What has changed since two government departments suffered embarrassing losses of public data? Derek Parkinson finds out.
“My impression is that the minds of senior civil servants are filled with the issue of data security. I imagine hot notes are being issued to senior people all over Whitehall, and some of them probably have their heads in their hands.”
So says Robin Guenier, former chief of the Cabinet Office Central Computing and Telecommunications Agency (CCTA). He continues to take a close interest in the NHS IT modernisation programme, and as a senior figure in the IT Livery Company still has access to senior civil servants.
Responsible for overseeing IT modernisation during the final years of John Major's government and Tony Blair's first term, he had first-hand experience of attitudes in the higher echelons of Whitehall. “Data security and control of data wasn't regarded as an important issue. When I was in the Cabinet Office, that was true of politicians and senior civil servants, and I don't expect they have changed that much since. The attitude is that IT will somehow just work – they tend to be somewhat naïve about it,” he says.
No one in central government can remain naïve following hugely embarrassing data losses by the HMRC and the Ministry of Defence. The Independent Police Complaints Commission (IPCC) launched an investigation with a remit to discover whether any criminal conduct or disciplinary offences had been committed by HMRC staff. Although clearing individual staff, the IPCC identified systemic failures within the department, notably a “lack of understanding of the importance of data handling” and “a ‘muddle through' ethos”. A broader remit was taken by Kieran Poynter, UK chairman of PricewaterhouseCoopers, who was invited by Chancellor Alistair Darling to offer a diagnosis of HMRC's condition and suggest a cure.
A striking aspect of Poynter's involvement is the speed with which he identified a lack of accountability for data security among senior HMRC staff. “I found it difficult to relate roles and responsibilities among senior management to accountability,” said Poynter in a letter to the Chancellor.
The Poynter Review offers clues as to how, in the policy-oriented world of central government, comparatively junior members of staff were able to breach the most basic requirements of data security in such a spectacular way. It is worth recalling that although the loss of disks was a new development, downloading large amounts of confidential data on to removable media with little, if any, protection was not an isolated case.
Although HMRC had data security policies available on its intranet, staff seemed unaware of them, Poynter's team discovered. “Almost all interviewees expressed a lack of knowledge as to exactly where on the intranet security policy is to be found,” Poynter said.
In the absence of written guidance it might be thought that staff would consult a senior member of staff before sending an entire dataset offsite. But here too there was misunderstanding. It appears that junior HMRC staff responsible for sending the data were unclear about their obligations to the National Audit Office (NAO), thinking the requesting body had “absolute authority” to access any information held by HMRC, and that their overriding duty was to provide it.
An important precedent was set in March 2007, several months before the disks vanished. The full dataset was provided to the NAO on this occasion, even though it had only requested a sample, with sensitive data redacted. According to Poynter, HMRC staff appeared unaware of the capabilities of their IT system, not realising it contained software capable of extracting the sample data “at virtually no cost”.
From top to bottom the concept of data ownership appeared unclear within HMRC. Although both HMRC and NAO had single point of contact (SPOC) procedures for data requests, these were not adhered to. Within HMRC “there is no formal definition of the SPOC role, and hence those undertaking such a role are not aware of their obligations and responsibilities,” says Poynter. “There appears to be no link between SPOCs and data ownership responsibilities.”
The Review makes 45 recommendations in total, of which HMRC has made progress on 39. The recommendations cover all levels of the organisation, including the appointment of a chief risk officer (CRO) and a chief information security officer (CISO) at a senior level. HMRC will have a professional risk management function with a brief to support its operational arms, liaise with the CRO to identify strategic risks and oversee regular security audits.
Each business unit will have a senior member of staff responsible for data security and new security policies and procedures. Data guardians within the units will be explicitly responsible for the people-related aspects of security, including staff training programmes.
The loss of the disks added fresh urgency to a wider review of data sharing between central government departments. Overseen by Cabinet Secretary Sir Gus O'Donnell, the report includes prescriptions for improving data security across Whitehall. Among the key recommendations are obligatory use of protective measures such as encryption and penetration testing, as well as fresh restrictions on the use of mobile devices and access to records.
Although the Cabinet Office sets the data security standards for the rest of central government, it is a relatively small department and does not have the resources or powers to check compliance. In future there will be closer scrutiny in this area through the NAO, and “targeted intervention” by CESG, the information assurance arm of GCHQ.
Regular privacy impact assessments will be carried out as part of service delivery in all departments and will be mandatory when new services are planned. Currently, large IT projects must pass a “traffic light” review by the Office of Government Commerce – an arm of the Treasury – to assess their fitness before a budget is allocated. In future, this process will include a data security audit.
Independent scrutiny by the Information Commissioner's Office (ICO) will also play a part. In the wake of the data losses by HMRC and the MoD, the ICO is to serve enforcement notices on both agencies – the strongest intervention available under its existing powers – requiring progress reports to be published after 12, 24 and 36 months. Failure to comply is a criminal offence.
