outsourcing GP appointments to India: is this legal under DPA?

Ian Batten igb at batten.eu.org
Sun Jan 16 22:46:00 GMT 2011

> On the other hand, I read an article this week about BYOC (bring you own computer), which is a scheme to outsource the supply of thin clients to employees.

It's hardly news: BP and Cisco are apparently doing it de jure, and in universities it's happening de facto.  I have a suspicion that some university staff conceal that they're mostly using their own laptops, for fear of the IT bogieman, but it seems very common, and of course the infrastructure is mostly open to non-issued machines because undergraduates are increasingly self-providing.   
> http://www.bbc.co.uk/news/business-12181570 [1]
> And the "global law firm" (and their supplier) which was quoted must have done a proper audit of the security issues of data leaking off[2] Citrix PCs and into the local (potentially hostile and unsafe harbour) environment. I don't pretend to understand the details of how that security is implemented though. But if it's good enough for them, would it be good enough for the NHS?

Well, there are a variety of thin and semi-thin solutions which in various ways make it harder than it might otherwise be to access USB sticks (for example).   Some are fairly crude (the thin viewer can disable cut and paste outside itself), some are rather fancier (type 2 hypervisors).   I'm not remotely convinced they're either used or effective.  Not used, because environments in which people never need to move data via USB sticks are rare.  Not effective, because (again invoking my concept of "law abiding criminals") if someone is being paid to obtain half a dozen addresses, they can carry the data out of the environment in their head, on a piece of handwritten paper, using a camera to photograph the screen, etc, etc.   Just because you erect a defence against the theft of bulk data doesn't mean your adversary is going to helpfully abjure from any attempt to steal individual items.  In the case of the NHS, what's the perceived threat?  That someone downloads the whole demographic database?  In which case, yes, worrying about data location and endpoint security matters.  That someone looks up names for money and returns individual postcodes?  Well, that's a horse of an entirely different colour.

> Digressing slightly, I'm not a great fan of thin clients due to seeing various industry colleagues struggling to read their emails over dodgy connectivity in far flung parts of the world; whereas all I need is a whiff of port 110 now and again.

Thin clients aren't necessarily a good solution for fully mobile staff.  They're a great solution for call centre workers.  The debate is therefore the middle ground between those extremes.


More information about the ukcrypto mailing list