Security expert slams Home Office data-sharing guide

But 'welcomed' by information commissioner

By Tom Espiner, 10 October 2008 08:40


The Home Office has published a code of practice for data sharing between public- and private-sector organisations.

The code, entitled Data Sharing for the Prevention of Fraud, is designed to give guidance to public authorities on disclosing information to third-party anti-fraud organisations. It was presented to parliament this week, following the enactment of sections 68 to 72 of the Serious Crime Act 2007 by statutory instrument last Wednesday.

Information commissioner Richard Thomas welcomed the code, writing in its foreword that "fraud prevention is a key priority for the public and private sectors alike".

"I welcome this high-level code of practice in terms of setting out some broad principles and considerations for participants," Thomas wrote.

The code states that it aims to ensure data is shared in a "necessary and proportionate" way, and that data sharing takes place within a framework that properly protects individuals' rights and the security of the data. It also says the Serious Crime Act does not give public authorities the power to make disclosures that contravene the Data Protection Act.

However, one security expert disagreed. "The code of practice is supposed to regulate the infinite powers given under the Serious Crime Act, which specifically amends the Data Protection Act," security author 'Spy Blog' (who prefers to remain anonymous) told silicon.com sister site ZDNet.co.uk on Thursday. Spy Blog said the Serious Crime Act sections introduced a danger of function creep that was not addressed in the code.

Spy Blog said: "What starts as an ad hoc system [of data sharing] could become a system linking many private and public sector organisations automatically. For example, insurance companies need to investigate fraud, all well and good, but insurance covers accident insurance, which means they need to view medical records. Claims looking at medical records get linked automatically, and everyone is linked."

Spy Blog added that the provisions of the code were too broad and may not make data sharing secure, as security methods such as encryption were not specified.

"It's so vague," said Spy Blog. "The thing that struck me is that even after all of the privacy and data breaches with lost laptops, CDs and USBs, there's no mention of encryption."

The Home Office said on Thursday that the code was designed to be "overarching", and that encryption was not specified as data could be provided by a "variety of means".

A Home Office spokesperson said: "The code of practice is designed to provide an overarching code for public authorities disclosing information under arrangements with a specified anti-fraud organisation. The code requires public authorities to have appropriate technical and organisational measures in place to assure the security of information disclosed under these arrangements.

"These measures must be agreed with the specified anti-fraud organisation in an information-sharing document. As data may be disclosed to specified anti-fraud organisations by a variety of means, the code does not specify the exact security measures to be put in place."

The Home Office spokesperson added that the code provides examples of technical and organisational measures for public authorities to consider.

"One of these examples is for public authorities to ensure that 'all computers and buildings used for data processing have physical and logical access controls limiting access to certain individuals'," said the spokesperson. "Encryption for secure data transfer is one method that could be used to limit access."

The code was not available on the Home Office website at the time of writing.

Comments

There are 6 comments.

  1. Roger Huffadine

    I thought that encryption would be the main thrust of this guide. It just shows the Home Office as out of touch with both reality and security.
    If a robust encryption protocol were enforced it would be a simple matter to close down any errant database connection together with all of the data stored by any errant organisation. This would also work on all of the historic data that had been downloaded prior to any breach of the usage rules.
    Data on the recipient databases would remain encrypted forever but a [say] daily key would enable the recipient organisation to decrypt the information for 'read only' - any attempt to write the record away elsewhere would lock down the whole database and raise the alarm of misuse.
    The system need not be a single layer multiple key system which would become easier to crack the more you used it - but a multi layered key system which would add minimal overheads whilst providing very strong security.
    The threat to recipient organisations of losing all data access and the certainty of a prosecution for the chief executive would tighten up the shared data security to a level where I might have a degree of confidence.
    As things stand today you might as well just give password free access to every government database - because there just isn't any incentive to hold data securely - nobody has gone to prison for wantonly revealing secure data.

  2. anonymous

    Did anyone need a "Security expert" to tell them that this Gov and particularly the Home office can't be trusted with data and know nothing about data security? I can't think of a public body less qualified and with less credibility to take on this exercise.

    Yet again our Gov lets us down and embarrasses us all with their total lack of knowledge and forethought. I wonder how much cronies of the HO have earned from us tax payers for the preparation of these patently useless guidelines?

  3. Matt Fisher, FrontRange Solutions

    While it is good news to see that the government is taking issues of data security seriously by putting in place a proper framework to manage the sharing of sensitive information, the numerous high-profile breaches we have seen in recent months suggest that the government is yet to prove its capabilities when it comes to protecting confidential data. The government needs to ensure that both private and public sector organisations recognise the importance of protecting customer data and that network governance and data encryption are in place to assure the public that their information is secure. If information is to be shared between organisations, secure lines of communication and strict technological methods of protection need to be installed to prevent important data from being lost, and to ensure that, in the case of a breach, the data is encrypted and the risk is therefore minimised.

  4. Karen Challinor

    and once more the government attempt to become an authoritative voice in a field beyond their collective expertise

    the woolly definitions and 'catch all' clauses provide yet more sticks with which to beat the non compliant while at the same time absolving government departments of any hint of error or fault when problems occur

    security is the last thing this document is about

  5. Chris Goodman

    Another example from the moronic Home Office of a vague blanket "guide" not really worth the cost of its production.

    Unfortunately that is what we get in a civil service that does not have a "weed out" procedure to prevent promotion above ability (reaching one's ceiling!) thus allowing mediocre civil servants reaching the top echelons.

  6. Cassandra

    Apart from encryption - there is also a consent issue. Although the insurance industry might have an interest in a person's medical records it has no right to view or share them without explicit consent of the individual and then only for a specific and declared purpose. Sharing personal identifiable medical data across the industry in general, is not an option. Only a company I have a contract with or am in dispute with has any reason to see any medical records and information and only parts relevant to a claim or contract.
