Council staff breach security of National ID database

CIS will assist in shaping the biometric-based national ID card programme, currently containing biographical information on the majority of UK citizens, including benefit recipients, pensioners and anyone holding a national insurance number. Since July 2008, CIS has also provided access to HMRC tax credit data.

The breaches, dating back to 2006, were discovered via routine checks, but it’s unknown whether the breaches were made through malicious intent or misuse.

The ‘Housing benefit and council tax benefit general information bulletin’ from 15 January issued by the DWP said that the organisation “will support your [local authority] to ensure appropriate disciplinary or prosecution action is taken, and may consider prosecuting directly under social security legislation.”

In spite of the breaches, the DWP remains positive about its standards, stating that, "The small number of breaches shows that the CIS security system is working and is protected by several different audit and monitoring controls, which actively manage and report attempts at unauthorised or inappropriate access."

“These latest breaches highlight the general inexperience of local authorities when dealing with large amounts of sensitive data,” commented Ken Munro, director at IT security specialist, Secure Test.

“Central government understands protective marking of sensitive data, and vets staff appropriately, while many local authorities are found wanting in this area. Access to data such as this must be purely on a need to know basis, and should be carefully logged and reviewed on a regular basis.

“It is an incredibly difficult process to work out why one operator should or shouldn’t be viewing a particular record. Far better to vet the individuals concerned, so there is a far greater degree of assurance that they won’t be tempted.”

He added that “In cases like this, legislation can act as a deterrent but it’s not prevention.”

Susan Hall, partner and ICT specialist at law firm Cobbetts, remarked that “Surely this must be the final nail in the coffin for the government’s national ID card programme. If council staff are able to snoop at our records so easily and undetected for so long, then how can an even larger and more complex database be safe? Indeed - who guards the guards?

“It has been reported that ‘routine checks’ unearthed these cases,” Hall continued, “but, if there are breaches dating back to 2006, then they are not proving very effective. Such negligence reinforces the need for custodial sentences for breaches of the Data Protection Act.”

