I’ve blogged before about some of the security issues around the NHS’s Personal Demographics Service – a mammoth database with 80,000,000 personal records in it, yet with 700,000 people granted access to it – and with such limited auditing systems that experts have concluded it is “incredibly difficult if not impossible” to detect or trace misuse of the data.
So it was good to see Julian Huppert take up the issue with a Parliamentary question, asking the Department of Health what assessment it has made of how adequate the safeguards in the PDS really are at preventing illegal access to personal data.
Two points are notable in the answer from Health Minister Simon Burns. First, although the question asked what assessments had been made, the answer gives no details of any assessment having been carried out, which is hardly reassuring: the natural reading is that no recent and thorough assessment has been conducted.
Second, the answer makes the classic IT security mistake of talking at some length about the protections against outsiders hacking in and then glossing over the risk of insiders misusing data. It is a classic mistake because insiders are frequently the source of security incidents, even in organisations where far fewer than 700,000 people have access to the records, as they do in the case of the PDS. All Simon Burns had to say about insiders is that it is the responsibility of hundreds of other bodies, all of which should be following the rules, with no indication of any action taken to check whether they really are.
All a bit of a gamble. Or rather, given 80,000,000 records, 700,000 people having access and no proper audit systems – a mammoth gamble.