Saturday 31 January 2015

CDs lost in the post (again)

I was interviewed last Thursday evening on Radio 5 Live.  I had been asked to comment on the news that CDs containing information from three sensitive police inquiries, two of which involved‪ highly controversial shootings in London, have gone missing after being sent through the post.

The information covers probes into the role of the police in the deaths of three men – Mark Duggan, Azelle Rodney and Robert Hamill.

Ministry of Justice officials realised the discs had gone missing three weeks ago. A member of staff has since been suspended.

Duggan was shot by police in 2011 while Rodney died in similar circumstances back in 2005. The third case related to the 1997 murder of Hamill by loyalists in Northern Ireland, which his family and campaigners claim involved police collusion.

Each case involved testimony from witnesses, including police officers, who were offered anonymity. It's unclear whether or not copies of the missing documents included the personal information of witnesses.

Preparing for the interview, the only useful background information I could find was contained in a BBC news report. Subsequently I noticed that the Ministry of Justice had released an official statement, providing a little more material – but answering none of the questions that the privacy community really wants to raise.

Were the discs encrypted? If they were, I would have expected the MoJ to have said so by now. Instead, the official statement ominously comments that: “It is essential to take the most precautionary view and to take all necessary steps to safeguard the interests of anyone whose information could be disclosed. Police and other agencies have undertaken their own risk assessment, and have identified and taken any steps necessary to ensure the protection of officers.”

From this, I am assuming that the material was not encrypted. It might have been password protected, but that’s not the same as encryption.

I also asked why it was decided to send such sensitive information by post, given that anyone with even basic security training would be well aware of at least some of the secure file transfer technologies that have been available for many years.

Just what sort of risk assessment took place before the material was sent?

And even if the discs had to be physically delivered, why were they not couriered to the recipient?

My final point was that the cost of a courier was highly unlikely to exceed £180,000, an amount that the ICO has, on two occasions in the past year, fined the Ministry of Justice and the Department of Justice in Northern Ireland for their poor data protection handling practices.

Given the huge array of security policies that Government Departments have in force that make whatever happened indefensible, I struggle to understand why, on this occasion, public officials were not given the right tools to enable them to do their job properly.

Yes, I understand that someone has been suspended over the incident. But is this person just the poor wonk that popped the discs in the post, or is it their manager, who is (quite possibly) much more accountable for the incident, because they failed to ensure that their staff had the tools that were necessary to enable them to do their job?

Lots of questions. The privacy community (and the victims of this deeply troubling incident) are looking forward, with considerable interest, (and no doubt a certain amount of trepidation) to learning the answers.