Here we go again: someone at Barnet Council decided to store unencrypted data about school children on CDs and USB sticks, which were then stolen in a burglary and are now at large. Just another example of the incompetence that exists at every level in our public services related to the protection of data.
Firstly, the council say that the person in question has been suspended, but why aren't they jailed? Why do we still not take data protection seriously? More importantly, the council says they have now blocked external drives to prevent this - why wasn't this already the case? Why, when there could be a simple 2-sided document on data protection sent to all public services in the country, was this a reactionary measure rather than a proactive one? Why do companies still assume that people can be trusted to do something properly? People are not perfect: they do not always understand what they are doing, and they sometimes act maliciously or to make their life easier, so quite simply you must prevent people, as far as possible, from being able to circumvent protection tools.
Interestingly, the data in its normal form was encrypted so the council presumably partly understood what they were doing but didn't go far enough.
"An independent review is underway". What's the point? We have enough of these already. Let me give you some free, very obvious advice and pass this on to the IT Services division of the Cabinet Office:
"Put together a small team of experts in IT security and decide what all public services must adhere to in terms of data security. Imagine all scenarios, lay them out, send the document to all public departments and make them follow it on pain of prosecution." Why is that so hard?