Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

NHS Fined After Computer Holding Patient Records Found On eBay

timothy posted about a year ago | from the all-these-billing-addresses-are-identical dept.

Security 186

judgecorp writes "NHS Surrey, part of Britain's health service, has been fined £200,000 when a computer holding more than 3000 patient records was found for sale on eBay. The system was retired, and given to a contractor who promised to dispose of it securely for free, in exchange for any salvage value... but clearly just put the whole system up for sale."

Sorry! There are no comments related to the filter you selected.

How does... (3, Insightful)

Anonymous Coward | about a year ago | (#44275533)

The government fine itself?

Re:How does... (1)

buchner.johannes (1139593) | about a year ago | (#44275587)

Ever heard of separation of powers?

A: Because it breaks the flow of a message (5, Insightful)

DNS-and-BIND (461968) | about a year ago | (#44275723)

Q: Why is starting a comment in the Subject: line incredibly irritating?

Re:A: Because it breaks the flow of a message (0, Insightful)

Anonymous Coward | about a year ago | (#44276315)

Except what you did is put the answer in the subject line and the question in the body which actually *does* break the flow of a message whereas the OP merely started his question in the subject line and answered in the body, which follows the natural order we read text (left to right, top to bottom).

Re:A: Because it breaks the flow of a message (1)

Anonymous Coward | about a year ago | (#44276373)

The natural order to read comments is to skip the subject line entirely.

Re:A: Because it breaks the flow of a message (0)

Anonymous Coward | about a year ago | (#44276443)

Except in threaded comments, where the topic is usually repeated till brain stops even acknowledging it, also in another font, on another background, and physically separated from the text of the message by a block of white background and a gray author field.

Re:How does... (4, Insightful)

Joce640k (829181) | about a year ago | (#44275725)

They shouldn't be fining themselves, they should be jailing the person responsible for handing them to the "unnamed contractor" (who was probably a friend).

Re: How does... (1)

Anonymous Coward | about a year ago | (#44275763)

Why not fine the contractor who was paid in salvage value to destroy the data?

Re: How does... (4, Informative)

Joce640k (829181) | about a year ago | (#44275837)

Because there was no actual "contract" requiring him to destroy them.

That's the real problem in this case - no contract. It's all all in TFA (if you can be bothered with such trivia).

Re: How does... (1)

julesh (229690) | about a year ago | (#44276889)

That's the real problem in this case - no contract. It's all all in TFA (if you can be bothered with such trivia).

Of course there's a contract: there's one described in the summary above. The contractor agreed to wipe the machines in exchange for getting them for free. There, that's a contract. Now, it may be difficult to sue him for breach on the basis that there doesn't appear to have been a *written* contract, but that's an entirely different matter from there being no contract at all.

Re:How does... (5, Insightful)

hairyfeet (841228) | about a year ago | (#44275867)

Actually as a PC repair guy who often does this very thing I say they should throw the contractor in jail, he is making us all look bad.

I've done plenty of work for the city in the past and they know any donations they give to me will be wiped clean so they have no problem handing me desktops and laptops that are being replaced. Is there any records on them? probably but I wouldn't know as the first thing they get is a boot 'n nuke from me, the ONLY thing I don't wipe is the factory restore partition if it has one, everything else? Wiped before I ever mess with the system.

So I'm all for throwing this asshole in jail because its jerks like this that end up causing systems to be disposed of via shotgun. In a dead economy there is plenty of folks hurting out there and these off-lease systems can be used to make sure anybody can have a PC, hell thanks to donations from the city I have a complete desktop system for $50 at the shop. Sure its not the fastest thing in the world but it surfs, burns DVDs, and when somebody needs a PC so their kid can look up info for school reports and they can look for a second job? A system like that can really make a difference. This is why I fricking HATE when assholes like this do dumb shit like just throwing it on eBay, he could have boot n' nuked and been done in no time, throw the lazy ass in jail.

