The Information Commissioner's Office (ICO) has found that the organisation which investigates the care of Scotland's most vulnerable children had twice failed to protect sensitive child welfare information. In January 2011 the Scottish Children's Reporter Administration (SCRA) sent legal papers containing sensitive information …
They used email?
They sent legal documents including "details relating to physical abuse and included the identities of the child's mother and witnesses" by email?
In the UK? A country where Phorm, Vodafone, Bluecoat, BT, Yahoo, Experian Hitwise, Huawei, TalkTalk are criminally and illegally intercepting private/confidential unencrypted telecommunications?
That in itself ought to be grounds for a swift belt around the head with a LART.
Can be acceptable...
> In the UK? A country where Phorm, Vodafone, Bluecoat, BT, Yahoo, Experian
> Hitwise, Huawei, TalkTalk are criminally and illegally intercepting
> private/confidential unencrypted telecommunications?
The problem is more about using unencrypted email; sending DPA-protected information over external networks via unencrypted email is a breach in itself.
But email *can* be secure - if you're sending it point-to-point between trusted MTAs, you can encrypt at the transport layer. This is the default condition for many mail servers (including the ones I set up).
But if they're sending to the wrong bloody address, it's pretty clear that such security is not in place. Someone needs a beasting...
Not that the ICO will ever do anything about it, of course.
Isn't Phorm dead?
I thought phorm bailed out of the UK amid a storm of bad publicity and plummeting shares, in no small part due to el Reg's coverage. If they're still around, I'm sure everyone would appreciate an update on their schemes?
Ok smart arse...
...what's the alternative?
Courier? So what if they lose it, happened before.
Fax? Wrong number (plus could be 500 pages long)?
Letter? Well two words, Royal Mail?
Someone drive there? Great all we need is several hundred more staff to do this one function.
Direct ftp? To every courthouse and solicitor in the country?
So come on then...what's the great answer oh wise one?
Got any "O's"?
They did loose it.
They let it loose to the outside world by flogging it off to a secondhand shop.
People want freedom of information and then moan when it happens. I dunno, there's no pleasing some folks.
re OK smart arse...
Yes because there was clearly no transfer of legal documents before email was invented so none of those options are credible...
It's a question of duty of care - if you use a courier, or *registered* mail (or recorded delivery) then you have exercised reasonable care in transporting sensitive material. If you elect to transfer the material yourself through the use of unencrypted email and have no checks in place to confirm you are sending to the correct address then you have *not* demonstrated a reasonable duty of care.
Re: Ok smart arse...
> ...what's the alternative?
Well they could try sending it to the correct address for a start. I don't think it unreasonable to expect people to make sure that they are using the correct information, especially when it involves a legal matter.
However, there are other options - a collaborative space on a server that someone could gain access to using 2-factor authentication is one that immediately springs to mind. Encryption also seems reasonable. Both easily set up and managed.
However, I would also state that no system is ever 100% proof - the human factor is always the weakest link and I would accept that things do go wrong. But the real issue is that these public bodies seem to wring their hands, create "new" policies and then do nothing to actually fix the main underlying issue; which is that people do really stupid things.
Encrypt the documents before sending and then get the person who's receiving them to ring you to get the decrypt code...
Might be a pain if you're sending them to loads of people but it'd be a start...
Won't they ever learn?
You would have thought that all the recent and high profile publicity surrounding these sorts of muckups would have made them take extra care. Just goes to show that you can set up all the policies you want, but if you employ monkeys, they will fling peanuts and poop all over the place!
The problem with SCRA is that they barely employ anyone anymore; among admin staff they have a 50% vacancy plan and are in the middle of a significant reorganisation. They don't use the GPMS markings for their material and most of it goes by Royal Mail, albeit in sealed bags that the posties must know contain all sorts.
Will no one....
Think of the children!!!...oh.
Why not Zip it up with password protection (AES 256-bit) then talk to the recipient by phone and tell them the password. If it's important (of course it is) then it's worth putting a little bit of extra time and effort into it. (I realise that this needs staff at both ends who 'know about computers')
That is the only thing that will make sure that people take data security seriously.
Until that starts to happen, why bother? Nothing will happen.
Tail of destruction?
Surely destroying a filing cabinet is a rather extreme form of shredding (and very wasteful too)?
And filtering set up so anything sent unencrypted goes to manual moderation, much like anything with swear words.
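The two suggestions above (a password-protected AES zip with the password given over the phone, and an outbound filter that holds anything unencrypted for manual moderation) can be combined into one gateway check. The following is an added illustration, not code from SCRA, the ICO or any commenter: it assumes an invented internal domain `example.gov.uk`, treats a ZIP as protected only if every local file header has the "encrypted" flag set (which both WinZip AES-256 and legacy ZipCrypto set), and holds any message to an outside address that is neither encrypted as a whole nor made up solely of encrypted attachments.

```python
import email
import struct
from email import policy
from email.message import EmailMessage

INTERNAL_DOMAINS = {"example.gov.uk"}  # assumed sender domain(s); anything else is the outside world
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}  # PGP/MIME, S/MIME

def zip_is_encrypted(data: bytes) -> bool:
    # Every local file header must have bit 0 (encrypted) set; WinZip AES and ZipCrypto both set it.
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False
    pos = 0
    while (pos := data.find(ZIP_LOCAL_HEADER, pos)) != -1 and pos + 8 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)  # general-purpose bit flag
        if not flags & 1:
            return False
        pos += 4
    return True
def part_is_encrypted(part) -> bool:
    if part.get_content_type() in ENCRYPTED_TYPES:
        return True
    return zip_is_encrypted(part.get_payload(decode=True) or b"")
def external_recipients(msg) -> list:
    return [a.addr_spec for f in ("To", "Cc", "Bcc") for h in msg.get_all(f, [])
            for a in h.addresses if a.domain.lower() not in INTERNAL_DOMAINS]
def decide(raw: bytes) -> tuple:
    # Policy from the comment: deliver only if the whole message or all its attachments are encrypted.
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not external_recipients(msg):
        return ("deliver", "internal recipients only")
    if msg.get_content_type() in ENCRYPTED_TYPES:
        return ("deliver", "message encrypted end-to-end")
    attachments = list(msg.iter_attachments())
    weak = [a.get_filename() or a.get_content_type() for a in attachments if not part_is_encrypted(a)]
    if not attachments or weak:
        return ("moderate", "unencrypted content to external address: " + ", ".join(weak or ["body text"]))
    return ("deliver", "all attachments encrypted; password must travel by phone")

def fake_zip(encrypted: bool) -> bytes:  # constructed minimal ZIP header (one empty entry), test data only
    return ZIP_LOCAL_HEADER + struct.pack("<HHHHHIIIHH", 20, int(encrypted), 0, 0, 0, 0, 0, 0, 1, 0) + b"a"
def build_sample(to: str, zip_bytes) -> bytes:  # constructed message, invented addresses
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "reporter@example.gov.uk", to, "Case papers"
    m.set_content("Papers attached; I will phone you with the password.")
    if zip_bytes is not None:
        m.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="papers.zip")
    return m.as_bytes()
```

The ZIP check reads only the local headers, so a hostile sender could still mislabel content; it is a triage rule for catching honest mistakes like the SCRA one, not a substitute for full-message encryption.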
Doing it right can also endanger your job.
I've had the joy of trying to explain to another organisation why we couldn't just e-mail them some sensitive information. They couldn't apparently deal with encrypted files as for 'security reasons' they could only deal with Microsoft DOC format and anything else couldn't be received. Had a nice interview with my boss about being 'uncooperative' on that one.
I then had the joy of explaining to his boss, when I was covering for him going on holiday, that he shouldn't be sending sensitive files to my home e-mail address so I could follow up on some work. Another nice interview where I had to explain the difference between our internal e-mail system and what could happen when you send sensitive material outside its protection.
Unless data protection is hard-wired into communications systems it will always fail under the demands of ignorant managers.
IT staff incompetent
Clearly their IT policies are useless or non-existent.
Sack the IT executive and get a real one?