Where will the next UK Government security and privacy data loss disaster occur ?
Given how inept the Home Office has failed to implement policies of Data Minimisation (as recommended in the Data Sharing Review by the Information Commissioner Richard Thomas and Dr. Mark Walport), and in its lax supervision of the data handling and security practised by its sub-contractors like PA Consulting, we are very worried by the potential for disaster which will come into force on the 1st October
Specified anti-fraud organisations
2. The following anti-fraud organisations are specified pursuant to section 68 of the Serious Crime Act 2007--
(a) CIFAS;
(b) Experian Limited;
(c) Insurance Fraud Investigators Group;
(d) N Hunter Limited;
(e) The Insurance Fraud Bureau;
(f) The Telecommunications United Kingdom Fraud Forum Limited.
How many unencrypted databases, laptop computers, USB memory devices, CDROMs etc will these organisations, or the public bodies which disclose information to them, manage to lose or have copied by corrupt insiders ?
Sections 68 - 72 of the Serious Crime Act 2007 allows for such notorious data security bunglers as HM Revenue and Customs, or any other public body, to hand over, in bulk, our most sensitive personal financial information to the private sector companies and industry sponsored not for profit organisations.
The Common Law Duty of Confidentiality has been crushed:
(2) The information--
(a) may be information of any kind; and
(b) may be disclosed to the specified anti-fraud organisation, any members of it or any other person to whom disclosure is permitted by the arrangements concerned.
(3) Disclosure under this section does not breach--
(a) any obligation of confidence owed by the public authority disclosing the information; or
(b) any other restriction on the disclosure of information (however imposed).
Note the evil use of the words "any" and "however imposed"
This means that not just purely financial data can and will be shared, but personal names, addresses, medical records (e.g. to insurance companies) , sexual preferences, political allegiances etc. could also be shared, "for the prevention or detection or prosecution" of fraud.
There is a worthless restriction on these infinite powers:
(4) But nothing in this section authorises any disclosure of information which--
(a) contravenes the Data Protection Act 1998 (c. 29); or
(b) is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000 (c. 23).
However, neither of those bits of legislation place any restrictions on public authorities whatsoever, once the magic words "for the prevention or detection of crime" or "national security" (which includes the vague term "economic interests of the United Kingdom") have been uttered.
There is meant to be a Statutory Code of Practice regarding the exercise of these infinite powers, under section 71 Code of practice for disclosure of information to prevent fraud , but that, of course, is still secret, and has not been debated by Parliament or the public.
Given that it is the inept Home Office which is responsible for supervising this further expansion of the surveillance state, there has to be a genuine fear that millions of innocent people's financial information will be put at risk.
This Order should be revoked until there has been a full public debate on the alleged safeguards in the secret Code of Practice, and until the Home Office has demonstrated that it can handle even its own data securely and properly, before allowing even more data belonging to innocent people to be shared and put at risk.
There must also be robust mechanisms to protect innocent members of the public, including generous financial compensation and prompt public apologies and political resignations, when, not if, it all goes horribly wrong - these seem to be utterly lacking at the moment.
UPDATE:
Thanks to Guy Herbert of NO2ID Campaign for making it clearer, that the Data Protection Act has been amended by this Serious Crime Act 2007 section 72 Data protection rules to further reduce the protection of everyone's sensitive personal data
72 Data protection rulesIn Schedule 3 to the Data Protection Act 1998 (c. 29) (conditions for processing sensitive personal data), after paragraph 7, insert--
"7A (1) The processing--
(a) is either--
(i) the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or
(ii) any other processing by that person or another person of sensitive personal data so disclosed; and
(b) is necessary for the purposes of preventing fraud or a particular kind of fraud.
As a reminder, here is the Data Protection Act 1998 section 2 Sensitive personal data:definition:
2 Sensitive personal data
In this Act "sensitive personal data" means personal data consisting of information as to--
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union (within the meaning of the [1992 c. 52.] Trade Union and Labour Relations (Consolidation) Act 1992),
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
While you may make strong and valid recommendations, I suggest that nothing will come of them short of an insurrection. And the British people are already far too docile for that.
We're stuffed and it will only get worse, much worse. But that is no reason for us to stop shouting about it.
@ Yokel - we will see how the bureaucracy respond to this Freedom of Information Act request via the ever improving http://WhatDoTheyKnow.com FOIA request submission and tracking website:
Serious Crime Act 2007 section 71 Code of practice for disclosure of information to prevent fraud
BBC Radio 4's iPM programme may well be looking into this issue this weekend:
http://www.bbc.co.uk/blogs/ipm/
iPM seem to have got a short, misleading. Sir Humphrey Appleby type statement from the Home Office:
http://www.bbc.co.uk/blogs/ipm/2008/09/share_what_they_know.shtml#commentsanchor
The Serious Crime Act 2007 section 72 amends the Data Protection Act, to make legal what was previously illegal, so, by definition "all the requirements" of the DPA apply !
The already weak DPA now no longer provides any protection from this sort of data sharing, which certainly breaks the international Principles of Data Protection.
Where exactly did the Home Office come up with the unsubstantiated guesstimate figure of "£!3.9 billion a year" for "fraud" ? This presumably includes the several billions of pounds of fraud against the taxpayer, which none of these private sector anti-fraud companies will do anything about at all, since it is the Government's business.
By how much will fraud actually be reduced by these specific data sharing measures, to the nearest billion pounds ?
Unknown ? Zero ? Possible increase, given the Government's propensity for losing our sensitive personal data ?
The Code of Practice has been revealed via our FOIA request:
http://www.whatdotheyknow.com/request/serious_crime_act_2007_section_7
The actual .pdf document is at
http://www.whatdotheyknow.com/request/2971/response/7150/attach/3/12761_290510%20Data%20Sharing.pdf
Incredibly, in spite of all the recent data security and privacy breaches by Government departments and private sector companies revealed in the last year or so, there is no specific mention in the CoP of any words like "encryption", which should be mandatory for any such data transfers or storage of personal sensitive data, potentially belonging to thousands or millions of innocent people.