And if you work in a position that has getting rid of older systems as part of your duties? Don't dispose of via shotgun, talk to the local shop guys, talk to the local churches, there is usually a guy like me that is happy to refurb 'em for the poor folks and unlike this douchebag we're happy to do secure wiping on anything you hand us. There is nothing like the feeling of making a difference, just last week I donated a couple of systems to one of the local churches so they could expand their computer classes, they do a lot of work with abused women and teaching them basic computer and office skills helps them get a job and not be dependent on some wife beating scumbag. I wouldn't have been able to hand those systems over if they hadn't been donated to me, so ask around, those old P4s and Athlons may be junkers to you but it could make a difference to somebody else.

Re:How does... (2)

Joce640k (829181) | about a year ago | (#44275989)

How hard can it be for a government to make a CD stick which you insert in a PC which boots up and wipes the hard drive?

They could insert one in every PC before they remove it from the person's desk. It would take about ten minutes. If they're doing a roomful of PCs (as they mostly do) then by the time you got around to putting the CD in the last machine, the first one would be finished.

Re: How does... (1)

NadMutter (631470) | about a year ago | (#44276133)

10 mins? Really. The last disk I decommissioned took 24 hours to shred (4 passes, the longest time being for the 2 random writes). OK that was a failing Seagate 2TiB drive but for sensitive data, more passes is standard.

Re: How does... (2)

Joce640k (829181) | about a year ago | (#44276193)

Ok, let's agree it more than 10 minutes. Now can you address the actual point...?

(I should have known better than to put an actual number on slashdot...)

Re: How does... (2)

Joce640k (829181) | about a year ago | (#44276227)

... for sensitive data, more passes is standard.

Somebody needs to question that standard. There's no credible evidence that data can be recovered after writing a single pass of random data.

Even if there was any evidence (and let's be clear, there isn't...), if anybody wants to spend that much money trying to recover data from machines bought randomly on eBay they should be encouraged to do so. The sooner they go bankrupt, the better.

Re: How does... (0)

Anonymous Coward | about a year ago | (#44276611)

It is one of those things we are stuck with. Fear. The people who do the policies on information protection read these whitepapers that talk about reading the remnant "edges" of the data on disk (which, as you say, hasn't been shown to be viable for getting real world data as of yet) and they insist of these awful procedures. It takes us a couple of hours to prepare a machine for disposal. These are machines where the disk is already protected with 256 bit AES encryption and it is setup in such a way that we can throw away the key and remove it from anywhere on the drive (with multiple overwrites of that small area) in less than 5 minutes. But can we dispose of the drives this way using secure encryption? Nope. Why? Because fear...

Re: How does... (1)

sjames (1099) | about a year ago | (#44276677)

For that matter, simple zeroing is quite sufficient for data that is merely confidential (though government standards may insist on more). Nobody is going to buy a machine off of ebay and scan the disk platters with a force microscope.

Most of the concerns are based on outdated information relevant to much older MFM drives where the recording density was much lower and tracking errors much larger.

Re: How does... (1)

BrokenHalo (565198) | about a year ago | (#44276653)

The last disk I decommissioned took 24 hours to shred

You're doing it wrong. I used to be a professional blacksmith in an earlier life, and I still have all my tools, which include a 1500lb pneumatic power-hammer. That mother can deliver 1.5 blows per second at full power, and if I stick any hard drive under that, it'll be thinner than a bee's dick in a couple of seconds.

However, I do like to take out those cool lanthanide magnets first... :-)

Re:How does... (1)

Idimmu Xul (204345) | about a year ago | (#44276155)

How hard can it be for a government to make a CD stick which you insert in a PC which boots up and wipes the hard drive?

http://killdisk.com/downloadfree.htm [killdisk.com]

unbelievably easy

Re:How does... (0)

Anonymous Coward | about a year ago | (#44276173)

Wipe a 100+ GB HDD in minutes? You're doing it wrong. A single pass though the entire drive will take longer than that and you do need to do a full pass even if the HDD wasn't full.

