Monthly Archives: December 2007

Data protection

Ho ho ho, yet another story of missing government packages. Aren’t we glad the government isn’t organising Christmas?

But does this really reflect badly on the people who work for government? I’m not sure it does, because it’s IT companies and couriers that have been losing the data, not government departments or people. In this latest story the problem is with Pearson, a global media company (Financial Times, Penguin etc.) who run the test centres. I noticed this a few months back, and thought it was odd that they have this contract / that it’s contracted out at all. However, the Thatcher/Blair consensus seems to be that the private sector does things more efficiently so that’s what happens (efficiency being achieved by??? cutting corners?).

This means that the management of government is now done with contracts not directives. In the old days the minister and civil servant said X, and this got transmitted down the hierarchy into actions. Yes, it was subverted and translated, but in the worst case scenario someone got sacked or resigned. In the new world of contracting, the policy (X) gets drawn up into a contract, which is then interpreted, subverted etc. Same issue, different lines of accountability. When it comes to data protection, do we really know what each party really means? If you tick a box to say you don’t want data to go to ‘another organisation’ does this include subcontractors? No: the data being with Pearson is taken as still being with the Driving Standards Agency. The DSA retain responsibility and, as far as I can tell in the guidance, don’t need to ask permission of the data subject (i.e. us) to transfer data to a private and/or overseas company (see this too).

So instead of focusing on the little mistakes, shouldn’t we really be asking why a hard drive with UK driver data on it can go missing in Iowa in the first place? We didn’t ask for our government to be outsourced, we didn’t ask for our data to be transferred into private hands, and we didn’t expect the database state to be run by multinational IT and media companies. Ironically, if I want to copy a picture from a Penguin book (perhaps the cover of 1984) to illustrate a lecture on government and data, I have to ask permission from them.

P.S. These issues aren’t that new.

P.P.S. Another issue for later. Pearson produce textbooks for schools, and own EdExcel that produce the examinations. Is that not a conflict of interest?


Filed under News

My stats: UK ghettos

I don’t put much up on this blog, because I’m too busy writing elsewhere. However, I’ve noticed that the one entry that repeatedly gets read is the one on ghettos in the UK. It seems people are always looking for information about ‘UK ghettos’, suggesting that race and racism are very much ‘live’ topics.


Filed under Blogging

Government data

I got my letter from HMRC at the weekend, apologising for losing some CDs with information about myself and my family. Unfortunately, all the apology, and all the news has been about the wrong problem…

Most of the comments have focused on the facts that the CDs weren’t sent by registered post, and that the files were just protected with a zipfile password…

(technically this is encryption, so I’m guessing that all the nonsense about ‘password protected but not encrypted’ was to say that it hadn’t got strong encryption, but if they’d put the key on the disk anyway, what difference does it make?)

Now of course these aspects of the affair are just stupid: stuff gets lost in the post all the time, and if you are going to use physical media it makes sense to encrypt it as strongly as available, and to send the decrypt key separately or electronically.

More importantly, though, we have to wonder how on earth this state of affairs came about. I know in other parts of government there are secure networks: if you want to work from home in some government organisations you can’t use your own ISP, but you get an extra line that connects to government servers. In this case there would be no need to use the post. Indeed, for important mail you’d think the government would use its own internal mail service, Government Mail, although this is run with a private company and it’s possible that HMRC had to get the best deal, and this turned out to be TNT.

And why and how was the information sent out in this format in the first place? Apparently a junior manager burnt the data to CD and sent it out, but surely this is something that should only be done with authorisation at the highest levels. Otherwise, what’s to stop a corrupt employee doing this with all records: just copy them to a memory stick and leave the building and no-one would ever know.

More importantly, the auditors didn’t want all this information anyway. They wanted all the address, bank and parent details removed, but the HMRC people reckoned this was a burden too much, and could cost £5k to do ‘additional data scans/filters’! Now I know it’s a big database, but once the query is set up, it should only take minutes to make a new query without this data. Even if this couldn’t be done, it would have been easy to run a query on the outputted dataset: at most an hour’s work and then leave a computer to get on with the new output. This suggests that the IT providers have got the government over a barrel. The database is set up in such a way that the HMRC staff (and I assume someone there could do the work) can’t get full access to it. And then they charge five grand to come and make minor changes.

Herein lies the rub. EDS (I believe it’s them) have designed a system in which the end user (HMRC) can export data from a query that uses every record to a CD, yet can’t create or modify queries; the government have their own ‘secure’ mail network but they don’t use it, and have their own secure intranet but don’t use that either.

It just goes to show how well ‘competitive tendering’ works. It reminds me of a conversation I had with an IT professional who said that the industry was slowing down because they could no longer ‘rip off the government’. He said that in the past they could charge the government ludicrous amounts for small amounts of work, but that the government had got wise to it and new contracts were much less profitable. Looks like the HMRC job was sorted long before this, though.


Filed under News