Home Office kept schtum on more than 30 data breaches last year

The Home Office suffered 33 data breaches during the last financial year – and did not report any of them to the Information Commissioner's Office (ICO). The department's annual report and accounts 2014-15 (PDF) reveals 33 "Personal Data Related Incidents" that took place in the last financial year, but were not formally …

  1. dan1980

    ". . . no legal obligation on data controllers to report breaches of security"

    Well there's your problem right there. In a world where our governments insist they know increasingly intimate details about our lives, and that they be trusted to do so, it's simply not good enough that all possible measures are taken to secure what data is collected and held, no matter the reason for its collection.

    One would argue that a strict, mandatory reporting requirement would be the very basis of any such program. The word they need to become acquainted with is "accountability". Not a popular word amongst civil servants but one could argue that it goes with the title - if one is a servant of the people then it stands to reason that one should be accountable to those people.

  2. nsld
    FAIL

    Seriously?

    Nearly three a month and from the descriptions it appears that encryption is not part of the policy and policy/security standards are poor yet the data controller still has a job?

    I do wonder if loss of job and the forfeiture of his tax payer funded pension would help to focus the rest of the government on its duty to protect data as it's clear that currently they have no incentive to care about data protection?

    I also wonder if the victims of the breaches have been notified?

    Whichever way you try to polish it this is an epic turd of fail and people should be fired and pay the fines instead of the taxpayer.

    1. Doctor_Wibble

      Re: Seriously?

      > I do wonder if loss of job and the forfeiture of his tax payer funded pension would help to focus the rest of the government on its duty

      This is something that should happen in *every* department when someone is noted as being incompetent or corrupt or with too many chums in associated industries.

      In any case, the top layer of civil service should be terminated every election or two just to make sure nobody gets too comfortable.

      1. Dan Paul

        Re: Seriously?

        No, IMHO any government "official", "employee" or "contractor" in any government agency that loses the proverbial keys to the henhouse should be required to give up all of their income, savings and assets to pay for their shoddy work and the ensuing identity theft.

        If that doesn't get their attention then perhaps being burned at the stake will do it.

    2. Afernie

      Re: Seriously?

      "Nearly three a month and from the descriptions it appears that encryption is not part of the policy and policy/security standards are poor yet the data controller still has a job?"

      Didn't you know? Only criminals use encryption, thus the Data Controller was simply leading by example, and can expect a promotion shortly. All hail the wise and tech-savvy Dave.

  3. Jesper Frimann

    Well, you were lucky! That was luxury. We used to get up in the morning....

    Only data on 1500 persons? Here in Denmark we do things the hard way.

    https://translate.google.com/translate?sl=da&tl=en&js=y&prev=_t&hl=da&ie=UTF-8&u=http%3A%2F%2Fwww.version2.dk%2Fartikel%2Fcpr-laek-csc-blev-rykket-robinson-liste-og-udleverede-halvfaerdig-version-med-cpr-numre&edit-text=

    That is 900.000 social security numbers, out of a population of less than 6 million people.

    And did anyone get held responsible? Naahh... nobody got fired...

    // Jesper

  4. John Smith 19 Gold badge
    Unhappy

    The Home Office *all* your data safe in their hands?

    What do you think?

  5. Graham Marsden
    Holmes

    Gods forbid...

    ... that our Government should tell us anything that would make us think that they can't be trusted with all our data...

  6. nhawthorn

    This is why informing the ICO should be mandatory

    I don't believe that informing the ICO should be optional.

    The new EU Data protection regulation that is under discussion now makes informing the regulator mandatory, let's hope that this isn't watered down during the negotiation process.

    1. paulf
      Holmes

      Re: This is why informing the ICO should be mandatory

      It won't get watered down in the negotiation process. That happens in the massive lunch and brown envelope process.

  7. Otto is a bear.

    I love it

    Lots of assumptions here by people who obviously know next to nothing about the subject, and certainly don't think through their suggestions on reform or culpability.

    But then I guess you must all be perfect.

    If you change the management each time you change the government, then you would have a huge layer of people who were beholden to the party in power, and if that isn't a recipe for corruption, I don't know what is.

    The data controllers I've dealt with are very conscientious and always recommend the best processes, usually to be overridden by higher-ups on cost grounds. You can never, in any system, protect against theft, internally or externally, and you certainly can't stop people being absent-minded.

    I wonder how the Home Office compares to the NHS, or a major bank, or supermarket chain, perhaps if we knew that we could truly draw some conclusions.

    1. Anonymous Coward

      Re: I love it

      Who are you apologizing for?

  8. Steve Evans

    Amateurs...

    Even after all the taxi cab laptop incidents, unencrypted information is still being allowed to leave the building!

    Are there any details on the punishments handed out to the employees concerned? Given the way these leaks were hushed up, sorry, I mean conveniently not mentioned, I would suspect the punishment was very light.

    Taking unencrypted information off site and losing it should be gross misconduct. Hell, just taking it off site and not losing it should be gross misconduct.

    As for the stuffed shirts who allow this joke of an IT operation to continue, they should be retired.

    1. Anonymous Coward

      Re: Amateurs...

      Having spent a year working for the Home Office I know at least one part takes it seriously. Laptops encrypted, USB memory sticks disabled, network access out of the office restricted, and phones locked away before you went into the office. But others.....

  9. Stolen Time

    Erratum on definition of personal data

    "Personal data is defined as any data that may be used to _identify_ a living individual".

    I think that's a common misconception; the correct definition is in the link given in the article to the ICO's site. Basically, personal data is any information _about_ a living individual. That applies whether the individual can be identified from the data itself, or by cross-referencing with some other records.

    The test depends on who has the data. For example, a spreadsheet without any names or addresses etc. might be "personal data" for the Home Office, if they know which individual each row corresponds to; but just anonymous data for you or me.

    That makes it hard to tell from the report how serious this really is. If the incidents relate to individuals identifiable just from the data, it's a lot more serious.

  10. batfastad

    Data breach...

    Or as it's also known... GCHQ. Saves all those legal fees for all those secret lawyers and secret judges to sit in secret inquiries/trials anyway. Just leave a USB on the tube.

    Also El Reg, you owe me a new laptop. Every time I see a picture of that witch I have an uncontrollable urge to punch the screen.*

    * Not advocating violence towards females btw. Just horrible witches that stand for everything I hate about GB.Plc.Uk.Gov.London and all of the aftermath of Tone Blair's New Labour Marketing Company "Hate+Fear", now based in the hip hate/fear startup hub of his massive estate in Tuscany. **

    ** Not sure where I was going with that but sounds good enough for a Reg comment after a few pints.

  11. Wolfclaw
    WTF?

    Covered Up

    Any data breach should be reported, no doubt reporting was lost down the back of the couch just in case it hurt Theresa May's chances of becoming the next PM, heaven help us!