Re:How does... (1)

Joce640k (829181) | about a year ago | (#44276203)

Sigh.

OK, let's agree it more than 10 minutes.

Now can you address the actual point, which was: "It's not difficult to wipe hard drives in a time frame which is consistent with upgrading a room full of PCs."

Re:How does... (0)

Anonymous Coward | about a year ago | (#44276259)

How hard can it be for a government to make a CD stick-

I wanna see a "CD stick". It's both a disk and a stick?

Re:How does... (1)

_Shad0w_ (127912) | about a year ago | (#44276287)

Secure data destruction involves a very large shredder which just turns the disks in to scrap metal. There's even video of it being done to the HDDs that were holding the ID card database before it was scrapped.

Re:How does... (1)

Joce640k (829181) | about a year ago | (#44276309)

But as pointed out this is unnecessary and those PCs/disks could benefit a lot of needy people. Securely re-imaging a hard disk isn't difficult.

Re:How does... (1)

Shikaku (1129753) | about a year ago | (#44276719)

http://www.dban.org/ [dban.org]

Such a project already exists.

Re:How does... (1)

jamesh (87723) | about a year ago | (#44276137)

Actually as a PC repair guy who often does this very thing I say they should throw the contractor in jail, he is making us all look bad.

Making you look bad is not a criminal offense. You'd need to take it up in a civil court, and they don't throw people in jail.

Re:How does... (1)

sjames (1099) | about a year ago | (#44276801)

No, but it is a motive for him to want to see criminal offenses prosecuted.

Re:How does... (2)

julesh (229690) | about a year ago | (#44276913)

No, but it is a motive for him to want to see criminal offenses prosecuted.

But as nobody has suggested a criminal offence of which the contractor may be guilty, it hardly seems relevant.

Re:How does... (4, Insightful)

beltsbear (2489652) | about a year ago | (#44276145)

Agreed. I used to do the same, take in free donated systems and wipe them with dban or other zero writing software. It was easy and ensured the buyer got a clean system. The main reason why people destroy perfectly good machines out instead of giving them to someone like me (or charity) is fear of the type of behavior shown.

And for god sakes, you do not need to DESTROY the hard drive. Zero writing is fine for anything not containing national security level secrets.

Re:How does... (1)

jellomizer (103300) | about a year ago | (#44276177)

While I agree it is the contractors fault. However when you deal with a contractor you better be sure your contract has him to do what they say they will do. The contractor will probably do more what is in the contract however if failure to not do more that is in the contract could have a negative effect it should be protected.
Such as delete your drives beforehand, or make sure the contract has him do this work, and perhaps a measure stating he will do what he says he does.

Re:How does... (1)

sociocapitalist (2471722) | about a year ago | (#44276371)

Actually as a PC repair guy who often does this very thing I say they should throw the contractor in jail, he is making us all look bad.

I've done plenty of work for the city in the past and they know any donations they give to me will be wiped clean so they have no problem handing me desktops and laptops that are being replaced. Is there any records on them? probably but I wouldn't know as the first thing they get is a boot 'n nuke from me, the ONLY thing I don't wipe is the factory restore partition if it has one, everything else? Wiped before I ever mess with the system.

So I'm all for throwing this asshole in jail because its jerks like this that end up causing systems to be disposed of via shotgun. In a dead economy there is plenty of folks hurting out there and these off-lease systems can be used to make sure anybody can have a PC, hell thanks to donations from the city I have a complete desktop system for $50 at the shop. Sure its not the fastest thing in the world but it surfs, burns DVDs, and when somebody needs a PC so their kid can look up info for school reports and they can look for a second job? A system like that can really make a difference. This is why I fricking HATE when assholes like this do dumb shit like just throwing it on eBay, he could have boot n' nuked and been done in no time, throw the lazy ass in jail.

