BBC NEWS | UK | Questions asked after data loss

Mary Hawking ukcrypto at chiark.greenend.org.uk
Sat, 23 Aug 2008 09:02:45 +0100 

I'm sorry, I still don't understand the situation fully.

>Ian Batten wrote:
>>  http://news.bbc.co.uk/1/hi/uk/7575989.stm

In the BBC report, it says that the data was given to PA Consulting as 
part of a research project on tracing prisoners through the system.
If that is the case, as with the NAO and HMRC child benefit discs, isn't 
the live data excessive in the first place - and dangerously at risk 
just by viewing in situ?
Each prisoner might need an identifier, a year of birth, a release date, 
a high level post code etc. - depends on what was included in the 
tracing project - but not, surely, full information?
So why was the full data set released to PA in the first place?

>
>One of the flaws in large parts of the public sector, also applying to 
>some of its acolytes, is the divide between management and 
>implementation.

I thought that the role of management consultants was to manage the 
production of solutions and their implementation.
Have I got that wrong as well?

> Now one of the tasks that I have is working with a very small trade 
>association, in the course of which we were involved in the development 
>of the ENCTS (bus passes in England to you), where a misleading 
>document called the Plain English Guide was published by DfT - the 
>source was PA.

Did DfT not read the document before authorising its release?

>In one of its first pro-active actions, the ICO ensured that the 
>document was altered to remove misleading advice to LAs that might well 
>have resulted in personal data of pass holders being stored in the chip 
>in the passes in a way that was insecure. PA are management consultants 
>in the area with which we were concerned, not technical.

I would have thought - being outside this field - that management 
consultants would be expected to have a good grasp of technology and 
law: having to repeat all the necessary checks in house must add to the 
costs of a project.

I still don't understand why anyone - including the individual involved 
- needed to download the data onto a memory stick (surely PA has a 
secure LAN in its offices? ) if the stick itself is thought to be in the 
building?
And if the individual involved did not have legitimate access, why was 
the file not adequately protected in the site in which it was being 
held?

Data security does appear to be managed in a way that might well get a 
doctor struck off by the GMC: is there any equivalent regulatory body in 
this field?
>
>Peter

Mary Hawking
-- 
Mary Hawking