OUT-LAW published a summary
of all four reports yesterday. Here, Dr Chris Pounder,
a data protection specialist with Pinsent Masons, the law firm
behind OUT-LAW.COM and editor of Data Protection Quarterly,
provides a briefing on The Poynter Report. We have also published a
briefing on Sir Gus O'Donnell's report
today.
Kieran Poynter, Chairman of PricewaterhouseCoopers, looked into
the facts surrounding HM Revenue & Customs' loss of child
benefits data on 25 million individuals. His Poynter
Report (109-page / 1MB PDF) also focussed on the
institutional management structures that would significantly
improve HMRC’s data handling performance in future.
Yesterday's reports, from Poynter, the Independent Police
Complaints Commission, Cabinet Secretary Gus O'Donnell and
Information Assurance Advisory Council Chairman Sir Edmund Burton,
will be followed by a fifth report, on data sharing and data
protection. That report, by Information Commissioner Richard Thomas
and Wellcome Trust director Dr Mark Walport, will look at the
mechanics of data sharing and when and how data sharing can occur
in accordance with the Data Protection Act.
These reports all have the objective of reassuring the public so
they can have confidence that their personal details are safe and
that data sharing can occur. All these reports thus feed into the
Government strategy for modernising the public sector as
modernisation depends, in part, on the utilisation of
computers.
The Poynter Report is in two parts. The first part explores why
the HMRC lost the two discs, whilst the second part explores the
remedial actions that need to be carried out at HMRC in order to
restore public confidence.
Unsurprisingly, the recommendations in the second part chime
with the general forward-looking recommendations of Gus O'Donnell's
Data Handling Review which is to apply to the public sector as a
whole.
In part one, Poynter identifies that the HMRC security policies
lacked sufficient detail and strength to guide staff, and that the
policies surrounding removable media and encryption were
inadequate. Poynter concluded that better implementation and
enforcement of policy was required, and that policy could be made
more accessible and better communicated.
Poynter reported that there was a general "lack of awareness
amongst staff of the existence of security policies" and that
"large amounts of data have transferred both within HMRC and to
external government bodies with insufficient regard to risk and
security". In addition there was a lack of training and an absence
of accountability for the ownership and guardianship of data.
In part two, Poynter proposes that HMRC's management correct the
failings identified in part one, and much of the report is taken up
with 45 recommendations and management actions that the HMRC has
accepted. Anyone familiar with the security standard ISO27001 will
not be surprised by any of them.
Poynter suggests that there are 10 security principles, many
of which may have general application, and it is these 10
principles that might be of enduring interest to security
practitioners and management consultants.
The principles are:
- Data about an entity (be it an individual or a business)
belongs to that entity. It can be entrusted to other parties but
always remains the property of the entity to which it refers;
- It follows that it is the responsibility of the entity to
maintain its own data;
- Data becomes information when it has value. This typically
happens through context and through aggregation. The ambition
should be never to lose or allow undesired access to information.
Key to this is segregation – i.e. separating out data when it is
stored and designing jobs and the systems that support them to
require a minimum of information;
- HMRC should hold the minimum data required to perform its
functions, and should retain it for no longer than required. It
should not, for instance, hold data that it can get elsewhere, but it
should routinely make use of other sources of data that improve
its ability to tailor its services to its customers;
- HMRC should hold data about entities once – it should move to a
single customer record for individuals and a single customer record
for businesses;
- Effective information security requires both service provider
and customer to play their part. HMRC should have the powers to be
able to specify secure methods of exchanging data with its
customers, starting with businesses and over time including
individuals;
- HMRC should have regard to external sources of guidance on
information security such as the Data Protection legislation and
the guidance given to the financial services sector by the
FSA;
- Transfers of digital data involving physical media should be
phased out completely;
- Paper-based communications should be rationalised as to content
and frequency with a long term plan of substantially eliminating
them; and
- Computers (and in the short term, any removable media) should
be encrypted so that if they are lost or stolen any data or
information on them cannot be accessed.
The Information Commissioner has said that he "will be taking
formal enforcement action against HMRC and MOD following the
serious data breaches that have occurred".
In a statement he said: "The reports that have been published
today show deplorable failures at both HMRC and MOD."
"We will require progress reports to be published after 12, 24
and 36 months documenting in detail how the recommendations have
been, or are being, implemented to improve Data Protection
compliance," he said. "Failure to comply with an Enforcement Notice
is a criminal offence."
Training for you: Pinsent Masons is
running a course on Law,
Security and Data Handling (2-page / 146KB PDF),
which looks at minimising the regulatory risks through good
governance.
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.