We spoke to Crispin Blunt, Conservative MP for Reigate, about what the public sector is doing to prevent data breaches, and how a department as large and diverse as the House of Commons can keep up to date with IT while maintaining the security needed for a national government.
How does the House of Commons supply itself with IT equipment?
The House of Commons is slightly atypical if you're looking at it as a government department. There are 651 MPs who are all allowed to equip their own offices to a degree. There's a certain element of independence about that. However, there are central contracts provided by the House of Commons authority, which most MPs will use.
So you've got MPs' offices, but then of course you've also got the whole presentation of collective services by both the House of Commons and the House of Lords Authorities, so there are about 5,000 people working on the parliamentary estate.
We're all using the information services, and we're all managing information on behalf of our constituents. And there are also libraries producing an information service for the members of parliament. All that data has to be managed securely as well.
So what is the public sector doing to prevent data breaches?
I remember one occasion from my time as the prisons minister at the Ministry of Justice, when someone at a prison sent the wrong email somewhere, because their processes weren't up to snuff, and three people suddenly found that they had the criminal records of a significant slice of the population.
That was brought to my attention immediately, and then all kinds of processes went into place to retrieve the information. All that stuff is then reported in the usual course of events to the Information Commissioner's Office (ICO). But one would expect the public sector to be absolutely punctilious about their processes.
We hear about a lot of public sector data breaches, but is this only because the public sector is under a greater obligation to report breaches when they occur?
It's interesting to ask whether the public sector has more onerous demands on its processes, but of course the private sector is making a value-for-money judgement about its management of data. The loss of customer data by a private company could be catastrophic as far as shareholder value is concerned.
Data breaches can be so terminal to a corporation's future. The reputational risk is enormous, so as to whether a further level of punitive sanctions should be put in place by parliament, either criminal or some form of civil binding process, I would have to see some kind of evidence that more punitive sanctions would make a significant difference to corporate behaviour.
I have no reason to believe that there's a need right now for some kind of emergency legislation to address this kind of manifest failure. We have a pretty strong regulatory system under the Information Commissioner, there are legal sanctions available against people who are wilfully mismanaging data, and there are sanctions against those who just cock it up. But when it's a fight to the death, as it were, it may not make a difference.
Does the Commons have a bring your own device (BYOD) policy?
Members of parliament are registered data controllers under the Data Protection Act, so they have responsibility for their own data in their own office. So you effectively have 651 small businesses in that sense, all with a responsibility to their particular market. So if I allow my staff to bring their own devices in, and access constituents' data, then I'm obviously personally responsible for the management of that data.
So do you allow people to access data on devices of their choice?
No, the people in my office use equipment that is provided by the House of Commons estate, and as far as I'm aware they're not downloading anything onto their mobiles or anything else, and can't take it home. Indeed, the information management systems that I've put in place are sustained on the PCs and laptops and the central server suppliers, a system called CR5, that manages the information of my constituents. I'm extremely conscious that the last thing I want to be responsible for is breaching a constituent's confidentiality. Reputationally, that would be – how shall we say? Negative.
Crispin Blunt is the Member of Parliament (MP) for Reigate in Surrey. He entered the House of Commons in 1997. From May 2010 to September 2012 he was the Parliamentary Under-Secretary of State for Prisons and Youth Justice within the Ministry of Justice.
Image: Flickr (rowl images; West Midlands Police)