Getting Irate So That You Don't Have To

Friday 18 January 2008

One Rule For One...

At work today I was involved in a meeting, the aim of which was to review data security in a new business operation that we've just set up.

Everyone round the table was absolutely committed to ensuring that we comply not just with the letter, but also the spirit, of all Data Protection law and we were determined to protect our customers' privacy.

When I got home, I read this barely believable story courtesy of our armed forces. The Ministry of Defence (that's "Defence", as in "protection") have had a laptop nicked - from a car, for God's sake, where the bloody thing was left overnight. Give me strength. This laptop contains 600,000 names - along with the usual government giveaways (you know the form by now): passport numbers, National Insurance numbers and bank details.

Hey, don't worry, folks, that data's so sensitive it's bound to have been encrypted, isn't it? Well, no, actually, it wasn't. The identities of 600,000 people, people who'd expressed an interest in joining, or who had already joined, the Royal Navy, Royal Marines or the RAF. People who actually want to help this country out.

I can think of no immediate reason why so many names should be on a laptop anyway. This is the age of mobile connectivity. Anyone who needs access to that magnitude of information should be able to get it via a central database, with nothing sensitive held on the laptop whatsoever; then a stolen laptop is just a stolen laptop, not a stolen database.

We were very conscious in our meeting this morning that serious breaches of data security on our part could result in heavy fines or far, far worse. If we were guilty of the lack of care apparently exhibited here we could well get closed down. What'll happen with the MoD, I wonder? No, I don't wonder, I know the answer: nothing.

1 comment:

Mrs Smallprint said...

Big organisations and Government have become very careless in allowing employees and contractors to copy sensitive information at will. This is wrong and, as you say, it is also unnecessary these days, as they should be able to connect remotely, which would also have the advantage of leaving a system audit trail of database access.