Tuesday 2 December 2008

A Hammer To Crack a Nut

A Hammer To Crack a Nut
Brian Collins, chief scientific advisor at the Department for Transport and the Department for Business, spoke at a conference recently about last year's Datagate scandal when HMRC lost the personal details of 25 million people.

He said that the loss should have been prevented, and that the system should have flagged up a warning not to transfer such large amounts of personal data onto unencrypted discs.

"The system design should never have allowed the [data loss].

They should be designed to stop people going off the edges of what is acceptable. Why are we not doing this?

Because it costs
."

Maybe so, most certainly about cost cutting leading problems wrt security and service levels. However, he ignores the fundamental issue wrt Datagate namely that the data was sent by courier on an unencrypted disc.

No expensive system add on was needed to "flag up" that using couriers and unencrypted discs to transfer sensitive data was just daft. Decent procedures and training should have covered that point.

Tax does have to be taxing.

HMRC Is Shite (www.hmrcisshite.com), also available via the domain www.hmrconline.com, is brought to you by www.kenfrost.com "The Living Brand"

3 comments:

  1. But come on, this is HMRC! We're run totally on the cheap here....

    ReplyDelete
  2. Just for a change, I don't quite agree with you here, Ken. Yes, the procedures and training were lacking in many respects. However, no amount of procedures and training are the whole answer in an organisation of tens of thousands of people. The human element means that people will always cut corners to make life easier. Sorry, but they just will. To preempt that sort of behaviour, you have to design the systems and working environment to ensure that people do not have access to, or the ability to lose, data that they shouldn't.

    Of course we'd all like to think that organisations can trust their employees to be honest and competent and, for the most part, they are, but you wouldn't expect a bank's computer system to give its employees access to all of its data and to be able to distribute them, would you? If they did so, no matter how much vetting and training they did, nor what procedures they put in place, somebody would find a way to subvert the system, either for monetary gain, by sheer accident, or simply to make their working lives easier!

    Now I'm not saying that HMRC have got it 100% right. We've all seen that they certainly didn't at the time when Datagate happened, but to suggest that money shouldn't be spent ensuring that systems are designed to minimise the risk of data loss is absolutely ridiculous.

    ReplyDelete
  3. I am not saying that money shouldn't be spent on the systems, but am saying that I suspect that if decent basic training and procedures had been in place the error may well not have occurred.

    I may of course be wrong:)

    ReplyDelete