Last weekend I noticed some tweets from the ever-vigilant Dissent Doe. She said
I’ve spent 5 min on NHS’s web site and still can’t figure out how/where to report or question an IT security issue. Anyone?…It’s 2015. It really shouldn’t be so hard to find a contact email to use to notify an entity of a security breach or vulnerability…So I finally said, “screw this waste of my time,” and emailed @ICOnews to alert them and ask them to pass the notification to #NHS
Knowing that she wouldn’t tweet this without good reason I made contact, and she referred me to a list of what looked like serious data security vulnerabilities on a range of NHS websites. The list had been posted openly on the internet by a well-known hacker (for obvious reasons I won’t link to it).
In response, I contacted an NHS Information Governance professional, who quickly pointed me towards the IG Alliance. I sent emails to two people, but have not yet had a reply. I even tweeted Tim Kelsey, the NHS’s National Director for Patients and Information, but he didn’t reply. Eventually, a contact of mine managed to reach someone else (I’m being deliberately vague) and I have some reassurance that action will now be taken.
But when I told Dissent Doe this earlier today (06.02.15), she was pleased at that outcome but surprised that she had not heard anything from the Information Commissioner’s Office (ICO), whom she had alerted last Sunday. I told her that this had been my, and others’, experience when reporting serious concerns about data protection and data security. The ICO is tremendously over-stretched, and can’t immediately respond to all queries and concerns raised, but there is a community of knowledgeable and dedicated professionals who can help. One of the ICO’s main regulatory roles is, after all,
to promote the following of good practice by data controllers and, in particular, so to perform his functions under this Act as to promote the observance of the requirements of this Act by data controllers
Indeed, I’ve written on the subject before, and suggested this:
I think the ICO should consider operating a priority alert system when well-informed third-parties alert them to exposures of personal data. They certainly shouldn’t leave those third parties to do in-depth investigation.
I didn’t get a comment from the ICO when I wrote that previous post, but I also didn’t ask them for one. This time I will, and I’ll report back on what their response is.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.