I think in fairness, good practice and careful implementation of law will result in slow ammendments to data protection legislation. The problem however is that existing law is not enforced, sanctions are not used and data handling obligations are therefore further down the list of corporate responsibilities.

This relates to the corporate arena. Small business data protection is far worse but escapes media attention as the press chase the big fish.

John

http://www.backupanytime.com (link)

Yup, and the NAO internal review presumably, and anything more being done by any of the Select Committees. is there much more apart from that? (link)

This needs some cort of preamble like "These episodes have rightly shocked people. If we're to be seen to get our house in order, we first of all relly and that means we must in reality actually get it in order. This may mean simply making sure that existing policies are followed, but we can't rule out the possibility it will require a more fundamental examination of whether our whole approach to handling personal data is inadequate or even misconceived. We have to approach this question in a spirit of humility and openness. If we pretend everything is basically ok and the events of the last four weeks have merely been several dozen isolated incidents we'll just annoy the tits off people" (i'm not _drafting_ there, mind) (link)

(link)

Hm. To an extent. But also

- Cab Off (and CESG) are responsible for some of the key policies that have got us into this mess - we're all in this together. One nitwit in one department loses trust for all of government. So you cant place each incident of this probelm solely inside one particular department. - but also people generally want the same things that government is trying to achieve, so setting government against people or assuming government has to "do everything to" people is starting on the wrong foot. Any picture of this landscape in which the customer does not loom large is a false and unhelpful one. (link)

Yes, but above all everything it has done to move towards centralised databases, the creation of a culture in which "data sharing" is a benefit per se, pursuit of the notion of personlaised services based on the idea that because CRM is good for Hilton Hotels or Abbey National it's also good for social services. (link)

Regrettably this panoply of impressive-sounding standards, guidance and experts has been found sorely wanting in practice. (link)

Indeed, and for comments on this see http://www.commentonthis.com/infoassurance/ (link)

yes, but what about the threats FROM government? They're the ones you miss, and which fatally undermine trust (link)

but to the odd Permanent Secretary. So this is deadly serious (link)

ContactPoint is inherently insecure, because it has a very large number of users (300,000+) and a large number of data administrators (each LA will have its own data administration team). Data in ContactPoint will be of interest to:

+ disaffected parents wishing to contact - or even abduct - children contrary to directions of a court + those seeking to locate former partners to inflict violence on them + paedophiles + nosey neighbours + vigilantes (e.g. when a child has committed a crime) + press + perspective employers of school leavers

Although ministers maintain that only "basic" data will be maintained in ContactPoint, this underestimates what can be concluded from data concerning a child's contacts with agencies, especially criminal justice agencies such as youth justice and police and health agencies. It also seems likely that the audit log will contain highly sensitive and subjective data which could be very damaging to the data subjects and their relatives if ever released.

ContactPoint must be considered together with the associated system eCAF - a field in ContactPoint points to an eCAF record. eCAF will contain unstructured and highly subjective data concerning all aspects of children's lives (including data classified as "sensitive" under the DPA 1998, such as race/ethnic origin, health, mental health, sexual health/orientation, religion etc.). Most of the data will consist of "assessments" undertaken by a variety of practitioners. Many of these assessments will be highly subjective and judgemental. Parents/children will be asked to consent to the information being stored and shared via the computer system, but they will be doing so in situations in which they are being assessed for a service and may feel compelled to agree. In any case their data must be secured.

eCAF is a a very high risk system which does not seem to be considered in the present review. Highly confidential personal data, some of which will be of a salacious or even lurid nature (consider for example assessments of children suffering soiling, wetting, mental health, sexual dysfunction etc), will be contained in the assessments.

Like ContactPoint eCAF will have a large usership and systems admin. teams in every local authority area.

In my view it is not possible to secure such systems. They are like "honeypots" to cunning, devious and unscupulous people (e.g. paedophiles) who are prepared to go to great lengths to gain information about children and young people. The large userships make them highly insecure. Simply issuing additional procedures to users will be ineffective.

The consequences of getting security wrong here could be catastrophic - children and young people sexually or physically abused, or even killed. Young lives could be permanently scarred by the release of embarrassing or derogatory information concerning development, health or intimate family details. (link)