Revenue-gate

As lots of people are saying, it’s bad. I’m not going to pretend otherwise. It gives rise to three issues.

Firstly and in practical terms, I should think that every governmental organisation is currently sending a very pointed letter to every employee about its data protection policy. That might not be a bad thing. I hope they are also reviewing their technical provisions.

It also shows, IMHO, a certain meanness of spirit in some quarters. Matt Wardman says

Get this bit - Ministers have (according to Radio 5) known about this for 10 days, and have apparently said nothing. Perhaps they were - in the normal fashion - hoping that it would not come out.

Someone will have roast nuts for dinner this evening.

If he’d listened to Darling’s speech, he’d have known that the delay was to give the banks time to put security measures in place. Indeed, Mr Eugenides says as much. The risk here is not only from the records that have been lost, but that anyone who has illegally-obtained data will have a pop at using it in the confusion. By giving the banks a chance to prepare (I surmise), the hope is to minimise the damage.

Iain Dale (in a post, worryingly, about a different problem with data protection at HMRC) refers to ‘misuse’. He is technically correct¹ - data has not been used properly. This is, though, incompetence and lack of foresight rather than malice.

As Vince Cable is asking questions about the halting positions of male deer, my second point is about resignations. Ministers are responsible for things that are not practicably under their control. They do bear ultimate responsibility for their departments, but HMRC is a non-ministerial department. Ministers are and should be accountable, but I don’t think there is understanding of exactly what the relationship, whereby policy but not implementation (I think) is set by ministers, is. Equally, I don’t think that calling for heads to roll is a good idea. Certainly, it satisfies the media but, as the Saxons found out, once you have paid the Danegeld, you can’t rid yourself of the Dane. I may return to this in the future, but there should be a generally accepted set of conditions under which ministers resign. I don’t think this is a ministerial resignation issue (and, for the record, the same will be true if something similar happens in the future under a government of a different colour). Mr Eugenides snorts at the suggestion that ‘[h]is [Paul Gray's] decision to take on this accountability is an example of British public service at its best;’ I disagree. The person responsible for the gap in computer security that allowed this to happen fell on his sword.

Thirdly, ID cards are now holed below the waterline. As I understand it, access to a national database for ID cards would have had tougher controls, not least because of the degree of public scrutiny. In the public imagination, and not without reason, the perceived security of information held in governmental (and possibly other) databases is going to be, I think, pretty low. The irony of this is that a central information repository might actually be a good idea. With one, publicly known security policy, unified scrutiny & technical support and, crucially, a single access policy, screw-ups like this might be avoided. For one, you wouldn’t have to put CDs in the post.

I feel sorry for the poor junior who sent those CDs in the post. Like everyone, I’ve known that sinking feeling in the pit of your stomach when you have to ‘fess up to a screw up. That is a hell of a thing to which to have to admit.

As I said at the beginning, this is bad. With a bit of luck and a following wind, this may not be disastrous, but it is possible that the consequences will be profound and long-lasting; an awful lot of data may end up in the wrong hands. I think that some of the responses to date have been a little… shrill. I’m not looking forward to tomorrow’s PMQs.

xD.

1 - yes, technically correct, the best sort of correct.

 

7 Responses to “Revenue-gate”

  1. Matt W Says:

    Dave

    Lots of good points. And thanks for the link. I’d comment:

    1 - In my defence, I wrote my piece at lunchtime, based on various news reports, so well before the speech. I’ll revisit the question this AM.

    2 - I agree with you that a large part of the problem for Mr Darling is that he is in the wrong place at the wrong time. However, there are a number of real issues for him about how he managed this crisis, which are serious - such as taking a week (OK 6 days) to even tell the banks that the data was missing.

    We all know that the time from getting someone’s bank data to using it can be much shorter than that. That is a political question.

    3 - I think that - although there are political questions involved for this Govt (largely to do with a gung-ho approach to the risks of large databases and not listening to repeated warnings) - the fundamental problems are deeper than political, and apply to the Conservatives as much as Labour. The questions that need to be addressed are perhaps bigger than any one politician or administration.

    4 - The actual practical problem we have seen here is fallout from requirements by politicians (both parties) to change large organisations more quickly than is possible safely. I’d identify repeated NHS, education or Local Gov reform over several decades as exactly parallel problems.

    5 - Although there will undoubtedly be letters to employees here, the loss of the disk is the symptom of a cultural problem (not even a procedural problem) due to too rapid change preventing a safety culture developing.

    6 - I’d suggest that any large scale change in an organisation with (say) 50,000 employees is a 3-5 (preferably 6-8) year programme. I think in that point I’m probably agreeing with you.

    Contrast that with the speed with which the Home Office and the Inland Revenue have been merged.

    >That is a hell of a thing to which to have to admit.
    Agreed.

    My thoughts,

    Matt

  2. Revenue-Gate, or Revenue Cultural Problem? | The Wardman Wire Says:

    [...] Cole made some excellent comments on the affair (I haven’t yet decided whether to call it a -gate, an imbroglio, a disaster or [...]

  3. Scott Says:

    This is an excellent post which puts many issues in perspective. My own initial reaction was horror and last night was spent frantically going through on-line bank details, making appropriate changes.

    There is one matter I would have a minor quibble with, though. I completely take the point regarding notifying banks and a delay in the announcement subsequent to notifying banks is understandable and deserves some credit. However, the other delays are less excusable. The data goes missing in mid-October. The bosses of HMRC are not told until 8th November - more than 2 weeks after the HMRC staff become aware that the material is missing (which is a week after posting by courier). It then takes 2 days to inform the Chancellor (and he is notified on a Saturday). The police are only brought in on the 14th, 4 days after Darling is notified. The banks are not notified until last Friday (according to the spokeswoman for APACs) - almost a week after the Chancellor becomes aware of the matter, more than a week after the bosses at HMRC, 4 weeks after the information goes missing, 3 weeks after HMRC staff become aware that it has gone missing. It is this delay that is problematic from my perspective - and where some accountability is required. Why were the banks not told sooner?

  4. Winchester whisperer Says:

    The Government lurches from disaster to disaster. Did you notice how unwell GB is looking? I wonder if TB is laughing or just saying to CB “I told you it would be a disaster!”?

  5. dave Says:

    There was too much of a delay, I grant you, Scott, in the banks being told. I suspect that at each level of the chain, people swore and then called wherever the CDs were sent to ask if they were absolutely sure they weren’t in the back of a drawer somewhere.

    I think that answers one of Matt’s points, although the chain of events will become clearer in the coming days.

    I think there has been a feeling in education and healthcare (I don’t know enough people in other public service professions to comment on other areas) of permanent revolution of late.

    I wonder if data protection is seen in the same light as health and safety… a bit of a pain in the proverbial.

  6. Scott Says:

    Thanks for your reply

    I have worked in the public and private sectors and currently work in education. I can imagine the process you describe, each with a harried - “have you tried looking in the place you were when you lost it”.

    Your final point is accurate. In each sector I’ve worked in, data protection is perceived as a bind (and like health and safety viewed as a convenient excuse by people that don’t want to do something that would be very useful).

  7. dave Says:

    Thanks for your comments :)

    I’m glad to know that I’m on the right lines… it is a gut feeling with a bit of experience thrown in, but intellectually I think I’m right.

    It’s unfortunate that people see procedures that are there to protect them as something to be endured. I really don’t know what the solution is unless HR departments start explaining why DPA, COSHH and H&S are not only necessary but good.