And if you work in a position that has getting rid of older systems as part of your duties? Don't dispose of via shotgun, talk to the local shop guys, talk to the local churches, there is usually a guy like me that is happy to refurb 'em for the poor folks and unlike this douchebag we're happy to do secure wiping on anything you hand us. There is nothing like the feeling of making a difference, just last week I donated a couple of systems to one of the local churches so they could expand their computer classes, they do a lot of work with abused women and teaching them basic computer and office skills helps them get a job and not be dependent on some wife beating scumbag. I wouldn't have been able to hand those systems over if they hadn't been donated to me, so ask around, those old P4s and Athlons may be junkers to you but it could make a difference to somebody else.

It depends. It's easy enough to blame the contractor but there are factors that have to be taken into account.

Is there a written security policy that states that the drives have to be wiped (and with what method or methods)?
Was the contractor presented with said policy and asked to sign each page to indicate that they've seen it?
Was it written into the contract with the contractor that they read and will follow said security policy?

Yes the contractor (if there was one - I didn't read TFA) fucked up but they may not have been the only ones.

Re:How does... (0)

Anonymous Coward | about a year ago | (#44276703)

Amen to that.

For years while I was working, I took old DOS laptops, installed Typing Tutor III (bought a stack of TT3 programs for a dollar apiece), and lent or gave them to the adults around me who never learned to type. Little machines that couldn't go on the web or otherwise get people into trouble, mono screens usually. Wonderful typing teachers.

You'd be amazed -- until you got to know the messengers and mailroom and janitor folks around you -- just how many smart, older adult workers never learned keyboard skills, along with not learning English as their first language often enough --- and are stuck in dead end jobs.

Re:How does... (0)

Anonymous Coward | about a year ago | (#44275859)

The government fine itself?

By simply taking from a branch to give to an other branch.
resources are finite, and therefore allocated. Look at the fine as a reallocation.

Re:How does... (0)

Anonymous Coward | about a year ago | (#44275895)

Yep. Because the department that just lost 200,000 quid really gives a shit.

The people responsible are thinking "Thank goodness ... we thought we'd actually be personally punished."

As another poster said: prison / direct fining / sacking / suspension without pay.

Re:How does... (1)

91degrees (207121) | about a year ago | (#44276333)

Of course, in this case the net result is that the public has been fined £200,000 worth of health care.

I'm sure there has to be a better way of penalising government institutions.

Re:How does... (1)

julesh (229690) | about a year ago | (#44276931)

Of course, in this case the net result is that the public has been fined £200,000 worth of health care.

I'm sure there has to be a better way of penalising government institutions.

Maybe they should consider firing the person who made the decision to pass on confidential data to an uncertificated contractor without performing any due diligence, or is that perhaps a little too radical?

Re:How does... (1)

3seas (184403) | about a year ago | (#44275887)

Raises taxes?

Re:How does... (1)

Cornwallis (1188489) | about a year ago | (#44275965)

Raises taxes?

Bingo.

Re:How does... (-1)

Anonymous Coward | about a year ago | (#44275903)

The government fine itself?

They just don't let the folks from NHS attend the next Strippers & Coke party but they pay for the party out of the NHS budget.

Re:How does... (3, Informative)

jellomizer (103300) | about a year ago | (#44276123)

Simple, there are a bunch of ministries, departments, and divisions and other units all with a degree of autonomy, their own budgets, and other stuff.

When you ask nearly any government employee of where do they work. They will not say I work for the Government. They will say I work in the Department of whatever...
So if you fine a government agency the money leaves their budget and goes away from their department and to an other area. Leaving that department with less money budgeted towards what they need to do. As well it would effect their influence of getting additional funding for the next year.

Re:How does... (0)

Anonymous Coward | about a year ago | (#44276237)

When you ask nearly any government employee of where do they work. They will not say I work for the Government, unless they work for the NSA. They will say I work in the Department of whatever...

