You'd think that after all the previous publicity......
The UK's data protection watchdog has fined the Nursing and Midwifery Council (NMC) £150,000 after it deemed its failure to encrypt sensitive personal data stored on DVDs that were lost to be a serious breach of the Data Protection Act. The nursing and midwifery regulator had arranged for the DVDs, which contained confidential …
Thats the real issue..
They dont think. They dont think because they know there are NO repercussions for the people involved.
Firstly, no back up of the data, secondly, its almost impossible to protect a dvd that follows normal standards. Every DVD duplication protection has been hammered into the dust.
So, the IT/Security/commen-sense devoid management should be sacked, held accountable and placed in the corner with a pointed hat.....
The case will almost now surely fail due to lack of evidence...
and you can't really claim ignorance, when all these companies / organisations are registered under the data protection act (although that does just seem to be lip service; my previous employer forgot to mention in their registration that they had a CCTV system installed, including in the offices to watch employees, and at one time, even in a toilet).
It seems to me that the current system is not enough of a deterrent. Maybe they could gaol time to the registered DPA officer at these organisations, but probably the DPA officer does not have the power to change things. I think that the Chief Executive should be held personally responsible. Perhaps a change of law is in order, together with notices sent out by the ICs office just to bring the message home.
It should not be too hard to meet the requirements, and I don't know if the IC does something a bit more that just say that you should use protection; giving some examples to help small outfits would be nice (Physical locks tend to have BS numbers stamped on them so that people know, perhaps the IC could say things like: does the cncryption built-in to windows meet the requirement? is a password protected zip file OK?)
Re: Thats the real issue..
They don't think, agreed.
But this shouldn't be about DVD copying/protection mechanisms. The video files should have been on the DVD as data files, not as transport/packet streams, i.e. readable and (un)encryptable by a computer, not playable on a DVD player.
Re: Thats the real issue..
And it wasn't - the fine was because nobody in the organisation had even bothered to give any thought to protecting the details of the people they are caring for.
If they had sent a regular DVD of the video footage but kept the identifying details and names/addresses encrypted or anonymised they would be fine.
The need for security isn't exactly unknown in medical data. We generate test files for CT scanners and have to anonymise the "patient info" in the DICOM file of a density wedge before the hospitals will accept it!
Everything that is wrong with ICO...
...in one neat package.
NMC is the professional regulatory body for Nurses & Midwives. It has no shareholders, it isn't run to make a profit. Unlike previous penalties handed to local government that simply move public sector slush around, in this case the penalty is ultimately paid by nurse & midwives through their subscriptions. How does that impact those responsible? Why, in the wider context, would individuals in other organisations feel vulnerable, or motivated to improve if the only penalty is a fine that they don't pay?
Sacking should be a last resort, but there are other approaches to resolving problems. However, the ICO's fondness for monetary penalties is a subsititute for doing something useful. And since the ICO clearly aren't stopping data breaches (most of which seem to be self reported anyway), it makes me wonder if we should do away with ICO as yet another useless regulator.
When a bureaucracy (such as the public sector) or a charity/not for profit body breaches the law, the penalty needs to be something that they find organisationally uncomfortable, not some "fine" that can be hidden away in the accounts. Like forcing the head honcho and the head of IT/data protection to write to every council tax payer or member in a dedicated letter explaining what they did, what went wrong, how sorry they are, and what they are doing to ensure future compliance. In these situations, I suspect embarassment for the big wigs is a far more powerful tool than fines that they don't suffer.
Re: ...embarassment for the big wigs is a far more powerful tool...
A better idea - a public flogging!!
The only way to ensure that public sector and NFP organisations invest in due process and rigour to protect personal data is for the ICO to be able to hand down jail time to Senior Management.
Not sure "ICO to be able to hand down jail time" is such a great idea!.. job of judges, due process, etc... but criminal prosecution powers like those of the CPS... or at least remit to work in conjunction with the CPS just as other policing bodies do... would surely be appropriate? Isn't something like this already in place? If not, why not?.. and if so, why isn't it used?
Fines only work up to a point. Organizations might take data protection a bit more seriously if the penalty for a serious breach was a spell in prison handed down by a judge rather than a "civil monetary penalty " imposed by the ICO. Even more so if it meant the chief exec faced being put in the clink.
Re: unencrypted DVD
Clearly an MPAA violation!
Which, being outside America, we don't give a flying fuck about.
Best example of this inability to understand that US laws cease to have effect at their borders was when the US president gave Sweaty Gordon a stack of DVDs as a present. The NYT printed a mocking article pointing out that, as they were all Region 1 disks, the caledonian spendthrift would be unable to watch them. In fact, of course, I'm sure that 10 Downing St. has a multiregion player, as do most of us outside the United Soviets of America.
