Out-Law News 4 min. read
26 Jun 2008, 1:03 pm
OUT-LAW published a summary of all four reports yesterday. Here, Dr Chris Pounder, a data protection specialist with Pinsent Masons, the law firm behind OUT-LAW.COM and editor of Data Protection Quarterly, provides a briefing on The Poynter Report. We have also published a briefing on Sir Gus O'Donnell's report today.
Kieran Poynter, Chairman of PricewaterhouseCoopers, looked into the facts surrounding HM Revenue & Customs' loss of child benefits data on 25 million individuals. His Poynter Report (109-page / 1MB PDF) also focussed on the institutional management structures that would significantly improve HMRC’s data handling performance in future.
Yesterday's reports, from Poynter, the Independent Police Complaints Commission, Cabinet Secretary Gus O'Donnell and Information Assurance Advisory Council Chairman Sir Edmund Burton, will be followed by a fifth report, on data sharing and data protection. That report, by Information Commissioner Richard Thomas and Wellcome Trust director Dr Mark Walport, will look at the mechanics of data sharing and when and how data sharing can occur in accordance with the Data Protection Act.
These reports all share the objective of reassuring the public that their personal details are safe and that data sharing can take place securely. They thus feed into the Government's strategy for modernising the public sector, since modernisation depends, in part, on the use of computers and shared data.
The Poynter Report is in two parts. The first part explores why the HMRC lost the two discs, whilst the second part explores the remedial actions that need to be carried out at HMRC in order to restore public confidence.
Unsurprisingly, the recommendations in the second part chime with the general forward-looking recommendations of Gus O'Donnell's Data Handling Review which is to apply to the public sector as a whole.
In part one, Poynter finds that HMRC's security policies lacked the detail and strength needed to guide staff, and that the policies on removable media and encryption were inadequate. Poynter concluded that better implementation and enforcement of policy was required, and that policy could be made more accessible and better communicated.
Poynter reported that there was a general "lack of awareness amongst staff of the existence of security policies" and that "large amounts of data have transferred both within HMRC and to external government bodies with insufficient regard to risk and security". In addition there was a lack of training and an absence of accountability for the ownership and guardianship of data.
In part two, Poynter proposes that HMRC's management correct the failings identified in part one, and much of the report is taken up with 45 recommendations and management actions that HMRC has accepted. Anyone familiar with the security standard ISO 27001 will not be surprised by any of them.
Poynter suggests ten security principles, many of which may have general application, and it is these ten principles that are likely to be of enduring interest to security practitioners and management consultants.
The principles are:
The Information Commissioner has said that he "will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred".
In a statement he said: "The reports that have been published today show deplorable failures at both HMRC and MOD."
"We will require progress reports to be published after 12, 24 and 36 months documenting in detail how the recommendations have been, or are being, implemented to improve Data Protection compliance," he said. "Failure to comply with an Enforcement Notice is a criminal offence."
Training for you: Pinsent Masons is running a course on Law, Security and Data Handling (2-page / 146KB PDF), which looks at minimising the regulatory risks through good governance.