16 Jan 2012, admin

Sherlock Holmes: a modern data protection parable?

The final episode of the second series of the modern BBC adaptation of Sherlock Holmes opens with serious security breaches at the Bank of England, The Tower of London and Pentonville Prison. The breaches are apparently caused by a piece of malware created by Holmes' nemesis Moriarty.
Towards the end of the episode, Moriarty reveals that the malware is a hoax: it does not exist. Instead the security breaches were caused by collaboration by insiders induced by threats and bribes.
This storyline is a modern parable for data protection: it's easier to hack the people than the technology.
Thus, while faxes pose a major threat to data protection (see my blog from 24 Oct 2011), people pose the greater threat.
Here's a selection of recent highlights from the ICO:

  • A former Health Care Assistant in the outpatients department at the Royal Liverpool University Hospital has pleaded guilty to unlawfully obtaining patient information by accessing the medical records of five members of her ex-husband’s family in order to obtain their new telephone numbers.
  • A receptionist who unlawfully obtained her sister-in-law’s medical records in order to find out about the medication she was taking has been found guilty of an offence under section 55 of the Data Protection Act. She was given a two year conditional discharge and ordered to pay £614 prosecution costs by Havering Magistrates Court today. Ms Patwal had made a call to Gateway posing as an employee of the King George Hospital in Romford, Essex, on 29 December 2010. Further enquiries found that the sensitive medical information had been faxed to Ms Patwal at the Lawns Medical Centre where she was employed as a receptionist.

This illustrates that people pose a risk as much by incompetence as by deliberate malice: in this case, the sender of the fax did not check that the proposed recipient had a legitimate reason for asking to receive the information.
People show a depressing inability to learn from mistakes.
On 6 December 2011, the Information Commissioner's Office (ICO) served a monetary penalty of £130,000 to Powys County Council for a serious breach of the Data Protection Act where the details of a child protection case were sent to the wrong recipient. This was the highest fine that the ICO had imposed since it received the power in April 2010, partly because it follows a less serious, but similar incident, which was reported by the council to the ICO in June last year. The latest breach occurred in February when two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The breach followed a similar incident, which was reported to the ICO in June 2010, when a social worker sent information relating to a vulnerable child to the same recipient. The child named in the report was again known to the recipient.

Of course, technology can help people to do stupid things more easily. The very attractive features of memory sticks (small size, light weight and portability) seem to encourage people to put sensitive information onto them and then drop them, leave them or just forget where they put them.
After all, you wouldn’t pick up a filing cabinet and then leave it on the bus by mistake, would you? It's just too big.
As with the Sherlock Holmes storyline, it often suits everybody to blame the technology, but in defence of technology in general and memory sticks in particular, they don't walk out of secure environments by themselves, and technology can help people protect data too. Portable devices from laptops to memory sticks can all be encrypted.
Sherlock Holmes was not one to tolerate fools gladly. One imagines that he would have little time for people failing to take basic precautions with their personal data!