TFTFY.

Re:How does... (3, Informative)

Kat M. (2602097) | about a year ago | (#44276321)

First, the Information Commissioner's Office is an independent body, subject to supervision by the courts, not any ministry. It cannot and does not care (modulo human error) whether the responsible entity was a public or private body, except where the law distinguishes between them.

Second, an NHS trust (which NHS Surrey is) is technically not part of the government, but a public sector corporation with separate auditing requirements and separate liability. Another example is that NHS trusts are also vicariously liable for malpractice by doctors and nurses they employ.

While it is correct that in the end all the fines do come out of the UK's budget and go back into the UK's budget, separate liability arrangements allow for more fine-grained auditability and accountability. Fines may be budget neutral overall, but they still are highly undesirable for the sanctioned body, creating an incentive to avoid them.

No encryption (1)

flyingfsck (986395) | about a year ago | (#44275543)

The NHS fine should be doubled for stupidity.

I wonder (5, Funny)

Davo Batty (2855025) | about a year ago | (#44275573)

If prism will be selling their old computers too?

Re:I wonder (1)

cold fjord (826450) | about a year ago | (#44275651)

It is possible that they might, but since the data they process is Top Secret, the hard drives will be destroyed, and probably the ram as well.

Re:I wonder (1)

Davo Batty (2855025) | about a year ago | (#44275727)

I destroyed a hard drive recently, it took several blows with a large hammer before I was satisfied. Will governments trust third parties to destroy something that they could sell instead?

Re:I wonder (1)

cold fjord (826450) | about a year ago | (#44275819)

For systems that have held Top Secret data the media won't be sold, it will be destroyed. The consequences of possible loss are considered too severe. I believe I've read that they have facilities for destruction themselves. It looks like one of the ways they do it is the use of High Security Disentegrators which reduce everything to no more then 3/32" size. Examples here [semshred.com] .

I suppose it is possible that they might outsource it, but there would obviously have to be tight controls in place to assure destruction.

 

Re:I wonder (0)

Anonymous Coward | about a year ago | (#44276121)

been there, done that:
1: degauss on-site
2: shred on-site
3: incinerate at garbage incineration facility, off-site but witnessed by 2 security officers till they see the shreds actually going into the oven. (transport in seald containers, always 2 security officers etc.)

Re:I wonder (1)

Gription (1006467) | about a year ago | (#44275847)

Secure destruction happens onsite. If you don't have a verifiable chain of custody then you don't have secure disposal.
http://www.youtube.com/watch?v=yd_O7-rqcHc [youtube.com]

Re:I wonder (1)

Joce640k (829181) | about a year ago | (#44276003)

Formatting works perfectly well for data destruction.

(cue line of geeks with theories about why it isn't despite the fact that they can't come up with a single example of data recovery after formatting...)

Re:I wonder (1)

RDW (41497) | about a year ago | (#44276069)

Hope you don't work in data security! Every decent file recovery tool (Recuva, PhotoRec, etc.) can restore files from a formatted drive. Secure wiping (as with DBAN) is a different matter.

Re:I wonder (1)

maxwell demon (590494) | about a year ago | (#44276107)

Hope you don't work in data security! Every decent file recovery tool (Recuva, PhotoRec, etc.) can restore files from a formatted drive. Secure wiping (as with DBAN) is a different matter.

Not if it is true formatting (as opposed of the simple rewrite of file system master structures which these days is done when "formatting"). I don't know if modern hard disks actually still support true formatting, though.

Re:I wonder (1)

nojayuk (567177) | about a year ago | (#44276249)

Some data recovery can be done even off multiply-overwritten tracks but it takes serious engineering of the sort only police forensics and national security can afford in terms of cash and time. Even then there is no certainty of success.

