A recent BBC article (called “UK’s families put on fraud alert”) provides more details about a recent incident happened in UK, where two CDs containing the personal details of all families in the UK with a child under 16 that have gone missing:
“The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.
Chancellor Alistair Darling said there was no evidence the data had gone to criminals - but urged people to monitor bank accounts "for unusual activity". The chancellor blamed mistakes by junior officials at HMRC, who he said had ignored security procedures when they sent information to the National Audit Office (NAO) for auditing.
Mr Darling told MPs: "Two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the addressee in the NAO.”
It looks like good practices and processes were in place but nevertheless the system failed. I see the limitations of any privacy enforcement system, in this context.
I wonder if a “Risk-Driven Decision Support System” would have been of some use in this context, to discourage this action (given the existing policies and the potential involved risks) and suggest more compliant ways to proceed …
--- NOTE: my original HP blog can be found here ---
No comments:
Post a Comment