Security experts slam government data retention

22 Nov 2007

Following a massive data breach by the UK Government as two discs containing the personal details of 25 million people went missing, several organisations have spoken out against the very concept of data retention and how safe it is in government hands.

While the UK Government has shown that it is capable of losing the contents of an entire database, our own Government supports laws requiring telephone companies and internet service providers to spy on all customers, logging their movements, telephone calls, emails and internet access, and to store that information for several years, says chairman of Irish civil rights group Digital Rights Ireland (DRI), TJ McIntyre.

“There is no reason to think that these databases will be treated with any more care,” he says.

“It is only a matter of time before that information is compromised as well, putting the most personal details of all Irish citizens at risk. We now call on the Government to act to repeal these laws before this happens.”

While DRI sees the British Government’s massive loss of sensitive data as a reason to repeal existing data retention laws, UK analysts Ovum points out that this is not just a one-off event.

“It is the third major data leakage from HM Revenue and Customs in just three months,” notes Graham Titterington, principal analyst at Ovum.

Although junior officials are being blamed for this disaster, this is not an excuse, says Titterington, because a basic data security plan would include risk analysis that would plan for when things go wrong.

“If the data has fallen into the hands of identity thieves, which is unlikely, the entire national identity ecosystem is undermined for two generations. The UK Government, and the nation, is reduced to hoping that these two CDs are languishing in a trash can somewhere,” says Titterington.

What went wrong? According to Chris Mayers, chief security architect at Citrix: “It sounds like a fundamental failure of proper data protection planning that such a large volume of sensitive data would ever be moved in any format without the strictest digital and physical security in place.”

Mayers goes further to ask if this information even needs to be transported at all. He says: “In these days of secure remote access there is rarely any need for data to be written onto a CD and transported anywhere.”

Data security problems are by no means isolated within the UK with several examples of this happening recently in Ireland involving employees in the Department of Social and Family Affairs who accessed and leaked out sensitive information to the media.

By Marie Boran