Pages

Tuesday, 21 June 2011

Data security and the UK census

The claim:
'Census data security measures

Data security and confidentiality is a top priority for the census. In addition to the strong protection provided by the law, ONS has put in place stringent additional safeguards.

All census employees and contractors working on the census sign a declaration of confidentiality to guarantee their understanding and compliance with the law which makes unauthorised disclosure of personal census data an imprisonable offence.

All staff who have access to the full census data set in the operational data centre will work for ONS.

All staff processing any personal census data will be security cleared to the UK Baseline Standard. This requirement has also been extended to all employees of the supplier and their sub-contractors handling any personal Census data.

Staff with access to the full census data set or substantial parts of it will have security clearance to handle material classified as ‘Secret’.

Underlying security requirements for census data are based upon UK Government Security Guidelines issued by the Cabinet Office and by Communications – Electronic Security Group.

Census data is classified as restricted under the scheme of classification of government information. For more details see the link to Cabinet Office website pdf of classifications.

This classification brings a whole set of standards and safeguards which have been put in place to ensure that the data remains secure. This includes control of physical access to any site or room where the data is kept, secure control of access to IT hardware and of course IT systems.

ONS will control system access rights to all systems and data.

All security measures cover the completed questionnaires, the electronic data set, the website, the archive image system and the communications links relating to any of these items.

All of the electronic communications links over which personal census information will be routed, will be encrypted (scrambled) to the levels recommended by the Government Security Services.

The census security programme is being managed to the framework of ISO27001 - the internationally recognised Information Security Management Standard.

ONS will commission an independent review of systems and procedures covering both its own systems and those of all contractors. These reviews will include systematic checks during the operations. The independent security auditors will be accredited by the government security services to carry out these reviews.

Use of census data and data confidentiality

We have secure systems in which to hold data, with stringent controls and procedures in place. We do not store any financial details, and names and addresses are removed from the data sources used for the day to day production of statistical tables.

The information in questionnaires is used only for census related publications and analyses published for geographic areas. These outputs do not attribute any of the statistics back to specific individuals.

Once the analyses are complete and the information is published, archived copies of the forms will be securely filed away and the personal details they contain will not be released for another 100 years.

All handling and storage of data complies with the Data Protection Act.
Census data and the US Patriot Act

Concerns expressed about the possibility of the US Patriot Act being used by US intelligence services have been addressed by a number of additional contractual and operational safeguards. These arrangements have been put in place to ensure to that US authorities are unable to access census data.

Existing law already prevents the disclosure of census data – it is a criminal offence to disclose personal census data and is punishable by a fine and/or up to two years in prison.

All census data is owned by ONS and all of the legal undertakings of confidentiality of personal Census information will apply to both ONS and any contractors.

All census employees and contractors working on the census sign a declaration of confidentiality to guarantee their understanding and compliance with the law.

All staff who have access to the full census data set in the operational data centre will work for ONS.

Contractual arrangements ensure that only sub-contractors registered and based in the UK and either UK or EU owned will have access to any personal census data.

Staff with access to the full census data set or substantial parts of it will have security clearance to handle material classified as ‘Secret’ under the UK Government’s classifications.

The prime contractor is Lockheed Martin UK Ltd. Additional specialist services will be provided by Cable & Wireless, Logica, UK Data Capture, bss, Steria, Polestar, Oracle and Royal Mail. Lockheed Martin UK will design the processing systems for ONS using its expertise and past experience. The day to day running of operational services will be provided by the consortium of specialist service providers. All of these specialist subcontractors are registered and owned in the UK or elsewhere in the EU.

This contractual structure means that no US companies will have any access to any personal census data.

No Lockheed Martin staff (from either the US parent or UK company) will have access to any personal census data.

All data will be processed in the UK and remain in the UK.'


The reality (?):
This morning I am hearing claims that the hacking group LulzSec say that they have obtained a copy of the entire 2011 Census.



My conclusion:
If true this is more than a little disturbing. Will I have a claim against the Office For National Statistics under Information Commissioner legislation?


Oddly I didn't want to fill in the Census but Mrs NotaSheep got jittery at all the reminders and said that we must do it...

1 comment:

  1. I just assumed the Government had arranged to sell all the details anyway. In any case, Government systems have no serious security anyway, so I always assume that any personal information Government have is not confidential.

    ReplyDelete

By clicking "Publish your comment" you indemnify NotaSheepMaybeAGoat and accept full legal responsibility for your comments