What about the burners?
This is a start but they still need to ensure that staff use the encryption when it is available and that keys are never allowed out of the office with the encrypted data.
Even more basically they need to stop storing information that they don't need and format/index the data properly so that personal data is not transmitted (securely or otherwise) when it is not needed - as was the case in the HMRC data-dump fiasco
Finally CD burners and USB ports be claw-hammered out of every UKGov computer.
The phrase I'm looking for contains the words:
Horse, Gate and Bolted...
nope, it's gone and clean slipped my mind, ah well, pass the USB stick I gotta copy the database....
PH icon obviously because she's a shining example to us all at keeping highly personal data safely tucked away....
Surely someone's telephone number counts as personal data? Does this mean no mobile phones containing the name and phone number of any living person can be taken off the premises?!
Best wipe everyone's contacts list then. What use is the phone now?! Sure, they can receive incoming calls, but since no-one is going to make any calls, that means no-one will receive them! ROFL!
What sort of mobile?
Not allowing people to take their mobiles /PDAs might be a tad on the harsh side.
If they are using Activesync surely they can just use the handy 'Mobile Admin' tool which allows you to send out a command to delete all emails & contacts which are synced with the Exchange server if the phone goes missing.
If this service is available on a Microsoft system surely other systems have even better loss /theft data loss prevention measures in place.
Granted it's not perfect- all you have to do is keep the device offline & everything is still there but not allowing people to take mobile devices out the office seems to kind of defeat the purpose of a 'mobile' edvice non?
Re: But WTF
I think the point is that they've just caught up with normal industry practice (at least where I work) in that any laptop gets an HDD encryption system installed by IT before it gets to a user and every user of that laptop has an individual username/password that is needed before the laptop won't even boot ('cos without authentication the code that handles the decryption of HDD won't decrypt).
If you read the article carefully it's only banning unencrypted laptops from being taken out.
properly administered database, anyone?
Obviously it will take months or years to implement but the real answer is secure database on a server and vpn style access for mobile users to get their needs on the move from some appropriate front end. Obviously a bit of encryption is all well and good, but we all know laptops and pda's are bound to get lost or stolen, so really the best answer is for the data not to be on the *??* thing in the first place
A relative (an IT contractor) has just been summoned by a senior mandarin demanding to know why data is being moved on CDs. Answer - you, O great one - have vetoed all the many proposals to move it some better way. Says it all, really...
@But WTF by Paul
Ah, but under this guidance laptops can leave the office if the laptops hdd is encrypted.
(Even if the encryption phrase is written down on the laptop or, more likely, written on a yellow sticky accompanying the laptop - that's what happens when the focus is on encryption and not on security.)
@ Paul / But WTF...
"Any source of information about 1000 identifiable individuals or more [...] Clarification is being sought". Lovely. Now, I only have to worry at the moment if I'm on a list of 999 people or less.
Erm, lots of organisations use laptops for preference over desktops. And many of those same organisations don't let you take them home. Just because it's a laptop doesn't mean that you *must* take it out of the office every night - usually it's so that they can walk between departments and take their laptops with them (often stuff isn't centralised on a server or their laptops are so individualised that they like to have the correctly-configured apps with them all the time; I used to work for an organisation with exactly this sort of setup, laptops for all). Don't be so naïve.
Weel Gee, no-one ever moves from their desk to a meeting room, or goes to another part of the building, so why on earth should they have laptops.
And, in any case, they're NOT saying the laptops can't leave the office, they're saying they can't leave the office unencrypted, if they've got PII on them.
Which should have been the case before.
Yes, it's after the horse has bolted, but at least they are now/finally taking steps to stop any more horses bolting
Re: But WTF...
Laptops are very popular in offices when you can't rely on the electrical supply. Desktop systems suck if you get brownouts several times a day. Laptops were suddenly very popular in Californian offices when they ran out of electricity.
Anyway, the point that is being hammered home is you can take the laptop out but you must leave the personal data behind ... unless it is properly encrypted.
I'm sure the MRC has lots of statistical data or technical data that escape these restrictions. Statistical data on a drug trial may be commercially sensitive but it's not personal data.
Ahem. Anyone else spotting the uk-sized loophole?
Noone employed in those affected departments are allowed to bring the data out of the hose on enencrypted passwords.
How many consultants are they currently hiring?
And, have the UK all-of-a-sudden standardized on a sane encryption scheme that couldn't be decrypted using a 1940s computer setup?
Are they supplying all of their contractors with something resembling a sane standard to use for those CD's they are sending out to developers?
How about the data they are shipping abroad, quite possibly to countries where encryption that cannot be brute-force opened on a 1990s pda, such as France?
I guess the real improvement will only happen when an EU-Directive establishing a standard for encrypting private data surfaces, and this standard of course should establish a clear and consise method for several vendors to implement software to handle the files. Any other option would be illegal, since there would be no possibility for competing products. Since such a standard would have to be established all over EU, the maximum level of encryption, would be the lowest common multiplum limited by local laws. Unless our frogeating friends has fixed their hopeless law, we can look forward to a standard resembling the CSS of DVD. Thus, the encryption will be on level with ROT13.
Isn't this wonderful?
From an Anon-y-mouse MRC employee
The guidelines apply to all removable media.
This being the MRC (Medical Research Council) this is about personal info collected about people in the course of research so what must be encrypted is the database that connects details of which sample (blood, tissue etc.) belongs to which patient and any details we hold about that patient.
This kind of information is never on file without the people concerned knowing because we only got it by asking them.
You can take your laptop from the office if either it has none of this type of information on it or this information is encrypted. Similarly for mobiles.
I work at an MRC unit but don't have any of this type of information anyway so this doesn't even affect me. Most people at most MRC units will probably be mostly unaffected. We don't keep large databases of peoples information. We keep small ones for specific research projects.
Start with the fundamentals - unlike this letter
How about 'WTF is there any personal data on laptops in the first place?'.
There are *very* few reasons why there should be original source data (as opposed to obfuscated) on laptops.
If they need personal details as part of a study it could (and should and *must* ) be changed so as to contain the same *type* of data, but none of the original details. And then encrypt *that* data. Its just a matter of time before some buffoon puts the key on a yellow sticky, as already pointed out.
Encryption gives them an excuse to store data they shouldnt be keeping to start with.
If you look at laptops in Tesco...
...they're big brutes. But they look to use less electricity than an equivalent PC, they have something very like a UPS, and you could put the whole machine in secure storage at the end of the day.
What I find a little worrying about the letter is the slightly odd definition of "personal data". It's something defined by the Data Protection Acts (and the exemptions for medical data are about patient access, not about security/safety of data..)
I'm not sure just what they mean when they talk about "in the public domain", but I'm guessing that it includes anything in a telephone directory. Is there a telephone directory for mobile phone numbers?
Maybe we're missing some of the context?
Not so mobile.
A lot of people use a laptop in preference to a desktop for a variety of reasons these days. But even so this does smack of the company that bought the sales force laptops so that they could use them on the road and then chained them all to the desk after a couple got stolen.
Simple solution just keep all the Government officials locked up. Result no loss of data period.
From a personal perspective.
There have been rules in place to stop this from happening in our department for years.
However the users just ignore them or get upper management to make is carry out their requests.
And whenever I say that we need to educate the users using a taser, big stick, hessian sack and a bottle of water they call me crazy.
I have seen claims where the User address is *PERSONAL*
Is considered private and confidential. Telephone numbers are iffy(IMO) as they are published in the telephone book or they can be found at your local white pages (in the US not sure about across the pond).
I am not sure that the privacy rules for the EU are the same as the US.
How very interesting that so many people are jumping on the band wagon of Encryption. I would just LOVE to see how many Private Sector laptops are stolen/lost during a WEEK, let alone a year.
Name ONE good encryption package that doesn't make a laptop a futile mess of electronic parts.
Having been working in the Private Sector for over quite a few years, I'm surprised by some peoples comments regarding encryption on laptops when there is virtually zero encryption on private sector laptops with financial details for hundreds of thousands of people. Just because it's the UK gov, everyone starts to jump on the "Ah, they are muppets" or "wtf? Horse, bolted.." band wagon.
I say, good on them for reacting quickly, rather than sweeping it under the proverbial red carpet. Might not be pro-active, but it's better than most of us departments in the private sector.
This is just sensationalist to the extreme...
Re: Er ... how do you encrypt a telephone number?
Ah. You can do that with a BlackBerry... of course its a bit of a hassle as doing stuff the "real secure way" means that getting an incoming call while the device's locked will only show the Caller ID, but not the Contact Info you have in your phone (as it is encrypted and the private key's wiped out while the BB's locked down.)
Still, that is assuming everyone even *has* Blackberries... I doubt they'd supply an entire fleet of BB's to ever man+dog in the place just because of new security requirements.
At least they are conscoius now; I have been in places where access to sensitive stuff like root passwords are kept in cleartext ... in a financial institution. Or having some hassle with "something about SSL certs" and Management giving the green light on firing up a *production* service *without* SSL as a temporary solution. Oh, would the SOX guys feast on such stuff...
Oh, and only 4 of us even knew of PGP. Of course, all my sensitive stuff was PGP'd, so much that I think no one will be ever able to get useful info from my former PC ever again... ;)