27 Nov 2008
A government chief scientific advisor has admitted that last year’s HM Revenue & Customs (HMRC) data loss scandal should have been prevented.
Speaking at a privacy conference held by the government-backed Cyber Security Knowledge Transfer Network, Brian Collins, chief scientific advisor at the Department for Transport and the Department for Business, said that the system should have flagged up a warning not to transfer such large amounts of personal data onto unencrypted discs.
Collins explained that, just as security software informs the user if they are about to visit a dangerous web site, so government information systems should inform users if they are about to do something which could put citizens’ data at risk.
"The system design should never have allowed the [data loss]," he said. "They should be designed to stop people going off the edges of what is acceptable. Why are we not doing this? Because it costs."
Collins added that, as part of its data handling review, the government is taking significant measures to improve data handling policies, including the formation of a pan-governmental identity management and assurance group, and the introduction of privacy impact assessments for all online services.
"We are never going to end up with a situation where no breaches occur, but we can do as much as we can," he said.
Privacy expert Jeremy Hilton of Cardiff University said that users should be involved in the design of new systems if organisations want to improve their information assurance standing. Staff should also be properly trained and made aware of their accountability in the information chain.
"This is fundamental to changing behaviour, and will lead to an adherence to controls," he said. "This approach will lead to improved information sharing and handling policies and procedures."
Claire Wardle, head of the legal team at the Post Office, said that the organisation has benefited from building security into its data handling systems. For example, it implemented a system which automatically notifies supervisors when their data handlers access too many records, requiring an audit report to be completed.
"It's a balance. How much do you want to pay for your information to be safe?" she said. "If you actually build it in at the beginning then it’s like doing disability improvements: it doesn’t cost anymore, provided that you think about all the bits upfront and pull them all together upfront."