Census 2011 data privacy questioned

Some critics have pointed to the fact that the data collected in the census will be "processed in a plant run by an American firm whose staff were prosecuted for stealing President Obama's student loan records."

According to the Daily Mail, UK Data Capture Ltd. - the firm named in ONS reports as the sub-contractor in charge of processing census information - is "jointly owned by the examination board Edexcel and the US-owned firm Vangent, which both have a patchy record for data-handling."

"Last year, Vangent, a multi-billion-pound consultancy with a series of lucrative US government contracts, faced embarrassment when nine of its employees were prosecuted for accessing President Obama's student loan records", notes the paper.

"The employees - all of whom were found guilty - had been working on an IT project at the US Department of Education, although many of the company's other contracts in America are with the military", adds the paper.

The Daily Mail goes on to say that Edexcel has faced criticism for its alleged 'dumbing down' of exams and for losing scripts.

The TechEye newswire, meanwhile, quotes a security professor as saying that "Yes, the census isn't new but any extra database is ludicrous. The government has proven time and time again that it can't be trusted with a laptop, let alone the details of millions of people."

"And it's not just the Office of National Statistics staff we have to be concerned about, with the fact that this data will be shared out with the police, MI5 and other 'security' bodies all of which will be able to see the information", he told the newswire.

"The question here is - how can they successfully transfer and share this information and how can they ensure it doesn't leak?", he added.

Infosecurity notes that BBC News has posted a video news report on how the Census data is being handled, suggesting that the automated scanners - which process Census pages at the rate of four a second - are being backed up by a number of quality control staff that manually check and correct data on forms.

But what about the management controlling the security of the Census 2011 project?

In a job advert that appeared in the computer press in late 2009, the ONS said it was looking for a Census 2011 security manager to be located at its ONS offices in Hampshire on an annual salary of between £41,666 and £56,211.

The job of the manager, said the advert, was to "support technical leads and contracts team with the delivery of security for the Route C services (including: outsourced recruitment; training and payroll; distribution and secure distribution and logistics)."

"You will provide assurance to the Route C technical leads that the security being implemented for Route C services is appropriate", said the advert, adding that the manager would be responsible for implementing ISO27001 security compliance on the Census 2011.

The manager's contract - which Infosecurity understands was due to start last spring - is due to end this coming June.

Amberhawk Law Training, meanwhile, has investigated the legislation surrounding the census and claims that several government departments, notably the secret services and HMRC, have access to the data.

"I came across the PIA for the Census (see references). Under the heading 'Keeping census records confidential', the Census PIA states that 'Other than for the purposes of conducting the census and in the circumstances set out in Section 39 of the Statistics and Registration Service Act 2007, it is unlawful for any member or employee of the UK Statistic Authority (which includes any member or employee of ONS) or any person who has received personal information directly or indirectly from the Authority, to disclosure such information' (paragraph 12.6.1)", notes the law training firm in its latest blog.

"Section 39 of the Statistics and Registration Service Act 2007 is, so the Act says, about 'Confidentiality of personal information'; in practice the section achieves the precise opposite. Section 39(1) begins well enough; it states that 'Subject to this section, personal information held by the Board in relation to the exercise of any of its functions must not be disclosed by (a) any member or employee of the Board, (b) a member of any committee of the Board, or (c) any other person who has received it directly or indirectly from the Board'", says the firm.

However, says the training firm, Section 39(4) then states that the disclosure prohibition in section 39(1) “does not apply to a disclosure which”:

"(a) is required or permitted by any enactment,

(b) is required by a Community obligation,

(c) is necessary for the purpose of enabling or assisting the Board to exercise any of its functions,

(d) has already lawfully been made available to the public,

(e) is made in pursuance of an order of a court,

(f) is made for the purposes of a criminal investigation or criminal proceedings (whether or not in the United Kingdom),

(g) is made, in the interests of national security, to an Intelligence Service,

(h) is made with the consent of the person to whom it relates, or

(i) is made to an approved researcher”.

"Section 39(4) therefore possesses all the hallmarks of New Labour’s disdain for personal privacy. It is not a clause to protect confidentiality; it is a clause to remove that confidentiality."
