Electoral Commission confirms that it does not monitor user activity and does not generate real-time security alerts
The Electoral Commission has admitted that it does not have the ability to monitor the activities of users whilst accessing the electoral registers.
In a Freedom of Information Act request, LogLogic asked whether there was a ‘product in place that allows you to monitor and log access and changes to information on the electoral roll register/database?’ The commission responded that it does not have such a product.
It said: “Individual local authorities manage their electoral registers. We do not collate the registers into a single database - this information is managed by local authorities themselves. We are sent secure updates on a monthly basis by each individual local authority.”
LogLogic CEO Guy Churchward said: “Apparently local authorities manage their own electoral registers meaning that there is no central point of control at all. They are sent secure updates on a monthly basis by each individual local authority – how this is done (over email, USB etc.) wasn't stated. The commission did not divulge details on whether each local authority had a product in place to monitor and log access either.”
The next question asked: ‘how many people have access to the register/database, and how often was it reviewed?’ The commission said that a total of 25 staff in the party and election finance team have access to the electoral registers.
It said: “These documents are stored in restricted folders and can only be accessed by the relevant staff for purposes of checking permissibility of donations to political parties. In addition a number of technical staff (currently eight) in the IT team also has access to this information.
“The electoral register information is only accessed on a need to know basis and these access permissions are controlled by the ICT team with permission given in line with an agreed policy and procedure after obtaining appropriate authority. All information assets, including the electoral rolls, are reviewed annually (and ad hoc throughout the year if there is an indication that this may be necessary or as part of an audit) to ensure that they are handled and used appropriately. In addition, each time there is a change in staff, permissions to access the electoral registers are reviewed.”
The next question asked whether privileged users were being electronically monitored regarding their activities on the register/database. The commission responded that it does not ‘currently have automated systems to monitor the activities of users whilst accessing the electoral registers’.
Churchward said: “Whilst this sounds reassuring it is important to note that procedures and policies are great – but only if they are followed to the letter. Who is checking that? We would have (hopefully) assumed that privileged users were also being electronically monitored regarding their activities on the registers as a backup, but the answer to that question was no. They do not currently have automated systems in place to monitor the activities of users whilst accessing the electoral registers.”
Finally, LogLogic asked whether the security measures in place conform to ‘data handling in government’ guidelines, and whether the commission was able to generate real-time security alerts to highlight any suspicious user activity on the register/database.
It responded by saying that its security measures do conform to the Data Handling Review 2008 guidelines and also the Data Protection Act 1998 that governs the use of personal data.
It said: “While we do not generate real-time security alerts, we maintain policies, procedures, training and technical controls to ensure security measures are in place. We conduct an annual review of information security measures to ensure continued compliance with the Data Handling Review mandatory measures.”
It finally confirmed that the information is not held in a database, but as files on a shared network drive with permissions controlled as noted previously. It also said that it applies all security patches within the calendar month in which the patch is released, in line with industry standard practice.
Churchward said: “The need to monitor the digital footprint of employees in order to preserve the confidentiality and integrity of data and monitor privileged user activity is extremely important – especially with regards to public sector information. It's very disappointing. I am hoping that each local authority is a little sharper and is electronically managing and monitoring access to their databases – it is certainly something we should be asking our councils about.
“It is critical organisations like the Electoral Commission implement a central workable and secure solution. They must act upon it, monitor and maintain processes and stay up-to-date with access controls. Well-managed log data can provide them with a vital window on irregular activities. Why wouldn't they implement it?”
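Churchward's closing point, that well-managed log data gives a window on irregular activity, is exactly the kind of automated check the commission said it does not run over its shared-drive files. As an added illustration, not code from the Electoral Commission or LogLogic, the Python below scans constructed file-share audit lines for the register folder and raises an alert for each rule that fires; the allow-list of accounts, share path, working hours and log format are all assumptions.

```python
import re
from typing import Dict, List

# Constructed sample audit lines for a shared drive (not real Commission data).
SAMPLE_LOG = r"""
2024-03-04 09:12:41 user=pef.analyst01 action=READ path=\\fs01\restricted\registers\leeds.csv result=OK
2024-03-04 09:15:02 user=ict.admin03 action=READ path=\\fs01\restricted\registers\leeds.csv result=OK
2024-03-04 23:47:19 user=pef.analyst02 action=COPY path=\\fs01\restricted\registers\ result=OK
2024-03-05 10:03:55 user=temp.contractor action=READ path=\\fs01\restricted\registers\bristol.csv result=DENIED
2024-03-05 10:04:10 user=temp.contractor action=READ path=\\fs01\restricted\registers\bristol.csv result=OK
"""

LINE_RE = re.compile(
    r"(?P<date>\S+) (?P<hour>\d\d):\d\d:\d\d user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) result=(?P<result>\S+)"
)

# Assumed allow-list: the finance-team analysts and ICT staff who need the files.
AUTHORISED = {"pef.analyst01", "pef.analyst02", "ict.admin03"}
REGISTER_PREFIX = r"\\fs01\restricted\registers"   # assumed restricted folder
WORK_HOURS = range(8, 19)                          # 08:00-18:59 treated as normal


def scan(log_text: str, authorised=AUTHORISED) -> List[Dict[str, str]]:
    """Return one alert per rule that fires on each access to the register folder."""
    alerts = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(REGISTER_PREFIX):
            continue  # malformed line, or a file outside the restricted folder
        user, hour = m["user"], int(m["hour"])
        reasons = []
        if user not in authorised:
            reasons.append("account not on the authorised list")
        if hour not in WORK_HOURS:
            reasons.append("access outside working hours")
        if m["action"] == "COPY" and m["path"].endswith("\\"):
            reasons.append("bulk copy of the register folder")
        if m["result"] == "DENIED":
            reasons.append("permission denied on register file")
        when = f'{m["date"]} {m["hour"]}:00'
        alerts.extend({"user": user, "time": when, "reason": r} for r in reasons)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'ALERT {a["time"]} {a["user"]}: {a["reason"]}')
```

Fed live audit events instead of the sample block, the same rules become the real-time alerts the commission said it does not generate.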