In the aftermath of the leak of the personal details of 600,000 recruits on an unencrypted stolen laptop, UK defence minister Des Browne has admitted that the MOD has had 279 laptops stolen since 2005. He added that the MOD has "clear policies" that enjoin encryption and screening. The Cabinet Secretary has responded to the current incident by circulating a memo to the effect that "... from now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises."
Funny they never thought of that before. But one has to wonder whether, in the face of an obvious and long-standing culture of negligence, this injunction will make much difference. Plus, it sidesteps the most important point made yesterday by the Information Commissioner: that we should be concerned about so much personal data being stored on a single device, whether or not it was encrypted. There is a strong possibility that the storage of such a vast volume of data on the stolen laptop was in breach of Principle 3 of the Data Protection Act ("Personal data shall be ... not excessive in relation to the purpose or purposes for which they are processed.") merely by virtue of being on it, regardless of whether the data were at risk of theft.
The government constantly falls back on the argument that technical measures such as encryption will adequately protect the public. But such measures have to be applied and they need to be managed properly. It emerged during the investigation of the recent HMRC incident that data sometimes were encrypted before dispatch by post, but that the decryption keys were often included in the same package.
We don't need ever more complex layers of technology covering the backsides of incompetents, but simple, effective policies that are adhered to, plus a modicum of common sense. Above all, we need a willingness on the part of officialdom to take responsibility commensurate with its power over our personal data. It's not rocket science: when handling personal data, consider the implications of your actions. Make sure they're proportional, justified and lawful. So says the Data Protection Act. If we can't trust our public servants to take our privacy and security seriously enough to abide by their own laws, why should they be trusted to legislate us into further exposure by implementing the National Identity Register?