Yet More Data!

So it wasn’t in fact some junior civil servant solely to blame:

As the scandal over the loss of 25 million personal records escalated, the Chancellor, Alistair Darling, was accused of misleading parliament by saying a "junior official" at HM Revenue and Customs was to blame for the loss of the data, whereas email evidence shows he was told two senior managers had authorised the procedure.

And the bank account information should never have been sent either:

It has since emerged that the National Audit Office, which had asked for the CDs, had specifically requested that bank details and other sensitive data be removed from them when it asked for other copies of the Child Benefit database in March, but a senior manager refused to do so on cost grounds.

This really is turning out to be a fest, a feast even, for connoisseurs of bureaucratic incompetence.

Yet the staff member was following procedures laid down in March by senior HMRC managers when a similar request for data was made by the National Audit Office.

!!! The procedures were to send it, unencrypted, through the post! Why were the bank accounts included?

In a briefing paper sent to the Chancellor by Sir John Bourn, comptroller and auditor general, Mr Darling was told that a "senior business manager" sent an email to the NAO, which was copied to an HMRC Assistant Director, saying the information would not be "desensitised" because "it would require an extra payment to the data services provider EDS".

!!!

An almost identical breach of security involving CDs happened in September 2005, when the names, addresses, dates of birth and bank details of UBS customers were lost in the post after being posted by HMRC.

At the time, HMRC admitted that it was "not sure it is the best way to receive information" but that it was "urgently reviewing procedures to make sure this type of incident does not happen again".

Urgently reviewing? Two years is urgent?

In July this year Mr Thomas warned that data protection breaches in Government departments were "frankly horrifying".

Turning to the latest breach, he said: "It is a shocking case. I am at a loss to find out what happened in this situation.

"This goes beyond legal compliance. Any aggregated system for collecting information must be proof against criminals, it must be proof against idiots, it must be proof against those who don’t follow the ordinary rules of procedure."

It would appear that you can in fact make a computer system idiot proof, but not bureaucrat proof.

One lesson to be drawn from this: as they cannot in fact do the simple things correctly, why on earth does anyone task them with doing the complex things?

5 comments on “Yet More Data!”

  1. What makes me laugh is the excuse of it being too difficult / expensive to extract the relevant data from the database. It’s a database; retrieval of data, not just storage, is what they are designed for. Incredible!

  2. The only conclusion one can come to is that this is not, in fact, a database at all but little more than a collection of Excel spreadsheets… actually HMRC probably has it all stored in MS Word docs…
