US govt: Treat personal data 'like toxic waste'

Organizations should treat personal information that can be used to identify individuals "like toxic waste", according to the U.S. federal agency that develops and promotes measurement, standards and technology in information systems.

Information which can be used or combined to identify individuals should be treated like a hazardous substance by those charged with looking after it, according to National Institute of Standards and Technology (NIST) senior supervisory computer scientist Tim Grance.

"If you have high-value personal identifiable information, it's like toxic waste," said Grance at the RSA security conference in San Francisco on Wednesday. "You don't put toxic waste in your car or on a laptop and carry it somewhere. Treat it like it's bad stuff."

Consequences of the loss of high-value information, such as bank details, names and addresses, can be severe, warned Grance. "Think of the impact to your organization of a breach," said Grance. "The consequences are quite real in and out of government. You're only a banana peel away from oblivion."

There have been a series of high-profile data losses by civil servants in the United States and the United Kingdom in the past year, including the loss of 25 million personal details by HM Revenue & Customs in the United Kingdom last autumn.

Grance said that civil servants should work out what information they have, decide what level of sensitivity applies, use technical means to identify records which can then be reconstituted at need and minimize data collection.

Hugo Teufel, chief privacy officer for the U.S. Department of Homeland Security, also speaking at the conference, said that civil servants needed to be educated about the risks of data compromise and how to prevent it.

"My answer is always: educate, educate, educate," said Teufel. "Whenever you have people together--or any carbon-based life forms--they make mistakes."