Data encryption and policing sensitive information

Experts believe that headline-making data losses are symptomatic of the public sector being under-resourced when it comes to IT security. However, an increasing number of police authorities are now adopting a pro-active approach to security, particularly with centrally-driven initiatives around the security of police data residing on mobile devices. Police Professional examines the importance of data encryption

A report by the Joseph Rowntree Reform Trust warning that a quarter of all the largest public-sector database projects, including the ID cards register, are fundamentally flawed and breach European data protection and rights laws, has again raised concerns concerns about data security.
The report, Database State, says that two-thirds of the population no longer trust the Government with their personal data.
Reports that Lothian and Borders Police recently lost a USB memory stick containing vehicle registrations and other information has only added to these concerns.
There are certainly lessons to be learnt by a modern police service becoming increasingly reliant on technology to carry out its day-to-day operations.
Twenty five police forces recently benefited from second-round funding of £30 million as part of the Mobile Information Programme to deliver on Sir Ronnie Flanagan’s Review of Policing recommendation to reduce bureaucracy with the roll-out of state-of-the-art handheld computers to frontline officers.
This funding is in addition to £50 million provided by the Government last year to deliver 10,000 devices by the end of September 2008 for phase one of the programme – a target that was exceeded with over 13,000 handheld computers being used by frontline officers.
The multi-million pound expenditure aims to provide a total of 30,000 handheld computers by March 2010 for forces across England, Scotland and Wales.
But mobile data transmission, by its very nature, poses critical security issues.
In every case, the mobile devices will have to conform to security standards set by the Communication Electronics Security Group (CESG). This will include the use of strong encryption on the data channels used – whether commercial mobile services or government TETRA – and the devices themselves will not store any data onboard.
Gordon Rapkin, CEO of enterprise data security management specialists Protegrity Corporation, explained: “Best practices dictate that we protect sensitive data at the point of capture, as it’s transferred over any network (including internal networks) and when it is at rest. Malicious hackers won’t restrict themselves to attacking only data at rest, they’re quite happy to intercept information at the point of collection, or anywhere in its travels. The sooner encryption of data occurs, the more secure the environment.”
Dr Bernard Parsons, CEO of data encryption specialists BeCrypt, told Police Professional: “Historically, the Government has well understood the need for data classification as a tool for protecting information. It has a well established scheme of protective marking that applies from state secrets, to information that would cause only embarrassment if lost.
“However, systems and processes that have worked well for decades, have failed to meet today’s demands. In the UK Ministry of Defence (MoD) report commissioned following last year’s data losses, Sir Edmund Burton describes how the well-developed [security] processes ingrained during the Cold War have not translated into the ‘Information Age’.”
He added: “The mindset of today’s ‘Facebook generation’ is as applicable to the public sector as it is elsewhere, and they expect easy access to and sharing of data. However, even for those familiar with technology, security risks are non-intuitive: a single CD struggles to command the same respect as a box of paper records.
“The UK Government data security policies have historically prioritised confidentiality at the expense of availability and data integrity, with this in-balance frequently detracting from system usabilit