Revenue blunder is a lesson for public bodies
21 Nov 2007
The Information Commissioner has highlighted the importance of tight security and data protection in public sector bodies, following the security lapse at HM Revenue and Customs (HMRC) that led to the disappearance of discs containing the personal data of 25m people.
Last night the Chancellor, Alistair Darling, confirmed that two computer discs holding the personal details of all families in the UK with a child under 16 had gone missing, after being sent by unrecorded and unregistered internal mail.
The Child Benefit data on them included names, addresses, dates of birth, National Insurance numbers and, where relevant, bank details of 25m people.
Responding to the revelation, Richard Thomas, Information Commissioner, said: “Incidents like these illustrate that any system is only as good as its weakest link. The alarm bells must now ring in every public sector organisation about the risks of not protecting people’s personal information properly.
“As I highlighted earlier this year, it is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour.”
Yesterday the Chancellor made an emergency statement to the Commons, explaining how a junior official at the HMRC sent the entire child benefit database from the HMRC office in Washington, Tyne and Wear, to the National Audit Office in London on 18 October.
In a clear breach of the agency's procedures, the package was sent through the contracted courier TNT but not by recorded delivery, and it never arrived at its destination. Earlier in the day the HMRC chairman, Paul Gray, resigned after the incident came to light.
Thomas has now promised to pursue a full review of the data loss, which he says is the third such incident from HMRC that his office is investigating.
“I am pleased that HMRC reported this breach to my office and that the Chancellor has announced that Kieran Poynter of KPMG will carry out an independent review. The Chancellor has agreed that the full report will be made available to my office and we will then decide what further action may be appropriate. Searching questions need to be answered about systems, procedures and human error inside both HMRC and NAO,” he said.
The discs were password protected, and the Chancellor said a junior official should never have been in a position to post the sensitive information, but added that there was currently no evidence to suggest it had fallen into the wrong hands.
“This is a very, very bad situation indeed. There are clear procedures in place which should have stopped anyone, let alone a junior official, from downloading this information on to two discs and putting them in the post unregistered,” the Chancellor admitted.
Yesterday, EHI reported that the Information Commissioner had proposed plans to prosecute doctors who have laptops containing unencrypted patient information stolen from their cars.
Joe Fernandez
© 2007 E-HEALTH-MEDIA LTD. ALL RIGHTS RESERVED.
Comments

1. Nothing to hide - nothing to fear? (21 Nov 07 11:44)
Let's be clear - the question here is not the failure of the chosen courier service or failure to use strong data encryption. The real question is this - what was the individual wanting these data in the National Audit Office planning to do with the information had the discs arrived? How can this possibly have been a legitimate request? Are we living in a State where junior members of staff in one government department freely provide ad hoc reports containing confidential information to (junior?) members of staff in another? It seems we are - and there are plans to extend this interdepartmental 'sharing' of data for our benefit: http://www.theregister.co.uk/2006/09/14/dca_information_sharing/ Up to now I have been among the critics of the "opt out of NCRS" confidentiality doom mongers. I, along with many others, may be forced to revise our opinions.

2. It's what we've been saying all along!! (21 Nov 07 13:58)
It's not that the 'Doom Mongers' don't believe in the benefits of electronic health records. Personally, I don't understand the need for huge, central databases when local ones are more appropriate - over 95% of healthcare is delivered within 20 miles of the patient's home. I don't trust the government to run the data properly. I don't trust the government to keep the data safe. I don't trust the government to use the data with my consent only or only to my personal benefit. I don't trust the government not to use the data for profit organisations to make more money at the expense of the ill. I don't trust the government to tell me every time somebody accesses my data (or for me to get a fully disclosed report of such access). I don't believe the NHS techies who say the security will be bullet-proof. It is the long 'sleepwalk' into endless problems with patient information at stake but no responsibility or accountability to be assured by. Who (with a grasp of accurate history) will tell me that I'm wrong?

3. NCRS use case? (21 Nov 07 16:11)
Dear CfH Guys - can you run a few queries for us over here in MI6?
1. Terrorist suspects
SELECT * FROM NCRS WHERE RELIGION = 'Islam' AND Diagnosis = 'Psychiatric disorder'
2. Pedophile suspects
SELECT * FROM NCRS WHERE SEX = 'Male' AND MARITAL_STATUS = 'Single' AND DOMICILLARY_STATUS = 'Lives with mother'
3. All other undesirables
SELECT * FROM NCRS INNER JOIN E_VOTING ON E_VOTING.ID = NCRS.ID WHERE VOTE <> 'Labour'

4. Quite so (21 Nov 07 22:16)
The first three responses to this piece are among the best postings I have seen on EHI, and the MI6 memo was funny to boot. Keep up the good work. Don't believe a word you are told, people; keep asking what they plan to do with the data.

5. NAO did not ask for data (stressfreedave@hotmail.com, 21 Nov 07 22:25)
The NAO did not ask for the information that was being supplied. They had asked for information, but this was to exclude name, address, DOB(?) and bank info. They were being sent it because it was too awkward for the data to be supplied in that format (apparently the database the info is held on does not seem to be able to run a query that excludes such info).

6. NSTS only just waking up. (23 Nov 07 11:24)
Ripples: Now NSTS (the huge database of identities and NHS Numbers) say they won't accept information for batch tracing unless it arrives by recorded or special delivery and is encrypted. Just how were people sending this information before? It defies belief that people were sending such data without giving it adequate protection - but why should I be surprised? Clinicians and staff are forever emailing info to each other, often without even password protecting it. And all this happens when there are easy ways to do it properly, such as using NHS Mail, which is free and easy to use.

7. re: Undesirables (23 Nov 07 13:42)
Cross-departmental data flow from central NHS sources has already occurred:
>>the NHAIS sites identified some cases where the person appeared to have subsequently returned to the UK. Details of these were passed to the Home Office for them to consider what, if any, action should be taken. Based on this information the Home Office has made a number of deportations<<
from the National Duplicate Registration Initiative report 2006 - http://preview.tinyurl.com/yhum37 - and previously discussed here - http://www.e-health-insider.com/comment_and_analysis/164/no_mistake
There is obvious value to the taxation, immigration, child support agency, police services etc. in NHS demographics registers (the medical information is irrelevant). People otherwise wishing to keep a low profile may need scheduled NHS treatment but are unlikely to be filing tax returns etc. Several other countries are comfortable with a single unique ID/entitlement card to cover interactions with all government departments (e.g. Denmark). Such single IDs often subsequently become a prerequisite to opening bank accounts etc. That potentially extends data mining expeditions deeply into private transactions. One may or may not regard this as a good thing. One undeniable appeal is avoiding the cost of separate multiple-billion pound contracts for the maintenance and development of standalone registers which the current administration is committed to. Frank political dialogue about these choices is lacking. Sadly the current "CD-gate" furore is unlikely to become this much needed debate. Meanwhile we bear the expense of multiple identity databases and incur only the disadvantages of a single one.
Dr Malcolm H Duncan

8. Informed Consent - new wording. (23 Nov 07 18:38)
Informed Consent - new wording: "I have read your statement on confidentiality and security of personal and sensitive information, and I now understand that any information I give you will be copied and distributed, with or without your or my knowledge, to whomsoever you please, including person or persons unknown, for any purpose. I also understand that you can summarise, corrupt or alter information to conceal true facts and that I will be liable for any civil or criminal offence that you subsequently determine I have committed based solely on the computer-held information that you control. I can try to present facts to support my innocence, but you will take no notice as the data I present will not be corroborated with the false information that you hold. In the event that any inaccurate medical data you use results in my death, you will consider offering an apology to any of my surviving relatives provided they can prove beyond all reasonable doubt that they are who they say they are. To this end they will need to produce their national identity card(s) and my national identity card together with DNA samples and biometric evidence as necessary to establish their entitlement to an apology. The decision to grant an apology will be made by the quantum random number generator that is currently being designed by the ICT industry and that is expected to come into service in 2108 (or at some subsequent later date as may from time to time be advised)."

9. NHSMail no panacea (23 Nov 07 21:00)
The previous post implies that NHSMail would solve all these problems. Whilst data is encrypted in transit, it ensures nothing about what the recipient does with the data, or who they send it onwards to.

10. re: undesirables (24 Nov 07 20:55)
Fascinating post and links above. The report identified 10,000 patients who had died more than 15 years ago, with GPs still claiming them as patients, at an excess cost to the taxpayer of £6M. So are the undesirables those practices who fail to cancel patients who leave or die? The removed asylum seekers was a retrospective notification that they had gone, rather than a trawl of the NHS database to find candidates for removal. The acceptance of widespread use of a single number in Sweden and elsewhere is because it is longstanding practice, from a period when governments were more trusted. What I have not seen yet is what audit the Child Support data was being sent for, or why this analysis was in turn outsourced to an accountancy firm. I too think there is a balance to be struck. Security must be reviewed, but this is an ongoing challenge, and always has been.

11. Informed Consent - new wording (25 Nov 07 16:21)
Nice try with the new wording, but it doesn't matter how hard the creator tries, he or she can't really exaggerate the monumental horror of what the government is doing. They are passing round our personal information like a bag of sweets at the cinema. The monstrous complacency and incompetence defies belief.

12. Already "processing" abroad (26 Nov 07 09:17)
I understand that there have been concerns raised today that CfH is considering "processing" some NHS data overseas. I believe that a number of NHS Trusts are already using overseas agencies to produce letters from dictation generated here, containing personal and clinical details. So these data are travelling out, being processed by non-NHS staff, and then travelling back in their processed format.

13. Data processed overseas (stewart.smith@cd-tr.wales.nhs.uk, 26 Nov 07 12:09)
But you don't need to worry your head about data being processed overseas. ESR data falls into that category and I am assured that it is done in compliance with the 8th Data Protection principle. Yeah, right. I am off to catch the pig that flew past my window.

14. yet more on the bandwagon (26 Nov 07 13:55)
Come on, we've known about appalling breaches of patient confidentiality in the NHS for years:
- Receptionists discussing patients' histories loud enough for people waiting for appointments to hear.
- Back-up tapes sent to primary care software providers via unregistered post and never arriving (some with 30,000+ patients and histories on).
- Batches of registration documents supposedly sent between HAs when people move, turning up at random addresses, either as text files on floppy discs, or hardcopy.
Nothing's been done about this situation, but now people are jumping onto the bandwagon to use the latest government cockup to scare people even more. Why not get one of the tabloids to give the public an accurate picture of how the NHS mishandles our personal data on a daily basis? Time to wake up, smell the coffee and make a choice: An antiquated set up, with paper records going missing, data sent out with no security, and a duplication of effort. Or... An electronic system, pen tested with full security measures, audited access and communication between the various branches of healthcare, and RSA secured remote access rather than USB drives which fall out of doctors' pockets at the end of a shift. I don't understand why people think regressing to paper records will stop Big Brother from watching them - systems already send in patient data, and often to third parties who pay for your medical histories to be sent via unsecure and in a PI state. Should we add the ID card argument into the pot to muddy things even more? For the person who doesn't trust the NHS techies to make things bulletproof... NO system which can be accessed is bulletproof. Even servers which are only available on internal networks can be stolen (a GP surgery I once supported in Birmingham had their server room broken into twice in one week, with all their patient histories available to whoever took the kit). As with so many other things, it's a case of risk mitigation vs usability. Please get off those soapboxes and put the same amount of effort into constructively supporting the project as you do to peddling doom and gloom.

15. Comment Timing (28 Nov 07 09:36)
Why are all the above comment postings made at 11 mins past the hour? Are the e-Health Insider servers subject to external surveillance? I think we should be told.

16. The eleventh minute (28 Nov 07 22:16)
ALL ehealth insider postings are shown as 11 minutes past the hour - not just these ones. Definitely something fishy here!!! It is now 22:18 on the 28th November. I wonder what time will be shown on the posting? Come on ehi - fess up.

17. This is what comes of 'asking Fred'. (chris@cjsquire.plus.com, 29 Nov 07 13:55)
My niece, who is a middle manager for one of the IT consultancies, told me she was unsurprised by this fiasco. They would probably have quoted a fee of £10,000 to create a file with the unwanted fields stripped out. The job would however have been treated very seriously, authorised, checked and signed off by senior management at every stage. Her firm would be very alive to the reputational damage that a mistake could do. Government departments are always strapped for cash so they naturally 'ask Fred' to do the job in-house for nothing the best way he can. She takes some pleasure that this has happened, as it will strengthen their case when they argue that these special jobs [which are an important contribution to the total profit on a contract] must be done by the book in future.

18. No one should 'take some pleasure' from this... (30 Nov 07 12:19)
.. I'd assume from the last comment that a letter of apology from HMRC didn't arrive through the correspondent's letterbox or that of the aforementioned niece this week as it did through mine. There are many things to learn from this pathetic situation but 'taking pleasure from it' - I don't think so. I wonder what the qualifications are to become a middle-manager in an IT consultancy?

19. Asking Fred (30 Nov 07 14:24)
Aside from taking pleasure, unfortunately, it very often takes a disaster or near miss to convince those with the purse strings to spend money on IT in the public sector; I have seen it too many times. And the prime reason for such scepticism amongst senior management is the capacity of large-scale projects to mess up. "Not another Wessex RISP" was always the cry. Now that is many times eclipsed by the NPfIT, for excess spend with little value.

20. re: This is what comes of 'asking Fred' (30 Nov 07 16:04)
>>They would probably have quoted a fee of £10,000 to create a file with the unwanted fields stripped out.<<
"SQL For Dummies" available second hand from Amazon. Factor in the time for Fred (doubtless on minimum wage) to read chapter one and run the query - and you still have change from a tenner. The resulting data (of no interest to fraudsters or pedophiles incapable of identifying a child without first knowing their name and address) - sent unencrypted by first class post. But of course you are correct - the HMRC couldn't manage that... it is pathetic that public sector IT is so de-skilled as to be dependent on external consultancy for tasks that would be trivial for a small business :-(
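The extract that comments 5 and 20 argue HMRC should have produced, worked through as an added example. This is not code from the article, from HMRC or from any commenter: the table name, column names, sample rows and key are all constructed for illustration and are not HMRC's schema or data. The keyed pseudonym in place of the NI number is my addition, not something the thread proposes; it lets the auditor cite a record back to the data controller without the NI number itself leaving the building. The two checks run before anything is released and would have flagged the full-database copy that was actually posted.

```python
"""Minimised extract with a keyed pseudonym in place of the NI number.

Added example, not code from the article, HMRC or any commenter. The
table, column names, sample rows and key below are constructed for
illustration and are not HMRC's schema or data.
"""
import hashlib
import hmac
import sqlite3

# Fields the thread says should never have left HMRC for this audit.
DIRECT_IDENTIFIERS = frozenset(
    {"name", "address", "date_of_birth", "ni_number", "sort_code", "account_number"}
)

# Constructed sample rows: no real claimants, no real NI numbers.
SAMPLE_ROWS = [
    ("A Claimant", "1 Example Street", "1975-03-02", "QQ123456A", "12-34-56", "12345678", 2, 31.35),
    ("B Claimant", "2 Example Street", "1980-11-17", "QQ234567B", "65-43-21", "87654321", 1, 18.10),
    ("C Claimant", "3 Example Street", "1969-06-30", "QQ345678C", None, None, 3, 44.60),
]


def load_sample_db():
    """Stand-in for the Child Benefit database: an in-memory SQLite table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        """CREATE TABLE child_benefit (
               name TEXT, address TEXT, date_of_birth TEXT, ni_number TEXT,
               sort_code TEXT, account_number TEXT,
               children INTEGER, weekly_amount REAL)"""
    )
    con.executemany("INSERT INTO child_benefit VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return con


def full_extract(con):
    """What was actually posted: every column of every row."""
    cur = con.execute("SELECT * FROM child_benefit")
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def pseudonym(ni_number, key):
    """HMAC-SHA256 of the NI number under a key held only by the data
    controller. The auditor can quote the reference back to HMRC, but a
    recipient without the key cannot recover the NI number or confirm a
    guess, which a plain unkeyed hash would allow."""
    return hmac.new(key, ni_number.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimised_extract(con, key):
    """The projection comment 20 has in mind: only the audit-relevant
    columns leave, with the NI number replaced by a pseudonym. The raw NI
    number is read here, at the data controller, and is never exported."""
    rows = con.execute(
        "SELECT ni_number, children, weekly_amount FROM child_benefit ORDER BY ni_number"
    ).fetchall()
    return [
        {"ref": pseudonym(ni, key), "children": children, "weekly_amount": amount}
        for ni, children, amount in rows
    ]


def leaked_identifiers(records):
    """Pre-release check 1: which direct identifiers appear as field names?"""
    fields = set()
    for rec in records:
        fields.update(rec.keys())
    return sorted(fields & DIRECT_IDENTIFIERS)


def raw_values_present(records, raw_values):
    """Pre-release check 2: do any of the given raw values (e.g. the NI
    numbers) appear anywhere in the extract, whatever the field is called?"""
    exported = {str(v) for rec in records for v in rec.values()}
    return sorted(set(raw_values) & exported)


if __name__ == "__main__":
    key = b"constructed-demo-key-held-only-by-hmrc"  # assumption: per-extract secret
    con = load_sample_db()
    ni_numbers = [row[3] for row in SAMPLE_ROWS]
    print("full extract leaks fields:", leaked_identifiers(full_extract(con)))
    safe = minimised_extract(con, key)
    print("minimised extract leaks fields:", leaked_identifiers(safe))
    print("raw NI numbers in minimised extract:", raw_values_present(safe, ni_numbers))
    for rec in safe:
        print(rec)
```

The pseudonym key stays with HMRC and is generated per extract, so references from one audit cannot be joined to another. Minimisation does not replace the controls the article says were skipped: the file should still be encrypted and sent by a tracked service, and the release should still be authorised. It does mean that if the discs go missing anyway, what is lost is a list of benefit amounts rather than 25m identities with bank details.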