Wednesday, November 21, 2007

Child benefit data: Making the simple expensive

One thing that particularly appals me about this fiasco, on top of all the things that appal us all, is the revelation, here, that
Mr Leigh said the reason given for turning down the NAO request was that desensitising information would require an extra payment to data services provider EDS.
Have we really surrendered so much control over government IT to consultants, that simple operations on the data are now impossible?

A colleague of mine was working a few years ago, on a job which involved having customer information on a laptop, which he would carry about with him. One simple step he took before leaving the building was issue a command to his copy of the database, such as
UPDATE Customers SET BankAccountNo = '12345678'
This obliterated all the bank account numbers, replacing them with 12345678, thus rendering the laptop rather less sensitive. It would probably take 30 seconds to type and run. And it is not rocket science: you could learn sufficient SQL for this sort of operation on a 1 day course, if you were not smart enough to get it from the manual.

Even this, of course, was not good enough. The company should have had a security policy and a security system that prevented the bulk capture of this sort of data. He didn't need these bank account numbers in the first place - it was just simpler to copy the whole database.

The idea that such a simple operation might involve a significant cost is breathtaking. I can understand that if a consultant has to be called in, even for 30 seconds work, there are many ancillary costs, and a fairly hefty bill may be reasonable. But this just emphasises the importance of having some basic competence over your core activities. By all means outsource development projects, but don't outsource control or understanding.

1 comment:

Tony Kennick said...

There has been lots of discussion at work recently whether we should ape the PCI-DSS credit card standard for other sensitive data our clients hold like bank account numbers etc or keep on with our current minimum standards which while lesser than those suggested by visa and mastercard kick the arse of the standards the government are using into a cocked England round-ball game manager.