Matthew Henty

The Pensions Trust have issued an update letter explaining the steps they have taken to deal with the situation since an unencrypted laptop with customer information was stolen from the offices of NorgateArinso.

They seem to have dealt with it pretty well, and it seems unlikely that The Pensions Trust will make the same mistakes again. But does something like this have to happen to each and every organisation before these simple steps are taken? Can’t they learn from the mistakes of others?

Previous post here.

PensionsTrust_1

PensionsTrust_2

I went to Liberty’s 75th Anniversary Conference on Saturday 6 June, held at Central Hall, Westminster. The two morning sessions were of the very highest quality, unfortunately the afternoon didn’t reach the same uniform excellence – although Shami Chakrabarti made a good final keynote – and Louis Christian was a little uneven as the Chair.

The unquestioned highlight was the keynote speech by Lord Bingham, a fantastic explanation and rousing defense of the European Convention on Human Rights (ECHR) and the Human Rights Act (HRA). He addressed many of the spurious arguments made against the Human Rights Act in a simple list of ten points. For example, that it is undemocratic, that it elevates the rights of the individual above the community, that it is foreign, gives judges all the power, that it does not mention our responsibilities only our rights, and so on. And he did so in a overwhelmingly convincing manner.

Is the Human Rights Act a foreign import? Well, no it is an incorporation into British law of the ECHR. And much of the ECHR is based on existing British legal tradition. The drafting of the Convention was overseen by Sir David Maxwell Fyfe. The United Kingdom was the first country to ratify the Convention. And so on.

Does it elevate the rights of the individual over the community? This is often raised when asylum seekers or prisoners, or an “other” uses the HRA to achieve some improvement in their life. Well yes, the ECHR and the HRA do elevate the rights of the individual over the community in some very specific ways: the right not to be enslaved or to be punished retrospectively. Can any person who gives this a moments thought seriously argue the right not to be enslaved should be conditional on the interests of the community? Really?

The most overwhelming case for both the ECHR and the retention of the HRA comes in his tenth and final point:

In the manner of a bad advocate, I save my strongest point for my tenth and last. The rights protected by the Convention and the Act deserve to be protected because they are, as I would suggest, the basic and fundamental rights which everyone in this country ought to enjoy simply by virtue of their existence as a human being. Let me briefly remind you of the protected rights, some of which I have already mentioned. The right to life. The right not to be tortured or subjected to inhuman or degrading treatment or punishment. The right not to be enslaved. The right to liberty and security of the person. The right to a fair trial. The right not to be retrospectively penalised. The right to respect for private and family life. Freedom of thought, conscience and religion. Freedom of expression. Freedom of assembly and association. The right to marry. The right not to be discriminated against in the enjoyment of those rights. The right not to have our property taken away except in the public interest and with compensation. The right of fair access to the country’s educational system. The right to free elections.

Which of these rights, I ask, would we wish to discard? Are any of them trivial, superfluous, unnecessary? Are any them un-British? There may be those who would like to live in a country where these rights are not protected, but I am not of their number. Human rights are not, however, protected for the likes of people like me – or most of you.  They are protected for the benefit above all of society’s outcasts, those who need legal protection because they have no other voice – the prisoners, the mentally ill, the gipsies, the homosexuals, the immigrants, the asylum-seekers, those who are at any time the subject of public obloquy.

The Pensions Trust have written to some of their members to inform them that NorthgateArinso, “delivering HR excellence”, have had an unencrypted laptop containing personal details stolen from their offices.

The personal details stolen, for members of six of the Pensions Trusts 39 schemes (as of May 2007) were:

• name
• address
• date of birth
• National Insurance numbers
• name of employer
• salary details
• information on nominees (name and relationship)
• bank account (for those in receipt of a pension)

That is quite a list. Apparently NortgateArinso were using the now stolen laptop as a, “database for development, training and performance testing.” Why were they using live data for training and testing? Why wasn’t the laptop encrypted? Why wasn’t the laptop physically secured?

The Pensions Trust have reported the loss to the Information Commissioner, and attempt to reassure members that, “the data was password protected and as such, not easily accessible.” and that, “NorthgateArinso regret that this theft has occurred and are doing everything possible to retrieve the data”  but I suspect it is too late.

Scans of letter and factsheet from Pension Trust below the fold.

UPDATE: This is now in the media: BBC News, Professional Pensions, The Register. Also commentary from Jamie Dowling at View From Planet Jamie and logged at DataLossDB and the Open Rights Group UK Privacy Debacles wiki.

Read the rest of this entry »