OUT-LAW published a summary of all four reports yesterday. Here, Dr Chris Pounder, a data protection specialist with Pinsent Masons, the law firm behind OUT-LAW.COM and editor of Data Protection Quarterly, provides a briefing on The Poynter Report. We have also published a briefing on Sir Gus O'Donnell's report today.
Kieran Poynter, Chairman of PricewaterhouseCoopers, looked into the facts surrounding HM Revenue & Customs' loss of child benefits data on 25 million individuals. His Poynter Report (109-page / 1MB PDF) also focussed on the institutional management structures that would significantly improve HMRC’s data handling performance in future.
Yesterday's reports, from Poynter, the Independent Police Complaints Commission, Cabinet Secretary Gus O'Donnell and Information Assurance Advisory Council Chairman Sir Edmund Burton, will be followed by a fifth report, on data sharing and data protection. That report, by Information Commissioner Richard Thomas and Wellcome Trust director Dr Mark Walport, will look at the mechanics of data sharing and when and how data sharing can occur in accordance with the Data Protection Act.
These reports all have the objective of reassuring the public so they can have confidence that their personal details are safe and that data sharing can occur. All these reports thus feed into the Government strategy for modernising the public sector as modernisation depends, in part, on the utilisation of computers.
The Poynter Report is in two parts. The first part explores why the HMRC lost the two discs, whilst the second part explores the remedial actions that need to be carried out at HMRC in order to restore public confidence.
Unsurprisingly, the recommendations in the second part chime with the general forward-looking recommendations of Gus O'Donnell's Data Handling Review which is to apply to the public sector as a whole.
In part one, Poynter identifies that the HMRC security policies lacked sufficient detail and strength to guide staff and that the policies surrounding removable media and encryption policies were inadequate. Poynter concluded that better implementation and enforcement of policy was required, and that policy could be made more accessible and be better communicated.
Poynter reported that there was a general "lack of awareness amongst staff of the existence of security policies" and that "large amounts of data have transferred both within HMRC and to external government bodies with insufficient regard to risk and security". In addition there was a lack of training and an absence of accountability for the ownership and guardianship of data.
In part two, Poynter proposes that HMRC's management correct the failings identified in part one, and much of the report is taken up with 45 recommendations and management actions that HMRC has accepted. Anyone familiar with the security standard ISO 27001 will not be surprised by any of them.
Poynter suggests that there are 10 security principles, many of which may have general application, and it is these 10 principles that might be of enduring interest to security practitioners and management consultants.
The principles are:
- Data about an entity (be it an individual or a business) belongs to that entity. It can be entrusted to other parties but always remains the property of the entity to which it refers;
- It follows that it is the responsibility of the entity to maintain its own data;
- Data becomes information when it has value. This typically happens through context and through aggregation. The ambition should be never to lose or allow undesired access to information. Key to this is segregation – i.e. separating out data when it is stored and designing jobs and the systems that support them to require a minimum of information;
- HMRC should hold the minimum data required to perform its functions, including limiting the period for which it retains data. It should not, for instance, hold data that it can get elsewhere, but it should routinely make use of other sources of data that improve its ability to tailor its services to its customers;
- HMRC should hold data about entities once – it should move to a single customer record for individuals and a single customer record for businesses;
- Effective information security requires both service provider and customer to play their part. HMRC should have the powers to be able to specify secure methods of exchanging data with its customers, starting with businesses and over time including individuals;
- HMRC should have regard to external sources of guidance on information security such as the Data Protection legislation and the guidance given to the financial services sector by the FSA;
- Transfers of digital data involving physical media should be phased out completely;
- Paper-based communications should be rationalised as to content and frequency with a long term plan of substantially eliminating them; and
- Computers (and in the short term, any removable media) should be encrypted so that if they are lost or stolen any data or information on them cannot be accessed.
The Information Commissioner has said that he "will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred".
In a statement he said: "The reports that have been published today show deplorable failures at both HMRC and MOD."
"We will require progress reports to be published after 12, 24 and 36 months documenting in detail how the recommendations have been, or are being, implemented to improve Data Protection compliance," he said. "Failure to comply with an Enforcement Notice is a criminal offence."
Training for you: Pinsent Masons is running a course on Law, Security and Data Handling (2-page / 146KB PDF), which looks at minimising the regulatory risks through good governance.
Footnote: Dr Chris Pounder was a consultant with Pinsent Masons until September 2008. He now runs a new training business, Amberhawk.