On a very busy news day last week an important story was buried. Not deliberately, of course. Although this was no Jo Moore moment, it was nevertheless convenient.
An independent report by Deloitte into the ContactPoin
t database — designed to hold the details of every child in the UK, including their names and addresses — concluded that it would always be at risk of security breaches.
The report said: ‘It should be noted that risk can only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring.’
A year ago, many would have said that on the balance of things this was probably a risk worth taking if it meant that children could be protected more adequately.
The idea for the database did, after all, come about as a result of the Victoria Climbié inquiry and the need for the authorities to be more ‘joined up’ — for teachers, police, social workers and doctors to share information.
But a year is a long time in security breaches and now that risk feels as safe as a sub-prime mortgage. And the timing of this report could not have been worse. Steve Wright had just been convicted of the murder of five women and Mark Dixie of the murder of Sally Anne Bowman. Both men had DNA stored on the police database, taken for unrelated offences yet linked to the crimes.
Ministers were once again forced to defend their reluctance to approve a universal DNA register. Tony McNulty, crime and policing minister, said he felt the balance was ‘about right’ and the Home Office said there were ‘significant practical and ethical issues’. Yet the detective who led the hunt for Bowman’s killer claimed Dixie would have been arrested within 24 hours if such a database had been in force.
This is worthy of a whole debate in itself. But on one point alone it is going to cause the government a headache — because it comes after a year of security breaches. So many, indeed, that it is hard to know where to begin.
Among them are the junior doctors’ Medical Training Application Service, which revealed names, addresses, religious beliefs, sexual orientation and criminal records; the 25 million people’s child benefit records lost by Revenue & Customs; the nine NHS trusts that lost the records of hundreds of thousands of patients; and the 3 million people who had sat driving tests — a hard disk containing their details was lost in Iowa in the US.
Hundreds of documents containing benefit claim details, photocopies of passports and mortgage payments were found on a traffic island in Exeter; laptops have been stolen or lost from cars and government departments, etc etc.
Only last week, it was revealed that a disk sent by police in the Netherlands to the Crown Prosecution Service, which contained DNA profiles from crime scenes, sat in a desk drawer for a year. Eleven people on that list have gone on to commit crimes.
Freedom of information requests to half a dozen government departments and agencies have highlighted two important facts. Not one of them has a protocol for correcting erroneous data.
So, should you find that you have been wrongly entered into a system, for instance as having a criminal record, then you have a long, probably Kafkaesque fight on your hands.
Secondly, none of the departments or agencies FoI-ed has a policy or protocol for auditing their data protection compliance.
This was one of the issues highlighted in the information commissioner’s report on the medical applications scandal.
The Department of Health was officially warned to encrypt any personal data and to test the systems regularly. Otherwise… otherwise what?
Well, they could be fined if they breach this. But that was the limit of the commissioner’s powers. It should be added that the health department has never felt the need to explain why it had not encrypted the data in the first place.
The information commissioner, Richard Thomas, has made no secret of his frustration at his lack of powers and the need for a strengthening of the legislation, possibly an introduction of criminal charges for the reckless mishandling of personal information.
He would also like to be able to carry out spot checks, which would seem an obvious step. He would not mind some more money, too. Given that his budget is just £10m a year, that is a reasonable request.
Leaving aside the identity cards, the NHS ‘spine’ which will contain all patient notes, and the children’s database ContactPoint, if a universal DNA database were to be introduced the government would, in this current climate, have a lot of trouble persuading the public it was safe in their hands.
Of which ministers are undoubtedly aware.
