BBC NEWS | UK | Questions asked after data loss

Peter Tomlinson ukcrypto at chiark.greenend.org.uk
Sat, 23 Aug 2008 09:57:05 +0100 

Mary Hawking wrote:
> I'm sorry, I still don't understand the situation fully.
>> Ian Batten wrote:
>>>  http://news.bbc.co.uk/1/hi/uk/7575989.stm
> In the BBC report, it says that the data was given to PA Consulting as 
> part of a research project on tracing prisoners through the system.
> If that is the case, as with the NAO and HMRC child benefit discs, 
> isn't the live data excessive in the first place - and dangerously at 
> risk just by viewing in situ?
> Each prisoner might need an identifier, a year of birth, a release 
> date, a high level post code etc. - depends on what was included in 
> the tracing project - but not, surely, full information?
> So why was the full data set released to PA in the first place?
>> One of the flaws in large parts of the public sector, also applying 
>> to some of its acolytes, is the divide between management and 
>> implementation.
> I thought that the role of management consultants was to manage the 
> production of solutions and their implementation.
> Have I got that wrong as well?
Yes: the great divide, a hangover from Victorian days when 
communications were slow, is between management (wot makes decisions at 
the centre) and implementation (done by local people in the old days, 
but increasingly now done centrally where it is managed by people 
without the necessary skills and experience - there isn't a chain of 
technical management competence right to the top, whereas Best Practice 
says there must be).

I can think of another project in a neighbouring jurisdiction that, 
nearly 4 years in, has just appointed a programme manager in the govt 
agency to which it was transferred 2 years ago... That is the first time 
for that project.
>> Now one of the tasks that I have is working with a very small trade 
>> association, in the course of which we were involved in the 
>> development of the ENCTS (bus passes in England to you), where a 
>> misleading document called the Plain English Guide was published by 
>> DfT - the source was PA.
> Did DfT not read the document before authorising its release?
I was told that it had been signed off by both the technical consultants 
to the project and by DfT. That doesn't answer your question... The 
excuse was that data protection compliance in this case is the 
responsibility of the LAs - but the ICO now appears to be applying a 
duty of care to central govt.
>> In one of its first pro-active actions, the ICO ensured that the 
>> document was altered to remove misleading advice to LAs that might 
>> well have resulted in personal data of pass holders being stored in 
>> the chip in the passes in a way that was insecure. PA are management 
>> consultants in the area with which we were concerned, not technical.
> I would have thought - being outside this field - that management 
> consultants would be expected to have a good grasp of technology and 
> law: having to repeat all the necessary checks in house must add to 
> the costs of a project.
No, clearly they are not so expected. Or maybe they are, but their 
unwillingness to hire in technical people, and their willingness to take 
on anything offered them under their Framework Contracts, together 
defeat the object. I have recently submitted comments about this to the 
Treasury's Glover Inquiry into the problems that SMEs have with govt 
procurement.
> I still don't understand why anyone - including the individual 
> involved - needed to download the data onto a memory stick (surely PA 
> has a secure LAN in its offices? ) if the stick itself is thought to 
> be in the building?
> And if the individual involved did not have legitimate access, why was 
> the file not adequately protected in the site in which it was being held?
>
> Data security does appear to be managed in a way that might well get a 
> doctor struck off by the GMC: is there any equivalent regulatory body 
> in this field?
>> Peter
> Mary Hawking
Peter