Stronger powers will be granted to the ICO as part of the new Criminal Justice and Immigration Act, including the freedom to perform spot checks on organisations, and impose “substantial fines” on those that deliberately or recklessly commit serious breaches of data protection law.
In parliament, some argue that fundamental aspects of our data protection law need a serious rethink. After hearing evidence from Information Commissioner Richard Thomas and human rights minister Michael Wills, the Joint Committee on Human Rights concluded that the underlying presumption that public and private sector bodies are free to share personal data unless explicitly prevented is insufficient protection against breaches of human rights. The committee expressed particular concern at the prospect of the government pressing ahead with plans for a national identity register with the current safeguards in place.
The issue of public trust ran through all the formal investigations into the government's security lapses. The impact of the lost disks is difficult to gauge accurately, but research carried out by the ICO in February suggests that more than half of us no longer have confidence in the way organisations such as banks, local authorities and government departments handle our personal information.
Bodies as diverse as the National Consumer Council and the House of Lords Science and Technology Committee are lobbying for tougher legal requirements for all organisations holding personal data, similar to those in the US. These would require the holders to notify individuals in the event of a security breach, a requirement that was first introduced by the Californian legislature in 2002, and has now been adopted in various forms by a further 38 states.
The prospect of such a law in the UK has raised concerns about how it might be implemented, as well as the broader unintended consequences that could follow. The California legislation defines a security breach as an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business”, but doesn't define the term “unauthorized” or specify what evidence should trigger the obligation to notify individuals. The statute has also raised concern because of its ambiguity about how organisations should actively monitor security breaches.
Concern about data security led US banks to implement the Payment Card Industry Data Security Standard (PCI DSS). Although European retailers are signing up to PCI DSS, putting an accurate figure on how many have done so is difficult because the PCI Security Standards Council does not collect such data, leaving this to the card issuers. To date, the card issuers haven't published regular figures for participating retailers. “Based on the numbers of global organisations joining the council to be part of the standards setting process, we believe that PCI DSS is top of mind for organisations that transmit, process or store cardholder data,” the council says. Nevertheless, the general consensus seems to be that take-up in Europe is some way behind the US.
The proliferation of data-breach notification laws is the primary driver of take-up in the US, suggests independent security consultant Rob Newby. “The thing that made the US move to protect their data was not PCI DSS, but [the breach notification law] SB1386, a stringent piece of legislation,” he claims.
Other security experts express doubts about the wisdom of making detailed technical prescriptions part of security standards, let alone legislation. “Enshrining technology in law is a bad idea – the focus should be to protect the data, not devices,” says Paul Simmonds, co-founder of Jericho Forum, an international association of leaders in IT security, and a former CISO at ICI.
Protecting data is often a time-sensitive activity, Simmonds points out. “Think about a company making an important announcement in the City. At 8:59am on a Monday morning that information might be known only to five people in the world. Then at 9am it goes from being secret to being public,” he says. If we are to protect data adequately while recognising the sensitivity of security to time and place, we need security classifications, he suggests.
This is the key to ensuring data is handled by the correct processes and appropriately trained people, while exploiting the benefits of the rich types of collaboration that new technologies can provide, says Simmonds.
A weakness in many organisations is an over-reliance on what people know about security policies, rather than what they do with them, suggests Danny Dresner, a security standards expert at the National Computing Centre. “What do you mean by policy? Is it one of those nice things to hang on the wall?” he asks.
HMRC appears to have gone a stage further, to the point where staff were unsure whether policies even existed, or where to find them; but data security is fundamentally a people issue, and effective policies must reflect this, he suggests. “People will be your firewall. But if you lock everything down and use so many controls that you make it difficult for them, they will find ways to work around them, which can create new security risks,” Dresner warns.
Effective policies are more than wall hangings, and being an information security professional requires more than decorating skills. Raising awareness of the importance of implementing knowledge is a key aim of the Institute of Information Security Professionals (IISP).
It is the first organisation of its kind to take this approach, says Paul Wood, the IISP board member representing corporates. “Why has it taken so long? Because corporates and the industry itself haven't taken it seriously enough,” he says. “IISP hopes to have 200 members by the end of the year,” he adds.
Disasters such as the lost HMRC disks have undoubtedly raised awareness of the importance of data security, and the profile of security professionals with it. But they can only do so much, and if repetitions of such events are to be avoided, the most senior people in an organisation must be directly responsible for data security, says Simmonds. “If the board had to sign it off – as they do for financial results – the whole organisation would be focused on security,” he says.
“Is there really ever any significant penalty for breaches of security? Do people lose their jobs because of it?” asks Guenier. “A chief executive can be fired for not meeting targets. Maybe it should be a sackable offence,” he suggests.