Councils are failing to prosecute staff caught using a sensitive government database to snoop on celebrities and members of the public, disclosures under the Freedom of Information Act have revealed.
Computer Weekly has established that staff from at least 34 local authorities have misused the Department of Work and Pensions’ (DWP) Customer Information System (CIS) database to look up personal details of the public.
The database, which holds 92 million records on the population, underpins the government’s ID card programme. It stores sensitive data such as ethnicity, relationship history and whether someone is being investigated for fraud.
Nine staff have been quietly sacked from their local authority jobs for abusing the database, nine have been given official warnings, two have been suspended, four resigned and six had their database access privileges removed, Freedom of Information requests lodged by Computer Weekly have revealed.
But none of the local authorities have chosen to bring prosecutions against their staff for abusing their access to the CIS database.
Abuse of access rights
The revelation has promoted accusations that local authorities and the DWP are trying to keep the breaches quiet.
Phil Booth, national organiser for campaign group No2ID, said, “They are reluctant to prosecute because that will give the wrong message that the database is insecure from the inside.”
“These are the people we are supposed to be able to trust,” he said.
“It is the job of the keepers of the National Identity Register to keep external hackers out. The problem is insider access by people already authorised.”
Local authorities are required to sign a Memorandum of Understanding that permits them to access the “restricted data” on the CIS. It contains the threat of criminal prosecution of staff who abuse their access rights.
“DWP will consider prosecuting individuals for misuse of information held on CIS. DWP will support your local authority to ensure appropriate disciplinary or prosecution action is taken in serious cases,” it states.
The Memorandum of Understanding gives the DWP rights to withdraw CIS access from local authorities when “any individual user is suspected of misusing the system”.
Data and the law
But many of the councils told Computer Weekly that their decision not to prosecute staff who have used the CIS database to snoop on members of the public was taken in consultation with the DWP.
Peter Sommer, an expert witness in computer crime cases and visiting professor at the London School of Economics, said the breaches have raised concerns that the law might be too weak.
The Computer Misuse Act could be used to prosecute someone for unauthorised access to a database, he said, but not for looking at information they should not see on a database they are authorised to use.
The Memorandum of Understanding between local authorities and the DWP says that requirements to keep data on the CIS database confidential are “underpinned by legislation” in the Data Protection Act 1998, the Social Security Administration Act 1992 and the Computer Misuse Act 1990.
“[This] binds DWP and your local authority to handle customers’ personal information in confidence… Your local authority has an explicit responsibility for the security of the information and is accountable for the actions of users with access to the CIS,” it says.
The Social Security Administration Act 1992 could be used to send people to prison for snooping on social security databases they were otherwise authorised to access, but only if it were proven they had disclosed their findings to others, say experts.
In at least one instance, a council worker passed on information to a family member. The worker was given a warning.
A DWP spokesman said, “It is the duty of local authorities to consider and enforce what is appropriate, including legal action against their employees.”
National Identity Scheme
A Home Office spokesman said the CIS breaches should not reflect badly on the National Identity Scheme, which is still in development. The CIS might be pegged as the biographical store for the Identity Scheme, he said, but Home Office data would be stored separately from data held by the DWP and protected by “strict access controls”.
“IPS [Identity and Passport Service] will make the systems supporting the National Identity Scheme as secure as possible, building on an excellent track record with the current passport database,” he said.