I'm not sure what was funnier; The sheer ignorance displayed by the NYT, or the fact that the British press duly trotted that load of bollocks out en masse without thinking.
They won't care, it's not their money
Why do government bodies that issue fines fail to understand even the simplest of concepts? This fine isn't paid by those responsible. In this case, it's paid by those people who pay their subscriptions and literally had nothing to do with the whole issue. Those responsible won't be punished to a level anywhere near what is deserved.
They need to get more inventive on the punishments because sacking people would violate their employment T&Cs as they're protected from being a moron and aren't responsible for their own actions.
Maybe they should be made to stand in the corner of their local shopping centre for a week to think about what they've done.
Re: They won't care, it's not their money
"In this case, it's paid by those people who pay their subscriptions "
Subscriptions which conveniently have been increased by 32% this year, significant other is not impressed.
"Like forcing the head honcho and the head of IT/data protection to write to every council tax payer or member in a dedicated letter explaining what they did, what went wrong, how sorry they are, and what they are doing to ensure future compliance"
better still if the letter has to refer explicitly to the implications for each specific recipient, and the heads of department / responsible individuals have to write the letters themselves, on their own time and with no assistance, and pay for the paper, ink and stamps out of their own pockets, and be given a limited time for letters to be received (not just allegedly sent)
Fines are a really silly idea for punishing public sector / quangos, because the individuals concerned don't pay them. A publicly named single individual should be responsible for DP compliance in those organisations, and be held liable for the fines. If they can't afford to pay the fine, then go up the management chain as far as it takes to collect it, ultimately the elected people responsible for oversight should have to pay if the fine can't be collected lower down. And it needs to be a "one strike and you are out" rule; you mess up with public information & privacy, you are not allowed to work with public data ever again.
Anyone else wonder
1) why are you shipping DVDs around, and
2) how many gigs of data did you have on each nurse?
Re: Anyone else wonder
1) why are you shipping DVDs around, and
Yup. Methinks it should be conceivable, even to management types, that some kind of electronic transfer - secure FTP and the like, even something as crude as attaching the data (once encrypted) to an email - would be altogether quicker, cheaper, more reliable and more secure than burning the sensitive cleartext to a DVD then handing it to some geezer on a motorbike! The only explanation I can think of is that there could be some archaic procedure necessitating evidence be submitted in a physical form? If that's the reason for this nonsense, perhaps it's time court clerks were trained to use an FTP client?
"Here's some DVD's that need sending over by courier"
"OK, I'll just pop them in this envelope"
"Courier please take this to...."
"Please sign for this package"
"Hang on, who would send over an empty package?"
Just makes you wonder where the point of failure was.....and where the DVDs really are. Shouldn't be too difficult to find out.
I suspect the package was opened to find DVDs of an operating system, some Excel files, ABBA, whatever. Someone grabbed DVDs and shoved them in the jiffy-bag, and who knows? Maybe tried to dance to the video. Or threw them out. Or realised that they had screwed up big-time and quietly dumped them in a rubblish bin on the way home one night.
ICO is pushing for authority to impose custodial sentences.
It's not hard to use DVDs safely. It doesn't even cost money. Stick everything in a TrueCrypt container and burn that to DVD. Phone the intended recipient and give them the key.
User awareness is the big and hard step and those upstairs don't want to do it because it doesn't get them in the local papers or tick their bonus boxes.Security is sewage to them. Only important when it goes wrong, otherwise to be avoided.
I'm wondering if this really would have been a practical solution for the people involved. They're a bunch of nursing watchdogs, not tech gurus. They were probably pretty chuffed to have got the video off the camera at all, congratulated themselves when they managed to burn it to a DVD - a form that would actually be playable by their similarly tech incompetent colleagues - and then arranged the most secure transfer method they could think of - a courier. Only it all went pear shaped.
And now some clever chap on a tech-forum is telling them they should have used TrueCrypt. With their field-of-competences? Their lack of training and experience? And that of their colleagues? Not a chance.
I imagine that the ICO levy fines because it's cheaper than giving the staff the training they need. And when the fines are big enough to bankrupt the nursing watchdogs, I suppose we'll do without them then, will we?
to ensure that an empty package is not delivered by courier!
Re: TrueCrypt, really?
But it's not even just technical wiles that are scarce in these arenas, it's a basic conceptual understanding of WHY you should encrypt, from my experience. They can't get their heads around what is, fundamentally, a common sense principle that takes no technical understanding to apply. TBH, this crew are still at the *shouting at the 'broken' computer 'screen' when they input incorrect passwords* stage. They learn 'IT crap' (as I've heard it called) parrot-fashion and without any idea what they're doing. I've been berated for being 'difficult' and 'making work' for highlighting data in clear, just freely burnt to optical disc and couriered / posted.
Or you're told 'they can't open it at the other end'. Well, if 'they' can't follow simple instructions and key / paste a password in, then you're dealing with equal ignorance at the receiving end and round and round we go.
