Security expert slams Home Office data-sharing guide

The Home Office has published a code of practice for data sharing between public- and private-sector organisations.

The code, entitled Data Sharing for the Prevention of Fraud, is designed to give guidance to public authorities on disclosing information to third-party anti-fraud organisations. It was presented to parliament this week, following the enactment of sections 68 to 72 of the Serious Crime Act 2007 by statutory instrument last Wednesday.

Information commissioner Richard Thomas welcomed the code, writing in its foreword that "fraud prevention is a key priority for the public and private sectors alike".

"I welcome this high-level code of practice in terms of setting out some broad principles and considerations for participants," Thomas wrote.

The code states that it aims to ensure data is shared in a "necessary and proportionate" way, and that data sharing takes place within a framework that properly protects individuals' rights and the security of the data. It also says the Serious Crime Act does not give public authorities the power to make disclosures that contravene the Data Protection Act.

However, one security expert disagreed. "The code of practice is supposed to regulate the infinite powers given under the Serious Crime Act, which specifically amends the Data Protection Act," security author 'Spy Blog' (who prefers to remain anonymous) told silicon.com sister site ZDNet.co.uk on Thursday. However, Spy Blog said the Serious Crime Act sections introduced a danger of function creep that was not addressed in the code.

Spy Blog said: "What starts as an ad hoc system [of data sharing] could become a system linking many private and public sector organisations automatically. For example, insurance companies need to investigate fraud, all well and good, but insurance covers accident insurance, which means they need to view medical records. Claims looking at medical records get linked automatically, and everyone is linked."

Spy Blog added that the provisions of the code were too broad and may not make data sharing secure, as security methods such as encryption were not specified.

"It's so vague," said Spy Blog. "The thing that struck me is that even after all of the privacy and data breaches with lost laptops, CDs and USBs, there's no mention of encryption."

The Home Office said on Thursday that the code was designed to be "overarching", and that encryption was not specified as data could be provided by a "variety of means".

A Home Office spokesperson said: "The code of practice is designed to provide an overarching code for public authorities disclosing information under arrangements with a specified anti-fraud organisation. The code requires public authorities to have appropriate technical and organisational measures in place to assure the security of information disclosed under these arrangements.

"These measures must be agreed with the specified anti-fraud organisation in an information-sharing document. As data may be disclosed to specified anti-fraud organisations by a variety of means, the code does not specify the exact security measures to be put in place."

The Home Office spokesperson added that the code provides examples of technical and organisational measures for public authorities to consider.

"One of these examples is for public authorities to ensure that 'all computers and buildings used for data processing have physical and logical access controls limiting access to certain individuals'," said the spokesperson. "Encryption for secure data transfer is one method that could be used to limit access."

The code was not available on the Home Office website at the time of writing.

Original article: Home Office publishes data-sharing guidance from ZDNet UK