A committee of MPs has dismissed government denials that recent data losses were the result of individual failures and called for legislation to punish such reckless treatment of private data in future. The Commons Justice Committee recommended the introduction of new offences so that a data controller could be charged for …
The BBC website suggests that the government response to this report is that they "were already planning on strengthening the data protection act".
Which could mean they could conveniently find a loophole to be exempt from criminal charges conveniently.
Remember this story:
McDonalds fines people who park too long in their car parks. A camera records the registration plate and people who park too long receive a fine at their home..... wait, AT THEIR HOME? How come they can convert from car number plate to home address? Isn't that private information given in confidence to the DVLC?
"If they stay too long, the details of the registered keeper of the vehicle are obtained from the Driver and Vehicle Licensing Agency (DVLA), and he or she is billed."
Wow, they release your private records to civil entities on request. What next, inland revenue releasing tax records on request from loan companies? Hospitals releasing health records to insurance companies?
Since when has McDonalds agent had the right to request PRIVATE information handed to the government to enforce their McFines?
If I have a dispute with McDonalds employees can I obtain THEIR car registration home address? How is this any different? All men are created equal, but McDonalds agent are more equal than me in the eyes of the law?
The DVLC takes the word of this agent at face value and releases your private data based on that word? Are they insane? If you can't release the number plate information of McDonalds employees to ME but you can release MY plate details to THEM, then there is something very very wrong here with releasing that information..... since we are all equal under the law.
Again it's a classic information leakage problem, data trusted to the government is selectively revealed to private entities with no legal process, and no prosecution possible if that data is misused, passed on to other people or obtained under false pretence.
The REAL problem here is that the Government cannot be prosecuted for these lapses. Until the senior managers of these agencies and departments have their freedom and pensions at risk nothing is really going to change.
"Since when has McDonalds agent had the right to request PRIVATE information handed to the government to enforce their McFines?"
Unfortunately for your argument everyone has the right to request data from the DVLA although a fee is normally paid for the service. It's best used when you're checking the details on a future purchase and wanna check the information held by them on their database or if you've been hit by a driver who hasn't stopped and you've managed to take his plate down (always handy if he's a tw4t and you wanna teach him a lesson).
Back on topic, nothing's gonna change regardless of what new laws are brought in since the senior management will just find a way to wiggle off the hook and force somebody else to take the blame.
OK - MPs are probing, shame about the conclusion
This committee of MPs concludes, inevitably given that they are merely legislators, that the appropriate response is *more* law.
They are, of course, completely right to conclude: "There is evidence of a widespread problem within government relating to establishing systems for data protection and operating them adequately"; the proposed response of adding new offences with associated swingeing penalties to the Data Protection Act is a knee-jerk 'shutting stable door after horse has bolted' answer that is sadly completely wrong.
The problem needs to be addressed by prevention. There already exists a vast body of guidance material and baseline security measures that is mandated for all HMG departments about how to "establish systems for data protection and operating them adequately" - it is called the Manual of Protective Security. All HMG departments are required by the MPS to develop a departmental security policy that captures the minimal baseline measures in the MPS; the resulting departmental policy should then add measures tailored to the business needs of the department. All information systems are to be accredited (a process of 'permission to operate' based on some form of assessment of correct implementation of technical countermeasures and relevant and appropriate procedural measures) prior to being used. All systems in all departments are SUPPOSED to be audited, frequently (enough). There is a growing body of evidence that many HMG departments are rigorously and dangerously ignoring pretty much everything that the MPS requires of them. Clearly, HMG has not provided sufficient resource to enforcing adherence to the MPS, this is young Miliband's job at the Cabinet Office.
Nothing new then
Yet another NuLabor knee jerk reaction (the word knee might not be required).
MPs voted amongst themselves to be above the data protection act and all it contains anyway. So what is the point? One rule for us and one rule for them.
Guy Fawkes was right... but then again I expect my ISP now (or El Reg') to be asked for my IP address so terrorist claims can be brought against me for daring to threaten implied or not that parliament should be attacked and all my PCs nicked by the plod because I might have something dodgy on there etc etc etc. and FAST because I can't prove in all honesty that I bought some of the software because you have to keep the main box to be 100% sure and if it was free with a magazine it didn't have a box and some MP3s are probably illegal because I got them years ago. So go tell the record companies. etc etc etc.
<insert lots of swear words> government shambles.
"Unfortunately for your argument everyone has the right to request data from the DVLA although a fee is normally paid for the service."
Wow I've just read the form V888 and it allows claims like that (of vehicle X172 YAH hit my car, I want the person's details) to be made without even a corresponding police report.
That's insane, pretty much any stalker could obtain that information with only a false claim, any burglar, wife beater, anybody. Since the owner is never contacted about the release of the vehicle's details, nobody ever gets to contest the release of information. The DVLA are in no position to determine the truth of those claims.
In what sense is this data protection? When they don't even ask the person whose details they are about to release about the truth of the claim? Who do they imagine will contact the police and file a report if the claim is fraudulent?
New law? Why?
All that's needed is a single additional sentence in the Data Protection Act and the removal of any clauses that contradict it. Here's the sentence:
"This Act and all associated penalties apply in full to all Government departments, agencies, contractors, elected representatives and their staff."
The only way to keep your data safe from government arrogance and stupidity is to keep it to yourself in the first place.
Personally I'd like to see a law that mandates that whenever a govt department loses someone's info, the senior managers are required to publish the corresponding info about themselves in the national press - at their expense, naturally.
Martin Gregorie is entirely correct in his comments that the present laws simply need to be actually applied to Government agencies and bodies, because as usual they seem able to wriggle out of things and the Information Commissioner is a waste of time and effort as he does zilch about any complaint.
Spot on, Peter
There's no point *fining* any corporate entity for any breach of any rules. All they will do is pass on the fine/costs to the people who pay their wages (typically, Joe Public).
As Peter says, these rules won't work right until identifiable individuals can be held accountable - fined as individuals, or if necessary locked up. That should focus folks' attention. Pour encourager les autres, as they may (or may not) say in China where management occasionally receive the ultimate penalty for non-performance.