Any public sector data breach tends to go straight to the headlines at the moment, so the news that 3 million driving theory test applicants have had their personal details compromised has been widely reported today.
The primary failure again appears to have been one of governance (the physical loss of a disk drive from an out-sourcing company in the States) rather than technology, though the implication is that the data on the drive was not encrypted or otherwise protected, so losing the medium meant losing the data.
The Data Protection Act 1998 prohibits the transfer of personal data outside the European Economic Area unless adequate safeguards have been put in place to ensure that the level of protection does not drop as a result. The safeguard might be, for example, a 'binding corporate rule', a 'safe harbour' provision, or an implementation of the model contract drafted by the European Commission. But there has to be one, and the recipient of the data must know which safeguard applies and what it requires of them.
It's alarming, therefore, to hear in today's radio news reports that the discovery of the breach was not immediately reported to the Driving Standards Agency because staff at the sub-contractor "didn't think any law had been broken". On that showing, neither the sub-contractor nor the Agency seems to have discharged its duty of care to the data subjects.



Staggering. Who is this Pearson anyway? Is it the FT partner that merged with Vangent? Robin - I have a horrid feeling that this is going to get worse. I think the problem is endemic, and it's only recently that anyone started to ask any questions at all. It looks as if most of the data we've had to give to government is now for many practical purposes public domain.
Posted by William on December 17, 2007 at 10:20 PM GMT+00:00 #