DOING BUSINESS BETTER. TOGETHER

Data encryption issues brought into focus by HMRC fiasco

18 Dec 2007 12:00 AM | Anonymous

The issue of data encryption has been brought into sharp focus recently with the HMRC data loss fiasco. Since that catastrophic incident, in which the records of 25 million Britons were lost in the post, the Information Commissioner, Richard Thomas, has come forward to warn that several other public bodies have now stepped forward and admitted that they too have lost personal data. It has also become apparent that this is not the first HMRC data loss – there have been seven breaches of data security since 2005. With critical and confidential data of UK citizens floating about everywhere from post boxes to rubbish dumps, the encryption of data is taking on a more and more central role. Data encryption will not prevent these physical losses, but will, of course, mean that this data is not accessible.

A key problem within the public sector is that of awareness – the government admitted that civil servants ignored, or possibly didn’t know, their own security policies and procedures in copying database information to disk and sending it unencrypted in the post. A recent survey showed that almost 90% of public sector IT managers said staff would open unknown e-mails and 75% connect private USB devices to their work PCs. This is a far worse problem than in the private sector. Getting public sector IT managers to understand the issues associated with data encryption is the first step towards solving the problem.

One of the most important questions that needs to be asked is whether public sector organisations are obliged to use data encryption technology. The answer is no – there is no explicit obligation under the Data Protection Act (DPA) to use encryption, although the DPA does state that ‘appropriate technical and organisational measures’ should be taken to ensure data is kept completely secure, which could be taken as referring to encryption. However, it is widely recognised that data encryption helps to secure electronic data and safeguard privacy and therefore it is surprising that not been more widely adopted in the public sector.

A recent survey of UK businesses carried out by the Department of Trade and Industry reported that, of businesses surveyed, 30% of those who use online transactions do not encyrpt them. The Information Commissioner’s Office expects that an organisation’s security policy and practices should reflect the technology that is available. Therefore, as encryption technology become more widely available more organisations should start adopting it.

But how can the public sector better safeguard itself from another HMRC disaster? The simple solution would be not to copy huge reams of information to a disk at all, but to transfer them directly to the receiver in an encrypted form over either internal or external networks. The sender would have to use software that encrypts the data using strong algorithms encrypting sensitive data at source and tightly controlling and monitoring the way people access the database. A common problem that arises when data encryption is on the agenda is that of who has access to the data. The whole point of encrypting the data is to make sure that data thieves and those who have not got permission to access the data are not allowed to use it. Therefore authorised personnel need to be given passwords of a suitable complexity that they can be remembered but not cracked.

This is magnified when the complexities of a shared service centre come into play. Shared services are about the consolidation of a set of services common to multiple business units, such as HR or finance and accountancy. The shared services approach is increasingly being used in the public sector to maximise efficiency. When data is coming in from a number of different sources to a single data processor (the supplier) the encryption technology must meet these added requirements. The contract drawn up with the supplier for multiple end users must accomodate the added complexity of encrypting data from a number of different sources and the complications arising from the different levels of encryption needed within a single centre.

Another occasion in which data encryption is vital is within an outsourcing arrangement. When outsourcing, the public sector body must choose a supplier that can provide sufficient guarantees with respect to the technical and organisational security measures governing the processing of data. The public sector must also take reasonable steps to ensure compliance with those security measures, including undertaking regular audits and reviews.

As HMRC discovered to their cost, data encryption is a vital part of any security system. Using data encryption is a necessity for public sector organisations, but they need to include this within a rounded, holistic security policy including both data and physical security.

Powered by Wild Apricot Membership Software