Government at a loss over data security

You can't steal IDs that you can't read and that aren't there. Is this so hard to understand?

With the Ministry of Defence's loss of more than half a million personal details from a car in Birmingham, the best that can be said is that it's nearly 24.5 million fewer records than HM Revenue & Customs managed.

No doubt Gordon Brown will be announcing this as a 98 percent reduction in serious stupidity per quarter. Even at this rate, however, the entire country's private information will be in criminal hands by 2012. The Home Office could save time by starting up an RSS feed.

Such levity may not be appropriate to the scale of the problem, but it's matched by the lack of practical concern shown by the civil service and its masters. Reviews have been set up and investigations launched, but these are foundering due to the sheer scale of internal disorganisation they're uncovering. With nobody in charge, nobody can be brought to book.

This is the first thing that must change. We don't much care who takes control, as long as they're competent, open and ruthless — a combination of Alans Turing and Sugar — but clarity of purpose and lines of command are essential.

The policy that's needed is one of zero tolerance to mass unencrypted data beyond the firewall. The only time your address should be visible to the outside world is when it's printed on an envelope and handed to the postman. No more laptops with files in clear text. No more CDs in the mail. And no more junior officers, managers or civil servants running around with half the population's private details at their command. Access to this information en masse has to be taken as a serious responsibility, by organisations who understand how to structure such things with suitable checks and safeguards.

We're no longer in the age when massive buildings full of manilla folders define the state's knowledge of its citizens. We are also no longer beholden to the idea that systems, as well as their contents, must stay secret. Public review of safeguards and protocols is a must: assume people know how things work, assume mistakes will happen, and demonstrate that this openness and these mistakes don't matter.

Until the public servants can do this, there is only one reaction to any future plans to increase state data holdings, such as ID cards and databases: loud, raucous and unstinting laughter.