posted by ![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png)
purplecthulhu at 10:58pm on 25/02/2009
purplecthulhu at 10:58pm on 25/02/2009There have already been 'serious security breaches' in the database that will be used for the National ID Database when (and if) the ill-conceived scheme finally rolls out.
Routine checks have found security breaches by staff at 30 local authorities who looked things up on the database "with no business justification". Chances are those routine checks won't have found all of the breaches.
And this thing is meant to make us more secure?
ETA: Thanks to![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
yvonneh for passing this on!
Routine checks have found security breaches by staff at 30 local authorities who looked things up on the database "with no business justification". Chances are those routine checks won't have found all of the breaches.
And this thing is meant to make us more secure?
ETA: Thanks to
yvonneh for passing this on!
(no subject)
That article is maddeningly incomplete: is the phrase 'sensitive personal records' hyped-up headlines from a journalist, or are council officials retrieving peronal data at the level of addresses, phone numbers, age and sex - or even confidential family data?
The next missing detail is: what 'business justification' would get this data? Or rather, would provide authority for retrieval without the risk of a slap on the wrist?
What seems to be happening is that local authorities haven't bothered setting up procedures to control access and comply with the even the minimal standards of privacy that CIS is supposed to support: large numbers of staff have been given passwords and carte-blanche to fish for data. As far as the Local Authorities are concerned, that's all there is to it: it's what the database is for.
Local Authorities are probably even less security-aware than central Government - lost disks and all - and their IT departments will have nothing like the resources to set up and monitor security systems and train the users and their managers.
I wonder how many records have been fished out... Is this more like trawling, with bulk downloads ending up on a CD or a USB key? That would be a good reason for the phrase 'serious security breaches' being bandied about!
I have to wonder whether the local authorities involved in this have set up any kind of security system at all. For that matter, I would wonder what is happening in places where the staff already have the 'business justification' that is so terribly limiting for council bureaucrats.
(no subject)
(no subject)
Regarding IT provision in Local Authorities, the norm in London these days at least seems to be that IT and infrastructure are outsourced to CapGemini, Serco or their ilk. The security provision tends to be roughly at the level of a medium-to-large corporation (indeed, LAs are behaving internally more and more like companies in general).
I work for the team at my Local Authority which administers the databases that store children's information - essentially a record of details and school history for every school age child in the borough. Myself and my colleagues in the team have 100% access to the database for administration purposes, but we are fully aware that trawling through to find out about schoolfriends, or the bloke who lives next door, is not acceptable behaviour.
This awareness results from the fact that one or two of us are particularly switched on regarding data security. I've personally read the reports from central government, the LA umbrella organisations, the DCSF and the Information Commissioner's Office on the subject. As a result, behaviours here are changing for the better (though we weren't bad before). Other individuals within the council have limited access where necessary to carry out their duties (e.g. the school admissions team can monitor the applications/admissions process for schools in the borough).
I don't believe any of this awareness extends upwards in the organisation however. Our chief exec doesn't even know the system we manage exists, and yet it not only contains records on 40,000 children, but detailed case information on all children with special needs, disabilities and social services involvement in the borough. I hate to think what the situation would be like if the staff in my department were less security-aware than they are.
In the end, people need to be having serious conversations about what their databases are actually for. For the most part, the databases we keep are necessary, inasmuch as they allow social workers to efficiently monitor their caseloads and they allow us to comply with statutory data requirements of the DCSF. ContactPoint, however, is a load of crap.
(no subject)
My contacts with said databases (and the firms selling them) - from the Civil Service side - are one of the reasons I am dead set against not just the ID one but all the others with all our data on it them, and not just because of the breach of our civil liberties - they won't work properly and will be a money pit.