HMRC. But plenty of people working there will be smart. And if it’s possible to create disks of this sort of value, which can easily be copied before they’re posted, we can see there has been an irresistible temptation for some time now. It would be extraordinary, an unbelievable tribute to the universal integrity of human nature (and an insult to the energy and ingenuity of the contempory British crook) if this data had not been stolen already, perhaps many times.


After rightly resisting for about six hours the shrill Paxman/Peter (thingy from Radio Five-Live) calls for the government to recompense any financial loss we read in today’s FT that Darling says the government WILL cover losses. This means that banks (who are now the only people able to manage this greatly increased risk) can pay out money to the wrong place confident that the taxpayer will pick up the bill.


Lessons for the ID System

The Chancellor seems to think this episode strengthens the case for ID cards. I disagree.

It may underline the case for good ID management now and in future, but underlines that
- government is not the right place to do it (remember the Home Office is way below HMRC on the scale for competence, quality and morale of staff etc)
- such data should not be centralised
- it’s bad enough losing our NI numbers and account details but worse still to put our biometrics into wide circulation
- and that government is clueless about restitution when it all goes wrong (which is the only thing we want - we all know nothing is secure).

The more we control and manage our own data the less likely this sort of thing is to happen. And we are the ones who care about it most. "

William is also working with Blindside to provide the government with some constructive feedback on this incident. Sadly Nu Labouts ...sorry... Nu Labour is so committed to transformational government - putting more and more personal data into bigger and bigger databases to which hundreds of thousands of people need access as a routine part of their job - that it is virutally impossible to break through their fingers in the ears NOT LISTENING NOT LISTENING instinctive reaction to any feedback, constructive or otherwise, on the subject. One of the most important things government could do is, as Wendy G says in commenting, is to:

"stop dismissing the advice of
knowledgeable experts such as those at FIPR, No2ID,
Privacy International, the LSE, Cambridge University’s
security folks (Ross Anderson et al), and ORG as to
the risks involved on the grounds that they are “a
vocal minority” (that can be safely ignored)"

No comments: