Business Advice, Luton

Phil Connor, Consultant at Eximium Ltd

The expansion of the DNA database – has it become a data security issue?

Last autumn, while visiting the London HQ of the Forensic Science Service, Tony Blair, who was still Prime Minister at the time, called for the national DNA database to be expanded to include every UK citizen.  Gordon Brown raised the matter again in a speech this week.  In light of continuing high-profile breaches of data and information security in the public sector, and concerns that even the highest profile information systems are not safe, has this debate become a data security issue?

What are the arguments for the database?

So what are the implications of this? The arguments for a DNA database are compelling:
1. Without DNA evidence, convictions may not always be secured.
2. Police time can be saved by narrowing down suspects very quickly.
3. Unsolved crimes spanning many years can be solved and the criminals brought to justice.

A case in point centers on Mark Dixie, a pub chef from Surrey, as detailed in this article from The Times Online by Richard Woods and Daniel Foggo earlier this year:

“Dixie was regarded by friends as an ordinary guy who enjoyed a party. He had managed to keep hidden a history of violent sexual assaults and had emigrated to Australia in 1993 before the collection of DNA became routine. He was not on the national database when he returned to Britain.

In September 2005 Dixie was prowling the streets in the early hours when he chanced upon Sally Anne Bowman, an 18-year-old aspiring model, returning home. He pounced in the driveway of her house and stabbed her repeatedly, inflicting wounds that one detective said were “off the scale”. Dixie sexually defiled Bowman’s corpse.

Although police recovered DNA samples of the attacker, the database held no match. For nine months the murder investigation made little progress. The police, believing the killer lived locally, had a list of more than 22,000 suspects.

Then in June 2006, Dixie was arrested after a fight broke out among football fans watching an England match in a pub.

The police were puzzled as to why he burst into tears as he was taken away. Dixie knew what was coming. His DNA was taken and within days was matched to the Bowman murder case. Dixie was sentenced to life.”

And the arguments against?

But what about the arguments against a DNA database?
1. Is the data held accurate? Or can mismatches occur?
2. Is this data secure and safe from malicious interference?
3. How would it be used and can we be sure it won’t be used inappropriately?

Expanding on point two, you have to look at recent and past high-profile breaches in data security, and the government’s record on securing data. Most recently there is the case of a “serious” security breach after a civil servant lost top-secret documents containing the latest intelligence on al-Qaeda!

Then we have the Prime Minister, who used a speech on June 17th to claim that the government’s policies of creating a DNA database were protecting civil liberties rather than eroding them. His bid to champion the security agenda was undermined, however, when it emerged that Hazel Blears, the Communities Secretary who has been spearheading a “hearts and minds” campaign to fight extremism, had her laptop stolen from her constituency office in Salford! The computer contained restricted government files on extremism and defence, although aides stressed none of the files were “top secret”!

Conclusion

To conclude I would suggest that the majority of the general public would welcome such a database, but ONLY if they knew that:
• The data held was 100% secure
• It would not be used or accessed inappropriately

But as history has proven that neither of these conditions currently has the remotest chance of being met, we have compelling arguments against an idea that should, in reality, stand up on its own!


Business Advice, Luton

News

HMRC fires staff for reading personal data

An MP has revealed that over 600 staff at HM Revenue and Customs have been disciplined for reading taxpayers’ personal histories. Treasury Financial Secretary Jane Kennedy said that 238 people were disciplined in 2005, 180 in 2006 and 192 in 2007.

While some employees received a reprimand, the MP revealed that a large number had been fired.

Kennedy said that HMRC has a “strict policy forbidding staff to access customer records unless they have a legitimate business need.

“Breaches of this policy are taken seriously and will result in the commencement of disciplinary proceedings,” she said. “Each case is treated on its merits but, in many cases, the disciplinary penalty for breach is dismissal.”

The cases highlight continuing concerns about the department’s competence in handling data on UK citizens.

“The data loss that occurred last year at the treasury was the start of a string of stories concerning the mishandling of Government data. What for years was a trusted area is now under the spotlight, where revelations such as this will undoubtedly raise eyebrows,” comments Derrick Cameron, from IT firm Eximium.

“Businesses must deploy an information security solution, which hides sensitive data unless the request is genuine, if they are ever to completely overcome human curiosity and error,” adds Cameron.


IT Solutions, Buckinghamshire

News

Firms should think about email leaks

Around half of all employees have sent emails to the wrong person. In a month dominated by news headlines about missing data on disc, a new report shows that misfiring e-mails can also be a serious cause of leaked data. Businesses are increasingly concerned about sensitive company information being leaked by email.

Research conducted by IT security firm Sophos has highlighted the problem and concludes that half of all employees have admitted to sending an embarrassing or sensitive email to the wrong person. The potential level of trouble for a company is high because as much as 80 per cent of a company’s business records are contained in emails.

“As more and more business and personal interaction is conducted via work email, the risk of clicking send without double-checking the recipient’s details is growing,” said Graham Cluley, senior technology consultant at Sophos.

“I think most people have experienced that heart-stopping moment when they realise that their message is heading towards the wrong person. I received an e-mail last week revealing an MD of a company has serious mental issues verging on a breakdown. The e-mail was rapidly recalled but by that time I had read it and the damage could have been serious,” says Derrick Cameron, MD of IT firm Eximium. “Technology can make human error faster and more damaging.”

There is now technology which scans messages for sensitive data and keywords, and uses encryption to ensure that business-critical emails are sent securely. “Most data leakage on email is accidental and not malicious. Companies should put a solid security policy in place, and educate employees on how to use email with care. Whilst this won’t eliminate the problem, it will reduce the number of red faces experienced in 2008,” says Cameron.


IT Support, Buckinghamshire

News

Small Firms unaware of Data Protection issues

Small businesses have a much lower awareness of the principles of the Data Protection Act than larger organisations, according to new research commissioned by the Information Commissioner’s Office.

Whilst over half of small businesses recognise the importance of keeping customers’ personal information secure, only 22 per cent are aware that the Data Protection Act requires them to keep all customer information accurate and up to date.

In an age when the risk of identity fraud is increasing, these findings are a worry and a potential risk to smaller firms. Derrick Cameron of Eximium comments: “Whilst individuals are regularly urged to protect their personal information, companies of all sizes also have a responsibility to be certain that customer data is secure and accurate. This is a serious issue that can easily come back to haunt companies - ignorance is no defence in law.”

Full information on the law is provided in the Good Practice Notes published by The Information Commissioner’s Office.