The head positioning system in a disk drive is not 100% accurate pass to pass and remnant magnetic data can persist on the edge of the main track after an overwrite or two on some sectors. That data can be read using scanning electron microscopes, SQUIDs and other exotica and some of the disk's original contents reconstructed. One (public) example where this has been carried out is where someone wiped their collection of child porn but the prosecution were able to prove the disk contained a few illegal images, enough to secure a conviction.

If you're wanting to destroy the data on a disk for sure, shred it into chips if you have the facility (most big data centres either have their own shredder or they can bring in a truck-mounted shredder and shred them on site to preserve chain of custody). Failing that, if you have the time and curiosity take the drives apart, remove the platters and next time you have a BBQ toss them in the charcoal or put them on the grill after cooking. They'll slag down but more importantly the heat will push them over their Curie point totally randomising the magnetic data. You'll also get some kickass fridge magnets out of the deal.

Re:I wonder (1)

pnutjam (523990) | about a year ago | (#44276575)

Everything you said should have been preceded by "In theory..." There is no evidence any of that sort of data recovery is possible.

Re:I wonder (1)

aurizon (122550) | about a year ago | (#44276281)

In Canada the military thermally destroys the drive and PCB to a molten state. In the days of large mainframe hard drives I was told the CIA would first open the drive platter case. separate each platter and mount the platters on a lathe and mill them down to bare aluminium, which was melted.
I would anticipate the NSA/CSA/FBI would perform a similar level of destruction, the IRS, I have heard of them selling systems with only the directory wiped, so ant expert person could read the scattered data files and make some attemt to re-catenate them?

Re:I wonder (1)

gl4ss (559668) | about a year ago | (#44276063)

It is possible that they might, but since the data they process is Top Secret, the hard drives will be destroyed, and probably the ram as well.

well sure, if their contractors aren't cheapening out...
or if anyone knows what the box going to the dumpster is.

This is what will happen when cloud providers die (1)

Anonymous Coward | about a year ago | (#44275613)

This exact leak of data will happen repeatedly. A cloud provider goes under, machines get sold, the buyer is free to do what they want with the data on them, even if it is a torrent of people's personal and banking info.

In theory, the auction site should blank the machines... but what's a blank? A fdisk is still recoverable.

Re:This is what will happen when cloud providers d (0)

Anonymous Coward | about a year ago | (#44275805)

but what's a blank? A fdisk is still recoverable.

dd if=/dev/urandom of=/dev/sda bs=1M

Re:This is what will happen when cloud providers d (1)

maxwell demon (590494) | about a year ago | (#44276141)

Of course there's still a small risk that important data has gone to a bad sector which is no longer mapped and thus also not rewritten in the process.

However if confidential data is stored strongly encrypted (as it should be), then as long as your key is reliably wiped out, it doesn't really matter if the rest of the data is still there. Nobody will be able to read it anyway.

Well, unfortunately "should be" is entirely different from "is" ...

Re:This is what will happen when cloud providers d (0)

Anonymous Coward | about a year ago | (#44276759)

Close, but not quite. Overwriting with dd won't overwrite sectors which have been remapped by the drive's firmware (and it's not hard to reinstate these sectors so their contents can be read).

The correct way to wipe a drive is with "hdparm --security-erase" or "hdparm --security-erase-enhanced". That will overwrite everything, remapped sectors included. The only downside is that you can't wipe specific partitions (e.g. leaving a factory restore partition intact), only the entire drive.

If you have a drive which is so old that it doesn't support the secure erase command, it's probably too small to be of use to anyone (and who would trust data to a drive that old).

Solid-state drives can't be securely wiped, period. Physical destruction is the only solution.

Re:This is what will happen when cloud providers d (1)

CadentOrange (2429626) | about a year ago | (#44275811)

dd if=/dev/zero of=/dev/hda bs=1M

Or something equivalent. It's not hard to blank out a hard drive, just time consuming.

