Monday, December 17, 2007

Data Security Lapse

According to the latest press releases, it appears that 3 million L-driver details for the driving theory test have gone missing:
"The details of three million candidates for the driving theory test have gone missing, Ruth Kelly has told MPs.

Names, addresses and phone numbers - but not financial data - were among details on a computer hard drive which went missing in the US in May.

It belonged to a contractor working for the Driving Standards Agency, the transport secretary told MPs.

It is the latest in a series of data losses since discs with 25m people's details on were lost by HM Revenue.

Ms Kelly said the details of learner drivers had been formatted specifically for the contractor, Pearson Driving Assessments Ltd, and were not readily accessible or usable by third parties.

Risks 'not substantial'

She said the details were not sent in the post - but the hard drive had not been found where it had been expected to be, in the "security facility" in Iowa.

She said the Information Commissioner had judged the risks presented by the loss were not "substantial" as the details did not include bank account details, National Insurance numbers, driving licence numbers or dates of birth.

But she apologised for any "uncertainty or concern" caused to anyone whose details might have been included - who took a driving theory test between September 2004 and April 2007...

However her Tory shadow Theresa Villiers said the government was failing in its duty to obey its own laws on data security and said it was further evidence of a "systemic failure" by the government in handling people's private data."

Source: BBC Millions of L-Driver Details Lost

The scale of the data lost is hard to grasp - and again, the Data Protection Act 1998 is clear. The seventh data protection principle states that:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

This is further elaborated in Part II of Schedule 1 to the Data Protection Act 1998 (paragraphs 9 to 12), which interpret the seventh principle:

9 Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.

10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.

12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

Rights of those affected - the Data Protection Act 1998 (DPA) also gives data subjects affected by a breach of its principles specific rights, notably:

s 10 of the DPA 1998 - the right to prevent processing likely to cause damage or distress; AND

s 13 of the DPA 1998 - compensation for failure to comply with certain requirements of the Act.

For more information on this, visit the UK ICO's website. More powers for the ICO, including a new criminal offence for knowingly or recklessly flouting the data protection principles, have been called for, so it remains to be seen whether we will see a strengthening of the Data Protection Act 1998.
