A private sector company doing the same job as this HMRC office would not have had all this information in a live database in the first place. My company for example regularly advises our clients to only load the information that’s actually necessary for each task.

Also do other people find it ironic that the idiots who exposed their fellow citizens to the crooks and spammers are having their own privacy protected?

The problem with this situation (here at least) is that while the security standards exist, and the advice is provided, it is to a large extent ignored as soon as it interferes too much with regular agency business. Why is this the case? Because there is no visible penalty for not following the advice and applying the minimum standards. Compliance with the standards is also not audited (unless you count audits covering 2% of agencies conducted every 5 years). Its incredibly difficult to be in a position where you have to argue for compliance with IT Security standards to agency executives based solely on their being Government minimum standards. When the executive asks “what happens if we dont comply” all you can answer is “well, probably nothing, unless a breach occurs and someone finds out about it”. To get any results you need to justify any security based on risk management principles, and just hope management doesn’t consider IT Security to e a load of rubbish.

So I dont think that changing the structure and organisation of CESG will make a difference. However, auditing and enforcing the standards already in place might.

Am off to GP in a minute, and will be asking them not to put my information on their database…(this all over again…have already asked once, but noticed that they were still putting stuff in last time I went.)

In my experience of working GP surgeries, it was hard enough respecting patient confidentiality with paper files and natural human curiousity. How on earth they plan to make this information widely available yet still confidential beats me.

And the loss of those discs; whatever happened to common sense and individual responsibility? Of course you send things like that by special delivery.

Replacing existing CESG civil servants (the majority of whom, contrary to your opinion, are extremely competent) with non-HMG employees from “outside industry” is going to do nothing to help the problem other than to increase the cost of designing and implementing the same broken solutions.

CESG’s role (albeit as self-styled “authority”) is an advisory one, and as such government departments are free to take it or not. In situations such as the HMRC debacle, it is less to do with CESG *advice* (”thou shalt encrypt data in transit… please”) and more to do with following Cabinet Office *policy* in the form of the Manual of Protective Security.

As you said on Newsnight, such aggregations of data should be treated as, well, something above UNCLASSIFIED at least, and handled accordingly. There is no CESG rule that I’m aware of that says you must encrypt CDs full of data when sending them between departments using official channels.

Password protected disks but not encrypted - hmm, let me think. The disk does not have processor -> it cannot check correctness of the password -> where can it be checked? -> during export/import -> check is only within the HMRC system && the disks are not encrypted -> the disks contain unencrypted data, readily readable by anyone, easily importable into any database you can install on your laptop/PC.

Labour MPs said that it is a mistake of an individual and we shall judge the government according to how they deal with the situation - It is not a mistake of an individual! No one should have any chance to lay their hands on the whole database. If it is possible, my question is - what is the price for which would this “junior official” copy the database for X (X being an advertisement company or supermarket chain or criminal organisation or …)

The data was requested by an audit office which says it wanted anonymised records - i.e. the disks contained much more information than “just” name, address, NIN, bank details. So what do people fill in the forms for child benefits and what information does HMRC collect about you regarding the benefits?

After the ID cards were attacked, Darling said that they would be much more secure, because they are protected by biometric information. This is bullocks. I do not expect politicians to understand technology (far from that) but he apparently did not expect this attack. If he did, even worse.

A claim that no fraud has been detected yet. Thank God but no one has yet explained the government the value of the data.

Newsnight with Ross does not need a comment.

The Labour minister looked very nice, very “mumsy” and very clueless. She had no idea about the scale of the problem, the seriousness of data prtoection. She was not willing to listen to expert advice despite it being very obvious that Ross’s knowledge was huge and hers was less than a grain of sand.

Keep on going. eventually the huge incompetence of government with data will be fully known.

Surely ID cards and the NHS IT scheme must now be shelved.