The recent events at HMRC have thrown the issue of data security into sharp focus. This article will examine some of the key technological and social drivers, which are underpinning the increasing focus of the media and the legislators on the issue of data security. I will also examine the ICO’s current guidance on the key Seventh Principle of the Data Protection Act 1998 (which deals with the security of data), what impact that guidance has on the design and operation of data security systems and what steps HMRC could have taken to avoid the difficulties that they now face.
Social Factors
The advent of social networking websites such as Myspace and Facebook has led to a huge rise in the quantity and categories of personal information and data which users are sharing not only with friends but also with complete strangers: in addition to the social chit-chat exchanged by users on such websites, it is commonplace to see users’ profiles containing real names and addresses, photos and dates and places of birth. In the real world the suggestion that a person exchange such personal data with complete strangers would probably be met with concern, and yet millions of online users are doing so on a daily basis.
The end result has been a concentration of personal data in the hands of a relatively small number of vast online databases, which contain highly personal profiles of millions of users. Although much of this personal data would in itself be unlikely to cause any significant harm to a user if it were misused in isolation, when combined with the extensive personal data held in other ‘open’ data repositories such as the electoral roll and ‘closed’ systems such as those operated by private companies and HMRC, it can enable a criminal to build a complete picture of a person to facilitate such activities as ID fraud.
Technological Factors
Two of the main technological drivers that have facilitated the unprecedented rise in the volume of data collection and dissemination have been the Internet and cheap mass portable storage devices and media such as DVDs, CDs, USB sticks and portable hard drives. The quantity of data that can be held on such devices is staggering. For example, in the HMRC case the records of 25 million individuals are reported to have been stored on just two CDs. When one considers that CDs are at the lower end of the data storage capacity scale, it is not an exaggeration to say that a person can now carry around extensive personal details of the entire population of the UK.
As noted above, the growth in Internet use has also facilitated the dissemination and linking of personal data records, as well as providing an efficient channel for its collection, especially via Websites that focus on user-generated content.
Both of the above factors have led to a society where personal data is continuing to grow in importance – for commerce, the government and, most importantly, for the individual. It is perhaps ironic that, at a time when the public is showing little regard for its privacy in the online world, the security of its personal data is a key concern of that very same public, as evidenced by the reaction to the recent events at HMRC. Indeed that concern is now adding to the body of criticism directed at the implementation of the National Identity Scheme. So how does the ICO approach the issue of the security of personal data?
The Seventh Principle
By way of a recap, the Seventh Principle of the Data Protection Act 1998 states:
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data’.
From this one can see that the Seventh Principle is made up of two parts: firstly, appropriate technical measures and, secondly, appropriate organisational measures.
What does ‘Appropriate’ Mean?
In determining what is ‘appropriate’ the ICO’s guidance on the Seventh Principle suggests that the following factors should be taken into account:
• the harm that might result from a breach of security;
• the nature of the data to be protected;
• the state of technological development at any time;
• the cost of implementing any measures;
• the data controller must also take reasonable steps to ensure the reliability of staff having access to the personal data.
Therefore, under the first point above, the potential to ‘pool’ personal data obtained from a variety of open online sources with personal data held by data controllers in closed systems is a factor that the ICO can properly consider when assessing a data controller’s compliance with the Seventh Principle. One can also see from the guidance that what is ‘appropriate’ can and will change over time.
Examples of Appropriate Measures for Data Security Systems
The guidance also sets out an illustrative list of some of the security controls that a data controller is likely to need to consider. I have focused on those points which may have a bearing on the recent events at HMRC. These include security management, controlling access to information, staff selection and training, and detecting and dealing with breaches of security.
Security management
• Does the data controller have a security policy setting out management’s commitment to information security within the organisation?
• Is responsibility for the organisation’s security policy clearly placed on a particular person or department?
Controlling access to information
• Are passwords known only to authorised people and are the passwords changed regularly?
• Do passwords give access to all levels of the system or only to personal data with which that employee should be concerned?
Staff selection and training
• Are the staff aware of their responsibilities?
• Have they been given adequate training and is their knowledge kept up to date?
Detecting and dealing with breaches of security
• Do systems keep audit trails so that access to personal data is logged and can be attributed to a particular person?
International Standards of Information Security Management Systems
The guidance also states that such measures should be taken ‘both at the time of the design of the processing system and at the time of the processing itself’, which suggests an ongoing commitment to monitor whether current measures are appropriate and, if not, to update them. This constant monitoring of data security systems and management reflects the international standards embodied in ISO 27001. This document and its companion, ISO 27002, set out standards for the design and implementation of information security management systems. A key feature of these standards is that they adopt a cyclical methodology known as PDCA: Plan; Do; Check; Act.
Specific Security Measures – Data Encryption
It is important to note that the ICO guidance on the Seventh Principle does not contain any requirement on data controllers to use a particular type of technology or security system. Although the guidance to the Seventh Principle mentions the use of password protected access to personal data, there is no specific mention of data encryption. However, the ICO has now published specific guidance on encryption in a document entitled ‘Our approach to encryption’. This states:
‘The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information’.
The guidance also makes it clear that where personal data has been lost due to the loss or theft of data on a laptop in circumstances where that data has not been encrypted, then the ICO will take enforcement action in the future.
Encryption technology is in a constant state of development. Back in the 1970s IBM developed the DES encryption standard. DES is an example of what is known as public key cryptography (PKC). PKC uses two keys: a ‘public’ key which is made openly available and a ‘private’ key. Once data has been encrypted with the public key the only person who can decrypt it is the holder of the private key. A good example of a PKC system is the Secure Sockets Layer (SSL) protocol used for secure payment transactions on the Internet.
Although DES is still widely used today it is no longer considered safe, due in part to its short key length of 56 bits. The strength of PKC systems is usually measured by the bit length of the encryption key (56-bit, 128-bit, etc.): the more bits used in the key, the harder it is to decrypt the data by using a brute force attack. PKC encryption is also theoretically susceptible to an attack on the software algorithm itself. DES is being replaced by modern encryption standards such as Triple DES (3DES) and, more recently, the Advanced Encryption Standard (AES), the latter of which uses key lengths of 128, 192 or 256 bits. Whilst such modern standards are still theoretically open to attack, such attacks are infeasible to mount in practice.
The Government has responded to the strength of current encryption technology by introducing legislation that specifically addresses the issue: under Part III of the Regulation of Investigatory Powers Act 2000, designated public authorities can now serve a notice either demanding that a person decrypts any encrypted data, or hands over the private key that would enable the data to be decrypted.
Events at HMRC and the Seventh Principle
Following the ICO’s guidance regarding the loss of unencrypted personal data on a laptop, it would be difficult to see how enforcement action against the relevant data controller would not be taken in circumstances where unencrypted personal data was downloaded onto a CD and sent to a recipient using a public distribution system. This was of course the situation that occurred in the HMRC case.
Whilst password protection technology was used by HMRC to protect the data on the CDs from unauthorised access, passwords can be easily compromised, either by the persons to whom they have been given or by the use of software programs that conduct a search of all password permutations. The latter is known as a ‘brute force attack’. Even relatively ‘strong’ passwords (those containing 8 or more characters with a mix of numbers and upper and lower case letters) can be cracked in a matter of hours or days by using a brute force attack.
For those reasons and because encryption technology is readily and cheaply available as a second line of defence, the use of password protected access to personal data (in the absence of any other technical security measures) is unlikely to comply with the Seventh Principle. This is particularly so when password protected data is in transit via a public postal system or other unsecured network.
A further factor which is relevant when assessing HMRC’s compliance with the Seventh Principle is the fact that the personal data in question was accessible by junior personnel within HMRC. As we have seen above, technical measures are only one aspect of an appropriate data security system. Equally important are the organisational measures used to control access to personal data and its subsequent dissemination. For example, it would have been possible for HMRC to use a system which combined a dual approach, whereby only senior staff had access to the data and, when such staff sought to download the data onto portable media, it was then subject to automatic encryption.
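To make that dual approach concrete, here is an added example written for this article (it is not code from HMRC, the ICO or any product): a Go gate that refuses export to staff not on the cleared list, encrypts anything that does pass with AES-256-GCM from the standard library before it reaches the portable medium, and records every attempt against a named person, as the audit-trail question above asks. The roster, the users and the record are constructed, and the key is assumed to be generated and delivered to the recipient separately from the disc.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed staff roster: only "senior" staff are cleared to export personal data.
var roles = map[string]string{"alice": "senior", "bob": "junior"}

// Audit trail: one line per export attempt, allowed or refused, naming the person.
var auditLog []string

// exportToMedia is the gate in front of every write to a CD or USB stick. Staff not
// cleared are refused and the refusal logged; a cleared export is encrypted with
// AES-256-GCM (key must be 32 bytes) and leaves only as nonce || ciphertext || tag.
func exportToMedia(user string, records, key []byte) ([]byte, error) {
	if roles[user] != "senior" {
		auditLog = append(auditLog, user+" export-denied")
		return nil, errors.New("export denied: " + user + " is not cleared")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every export
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	auditLog = append(auditLog, user+" export-encrypted")
	return gcm.Seal(nonce, nonce, records, nil), nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero key; a real one is generated and delivered separately
	record := []byte("NINO=QQ123456C;name=Constructed Person") // constructed record
	_, denied := exportToMedia("bob", record, key)
	blob, _ := exportToMedia("alice", record, key)
	fmt.Printf("bob: %v\nalice: %d bytes on the disc, none plaintext\naudit: %v\n", denied, len(blob), auditLog)
}
```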
Conclusion
Based upon current ICO guidance it seems beyond doubt that HMRC’s loss of unencrypted personal data in the manner reported represents a breach of the Seventh Principle. Whilst the government has stated that the loss arose due to a failure of officials to follow HMRC’s data security policy, the fact that it was possible to deviate from the policy in the way that occurred does suggest that the policy itself can be called into question. Encryption technologies do provide data controllers with a cheap and efficient means by which to secure data but even the best encryption technology will not assist if it is deployed ineffectively. HMRC are now faced with possible enforcement action by the ICO and there is also the possibility that individuals who were the victims of the data loss may have grounds for claiming compensation against HMRC.
Simon Morrissey is Head of Technology and a Partner in Lewis Silkin’s Media Brands and Technology Department: simon.morrissey@lewissilkin.com