Civil servants responsible for the loss of public data could face prison sentences in future, instead of a brief period in sackcloth and ashes before being shifted into a consultancy role. In his update on the HMRC data loss to MPs yesterday, Alistair Darling said: "There will now also be new sanctions under the Data Protection …
I thought the headline meant Big Brother
...would be on Big Brother.
Funny thing - it didn't even strike me as odd.
Is this really going to have the desired effect or just cause the culprits to work that much harder to cover-up their incompetence post-factum (or just strengthen the "blame the junior" mentality usually displayed)? What good is punishment when there's no culpability?
Who do we really think they'll go after?
When these new penalties are on the books? Any guesses? Anybody think we'll really see any top civil servants end up in chokey?
Or does it seem more likely that we'll see countless SMEs threatened with draconian penalties by an ever expanding bureaucracy, keen to get its claws ever deeper into every aspect of our lives?
But what about the Outsourcing
So the Civil servants get locked up. What happens to the managers in the outsourcing companies (EDS, Capita etc) who the Civil Servants have to use for things due to the Government's anal obsession with outsourcing and PFI?
Oh that's right - they get nice large pay rises and their directors cough up some cash and end up as Lord Sleaze of Corrupt Town.
Though will they be given the authority to undertake their new responsibility?
The civil service still has a lot of people in charge of their computer stuff, charged with ensuring it runs yet, when it comes to telling a more senior person that they must do something (because, for example, the disk is filling up and if it fills, the system will fall down), they are told they cannot tell a senior-level employee what to do because they're only an assistant-level employee.
And who is responsible...
I see from related news stories that Ruth Kelly seems to think that when government departments send private data to private contractors overseas who lose it, that "the primary responsibility lies with" the contractor...
Unless and until government ministers actually bother to read and understand the responsibilities imposed on their departments by the Data Protection Act, and actually seek to live up to those responsibilities rather than evading them, things are not going to get better.
Perhaps Ministers who fail to impose a proper Data Protection regime on their departments should also face the big house?
Just out of curiosity, why are there ANY governments handling our personal data without BS7799/ISO27001 certification both for themselves and every contractor they use?
Who goes to jail?
The person responsible for the decision? Or the poor sap ordered to commit the deed? Since the security regulations are apparently kept away from the junior staff (so they can't know if they're breaching regulations), I'm sure this will have exactly zero effect, and land some innocent people in serious trouble.
Re Mark's comment
Had this with a system I run a few weeks ago; the disk had under 1GB free.
Said I need to move stuff off this ancient server ASAP to something else, either you let me do it within the next 2 days or the server - plus the two apps that run on it - goes down.
They authorised the downtime during core hours.
"Civil servants responsible for the loss of public data could face prison sentences in future, instead of a brief period in sackcloth and ashes before being shifted into a consultancy role."
If only it were true; however, the politicos will never pass legislation that would send either themselves or their confidante Sir Humphreys to gaol. Junior staff like Mr S. Capegoat, nay problem for sending down, but anyone above amoeba level? Not a chance.
Bear in mind that we live in a neo-Blairite culture where everyone in authority who screws up takes "full responsibility" and apologises, but nothing ever happens to them, only to lackeys who get to be unfortunate patsies. Who's going to rock this particular boat? Not New Labour, wouldn't want to spill any of that EDS/Capita gravy now, would we?
Viva la Revolucion!
Gordon Brown is going to prison because he'd been told about the lack of security and thought it a non-issue just like everyone else down the food chain?
Thought not. Mr S. Capegoat will be receiving accommodation at Her Majesty's pleasure though, I'm sure.
PolicyWatcher - you're 100% spot on. However, those were overridden during the whole "EU Personal data v US Homeland security for international flights" debacle, from what I understand. Cracking open that nut basically meant all and any data on EU citizens could flow freely to the US (airline passenger or not) - but US to EU data couldn't.
I'd love to see a circular argument implosion with this one. Dept x loses data offshore. Finding out *who* is responsible is held on an encrypted disk in a UK Govt dept y. Head of Dept y (of course) doesn't know the key to the encrypted disk. Poof, the whole lot disappears in a puff of RIPA illogic.
Missing the point
"the government pointed the finger at a junior official they said had ignored procedures to download the data onto a disk"
...ignoring the biggest problem - that it was POSSIBLE for a junior official to download data worth millions of pounds onto a disk. So we will never know if a junior admin has flogged this information fifty times already?
Waste of time
Government impose budget restrictions that others have to work to. The managers pass the buck down as it has to be done somehow within budget.
The poor worker at the bottom does the deed to the best of its ability given the constraints.
To me the buck stops at the treasury who imposed unrealistic limits or the government who imposed unnecessary outsourcing requirements, but legally I am pretty sure the responsibility will stop at the bottom, thus screwing up some other unimportant peasant's life.
I have been utterly amazed that since Bliar came to power the impetus has been to mark every criminal for life so that they never have a future, while politicians may just say "Sorry, let's draw a line under this" and then prosper even more.
Animal Farm was supposed to be a satirical look at communism, not a political blueprint for New Labour.
However, I do think that the junior level (Mr S Capegoat) needs to have the balls to turn around and say "No, I'm not doing that". The best and easiest way to do that is to make sure you don't need the job, and the best and easiest way to do that is to ensure that your spending is less than your earnings. After a while, you've got enough tucked away to last 6 months or more and you can afford to tell your boss who says "get this data sent to my buddy in the USA" "unencrypted? No.".
They just don't get it....
Having a centralized database will always ensure that data is insecure.
Some place gets a big target mark placed on it.
Data should be diversified, and stored in variable locations. Any access to data should also require the notification and the agreement of the person who is having the data accessed.
The responsibility of holding the key lies with the person whose information it is; they should be given the ability to hand out a one-time key and have the information viewed in a one-time viewer not linked to any other output device.
Problem is, people think that a computerised solution should be faster than a paper one, they forget that a computerised solution could be slower but also offer another more secure paradigm than a paper one. When it comes to government, we should be looking to increase our rights by the use of computer systems, not fritter them away for the sake of sloppy expediency.
We need to make government servants accountable for every view of personal data, and track their every move when it comes to information about us. If a data breach occurs we don't sue the government (who just tax us); we sue the individuals, and those responsible for them, who accessed the data resulting in the breach. If this was in place, watch how quickly data breaches would become a thing of the past. The government is the weak link in the chain at the moment when they really should be setting the example by which the private sector operates.
Oh, and data on UK citizens should not leave UK shores, that is a no brainer and we can also concentrate on improving our part of the internet, not so much to traffic shape our traffic but to look for leaks primarily coming from the government departments; they appear to be the enemy of common sense at the moment.
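The arrangement this comment sketches (the data subject hands out a one-time key, every view is logged against a named official, and a reused key is refused) can be modelled in a few dozen lines. The code below is an added illustration written for this page; it is not from the comment, from HMRC, or from any real government system. The class name `SubjectControlledStore`, the record id `NI-000001`, the official names and the record contents are all constructed for the example.

```python
"""
Single-use, subject-issued access tokens with a per-view audit trail.

Added illustration (not from the comment or any real system) of a store in
which the data subject mints a one-time key, every view attempt is recorded
against a named official, and a key that has been used once is refused.
All identifiers, records and tokens below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class AuditEntry:
    when: str
    official: str
    record_id: str
    outcome: str  # "granted" or "refused"


@dataclass
class SubjectControlledStore:
    # Record contents keyed by record id (constructed sample data).
    records: Dict[str, str] = field(default_factory=dict)
    # SHA-256 of each outstanding one-time token -> record id it unlocks.
    # Only the hash is kept, so a copy of the store yields no usable keys.
    outstanding: Dict[str, str] = field(default_factory=dict)
    audit_log: List[AuditEntry] = field(default_factory=list)

    def issue_token(self, record_id: str) -> str:
        """Called on behalf of the data subject: mint a single-use key for one record."""
        token = secrets.token_urlsafe(32)
        self.outstanding[hashlib.sha256(token.encode()).hexdigest()] = record_id
        return token

    def view(self, official: str, record_id: str, token: str) -> Optional[str]:
        """Return the record if the token is valid for it; log the attempt either way."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        granted = False
        for stored_digest, unlocked_id in self.outstanding.items():
            # Constant-time comparison of the presented hash against each stored hash.
            if hmac.compare_digest(stored_digest, digest) and unlocked_id == record_id:
                granted = True
                break
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            official=official,
            record_id=record_id,
            outcome="granted" if granted else "refused",
        ))
        if not granted:
            return None
        del self.outstanding[digest]  # burn the key: a second use is refused
        return self.records[record_id]

    def views_of(self, record_id: str) -> List[AuditEntry]:
        """What the data subject can inspect: every attempt against their record."""
        return [e for e in self.audit_log if e.record_id == record_id]


def demo() -> dict:
    """Walk through issue, first use, reuse and a wrong-record attempt."""
    store = SubjectControlledStore(records={"NI-000001": "constructed sample record"})
    token = store.issue_token("NI-000001")
    first = store.view("official.a", "NI-000001", token)    # valid: granted
    second = store.view("official.b", "NI-000001", token)   # reuse: refused
    wrong = store.view("official.c", "NI-000002", token)    # token not for this record
    return {
        "first": first,
        "second": second,
        "wrong": wrong,
        "outcomes": [e.outcome for e in store.views_of("NI-000001")],
        "attempts_logged": len(store.audit_log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the comment makes is carried by two details: the refusal is logged just as the grant is, so the subject can see who tried and failed, and the store holds only token hashes, so whoever can read the database still cannot mint a working key.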
Stupid, pointless, ... or is it ?
Stupid and pointless for two reasons. Firstly because it's just another example of the incumbent administration's predilection for announcing new legislation as a panacea for every problem they experience, even when it's clear that existing legislation has not been enforced.
This is especially relevant with data protection issues, the MP who forced the FOIA exclusion for MPs' business because some of his constituents' data was released in error, for instance. In that case, had the existing DP regs been followed, there would have been no data breach.
Everyone who's worked for an org that handles large amounts of personal data knows that the DPA is given lip service at best, and that's being fairly generous. In the case of the HMRC data, the same appears to be true. Had the existing legislation (or possibly even the department's own guidelines) been followed, or even taken seriously, there would have been no problem. But it wasn't.
Proposing new legislation when existing legislation is not being enforced is a waste of everyone's time and money.
Secondly, the threat of a prison sentence is likely to ensure that the next time this happens we simply won't hear about it, or if we do, it will be impossible to find anyone who was responsible. Civil Servants (especially senior ones) are notorious for avoiding blame and responsibility; upon this foundation are successful CS careers built. You can bet that they'll muddy the waters even further in order to cover their own asses.
Of course, a cynical person could easily conclude that encouraging silence about, and cover-ups of, politically damaging incidents is the intended outcome of such an announcement.
The understanding is lacking.
Sadly there is no understanding of, or real attempt to educate about, security inside any government departments except the MOD. I've worked for local and national government in various roles. Oh they're great at making getting in and out of buildings convoluted and irritating, in some places, but have no idea about data.
I actually worked on a government e-mail migration project some years back where our solution to get to their mailboxes was to hack into their accounts!
Some form of PKI would be a good initial move and the costs of implementing it would be trivial compared to what the government is going to fork out to Cable & Wireless for them to change infrastructure halfway through the National Health IT Project - there's a story that's gone unreported if ever one was!