
Poynter and Hannigan review reports fail to reassure anyone about UK Government data security and privacy issues - final reports delayed until after the May 2008 Local Elections ?

The Labour government has published the two Interim Reports announced by Gordon Brown and Alistair Darling following their admission of incompetence and betrayal of public trust on November 20th regarding the scandal of the lost CDs containing the entire Child Benefit Award database for the whole country by Her Majesty's Revenue and Customs.

Neither of these reports sheds any new light on what disasters have happened or on what detailed steps are going to be taken to prevent them happening again.

We suspect that the final versions of these reports, and all the other investigations and inquiries, will, magically and conveniently for the Labour government, not actually be published until after the May 2008 Local Elections for the Mayor of London, Greater London Assembly, English local government authorities and mayors, and unitary local government in Wales, when these electorates will have the rare chance to express their disgust with the Labour regime politically.

The full Poynter Review report now seems to have been delayed by at least 2 months from the original announcement by Alistair Darling on 20th November 2007:

I have asked for an interim report next month and a full report in the spring.

i.e. no later than the end of April 2008

However, according to Alistair Darling's statement to the House of Commons today:

Mr Poynter tells me he expects to conclude his work in the first half of next year

Similarly, the Robert Hannigan Interim Report says:

47. A further report will be made in Spring 2008

Again, we do not believe that this report will be published before the May 2008 Local Elections.

The Poynter Review covering letter says:

I am pleased to report that all the HMRC officials I have met, from Dave Hartnett the acting Chairman down, have been cooperative. He has expressed his determination to learn from these events and create the world class data security environment you would expect in HMRC.

Why exactly has HMRC not already been a "world class data security environment" since its inception ?

The Poynter Review Interim Report says that HMRC has sent:

A reminder to all staff from the Chairman of HMRC of the importance of data security with some specific guidance;

A memo or an email to all staff is no substitute for adequate training and re-training of staff at all levels, face to face, about the importance of data security and privacy and about the existing software, hardware and procedures.

9. I have agreed with HMRC to make interim recommendations as the review progresses, with a shared ambition that my final report will record that my recommendations have been fully implemented or that implementation is in progress.

Making "interim recommendations" privately to HMRC senior management is not the same as publishing, say, monthly interim progress reports, which might reassure the public that this scandal is not just being handled in exactly the same "going through the motions" way in which the half a dozen admitted previous security breaches were, i.e. ineffectively.

Similarly, the Robert Hannigan Interim report also seems to be as we predicted when it was announced.

We wrote:

These Reviews will be causing senior civil servants to dust off their copies of their Departmental Standard Operating Procedures manuals, and Departmental Security Policy documents. If they are feeling truly masochistic, they will actually read the boring and tedious concordance documents which aim to cross reference, often line by line, the current Departmental Security Policy with the Manual of Protective Security and BS7799 / ISO17799 / ISO27001 etc. standards, with which they are meant to have complied several years ago.

Robert Hannigan reports:


10. The Government constantly develops guidance to support Departments and agencies and keep up with changes in technologies. Advice on the management of information risks is available from the British Standards Institute in the ISO 27000 family of standards for information security management systems. These were developed in close co-operation with experts in the Cabinet Office and CESG, the part of GCHQ that acts as the National Technical Authority for Information Assurance, to address the full range of information security policy and good practice. They are reflected in a set of information security standards developed for Government, and incorporated in the Government’s Manual of Protective Security. This was first issued in 1994, and has been regularly refreshed since then.

The Hannigan review interim report has a short paragraph for each of the main central Government Departments, but does not give any details of all their Agencies, Quangos, Non Departmental Public Bodies etc.

There are vague recommendations about increasing the penalties under the Data Protection Act.

Government Departments are to be encouraged to provide a brief summary of significant data breaches in their annual reports, something which still smacks of bureaucratic backside-covering, cover-up and political whitewash, rather than proper public transparency and accountability.

Some Departments seem to have belatedly appointed Senior Responsible Officers for Data Security etc. However, unless these people really are senior enough to veto policy decisions by a Permanent Secretary or by the Labour Ministers' Special Political Advisers, if their latest "must pretend to be seen to be doing something" policies impinge on the sanctity of data security or privacy, then they will have no more success than their various predecessors.

There is nothing about, for example, linking mandatory awareness training and testing about data security and privacy issues, for all civil servants, with their career prospects. Failure to pass such tests should bar any civil servant from promotion to middle or senior grades.

Remember that neither of these Reviews is actually independent of the Labour Government.

Kieran Poynter is the chairman of accountants PricewaterhouseCoopers, who benefit greatly from Government contracts, and who supported Gordon Brown's Labour party leadership campaign.

The Cabinet Office review of the review of the data handling procedures of all Government Departments and Agencies is under the auspices of the Cabinet Secretary Gus O'Donnell, who is, of course, personally partly to blame for the ineptness at HMRC, as he was the Permanent Secretary at the Treasury under the then Chancellor Gordon Brown, when the monster department was created whilst alleged cost savings were made, supposedly without any detrimental effect.

We have no idea how competent or independent the former Northern Ireland Sir Humphrey i.e. Robert Hannigan, the newly appointed Head of Intelligence, Security and Resilience is either. Unlike the Chairman of the Joint Intelligence Committee, Alex Allan, who is presumably, according to the Butler review recommendations, in his last major Government post before retirement, and therefore less amenable to being pressurised by the apparatchiki and political commissars, the same cannot be said of Robert Hannigan.

These Reviews have already been used as an excuse not to answer any Parliamentary Questions from Members of Parliament about this scandal, with each Government Department promising to "make a statement" some time after the Reviews are published.

Comments

The madness continues.

Ambercat's blog reports three further breaches including Stockport Primary Care Trust, Department of Work and Pensions, and the Ministry of Defence.

