LOL it was an amusing listing, is it me though or have the rest of the media missed the boat on this one viz ID cards, just why the NAO would need to see these records, and will the Data Commissioner impose a whopping great (landmark) fine on HMRC???
According to tonight's news, they didn't need to see the records, and after a previous occasion when they'd been sent the entire dataset on CD, NAO had asked them to only send the data that needed to be checked, not all of it.
Apparently SELECT fieldname, fieldname, fieldname was too expensive, when you could just SELECT *...
The whole thing is somehow boggling, yet utterly predictable...
It's just a bunch of civil servants who are a bit (lot) out of their depth, but now less dangerous for that.
If one does need to physically transfer that amount of highly sensitive data you physically walk / drive / fly it to where it needs to go. But what is wrong with remote access? Get your server / database to talk to my server / database. We know it's not that difficult, but I suspect that their IT systems are so wrapped up in protection, isolated from the rest of the world (rest of reality) that no friendly system can talk to another one.
I bet these are people who insist on 15 character passwords with lower case, UPPER CASE, 999, and $&^^%@!$ that change every 30 days which nobody can remember and everybody writes down. *shakes head*
The NAO presumably wanted the records as part of their audit testing. I'm not sure why they wouldn't do their testing and sample selection on site though, which would remove the need to send this kind of data through internal mail.
A question I keep wondering about is why this supposed 23 year old assistant-type person has access to just dump 25 million records onto a CDROM and pop it in an envelope.
I hadn't heard that was what had happened, but then I've not listened to the news this evening. My guess would be that the person who had the access just pulled the data and said to the assistant "get that over to NAO" and didn't bother to check exactly how it was to be done. A failure in instructions, as well as a failure in quality control.
I wonder if the assistant even knew what data they were dealing with.
That's just as bad, surely. Equivalent to giving the assistant the password. Worse, really, because so easy to copy a CD and all the records already neatly packaged for transport.
I'm not saying that it is better, indeed I would agree that it is worse.
The point I'm making is that it is the assistant's manager who is at fault, not the assistant themselves; other than perhaps questioning whether they should do it or asking for more details about what should be done. But the level of assistant (which I don't know) would determine whether they had enough knowledge to know to ask.
Date: 2007-11-21 08:42 pm (UTC)
Date: 2007-11-21 09:20 pm (UTC)
Date: 2007-11-21 11:02 pm (UTC)
Date: 2007-11-21 11:09 pm (UTC)
It makes me think of the joke about the countryman giving directions:
"well, if I was going where you're going, I wouldn't be starting from here!"
Date: 2007-11-21 10:07 pm (UTC)
Date: 2007-11-21 10:55 pm (UTC)
Date: 2007-11-21 11:07 pm (UTC)
Date: 2007-11-21 11:11 pm (UTC)
Date: 2007-11-22 10:47 am (UTC)
Date: 2007-11-22 12:25 am (UTC)
Possibly that was what the NAO was testing for!