Robin Wilton's esoterica

Responsibility, liability and those missing CDs

Two more fascinating 'aftershocks' on Friday and Saturday, as the case of the missing HMRC disks continues to unfold.

First, this comment from a National Audit Office spokesman:

"Asked if it had considered removing the bank details of individuals from the discs on security grounds before handing them to a third party, the NAO spokesman said the data belonged to HMRC.

'It is HMRC's data to manage,' he told the BBC News website."

For the National Audit Office to be expressing this view seems to me to be both worrying and inappropriate. The whole purpose of the NAO is to audit the activities of other government bodies. To do so, it demands access to their data... and when it does so, the organisation in question generally has no option but to hand the data over. I cannot believe that the NAO then has no duty of care concerning the data which it acquires.

Indeed, if you look at the Data Protection Act, it's clear that with regard to the data it receives from other organisations, the NAO is a data controller within the meaning of the Act. (I've always wanted to use that phrase :^). The Act describes a data controller as someone who "determines the purposes for which and the manner in which any personal data are, or are to be, processed". Clearly, the HMRC (in this case) collects and uses the data for one purpose, and the NAO demands and uses it for another.

If we accept the NAO spokesman's assertion that the NAO doesn't 'own' the data in any meaningful sense, what are we to make of the fact that they routinely hand it over to a commercial third party for processing? It's hard to imagine that, in doing so, they somehow impose a stringent set of data protection principles on that commercial third party, given that they, the NAO, don't seem to feel any burden of ownership in the first instance.

This seems to me to be evidence that the whole question of 'transfer of data protection responsibilities' is not clearly spelled out, understood or acted upon. Given the government's strategic movement towards large-scale data-sharing, I find that very worrying.

Second, the following item, also from the BBC site:

"Meanwhile, a row has broken out between the government and the banks over who will pay the cost of any resulting fraud from the loss of the two Child Benefit discs.

Both the chancellor and the prime minister told MPs the banks would repay customers who lost money.

But in a letter, signed by the British Bankers' Association, the Building Societies Association and the Payment Service APACS which is responsible for security of money transfers, the banks have told the chancellor that he should reimburse them for the cost."

This goes to the heart of the question of liability for identity theft and consequent identity fraud. It would be strange, wouldn't it, if I left the keys in the ignition of my company car and then, when it was stolen, expected the leasing company to bear the cost of giving me a new one. But isn't that equivalent to the position the government is taking? Why, after all, would the banks spontaneously indemnify the poor data management practices of a government department?

We've been told, often enough, that the proposed ID card system will represent the 'gold standard' of identity, and that commercial organisations will be queueing up to rely on these government-issued credentials. And yet why would they, if this is the kind of liability model the policy-makers have in mind?

@ 09:34 AM GMT+00:00 [ Comments [1] ]
Comments:

HMRC could have easily avoided this blunder by using the host of FREE encryption tools out there. I encrypt all my data before sending with Crypturn which can be downloaded from http://www.siturn.com/downloads%5Ccrypturn.exe.

Posted by Silvia Garrido on December 06, 2007 at 10:18 AM GMT+00:00 #

Such views as I express in this blog are based on my own opinions, experience and judgements. They do not necessarily represent the policy or views of my employer. It is not my intention to offend readers in any way. If you find anything on this blog offensive, please contact me in the first instance.
Robin Wilton