The nation’s headline writers did not hold back when HM Revenue and Customs was forced to admit that it had lost the confidential details of every child benefit claimant in the country.
Words like “shocking” and “fiasco” featured above the first stories about how the information had vanished after a “junior official” put it onto two unencrypted disks for delivery to the National Audit Office – which never received them.
The hyperbole was justified. The HMRC incident, lost laptops and other data breaches from the MoD and other public bodies have already had far-reaching consequences.
The government was almost immediately forced to promise new powers for information commissioner Richard Thomas, including the right to conduct unannounced “spot checks” on private and public bodies.
And new legislation is likely to follow. In January, the Commons’ justice select committee called for new laws to force companies and public bodies to disclose data losses and to make them criminally responsible for breaches of the data protection act.
Meanwhile, the criminal justice and immigration bill will provide tougher legal penalties for individuals who knowingly or recklessly breach the DPA.
Tougher penalties were first proposed last summer, when the information commissioner’s What Price Privacy? report showed that journalists, private detectives and others routinely trick or pay staff in public services for information about users.
But in evidence to a Lords inquiry, assistant information commissioner David Smith said they might be used more widely. “Say a doctor or hospital leaves a laptop containing patients’ records in his car,” he said. “It’s hard to say that’s anything but gross negligence.”
Tougher sanctions against individuals who breach the DPA have been backed by the Department of Health as a way of promoting confidence in the systems being delivered by the National Programme for IT in the NHS.
However, another effect of the HMRC incident has been to increase scepticism about big government IT projects. The government has announced that it will push ahead with the controversial children’s database, ContactPoint, and with ID cards - but it has been forced to review the first and re-launch the second.
Meanwhile, the Conservative Party has called for the NHS care records service to be scrapped in favour of “storage on local servers with interoperability between them” to reduce the risk of “catastrophic data loss.”
Predictably, NHS Connecting for Health has rejected these demands. “The IT systems implemented as part of NPfIT have the highest standards of security control,” it said in a statement.
“Access to specific clinical information is controlled by [a] smartcard and requires a legitimate relationship with the patient. Audit trails will reveal who has accessed a record and NHS management is alerted to any inappropriate access.”
While this is true, campaigners have queried how robust the arrangements are in practice. It recently emerged that healthcare assistants have been printing off summary care records in Royal Bolton Hospital’s A&E department, despite the supposedly tight, role-based controls on who can see them.
The HMRC incident has had other impacts on the NHS. The DH was already undertaking a review of informatics, which is due to report this spring.
But at the start of December, NHS chief executive David Nicholson wrote to chief executives to remind them that they are now responsible for “securing effective information governance” in their own organisations.
His letter noted that trusts had to complete this year’s annual information governance self-assessment, using the NHS information governance toolkit, by the end of March. And it drew particular attention to the security of data in transit.
Mr Nicholson said he expected boards to assure themselves that their arrangements met all existing DH guidelines and “that there are robust procedures to make sure they are followed.” Recognising that this might take some time, he urged the NHS to stop bulk transfers of person identifiable data until it was done.
He also urged chief executives to check their security policies for laptops and other “portable media” and to make sure they do not hold PID unless it is encrypted.
Unsurprisingly, most analysts are predicting a big increase in the use of encryption technologies in both business and the public sector, as well as increased take-up of Microsoft’s Vista operating system, with BitLocker drive encryption.
However, the mantra of security experts everywhere is that good information security comes from a combination of good policies and procedures, good behaviour and good technology. And there is considerable concern that in the wake of the HMRC scandal, there will be a tendency to focus on just the first or the third of these.
Back in November, Prime Minister Gordon Brown asked the Cabinet Office to “ensure all departments and all agencies check their procedures for the storage and use of data.”
An interim report issued in December shows that the DH is far from being the only government department to have sent out reminders to its operational agencies about the need for good information governance policies and procedures as a result.
However, HMRC had policies to prevent data leakage – it just didn’t follow them (partly because its databases had been constructed in such a way that it would have cost money to strip out the information that the NAO actually requested).
At the other end of the scale, research and consultancy Forrester has found that European IT managers have tended to put information governance behind other priorities, including reducing costs.
Analyst Thomas Raschke says there is also a tendency for companies and public bodies to “mainly respond to and react to new threats, instead of proactively plugging holes and enforcing data policies.”
He predicts there will now be more interest in a wide range of “data leak prevention” technologies - ranging from network and wireless security to identity and access management, and from audit to “post leak” solutions, such as remote-kill. But he also points out that these “don’t fix inherently broken policies and processes.”
David Lacey, a member of the British Computer Society’s recently formed security forum, says new thinking is needed to bridge this gap between policies and technological fixes. “One of the problems we are facing is that the world has changed,” he says.
“We now live in a much more networked world - one in which people expect to do home-things at work and work-things from home. So the days when managers could lay down a set of rules about what could be done on ‘the’ computer system are gone.
“What we really need is a change of culture - one that brings policies and processes alive by engaging people about why they are important, and which uses technology to reinforce that.
“There is no point, for example, putting all your policies in an archive somewhere, and expecting people to find them. You need to use things like social networks, so people can ask questions about what they are doing, and to build prompts into applications that encourage them to do the right thing.”
This, of course, requires sophisticated thinking about the context in which people are working and the risk that their actions present, as well as investment in technology. But the change of mindset is undoubtedly necessary.
Instead of simply supporting organisations, IT is increasingly being used to deliver policy objectives and to change the way services are delivered. This makes it more important for policy makers and managers to consider IT early and to build staff and public support for change - not least by instilling confidence that data will be held securely and only used for authorised purposes.
The HMRC data loss and similar if smaller incidents have dented that confidence. So far, government departments have responded by reminding their agencies about the importance of having good information security policies.
However, both security experts and privacy campaigners would like policy makers to go further: by recognising that privacy, as well as information sharing, has a value to service users, by taking steps to minimise the amount of information that is collected about them, and by being clearer about the uses that will be made of it.
Meanwhile, in reacting to the HMRC incident, Richard Thomas said it was no longer good enough for public bodies to blame breaches on “junior officials” or a failure to follow policies.
“Any aggregated system of collecting information must be proof against criminals, it must be proof against idiots, it must be proof against those who do not follow the ordinary rules,” he said. And he emphasised that the stakes are high, by adding that: “Anything less could inflict serious damage on institutions and, potentially, the e-government project.”