Ouch. Well, if I had wanted an example of the flexible and sometimes porous boundary between policy and technology in the protection of sensitive data, I couldn't have expected one much better than this, as reported on the BBC site today. According to the news item, a memory stick has gone missing after being populated with personal data in the course of work undertaken by PA Consulting: "The memory stick contained un-encrypted details about 10,000 prolific offenders as well as names, dates of birth and some release dates of all 84,000 prisoners in England and Wales - and 33,000 records from the police national computer."
The Home Secretary, Jacqui Smith, is reported as saying that this was data which had been 'held in a secure form' by the government, but downloaded by the contractor despite contrary provisions in the contract under which they were working. The point, surely, is that whatever technical security measures had been applied to the data, the contractors were able to access it (legitimately, one assumes, in the course of their contract work), but that when it came to preventing the resulting information from being copied onto removable media (in this case, a memory stick) the only protection in place was contractual. The Home Secretary appears to have had no reservations about placing the blame squarely on the contractor for an alleged breach of contract. Under the circumstances, I expect a number of people at PA are wondering whether the Home Office had taken all reasonable steps to secure the data technically, as opposed to relying so heavily on the contractual provisions she refers to.
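The gap described above, between a contract that forbids copying and a system that still permits it, is exactly the kind a technical control can close. The PowerShell script below is an added example, not part of the original post and not anything the Home Office or PA Consulting is known to have run; it assumes a Windows Vista or later workstation on which a contractor needs read access to the data but must not write it to removable disks, and it sets and then verifies the built-in "Removable Disks: Deny write access" policy through its registry-backed policy key. The function names are my own.

```powershell
# Added example (not from the original post): enforce and verify a
# machine-wide "deny write to removable disks" policy on Windows.
# This is the same setting Group Policy exposes under
#   Computer Configuration > Administrative Templates > System > Removable Storage Access.
# Run in an elevated session. Hypothetical environment: a workstation where
# contractors may read the data but must not copy it onto USB media.

# Device setup class GUID for removable disks (documented Windows value).
$RemovableDiskClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDiskClass"

function Set-RemovableDiskWriteDeny {
    # -Deny sets Deny_Write = 1 (writes blocked); omitting it sets 0 (writes allowed).
    # Read access is left untouched so legitimate work on the data can continue.
    param([switch]$Deny)
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -PropertyType DWord `
        -Value ([int]$Deny.IsPresent) -Force | Out-Null
}

function Test-RemovableDiskWriteDeny {
    # Returns $true only when the policy key exists and Deny_Write is 1,
    # so the result can be fed into an audit or compliance report.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $v = Get-ItemProperty -Path $PolicyKey -Name 'Deny_Write' -ErrorAction SilentlyContinue
    return ($null -ne $v) -and ($v.Deny_Write -eq 1)
}

Set-RemovableDiskWriteDeny -Deny
if (Test-RemovableDiskWriteDeny) {
    Write-Output "Removable-disk writes are denied by policy on $env:COMPUTERNAME"
} else {
    Write-Warning "Policy not applied; removable-disk writes are still allowed on $env:COMPUTERNAME"
}
```

Writing the key directly suits a stand-alone machine; in a domain the same setting would be pushed by Group Policy so that a local administrator cannot quietly undo it. The policy applies to devices connected after it takes effect, so a reboot or replugging the device may be needed. It addresses only the copying step the post identifies; encrypting the data at rest, so that a lost stick is not a disclosure, is a separate control and not a substitute.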
One person ought to be happy, though - Michelle Dennedy, our CPO, will surely enjoy seeing one of her trademark phrases recycled* by the Deputy Commissioner at the UK's Information Commissioner's Office. David Smith is reported as saying that 'the latest loss showed that personal information could be a "toxic liability" if not handled properly'.
*In fact, on investigation, I notice that the metaphor has also been appropriated by Cory Doctorow and, indirectly, Hal Stern.



Robin: All these data breach announcements have a scalability problem. As the number of announcements soars, we need to better define what is a serious breach and what is not. Otherwise, the public drowns in breach announcements, many of which are insignificant. --Ben http://hack-igations.blogspot.com/2007/12/does-lost-tape-equate-to-lost-data.html
Posted by Benjamin Wright on August 27, 2008 at 06:53 PM GMT+00:00 #
Benjamin, that's a very fair point to raise.
A couple of years ago, while the Californian law on Breach Notification was still quite new, a number of people looked at whether notifications ought to be more 'nuanced' - in other words, perhaps who gets notified ought to depend on some scale of seriousness of the breach.
As it happens, that can have perverse consequences. For instance, what do you do if a "slight" breach has to be reported to the regulator but not to the data subject... and the data subject is able to find out (say, through an FOI request) that there has been a breach. Their perceptions may need quite careful management if they are not to end up feeling aggrieved at both the data controller (for allowing the breach) and the regulator (for not warning that it had happened).
However, conversations with US colleagues suggest that "breach notice fatigue" is also a real risk. After the shock of the first couple of notices wears off, few data subjects seem inclined to do anything on receipt of one, so it's hard to tell if they have the hoped-for long-term effect on best practice in data custody.
Posted by Robin Wilton on September 10, 2008 at 02:05 PM GMT+00:00 #