UK.gov fines itself harshly for hurling NHS records to the winds

A defunct NHS board has been posthumously fined £200,000 after thousands of patients' records were found on a second-hand computer sold on eBay. The Information Commissioner's Office (ICO) slapped NHS Surrey with the fine because they failed to ensure that 3,000 records were wiped off a computer before it was flogged. A …

COMMENTS

This topic is closed for new posts.
  1. John Smith 19

    Another victory for bean counters.

    ICO.

    Name the f**king company so people can know a) who does cheap deals, b) who will pimp out your data to anyone they can. Otherwise this is an accounting exercise. And you can bet NHS England will lawyer up and spend another few £100k fighting this case.

    Actions without consequences --> BAU.

    Of course as a public body isn't the ICO subject to FOI requests?

    ElReg would you care to name the outfit?

    1. Piro

      Re: Another victory for bean counters.

      Agreed. Who are these useless pricks that couldn't even carry out the most basic of tasks when taking in used PCs for resale?

    2. Anonymous Coward

      Re: Another victory for bean counters.

      Why name it? The NHS had no contract with it requiring destruction, who's to say what the actual deal was or where agreed responsibilities lay?

      Why should this firm pay for the manifest failings of NHS management?

      Never fear though, the NHS managers who caused the problem probably got a tasty promotion.

  2. Anonymous Coward

    Security Firm? Really?

    We expect public bodies to screw up in this area, and NHS Surrey sure are responsible, but security firms and particularly data destruction firms make a good living out of taking on this responsibility for those that don't have the skills themselves.

    So what firm was this? Trotters Independent Traders?

  3. jake

    Numpties.

    EOF

  4. Pen-y-gors

    What a waste of time and money!

    It's ridiculous fining public bodies vast sums (or small sums) - the contracts of the staff should be modified (if necessary) so that the individuals ultimately responsible - the managers/board members, not the minion - can be fined a smaller (but appropriate) amount (i.e. a percentage of salary or similar), rather than fining the body itself which hurts no-one but the users of the service.

  5. taxman

    2 classic fails

    'NHS Surrey chose to leave an approved provider........'

    'the health board did not sign a contract with the firm which clearly explained its legal requirements under the Data Protection Act.'

    Looks like there was a dislocation of the Head of IT and Finance/Contracts body that went unattended and ended in a terminal condition.

  6. BristolBachelor

    Consequences?

    Now in a ruling vs a private company, you could assume that the board/shareholders would be pissed at having to pay a fine and would internally "punish" those responsible*

    However, in this case, what happens? Do those responsible receive anything at all? It is time that the act makes people directly responsible for the actions (and in the case where those people have so much money that fines are not important to them, lock them up!)

    *OK in the real world, there are probably some boards where they are more than happy to pay the fine, knowing that it was cheaper than doing things right in the first case (In which case I again recommend locking them up).

    1. billse10

      Re: Consequences?

      there won't be any consequences for the individuals concerned, will there though .. there never are. When was the last time that a govt department / local council actually named the individual(s) responsible and made them pay the fines themselves?

      You're right, it's about time the people who accept the salaries for the jobs also accept the responsibilities, and face consequences when they do not, and are not allowed to use public funds to pay fines.

      In other news, Southeastern have managed an entire week with every single train on time, and a squadron of flying pigs has been spotted.

      1. Anonymous Coward

        Re: Consequences?

        "When was the last time that a govt department / local council actually named the individual(s) responsible and made them pay the fines themselves?"

        No need to do that, you do what a private company would do; sack them for being grossly incompetent.

        And as this is a government agency, you ban them for ever holding a government office again or working on a government contract.

        As for trains being on time; easy. Pad the timetables so the starts and ends of the journey match reality and do not count late/missed stations in between. And yes, this is exactly how they lie to you.

    2. Intractable Potsherd

      Re: Consequences?

      NHS Trusts have boards of governors, who have quite strong powers if they choose to use them. Why don't they demand a full accounting, and put forward motions for real action?

  7. Khaptain

    Separate dealings

    The hard disks should be removed from the computers "before" the computers leave the hospital.

    These disks should then be handled by "validated" security firms that are capable of destroying/wiping the disks correctly.

    This is a failure on behalf of the NHS management: in this day and age any manager above a certain level definitely should have enough savvy to know the risks involved and the appropriate measures that should be taken. If he does not then he is obviously in the wrong position.

    You do not have to be an IT expert to know that confidential data is confidential data.

    1. PossiblyMislaid

      Re: Separate dealings

      I agree totally. Every staff member should be signed up to the data protection policies, and (if the organisation is any good) receive training on data security. And breaches of such policies necessitate enforcement and if necessary termination of contract.

      You DO NOT entrust hard disks with sensitive data to unknown resellers! You especially don't do it coz it's cheap or free! And you don't then mislay the records of the transactions!

      When people talk about "failure of management", it sounds like someone just slipped up. In this case it was a systematic failure, and probably was driven by cost-cutting pressures from above. It in no way exonerates the senior management.

  8. Aqua Marina

    Hypothetically speaking

    I'm a public sector organisation, with 10000 desktops to retire and replace. Each PC has a hard disk of between 250-750 GB. How long will it take me to securely erase that many hard disks using the Gutmann method? And then independently verify that the hard disks were wiped effectively?

    What's the solution? As someone who used to work in ISO compliant quality inspection, with high volumes there is an unavoidable small failure rate. 100% compliance is a physical impossibility, human error can never be ruled out, and managers are always pushing deadlines forward, reducing budgets and expecting the impossible. Making a single person liable doesn't introduce accountability, it just ensures that the job position goes unfilled. You want to put me in jail if I make a mistake, either add a few 0's onto the end of that salary, or find someone else.

    1. gerryg

      Hypothetically answering

      The real problem is that there is no real pain associated with governance failure, caused not least by the dilution of the term "professional"

      Professionals used to be people to whom you could transfer risk (for money, natch) and they would take responsibility for doing what was supposed to happen on pain of serious consequences if they screwed up.

      Now we're all "professional" because we've got a stack of qualifications and we want the money for being "professional" without taking the responsibility for outcomes.

      This is true everywhere, but in the public sector it's worse because there appear to be no Darwinian mechanisms equivalent to going out of business.

    2. jake

      Re: Hypothetically speaking

      "How long will it take me to securely erase that many hard disks"

      Screwdriver & a 10 gauge shotgun ... Probably about 80 hours.

      Plasma cutter is over-kill in such situations ...

      HTH, HAND.

    3. theloon

      Re: Hypothetically speaking

      You don't...you destroy them.

      When replaced you get a machine with some level of disk/physical encryption.

      Classic "but it's hard" public sector answer... It's not hard, and considering the massive overspend on IT across Government, money is not even the problem; it just requires competency and effort.

    4. Why Not?

      Re: Hypothetically speaking

      Your options

      1/ You sign a contract with a suitably accredited firm that takes responsibility for disposal and indemnifies you against such fines. You then ask for a quarterly report of wiping and compare it with your disposal list.

      2/ You wipe them yourself before they go off site; it will probably take 30 - 60 seconds labour per computer if you have it set up properly. Nothing goes off site unless it has a signed sticker on it saying it has been wiped, and attach a copy of the wiping report. Do random inspections.

      3/ you ask your mate to dispose of everything on eBay without wiping them and feign ignorance when he gets caught. Get your Trust to pay the fine.
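An added example (not the commenter's own) of the reconciliation in option 1 and the report check in option 2 above: a Python script that compares the organisation's own disposal register with the contractor's wiping report and lists every drive that was released but never certified, certified but never released, certified before it even left site, or certified with a method the contract does not allow. Field names, sample rows and the accepted-method list are constructed for illustration.

```python
import csv
from datetime import date
from io import StringIO

# Constructed sample: the organisation's own register of drives released for disposal.
# Field names are hypothetical, not any real contractor's or ITAD's format.
DISPOSAL_REGISTER = """asset_tag,drive_serial,released_on
PC-0001,WD-AAA111,2013-05-01
PC-0002,WD-AAA112,2013-05-01
PC-0003,ST-BBB201,2013-05-02
PC-0004,ST-BBB202,2013-05-02
"""

# Constructed sample: the contractor's quarterly wiping/destruction report.
CONTRACTOR_REPORT = """drive_serial,method,completed_on,certificate_id
WD-AAA111,overwrite-random,2013-05-03,C-1001
ST-BBB201,shred,2013-04-28,C-1002
ST-BBB202,quick-format,2013-05-04,C-1003
XX-UNKNOWN,shred,2013-05-04,C-1004
"""

# Methods the (hypothetical) contract accepts; a quick format is not a wipe.
ACCEPTED_METHODS = {"overwrite-random", "degauss", "shred"}


def parse_csv(text):
    return list(csv.DictReader(StringIO(text)))


def reconcile(register_csv, report_csv):
    """Compare the disposal register with the contractor report and return findings.

    missing:              drives we released that the contractor never certified
    unknown:              serials certified that we never released (mislabelled or fabricated)
    dated_before_release: certificate claims completion before the drive left site
    bad_method:           certified with a method the contract does not accept
    """
    register = {row["drive_serial"]: row for row in parse_csv(register_csv)}
    report = {row["drive_serial"]: row for row in parse_csv(report_csv)}
    findings = {"missing": [], "unknown": [], "dated_before_release": [], "bad_method": []}

    for serial, released in register.items():
        cert = report.get(serial)
        if cert is None:
            findings["missing"].append(serial)
            continue
        if date.fromisoformat(cert["completed_on"]) < date.fromisoformat(released["released_on"]):
            findings["dated_before_release"].append(serial)
        if cert["method"] not in ACCEPTED_METHODS:
            findings["bad_method"].append(serial)

    for serial in report:
        if serial not in register:
            findings["unknown"].append(serial)
    return findings


if __name__ == "__main__":
    for category, serials in reconcile(DISPOSAL_REGISTER, CONTRACTOR_REPORT).items():
        print(f"{category}: {serials}")
```

Any non-empty finding is a question for the contractor before the certificates go in the audit file; an empty "missing" list is the evidence that the disposal process was actually monitored.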

      1. Why Not?

        Re: Hypothetically speaking

        You don't get sent to prison if you do your best to manage it, only if you are criminally negligent.

    5. John H Woods

      Re: Hypothetically speaking

      "How long will it take me to securely erase that many hard disks using the Gutmann method?"

      Even Guttman would say that this is irrelevant (used to be here: www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html but it's not loading today). One or two passes of random overwriting would be fine. Of course it would take you far too long to extract the disks, load them into DBAN stations and queue them all through sequentially.

      So - don't do it! Before unplugging a desktop from the power and the network to cart off to the store room, boot from a DBAN USB stick and leave it chugging on the desktop. The machines should be wiped before they even leave the users' desks.
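The independent verification step from the original question, as an added example (not the commenter's code): a Python sampler that reads randomly chosen blocks from a wiped disk image or block device and flags any block that is neither all zeros nor high-entropy, which is what leftover structured data looks like after an incomplete overwrite. Assumptions: 4096-byte blocks, a 7.5 bits-per-byte entropy threshold, and a constructed test image; it can only see the host-addressable area, not sectors the drive firmware has remapped.

```python
import math
import os
import random
import tempfile
from collections import Counter

BLOCK = 4096  # sampling granularity in bytes


def block_entropy(buf):
    """Shannon entropy in bits per byte (8.0 is the ideal for random data)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_block(buf, min_entropy=7.5):
    """zero: all 0x00 (zero-fill pass); random: overwritten; suspect: structured data."""
    if not any(buf):
        return "zero"
    if block_entropy(buf) >= min_entropy:
        return "random"
    return "suspect"


def sample_wipe(path, samples=200, seed=0):
    """Classify `samples` randomly chosen blocks of an image/device.

    Only the host-addressable area is read; reallocated or firmware-hidden
    sectors are invisible to this check just as they are to the wipe itself.
    """
    nblocks = os.path.getsize(path) // BLOCK
    rng = random.Random(seed)
    chosen = sorted(rng.sample(range(nblocks), min(samples, nblocks)))
    result = {"zero": 0, "random": 0, "suspect": []}
    with open(path, "rb") as f:
        for i in chosen:
            f.seek(i * BLOCK)
            kind = classify_block(f.read(BLOCK))
            if kind == "suspect":
                result["suspect"].append(i * BLOCK)  # byte offset for follow-up
            else:
                result[kind] += 1
    return result


def make_sample_image(path, blocks=256, leftover_block=100):
    """Constructed image: random-overwritten except one block of record-like text."""
    text = b"NHS No: 000 000 0000; Name: J Bloggs; Dx: redacted\n"
    with open(path, "wb") as f:
        for i in range(blocks):
            if i == leftover_block:
                f.write((text * (BLOCK // len(text) + 1))[:BLOCK])
            else:
                f.write(os.urandom(BLOCK))


def demo():
    """Build the constructed image and check every one of its blocks."""
    path = os.path.join(tempfile.mkdtemp(), "wiped.img")
    make_sample_image(path)
    try:
        return sample_wipe(path, samples=256)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())  # {'zero': 0, 'random': 255, 'suspect': [409600]}
```

On a real drive point it at the block device after the DBAN run and raise `samples` into the thousands; a single suspect block is enough to send the drive back for another pass or to the shredder.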

    6. Black Rat

      Re: Hypothetically speaking

      Wasn't the Gutmann method superseded around 2003 with the "Secure Erase Standard"?

      Anyhow...

      Erasing the drives would be a superfluous process IF the confidential data had been encrypted.

      <caveat>Of course there's always some silly sod who keeps passwords in text file on the desktop.

      However, as most commercial software 'phones home' at boot-up checking for key validity or updates, then bricking the decryption packages en masse should be a simple & speedy affair.

    7. Anonymous Coward

      Re: Hypothetically speaking

      How long will it take me to securely erase that many hard disks using the Guttman method? And then independently verify that the hard disks were wiped effectively?

      For any value of "effectively" there is the Bad Sector trick: if you can convince the firmware to map 80% of the drive as bad sectors it won't touch those areas again, not even for a wipe (one of those little neat gotchas).

      The only way to do it right is physical destruction, and there are plenty options available for that, usually involving fun bits of hydraulics or metal shredders (although I'm wondering if lining them up somewhere with a nice bit of thermite wouldn't be more fun, sorry, wandering off into wishful thinking)...

    8. taxman

      Re: Hypothetically speaking

      Hypothetically - it depends on the data.

      Why overwrite? You could remove and degauss or remove and shred the hard drive(s) - all by an accredited company with each disposal signed off by them, putting the onus on them. The remaining parts sold on.

      Or if they just need to be 'Blancco'd' - the contract by the accredited company should specify - and again each disposal signed off by them.

      Not too difficult really.

    9. Anonymous Coward

      Re: Hypothetically speaking

      "100% compliance is a physical impossibility, human error can never be ruled out, and managers are always pushing deadlines forward, reducing budgets and expecting the impossible. "

      All very well and good. But I think you'd find that if those responsible for the errors - AND the managers responsible for "expecting the impossible" - were PERSONALLY singled out and punished, compliance would get a lot closer to 100%, and human error would decrease markedly.

    10. The BigYin

      Re: Hypothetically speaking

      Shit happens, true. And as long as contracts have been signed, correct (i.e. vetted) procedures put in place, training given and procedures followed; if something goes wrong you simply have to shrug, call it "systemic" and try to fix the weak point.

      But that's not this case is it? The NHS managers failed (no contract for a start!) and faced no comeback. Zero. None. Nada. Zip.

    11. Anonymous Coward

      Re: Hypothetically speaking

      @ Aqua Marina

      Is this a serious post?

      How long ago did you work in ISO comp QA?

      you're trying to DESTROY data, with no margin for error.

      typically the corporate beige things being discarded have tiny HDDs, and even if they don't HDD cost is marginal.

      What you do is shred the bleeders.

      It's quite similar to a tree chipping machine: you throw anything in, full desktop, laptop or just the hard drives, and something akin to sand or fine pebbles comes out the other end.

      Destroying the data is MORE IMPORTANT than the HDD being included to the guys re-claiming the stuff.

      The "recycling company" are then free to flip them on ebay (as seems to be standard practice apparently) or donate them to charity (getting more common).

      Responsibly dispose of nearly-vapourised hard drives. Done. The very fact they used any process at all that even HAS a margin for error means they (both parties) weren't doing it properly. This wasn't "error" at all.

      I couldn't give you a rate of data destruction, simply tell you it was both very quick (and amazing fun) watching the machine eat them by the bucket full.

      That is how you guarantee you've destroyed the data.

      1. Sir Sham Cad

        Re: you're trying to DESTROY data, with no margin for error.

        Actually you're not. You're trying to ensure that you are following the best practice procedures with sufficient paper trail for audit purposes so that, when the inevitable fuckup happens, you can show the powers that be that your organisation (and, specifically, you) are Not At Fault.

        Once we get that certificate from the expensive secure disk destructo-bods saying this disk has been (lies. They mean it will be) subject to secure disk destructo then secure disk destructo-bods can take the contents and spray it all over WikiLeaks if they wish and we're safe from the ICO.

        Information Governance is about reducing the potential for leaks and ensuring that, when some data inevitably slips through the cracks, your arse is covered.

        It should be said that, it seems, NHS Surrey did neither, heard the word "Free" and then probably moaned at the bloke who set up the original, approved solution, for wasting money.

        Now, to us geeks that's distasteful politics and we know the only good retired disk is one that's been verifiably smashed into powder, preferably by us with our own disk smashing equipment whilst drinking whisky and exclaiming to the obsolete hardware that you knew you'd win in the end.

        In reality a note from another company promising to do it for you is the best we're likely to be offered by the beancounters.

        1. Anonymous Coward

          Re: you're trying to DESTROY data, with no margin for error.

          NHS Surrey was criminally negligent. You are required to comply with NHS SyOp 7.13 for the destruction of data, and they didn't do it.

          IIRC, SyOp 7.13 states that data should be destroyed on site in the presence of a member of your staff BEFORE!!! allowing the removal of the equipment from the site.

          Whomever was responsible for this should be fired at the least. Sadly in the world of the NHS they might get put on an improvement plan...

          I was careful to the point of paranoia managing the destruction of IT equipment. We degaussed the drives to 4 times the required destruction standards, then had them physically destroyed on site by a contractor under observation by our own staff, and we then allowed the remains of the drives off site to be melted down. I can state categorically that not a single drive that left my site had any recoverable data on it.

          And we didn't pay anything for this, because the company involved calculated that 2k hard drives was worth their effort to come to site and destroy and collect the drives because of the payoff from the amount of precious metals in that many HDDs.

          There is no excuse FFS!

    12. Smoking Gun

      Re: Hypothetically speaking

      What's the solution? VDI.

  9. theloon

    Why was it not encrypted to start with?

    The truly staggering lack of any decent IT across the Government spectrum of departments is just no surprise anymore.

    The first question to really ask is .....why was the data on the drive not encrypted to start with?

    Problem is we all know the answer. Despite that we (taxpayers) pay about 40 times the cost for state run IT than a private company would, and we get zero value for it.

    From my personal experience having to deal with Government IT, + their contractors, the competence level and skill set is so astonishingly low for internal staff, with the contractors often not a lot higher, plus there is little incentive to finish a project on time or on cost on either side. Internal don't get fired, contractors want longer contracts...

    Very brokennnn

  10. Martin 59

    I know it's only a guideline but that ICO doc is full of "should"s rather than "must". There is a vast difference between what you should do and what you must do: it is easy to comply with most of those guidelines by doing sod-all. In the past I've had the "should", "shall", "will" and "must" discussion with a contract lawyer (the strongest is "must") because I've seen this kind of thing before.

    1. Don Jefe

      That's why those things are called guidelines, which in the public sector can usually be translated as 'proof we issue best practice proclamations however, enforcing those regulations falls outside our remit'. Most public sector guidelines are written by legal to be as vague as possible and still make sure there is zero accountability.

      If government put as much work into doing things properly as they do into dodging responsibility then things would be a lot better for everyone.

  11. Anonymous Coward

    And who pays the fine???

    Yes, as usual: the taxpayer. In other words, no one is punished at all. They just shuffle some taxpayers' money from one pot into another.

  12. Anonymous Coward

    Name the company? Yes! But name & shame the NHS decision makers too!

    "But the health board did not sign a contract with the firm which clearly explained its legal requirements under the Data Protection Act. The board also "failed to observe and monitor the data destruction process"

    So name and shame the board. The buck ultimately stops with them... This was a problem of oversight. But the main problem as always is- no one ever gets fired for incompetence in Government (well hardly ever)! We need to know who the key NHS decision makers were....

    If they're still working in the NHS they should be forced to resign or fired for incompetence. A message has to be sent. This same shit happens every single day... Yet here we are sleep walking to a privacy time-bomb.....

  13. despairing citizen

    This is the LEAST of your worries

    I know for a fact that one major Surrey hospital misfiled heart testing results for one patient in another patient's medical records.

    Fortunately the over worked junior doctor was awake enough to realise the results did not relate to the patient he was dealing with, and the actual patient was fortunate that she did not need a follow up from that test.

    Word from retired staff at that hospital is that, given the trolleys of unfiled patient records floating around, this is the tip of the iceberg.

    The ICO needs to remove the fence post from its rear and get out there and INVESTIGATE! They are a F**ck@$g law enforcement body.

  14. JDX

    Even managed to lose records showing how many records were lost

    A Douglas Adams-esque piece of foolishness (see Mostly Harmless & the Grebulons).

  15. Dodgy Geezer

    What the sub-editor should have said...

    UK.gov fines itself harshly for hurling NHS records to the winds

    becomes

    UK.gov fines patients (as taxpayers) harshly for hurling taxpayers' (as NHS patients) records to the winds

    There, fixed that for you...

  16. Icex Malc

    Education required

    The guidelines provided by the ICO, as well as from other regulatory bodies, are ambiguous and offer no leadership or advice to the IT asset manager. The statement from the ICO slating selection of free recyclers without any other vetting is the first real indication of the ICO's view on the ITAD sector.

    Data Eradication is a massive, specialist industry. It has a cost as you would expect. So when someone comes along saying "hey we will do this for free" surely alarm bells should be ringing???

    ADISA (Asset Disposal and Security Alliance) is a DIPCOG recognised body and can provide details of an accredited ITAD local to your business. There are approximately 30 accredited members; in the UK you will find almost 700 non-accredited ITADs. The UK government recognises the ADISA standard and ADISA is being rolled out internationally. If your preferred ITAD is not on the ADISA approved list then ask yourself why. At the very least carry out your own audit of your IT recycler.
