Opinion

Public data loss

Dr Barry Barber, one of the world's leading patient confidentiality experts (now retired) comments on the recent series of disclosures by government organisations of losses of data.

January 2008

There appears to be a lot of "data loss" about — the Independent on Sunday has talked about the MOD admitting "more than 400 laptops stolen over the past five years, including 68 stolen in 2007 alone" [page 19 IOS 20 January 2008] not just the one that was recently in the news — or the three that were admitted on the news on 21 Jan!

There is no doubt that this government has failed to match its avidity for collecting and sharing our personal data with adequate security and protection measures as required by the Data Protection Act 1998 — which itself was about as weak as the government could get away with and still comply with the EU Data Protection Directive [European Union Directive 95/46/EC, “On the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data”, OJEC L281/31-50, 24 October 1995].

Recent legislation that facilitates "data sharing" and "anti-terrorism" has very much weakened the concept that "Data given for one purpose should not be used for any other purpose without consent" and this has made matters much, much worse without any comparable development to ensure a corresponding and appropriate security culture for handling these sensitive data mountains.

The government is busy building up databases for children, DNA profiles, video recordings and ID cards — to name but a few of the most sensitive and notorious. In addition there is the development of the NHS electronic patient record to which it is expected that 250,000 people will have access. The question is what steps has the NHS taken to ensure that it is fit for handling these data confidentially and securely.

The mobile methods of working that are now so common require extra security measures rather than less and the Information Commissioner requires more staff and more powers to carry out audits of the data protection and security policies adopted by all organisations — but especially government departments and large multinational businesses.

This is especially important when our personal data is being processed under contract outside the EU beyond the control of EU legislation. In theory a proper risk analysis, possibly using CRAMM (CCTA Risk Analysis and Management Method), is required for all personal data to determine the necessary security counter-measures. Where the processing happens outside the UK or EU these security counter-measures must be built into the processing contract.

From the succession of security breaches, it is difficult to believe that, in its race to obtain more and more of our personal data, the government has carried out the necessary risk analyses and established and enforced appropriate security measures. In the NHS it appears that building a security culture has been neglected in the rush to implement "top-down" IT projects in a world of arbitrary and ill thought-out DH targets and performance measures.

The comforting adage that is trotted out after each security breach is that "if you have nothing to hide you have nothing to fear" and it is, of course, quite false:

1. If the recorded personal data is wrong and it is acted upon you may be subject to all manner of legal penalties while trying to prove your innocence (as happened a few years ago to a British pensioner who went on holiday in South Africa and was imprisoned for about three weeks because he happened to have the same name as someone on the American "Most Wanted" list).

Increasingly we rely on data systems to hold our data and the old paper systems do not work as fast, are not maintained as fully as previously and are not so easy to invoke. One is forced into the position of having to prove innocence whereas in court it is up to the prosecution to prove guilt! The government's demand to imprison "suspected terrorists" for 42 days without charge is a clear reason why one would not wish to be suspected as a result of wrong information!

2. Data may also be correct but not understood in its proper context, and therefore it may lead to misleading conclusions on the part of government officials or multinational organisations, especially when outside one's own country.

This can easily happen when the model behind the computer system that captures data does not properly reflect the real situation. Think how often one is faced with trying to make something happen on the internet and one cannot get the system to understand.

I had a relatively trivial instance of that where I was trying to arrange a courier to deliver a package to my home. The postman and the postcode knows where my flat is in the very long road, but couriers from out of the area need to be told that the block of flats is between 32 & 34 — so we use 32A to do so. However, the computer ordering system would not accept 32A and all I could do was to enter 32. For the moment number 32 is empty and items posted in their box are lost, possibly for ever.

3. Finally, the data may be correct and the individual wishes it to remain confidential for quite valid personal reasons. It may cause minor or major embarrassment if revealed and in the absence of any legal requirement to defend oneself against some criminal charge, there is no reason why the information should not remain confidential.

Personal Health Records tend to come in this category and are given higher protection in the EU Directive and under the 1998 Act. The casual and irresponsible disclosure of personal health data as a result of inadequate security or access control to the data is one reason why many people may not wish to participate in the electronic patient record system.

There are a number of reasons for legitimate access, but the key to this is the established relationship between a doctor and a patient. Normally a court order is required to get access to these records in any other circumstances, and this is only given for good and significant reasons.

The security breach at the Stockport PCT is another instance of the failure of the government to ensure the confidentiality and security of the data that they collect.

Regarding the PCT's press release on 18 January, there is no telling what additional information may help someone fraudulently with the process of identity theft, however much it is convenient for the Chief Executive to claim otherwise.

The issue is what sort of data protection and security policy was in place, what training was given to staff and others and what auditing was being done to ensure that the policy was implemented.

In all areas of life mistakes happen but the issue is what steps had been taken to see that they do not happen. I notice that the Chief Executive said that the data loss had been reported centrally. Was the Information Commissioner's Office consulted or was the report simply to the strategic health authority or the Department of Health?
