It is good to see that Paul Gray resigned from his position as chairman of Revenue and Customs. (It was even better to see Alistair Darling squirm, but that was a more vindictive delight.) I’m wary of gratuitous scapegoating with this business of the CDs that have gone missing containing the details of 25m people and 13m bank accounts. However, whatever way I look at it I come back to the thought that there are two ways to secure data, and both start right at the top.
The first way to secure data is physical: you make it physically impossible for your staff to export data. You install PCs without CD drives and disable the CD drives on the PCs which have them. While you are at it you disable the USB ports and impose limits on sending emails with attachments. You place limits on the changes that most people can make to their PCs, and provide them with a help desk and an audited order process to use when they want to do something outwith their permissions. None of this is hard and none of it is particularly expensive, though all of it makes things inconvenient for your staff. Not as inconvenient as having to clear up the mess when the details of 13,000,000 bank accounts get into the wrong hands, of course, particularly when the banks turn sulky and say “we’ve done nothing wrong and we aren’t paying for your mistake Mr Darling”. The banks have every right to be irritated since they do make sure that it is very hard for any member of their staff to steal data. This approach does require that those at the top take security seriously and ensure that adequate security policies are written and that the technology is configured to support those policies. Not rocket science, more a question of those at the top prioritising security, employing competent staff and saying “Make it so”.
The second way to secure data is through cultural norms. You make it impossible for someone to think it’s ok to copy personal data on to CDs and bung them in the post. Likewise you make it impossible for someone to think it’s ok to use real data as test data for new systems, or to dispose of confidential waste other than by shredding it, or to walk away from their desk without activating a password-controlled screensaver, or to write passwords on post-it notes, or to look up someone’s personal data without a valid reason, or to leave a laptop in a car or an unlocked cupboard. You make it socially acceptable for someone to say “no, I’m sorry, I’m not swiping you into the building with my card” or “no, you can’t use my account if you’ve forgotten your password”. This sort of security-focused culture is hard to create where it does not exist already, but it is relatively easy to maintain. The code-breaking at Bletchley Park remained a secret until the 1970s despite the fact that over 10,000 people worked there. A culture of treating data security responsibly is, without a shadow of doubt, down to the leaders to create, take seriously, pay for and maintain.
Slackness about data appears to be endemic at HMRC, which is the point that I am making. According to the Guardian, “The chancellor explained that in September the records of 15,000 Standard Life customers had been lost in transit from HMRC offices in Newcastle; in the same month a laptop and other materials were also lost.” The article also mentions 41 missing laptops.
So no matter how I slice and dice this one, I cannot let Gordie off the hook. HMRC was his bailiwick before it was Darling’s. This is the government whose attitude to security was sufficiently cavalier for the personal details including names, addresses, religious beliefs and sexual orientation of tens of thousands of doctors to be posted unsecured on the internet. This is the government who wants to put your full medical history on the NHS spine. This is the government who wants to impose ID cards on us all.
Data is incredibly powerful when it gets into the wrong hands.
The problem is, it’s already in the wrong hands.