More data breaches to come, warns gov't

Chief adviser reveals huge challenge facing Whitehall

By Nick Heath, 27 November 2008 17:03

One year on from the HMRC's loss of 25 million people's personal data, a chief information security expert at Whitehall has warned there will be more high-profile government data breaches to come.

Brian Collins, chief scientific adviser to the Department for Transport and the Department for Business, Enterprise and Regulatory Reform, told silicon.com how government is protecting personal data.

"This is being done in a prioritised way. We are going to have to cope with a diminishing number of data breaches but there will still be data breaches," he said.

Speaking at A Fine Balance privacy conference today, Collins revealed that government departments are seven months into an ongoing process of cataloguing all of the information they held for a "register of information assets".

Cataloguing the "trillions" of pieces of information handled by central government will be a "huge problem" for some departments, according to Collins.

He said it is particularly difficult for public-facing departments dealing with health- and pension-type information.

Deciding which data should be protected first is as difficult as the challenge in "putting a value on a human life" faced by road safety officers, Collins said.

Speaking at the conference he added: "The register of information assets is a really big task if you have never done a proper information register before."

In the wake of the HMRC loss Collins said that government departments had discovered and closed security holes that were "on the edge of being quite dangerous".

Over the last year, around 30 million records have been lost by public and private firms, and the government recently supported giving the Information Commissioner powers to fine organisations for recklessly losing data and to carry out unannounced checks on public bodies.

The government is initially concentrating on overhauling information security in those departments that handle the largest amounts of personal and financial information.

A Fine Balance was organised by four of the government-funded knowledge transfer networks, dedicated to promoting UK business.

Comments

There are 3 comments.

  1. Cassandra

    The Public Sector Information Directive requires all public sector organisations to have an Information Asset Register. This will hold metadata to describe all public sector information assets that are not published. Generally these will be data rather than documents. We are to publish this register on a public web site and supply metadata to the Office of Public Sector Information central register INFOROUTE. Metadata is to accompany all data on supply.
    Most organisations are woefully lagging in this work; there is a tendency to see this as an IT task and imposed on rather than core to business.
    External data sharing with non-public sector organisations is a key target. Until the Data Handling Regulations bite, many areas have little time and fewer resources to respond to the need for an IAR.
    An IAR is important for accountability to enable governance and data sharing discovery and sharing efficiencies; it can support Business intelligence, data share internally and supply externally as commercial use can stimulate the economy via mash-up applications and purposes.
    As the public have already paid for this data why not enable wider use as long as the privacy or sensitivity issues do not prohibit it? Unfortunately where is the resource to develop and deliver this when it is thrown at ID cards?

  2. Charles Smith

    It is neither difficult nor expensive for the Government to protect personal data.

    The only problem is Civil Service and Quango management inertia. "Prioritisation" is a tacit admission of failure.

    Proper encryption of exposed data would be one move in the right direction.

    Proper control of access, preventing whole file dumps when a selective access is another effective control.

    The most effective solution would be to have criminal prosecution and lengthy prison sentences for offenders who are negligent with data. When the jail door first slams on the responsible manager we will suddenly find that the problem gets cured.

    If you can't do the job, move over and let someone else handle it.

  3. Drew Stephenson

    Just to echo CS's comments, the accountability has to be right at the board level. Start jailing a couple of CEOs and people will pay attention. Fire and fine the odd middle-manager and no-one will give a damn.