It's too often the case that the sender yields to ignorance at one point in the chain and gives up on best practise, so as to not be the one to 'make a fuss'. This will happen ad infinitum.
What to do with the money...
A simple fine like this is pointless, taking money from one organisation and sending it to another one isn't going to make a difference.
What the ICO should do is say "You will budget this money to conduct a comprehensive review of your data security procedures and ensure that proper measures are implemented to ensure that it does not happen again".
That way the money will actually do some good.
Re: What to do with the money...
True. The logical end result of negating end-user stupidity is highly unpalatable to most companies though. i.e. USB/drive lockdown. Staff hate it. Most places end up with loads of 'special cases' of middle managers / directors who have it disabled after repeated veiled job-security threats to IT.
Custodial punishments for simple lapses of procedure would be ridiculously unjust and disproportionate. What on earth are some of you smoking?
Data will out. The best you can do is train, raise awareness, and root cause any breaches as thoroughly as time and money allow. Let's live in the real world for once.
If there is lapse in basic procedure then someone needs to be held accountable.
With all the previous press coverage why did these people think it was OK to send disks out unencrypted?
I wonder how long it will be until these type of story blend into "We can't get your data back, because it's encrypted and we've lost the key."
I used to work at a major UK (global) FI, we decided not to encrypt backup tapes because we'd need to have every tape drive in the world (over a thousand) be able to restore tapes encrypted by any other drive. It was considered that the key management involved was far too coplex. To protect the customers' data we decided that we would:
1) Never let a tape out of a datacentre
2) Never store tapes offsite (preferably never out of a tape library)
3) Shred any tape (or, disk drive) before it leaves a datacentre.
4) Any required data transfers will be sent over private or virtual private connections (a luxury available in a global FI)
My worry is that, as we can see from comments above like "just use trucrypt" the complexity of proper, secured, encryption isn't well undersood by even technical people. If smaller, less IT savvy organisations start encrypting, it's only a matter of time before they either store keys with encrypted files or loose them because they're not next to each other, or they're written down etc.
Oh great, now nurses will have to pay more extortion charges^W^Wfees to pay up for these clowns' mess.
How about a cut in salary of those in charge when this happens? I bet security would improve massively.
If the package was empy...
...how do they know if the DVDs were encrypted or not, or even if they ever existed in the first place?
Purpose of the fine
IMHO isn't so much designed to be punitive to the body they are fining but more a big show "pour encourager les autres".
I've had the conversation regarding purchasing IT security solutions. "If it hasn't happened before, why should we spend tens of K making sure it doesn't happen in the future?" When the ICO raised the max fine to 500K then it suddenly made financial sense to buy the kit just in case.
Now the ICO is actually handing out large fines and I think the message is that these numbers are actually real and organisations really would be staring down the barrel of a six figure sum unless they spent some money now to sort out their non-existant data protection regimes.
Some, alas, are still not getting the message.
Re: Purpose of the fine
a good and valid point: still doesn't address the issue that the responsible people don't actually pay the fines personally, which is simply unjustifiable.
Anyone remember the Yes Minister about "failure standards"? The proposal slipped to the minister in a brown envelope was to make a named individual responsible for the success - or failure - of a given project (which should extend to task or role). Even allowing for the fact it was a TV comedy show, it's depiction of the entire civil service (both national and in local government) being horrified at that thought is clearly true, and almost certainly extends to the quangos and almos that run half of the public sector, otherwise any sensible government (of whichever party, the series was made in the 80s so all three major parties have had a chance by now) would have done it. Another reference from same series? The opposition in parliament is the "opposition in exile": the bureaucracy is the "opposition in residence".
I think "midwifery" is a funny word.
Don't know why...
The ICO can already prosecute
The ICO already has the power to haul employees of an offending company into the Crown Court for prosecution, they just haven't yet exercised this ability.
The good thing about this power is that it only applies to members of the "body corporate". In other words, the ICO can only prosecute employees down to the level just below Director - general managers, department heads, and assistant directors in the NHS.
This is intended to force senior staff to retain responsibility and accountability for the performance of their staff. The large cause of many of these data breaches is management either creating environments that force insecure behaviour, not providing the funding for technology to secure this data, or not ensuring adequate levels of concern and knowledge in the staff working for them.
The potential outcome for these staff prosecuted in this manner? An unlimited fine (unlike the corporate fine that's limited to £500k) and up to two years in prison. If the ICO would go down this route it would certainly focus the minds of those in charge!
Moving to this form of response would stop the public paying for these offences by having public funds removed from the organisation, or the organisation's service being effected by a now limited budget. Instead, the effects would be felt where it hurts most - in the Chief Exec or Director's wallets! No taxpayer's money involved!
Anon because... hey, I actually like my NHS based job! :P