UK government staff caught snooping on citizen data

UK government staff caught snooping on citizen data

Summary: What a surprise: the U.K. government was forced to reveal under Freedom of Information laws more than 1,000 civil servants have 'snooped' on British citizens' private data.

SHARE:
TOPICS: CXO, IT Employment
10

Don't worry about hackers illegally accessing government systems. It turns out government workers and civil servants who are trusted with private citizen data are more likely to access your data illegally.

The U.K. government is haemorrhaging data --- private and confidential citizen data --- from medical records to social security details, and even criminal records, according to figures obtained through Freedom of Information requests.

Just shy of 1,000 civil servants working at the Department for Work and Pensions (DWP), were disciplined for accessing personal social security records. The Department for Health (DoH), which operates the U.K.'s National Health Service and more importantly all U.K. medical records, saw more than 150 breaches occur over a 13-month period.

And all this comes to light no more than a fortnight after the Queen formally announced the U.K. government will monitor all Web and email traffic, and log all landline, mobile phone, and Skype calls.

And it's the privacy campaigners who are in the wrong to say that the data won't be illegally accessed or abused?

There is one, simple fact: from health records to criminal records, employment details and other personal data, government databases are not only open to abuse, but are actively being exploited by the very people we supposedly trust with our data.

Crunching the numbers: the DWP has a database of around 100 million people. More than 200,000 civil servants have to be vetted to extremely high standards before they can access this database.

Between April 2010 and March 2011, 513 civil servants were found to have made "unauthorised disclosures of official, sensitive, private and/or personal information”. The year continuing, between April 2011 and January 2012, more than 460 staff were disciplined.

The DoH on the other hand said it did not log each and every breach of unlawful access to U.K. medical records. It did say there were 158 recorded breaches in 2011. Only four years earlier, there were only 28 cases, representing a fivefold increase.

The FOI requests were made by Channel 4's investigative series, Dispatches.

Out of the hundreds of thousands of employees in both departments, the numbers represent only a fraction of the total staff. Having said that, it took only one person --- allegedly --- to leak more than 250,000 U.S. diplomatic cables to Wikileaks, the largest unauthorised release of classified data in the history of the United States.

Currently, under the Data Protection Act, it is a criminal offence to obtain or disclose personal data without permission or procure disclosure to other persons. The penalties for a criminal offence go up to £5,000 ($7,900) in a lower magistrates court, or an unlimited fine in a higher Crown court.

Some British politicians even called for some extreme data breaches to result in prison sentences --- something dismissed by other parliamentary committee members.

Rarely does the fine rise to five-figures, let alone six. Only recently, one Scottish local authority was fined £140,000 ($220,000) for five separate data breaches --- the highest fine imposed by the courts to date.

But as is often the case, the financial benefits from selling personal data are rarely outweighed by the fines or penalties imposed.

Under new legislation presented by Europe, if a data breach occurs, whether by an individual deliberately acting outside the law, or accidentally due to unforeseen events, the person for which that data relates to must be informed.

But those laws are at least two or three years away, and until then, companies and public sector organisations will face meagre fines compared to the €1 million flat-rate or 2 percent of their annual global turnover.

Image credit: ZDNet UK.

Related:

Topics: CXO, IT Employment

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

10 comments
Log in or register to join the discussion
  • No real penalties for abuse.

    Yes, there are laws. No, they are not enforced. Out of the thousands of breaches that are [i]known[/i], none of the actual perpetrators were really punished. Letters of reprimand, hah ...

    And of course the known cases are only the tip of the iceberg, since ALL parties have an incentive to hide the wrongdoing as much as they can. The ones being reported are usually just the clumsiest ones that can't help but get caught.
    terry flores
    • so much true

      and that is the reason all sane people are against governments spying on citizens: there is being much more harm done to society (by government criminals) than any benefits (against non-government criminals).
      polarcat
  • I can't believe such things are being done in the free West

    I'm shocked I tell you, shocked to my bones. Please tell me this is just another bad dream -- or some Monty Python skit gone awry.

    *pinch*

    No it's real.
    klumper
  • UK government staff caught snooping on citizen data

    my classmate's sister-in-law makes $84 hourly on the laptop. She has been fired for 7 months but last month her income was $9078 just working on the laptop for a few hours. Go to this site[N][u][t][t][y][R][i][c][h].[c][o][m]
    ArmandoWhite
  • Really

    Is there anyone who is actually shocked that a government entity is spying on its citizens? For that matter, does any one know of any government that DOES NOT spy on its citizens?
    rgor@...
    • Sadly not.

      Even in Freedonia they spied on its poor innocent citizens. Horrible.

      http://www.marx-brothers.org/watching/film/Duck_Soup.htm
      It'sNotMe
  • The way forward... logging and limiting access.

    Access to the data needs to go through a service which logs who and when it occurred, along with a justification. Then this needs to be visible by the citizen.

    Also, bulk data access should be prevented. If a government employee attempts to access large quantities of data (for example, twice more than their role requires), an alert should be triggered and an investigation launched. Another trigger can be set up to automatically block access (for example, five times more data than the role requires). This would prevent large data leaks.

    If bulk data is required, for reporting/statistical/analysis/etc, it should first be anonymised, with a qualified expert judging the anonymity. Access to this bulk data should then be controlled. If a government employee has access to more than one type of bulk data then the aforementioned expert should perform another anonymity check to ensure cross-referencing does not remove any level of anonymity.

    It's not a difficult thing to implement, especially if the system is yet to exist.
    vodzurk
    • Or...

      We could just not trust government with our data. Government, particularly in Western Europe and more and more often, in the U.S. are overstepping the bounds of why they exist. Government is not here to provide healthcare or jobs or pensions. Government exists to protect your rights from infringement by any other entity, even government.
      swmace
    • It never works

      What you are essentially saying is that government should set up a system to limit its access by its own agents. Guess what? They already have laws for that, and the laws are broken every single day. No "system" is going to change that, especially if the "system" is under control of the people who are breaking the laws in the first place.

      As swmace has said, the only way to keep the government from abusing the data is to not allow them to have it in the first place.
      terry flores
    • Or eliminate unlimited contracts once more people rely on broadband...

      And why limit it to just private sector people? Get everyone involved as it means higher profits for each 10GB they want... even though it'd be more beneficial to them to charge by the single GB, but profiting is about the benefit of the provider. Not the customer. And if the provider can convince the customer that they are getting a good deal, clarify the word "they" and then think of other people in the same boat...
      HypnoToad72