leadingcounsel.co.uk

Who will guard the guardians?

The constant tidal wave of revelations about government failure to protect sensitive data reads like an improbable Monty Python storyline. The problem with government control of sensitive data, if control it can be called, is that all the evidence demonstrates that there is a serious question mark about trusting them with it.

The latest fiasco arose when a memory stick was found in a pub car park. It transpired that this was not just any flashcard, but one containing confidential passcodes to the online Government Gateway system. The Gateway is the system through which online government services, such as tax returns and VAT, are carried out. Although there have been assurances from the Department for Work and Pensions that the security system has not been breached, that does not mean that a breach could not have been possible. (Nor does it necessarily mean that no breach has occurred: it is not exactly unusual for skilled hackers to cover their tracks.) Sensibly, the system was shut down. The message given was: "The Government Gateway is temporarily offline. We apologise for any inconvenience. Normal service will be resumed as soon as possible." Whilst no doubt normal service will be resumed and a thorough investigation will take place, a potentially damaging loss occurred.

If you want to use the system, you have to register. A variety of personal data can be required as part of the registration process. This might include names, addresses, credit card details, details about wages, and National Insurance numbers. All of this is exactly the sort of information which would be of enormous use to fraudsters. Assurances that encryption would prevent access are not necessarily correct. It all depends upon the level of detail already lost, as well as the skill of those attacking it. You would not want to rely upon an assumption that a determined hacker could not use the information in order to obtain enormous potential benefits.

The stick was lost from the company which manages the Government Gateway. Inevitably private companies will be involved in managing government data, although this in itself does not make the data any less secure. Recently the Information Commissioner announced that there had been 277 data breaches (loss of a laptop or a memory stick is a breach) since the furore about the loss of details of some 25 million child benefit records within the past year. That is not exactly a proud record. Shami Chakrabarti, director of Liberty and one of the best-known human-rights lawyers in the country, has stated that Liberty's own audit demonstrates that the Government have lost 30 million pieces of data in the past year, which she described as "one data bungle for every two people in the country".

It also apparently took over a week from the memory stick being found before the Department for Work and Pensions were informed. Moreover, it appears that the memory stick was lost by a 29-year-old analyst. The company employing him have stressed how seriously they take the loss, and how removal of the stick from company premises was a direct breach of the company operating procedure. However, as analysis of many factory accidents would show, employees frequently fail to follow operating procedures. There will usually be an entirely innocent explanation. Often it is a conscientious employee wanting to make sure that they finish the job and comply with deadlines. People end up taking short cuts. We do not know what happened in this instance, but the idea of an employee wanting to finish something off at home and deciding to break the rules is hardly unusual. It will be done assuming that no harm can come of it. Then of course sooner or later someone loses the information.

I have registered on the Government Gateway. That was a matter of personal choice. If necessary, details can be changed and credit cards can be cancelled. However, the identity card system, if introduced, is mandatory, and biometric data cannot be changed. The history of the last 12 months shows that if ID cards are introduced then, as night follows day, sooner or later there will be a serious loss of information. Those who lose out through this will have had no choice about the provision of their data, and with the biometric data it will be impossible for them ever to change it. They could be permanently blighted. If ID cards are introduced on a compulsory basis including such information, despite all the assurances that the data will be secure, human error means that it is inevitable that sooner or later data will be lost. All the evidence demonstrates that it is impossible to entrust such information to the government. That sadly is unlikely to be any different whichever government is in power.

Michael J. Booth QC