25 million UK citizens exposed to ID fraud by HMRC
I attended the European Leadership Forum 2007 by BusinessWeek at Claridges yesterday.
There were a number of interesting keynotes and topics, including Jim Murphy, Minister for Europe, extolling the virtues of commitment to Europe until someone asked him why, in that case, the UK hadn't adopted the Euro, at which point it sort of fell apart. Lord Browne is always worth listening to, and Edward de Bono used an antique OHP to explain the future of 'thinking', which was fascinating and entertaining.
The Lunch Discussion, hosted and sponsored by Burson-Marsteller, emphasised the 'value' of reputation. This, given the recent HMRC debacle exposing 25 million UK citizens on the Child Benefits Agency database to the risk of identity fraud, was extremely timely. Undoubtedly the reputation of UK Government has again suffered despite the mea culpa grovelling but, according to the press reports that I have seen, there has been little or no recognition of the potential reputational damage and considerable inconvenience that the 25 million individuals could suffer above and beyond financial loss at their bank. HMRC lost similar 'sensitive data' pertaining to 15,000 Standard Life customers in September and, in October, a laptop containing 2,000 individuals' ISA data was just one of 41 such 'thefts' in the last year, according to The Times yesterday.
I accept that we all make mistakes and, hopefully, learn from them. The government, however, seems to make the same mistake over and over again. Surely Data Breach Notification, as requested by Richard Thomas, the Information Commissioner, would be a good first step.
A number of delegates asked me if this could have happened if the government had been using the PAOGA architecture. Simply, no! We have always maintained that 'sensitive data' should be kept separate from 'application data', so that the NAO request for aggregated data 'without sensitive data' would not have been met with the HMRC response 'too expensive to do'. Indeed, the resulting data set would have no value if lost or stolen and would pose no risk to the 25 million individuals, as each record would be unattributable.
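To make the separation principle above concrete, here is an added illustration in Python; it is not PAOGA's code and does not describe how PAOGA is actually built. The record layout, the field names, the random-token link and the pence-based amounts are all assumptions chosen for the example. Identifying fields go to one store, application fields to another, and the only link is a random token that means nothing without the sensitive store; an aggregated export built from the application side alone can then be handed over or lost without attributing anything to an individual.

```python
"""Added example (not PAOGA's code): keep sensitive data and application data
in separate stores, linked only by a random token, so that an aggregated
export of the application data is unattributable if lost."""
import secrets
from collections import defaultdict

# Assumed field names for this illustration; a real schema would differ.
SENSITIVE_FIELDS = frozenset({"name", "ni_number", "bank_sort_code", "bank_account"})

# Constructed, fictional sample records: no real people, numbers or accounts.
RAW_RECORDS = [
    {"name": "A. Example", "ni_number": "QQ 12 34 56 A", "bank_sort_code": "00-00-00",
     "bank_account": "00000001", "postcode_area": "SW1", "children": 2, "weekly_pence": 3135},
    {"name": "B. Example", "ni_number": "QQ 12 34 56 B", "bank_sort_code": "00-00-00",
     "bank_account": "00000002", "postcode_area": "SW1", "children": 1, "weekly_pence": 1880},
    {"name": "C. Example", "ni_number": "QQ 12 34 56 C", "bank_sort_code": "00-00-00",
     "bank_account": "00000003", "postcode_area": "M1", "children": 3, "weekly_pence": 4390},
]


def split_record(raw):
    """Split one raw record into a sensitive row and an application row.

    The link between them is a fresh random token. It is derived from nothing
    (not from the NI number, not from a hash of the name), so holding the
    application row alone gives no way to recover who it belongs to.
    """
    token = secrets.token_hex(16)
    sensitive = {k: v for k, v in raw.items() if k in SENSITIVE_FIELDS}
    application = {k: v for k, v in raw.items() if k not in SENSITIVE_FIELDS}
    sensitive["app_ref"] = token   # the mapping lives on the sensitive side
    application["ref"] = token     # opaque; resolvable only via the sensitive store
    return sensitive, application


def load(raw_records):
    """Populate the two stores from raw input. They would live in separate
    systems with separate access controls; lists stand in for them here."""
    sensitive_store, application_store = [], []
    for raw in raw_records:
        sensitive, application = split_record(raw)
        sensitive_store.append(sensitive)
        application_store.append(application)
    return sensitive_store, application_store


def aggregated_export(application_store, group_by="postcode_area"):
    """Build the kind of aggregate an auditor asks for, using application
    data only. The per-record token is dropped as well, so the export
    contains no identifier at all, opaque or otherwise."""
    totals = defaultdict(lambda: {"claims": 0, "children": 0, "weekly_pence": 0})
    for row in application_store:
        bucket = totals[row[group_by]]
        bucket["claims"] += 1
        bucket["children"] += row["children"]
        bucket["weekly_pence"] += row["weekly_pence"]
    return dict(totals)


def leaks_sensitive_fields(rows):
    """Pre-release check: True if any sensitive field name survived into the
    rows about to leave the system. An export that fails this is not sent."""
    return any(SENSITIVE_FIELDS & set(row) for row in rows)


def resolve(sensitive_store, ref):
    """Re-identify an application row. This needs the sensitive store, which
    never leaves the system, and is the only place the token has meaning."""
    for sensitive in sensitive_store:
        if sensitive["app_ref"] == ref:
            return sensitive
    return None


if __name__ == "__main__":
    sensitive_store, application_store = load(RAW_RECORDS)
    export = aggregated_export(application_store)
    assert not leaks_sensitive_fields(export.values())
    for area, totals in sorted(export.items()):
        print(area, totals)
```

Two points worth noting. The application rows still carry quasi-identifiers (postcode area and number of children), so in a small population they could be combined with outside knowledge to narrow down an individual; the aggregate export avoids that by never releasing per-record rows, and `leaks_sensitive_fields` is only a check on field names, not a substitute for assessing what the remaining fields reveal. Second, the token must be random rather than derived from the sensitive data (a hash of the NI number, for instance), or the application store becomes attributable again to anyone who can enumerate NI numbers.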
So, how do you think that citizens will respond to the National Identity Register or the National Patient Records database now?
Private companies, which have also 'lost' vast amounts of sensitive data, are just beginning to realise the implications and potential consequences of being cavalier with their customers' sensitive information and, given the growing influence of social networks and bloggers illustrated by Burson-Marsteller, recognise that things have to change. Customers can and do walk away from a supplier they don't trust, but it is more difficult for a citizen to walk away from a government they don't trust, or for a patient to walk away from the NHS.
VRM (Vendor Relationship Management) provides individuals with the tools to manage and share relevant information 'under their control, with their consent, for their benefit' as an alternative to CRM which is, by definition, enterprise-centric.
I think that the HMRC data breach was probably the best thing to happen for the UK population in terms of privacy and online identity.
1. It contained enough sensitive data that the public had to be informed.
2. It was significant enough to cause the media to react and huge public outcry to ensue.
3. It was big enough in terms of sheer numbers that people and banks could be put on alert, perhaps minimizing the actual effects.
I suspect that the data was simply lost and not stolen for malicious purposes, but I could be wrong there (let's hope not).
Now all of this has caused the government to re-examine their flawed proposals for a national identity card and for centralized databases and insecure data management practices.
I did post a note that asked some questions as to what ID fraud actually is and how it was related to the credit scoring system that is currently in place. (http://www.realtea.net/id_theft)
Posted by: Gammydodger | December 01, 2007 at 03:19 PM