Gone missing: more reasons to be fearful

Monday March 10, 2008

The main argument against the government’s ill-advised ID scheme is staring us in the face, says Eamonn Butler

Is your data safe in their hands? After Her Majesty’s Revenue & Customs lost disks containing information on 25 million parents back in November – information including their bank account details, dates of birth, and bank accounts – more of us are beginning to think not. And it’s not as if this carelessness with the public’s details is a one-off.

The Open Rights Group have been cataloguing other data losses that have occurred over the last seven years. You can see the list for yourself HERE. Even then, I’m sure it’s far from comprehensive, and that many other official data losses have simply not been reported, or have been quietly covered up by officials and ministers.

Last month a laptop was stolen from a Black Country hospital. It contained the intimate medical records of 5,123 patients. That’s nothing, of course, compared to the NHS admission that data on around 1.7 million patients had been lost in a variety of ways – dumped in a skip, put on a disk that went missing, left in the pub, or filched from lockers.

Missing

But getting your laptop stolen seems to be officialdom’s favourite ways of getting our personal details into the hands of those who have no right to access them. They’re incredibly adept at it. Literally dozens of the things have gone missing, containing information on hundreds of thousands of British citizens.

As recently as January the Royal Navy reported the theft of a laptop containing data on 600,000 recruits and potential recruits, including their passport numbers, National Insurance and bank details. Last December, the NHS revealed that another 3,000 records, including names, addresses, dates of birth and phone numbers, were on a laptop stolen from a doctor’s surgery.

Meanwhile, the Citizens Advice Bureau in Belfast lost a laptop containing details of up to 60,000 people – although at least that laptop was encrypted. Revenue & Customs, once again, lost a laptop holding personal information on people last October.

Worrying

A year ago another NHS laptop was stolen, this time containing information on 11,000 young children – which strikes me as even more worrying than most of these data losses. Then some 16,000 Worcestershire Council employees were put at risk of data theft when a laptop containing sensitive personnel information was stolen in a street robbery in February last year.

Even the police, er, get things stolen. Three laptops, no less, containing the payroll and pension details of over 15,000 Met Police officers were – not to put too fine a point on it – nicked from one of their outsourcing suppliers, back in November 2006.

More recently the police in Devon and Cornwall even managed to throw out a computer disk containing the names, addresses, phone numbers and ranks of their employees. Indeed, losing computer disks, or just putting them into a skip, are another favourite way in which state authorities put us all at risk of identify fraud and worse.

Dropped

Earlier this year it was reported that some 4,000 medical and personal records were on a USB stick that was accidentally dropped by a member of staff. Oops. Well, they’re small and easy to lose, aren’t they?

And at the end of last year an NHS Trust (yes, it’s them again) in East London lost CD cases holding the names and addresses of 160,000 children, while other losses occurred in Bolton, Sutton Maidstone, Sefton, Essex, Hertfordshire, Norfolk, Gloucester…

Round about the same time the Driver and Vehicle Licensing Agency in Northern Ireland lost the personal details of 6,000 people on two disks that were supposed to be delivered to the agency’s headquarters in Swansea. (Not the only cause of red faces there – the details of three million candidates for the UK driving test were on a computer drive that went missing in the United States a few months ago.)

Also at the end of last year the Department for Work and Pensions lost a disk with 40,000 housing benefit claimants on it. That loss isn’t exactly good news, and not just because of its large scale. A year earlier the identities of DWP staff were stolen and used to defraud the tax credit system. In other words, carelessness with public data can and does actually lead to fraud and misuse.

Confidential

In fact, our personal information turns up in the most unlikely places. Files on 20,000 people – including their bank account numbers and health details, phone numbers and addresses, date of birth, pay slips, bank forms and interview records – that Haringey Council had stamped ‘Confidential’ came to light in a building used by squatters.

Of course, you can’t blame the public sector for every loss of our personal data. Norwich Union policyholders had over £3 million stolen from their accounts when the firm allowed fraudsters to ring up and change their details. But at least Norwich Union got fined for its mistake. If some regulator started fining NHS trusts, local councils, government departments and police forces for theirs, it would of course be we taxpayers who would suffer.

The fact that government agencies hold so much sensitive information on us means that, even if they don’t just lose it, they can quite easily abuse it. NHS junior doctors and nurses were rebuked last year, for example, for accessing the medical records of a number of celebrity patients at their hospital.

I have no doubt that information of this sort would be extremely valuable to the tabloid newspapers, which must be rather alarming for people when they reflect that junior staff apparently have the key.

Joke

I thought it was a great joke when HMRC officials tried to explain their 25-million record loss by saying that it was just the action of some junior employee who had copied the files. You mean junior employees can copy 25 million files without managers knowing about it? If it were any other organization I would find that rather surprising.

Some people imagine that the governments proposals for ID cards are no more than that – like carrying some piece of paper with an official stamp on it that proves your name and address. But in fact it’s much more. It involves putting the entire population, names, addresses, dates of birth, biometrics and much more (there’s plenty of space, ministers assure us) on a national database.

No doubt – like the stolen Liechtenstein bank information that governments are now buying up in order to track down tax-dodgers – it would not be long before the personal details of 60 million of us, was making its way all over the planet to other governments and agencies. (It’s hard to imagine that any of those would be even more careless with data than ours appears to be, but it’s certainly a possibility.)

Intimate

And even at best, the amount of information to be loaded on the database (and yes, there is plenty of space and lots of public agencies are very keen to get their particular interests included) means that there are going to be thousands, or even tens and hundreds of thousands) of civil servants with the keys to it.

In other words, some or all of the details on 60 million of us – details which are intimate and private, or details which could be used by fraudsters for identity theft – will be accessible to large numbers of people who recent history has shown very clearly cannot possibly be trusted with it.

They’ll be copying it, losing it in the post, dropping it at the pub, putting it in a skip, getting it stolen. They might even be putting it up on mySpace, selling it to the News of the World, or shipping it out to other agencies in who knows what flaky country?

To my mind, the defining argument against the government’s ID database proposals is the demonstrated inability of civil servants to safeguard even the information that they have on us right now.

Dr Eamonn Butler is director of the Adam Smith Institute

Adam Smith Institute