DWP staff ignoring new data protection rules
Despite beefed-up security policies at the Department for Work and Pensions (DWP), staff have continued to transmit password-protected data together with passwords, according to what appears to be an internal email leaked to a web site last week. The amended policies follow last October's loss by HM Revenue and Customs (HMRC) of the entire Child Benefit database, which had been dispatched unencrypted on two CDs.
An email forwarded to the Dizzy Thinks political blog last week indicated that revised security policies had been put in place following the HMRC leak, but that DWP staff have disregarded the policies.
According to the new rules, staff are required to send password-protected data separately from the password, but in some instances, although staff initially sending out data had followed this procedure, "... once the data and the separate password are received, staff are then forwarding the data and password on together, this defeats the purpose of the security measure entirely." A DWP spokeswoman said the department is currently investigating the lapse.
"We take the security of individuals' data extremely seriously," the DWP said in a statement. "We have carried out a major review of procedures around the transfer of data to ensure the security of customer information. We expect all managers to monitor the application of our security controls and ensure that the correct action is taken in all cases."
The HMRC incident of October 18 2007 led to the resignation of HMRC chairman Paul Gray. The lost CDs were unencrypted – merely password-protected, a level of protection that is considered simple to bypass. In January 2008 the Ministry of Defence (MOD) admitted to losing the personal data of 600,000 recruits and applicants to the armed forces when a laptop was stolen. Soon after, UK defence minister Des Browne admitted that the MOD has had 279 laptops stolen since 2005. (Matthew Broersma)