Re:This is what will happen when cloud providers d (0)

Anonymous Coward | about a year ago | (#44275949)

It's not hard, but who is going to pay me to type that command after the cloud company went bankrupt ?
If the debt collectors think the computers are more worth with software and interesting marketing data than with blank drives, they certainly won't wipe the drives before selling them.

Re:This is what will happen when cloud providers d (0)

Anonymous Coward | about a year ago | (#44276507)

dd if=/dev/zero of=/dev/hda bs=1M

Or something equivalent. It's not hard to blank out a hard drive, just time consuming.

 
My equivalent is a 9mm round. Pierces a hard drive case easily from 25 feet away. It's a thing of beauty watching a drive buy it.

Re:This is what will happen when cloud providers d (0)

Anonymous Coward | about a year ago | (#44275829)

a) Who the hell said anything about cloud?
b) That's not how cloud storage works. Data is scattered across thousands of drives, stored in a strange format that requires terabytes of meta data to make any sense of. Having one drive would be like having one drive out of a RAID 5 set: utterly useless.

Contract not signed (1)

Alain Williams (2972) | about a year ago | (#44275625)

It does not matter if a contract was not signed, there was still an agreement. All that signing a contract means is that the agreement is provable and, hopefully, responsibilities clearly defined. Here: there does not seem to be a dispute as to who should have deleted the data (destroyed the disks), it is the contractor they should pay every penny of the fine.

All of the above written without knowing exactly what was agreed!

Re:Contract not signed (0)

Anonymous Coward | about a year ago | (#44275639)

I think they should both be fined, personally. NHS for not ensuring things were done properly, and this "data destruction provider" contractor for not doing what they said they would. It's the fault of both that this has happened, after all, so just fining the NHS doesn't seem fair.

Re:Contract not signed (0)

Anonymous Coward | about a year ago | (#44275835)

How it works is rather: NHS was responsible for ensuring confidentiality, thus they are responsible and get fine.
If they had a contract with someone, they can sue them for not fulfilling the contract. The sum they get out of the this can be 0, less than the fine or vastly more than the fine, mostly depending on the exact terms of the contract.

Re:Contract not signed (1)

Joce640k (829181) | about a year ago | (#44276013)

... mostly depending on the exact terms of the contract.

You know how I know you didn't read the article?

Outsourcing (1)

lobiusmoop (305328) | about a year ago | (#44275629)

FTFA:
We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.

Relevant Dilbert [dilbert.com]

salvage value.. (1)

gl4ss (559668) | about a year ago | (#44275635)

well duh, obviously this was the highest salvage value they could arrange.

Re:salvage value.. (0)

Anonymous Coward | about a year ago | (#44276307)

Arrgghh, those English pirates at it again!

Fines.. (5, Insightful)

Bert64 (520050) | about a year ago | (#44275663)

Fining the NHS is pointless, it only harms the NHS itself... Those responsible don't care because its not their money.
They should fine the contractor instead, as it was his laziness/incompetence that caused this.

Re:Fines.. (3, Insightful)

Fjandr (66656) | about a year ago | (#44275681)

While there was negligence on both parts, I definitely agree that the contractor should be penalized for failure to perform the promised service.

Re:Fines.. (1)

Joce640k (829181) | about a year ago | (#44275757)

If you read TFA you'll see there's no contract. The word "contractor" implies it but really they were just handed to a guy who crossed his heart and promised to do it before putting them on eBay.

OTOH, you're right that the NHS shouldn't be fined. The person who handed over the computers (presumably to a friend of his) needs jailing.

Re:Fines.. (1)

mpe (36238) | about a year ago | (#44275775)

Fining the NHS is pointless, it only harms the NHS itself...

Fining any public body tends to be at best pointless, at worst counter productive. (Another common example of this kind of daftness is fining police forces when prosecution of police officers would be more appropriate.)

Those responsible don't care because its not their money. They should fine the contractor instead, as it was his laziness/incompetence that caused this.

The most obvious thing to do would be for NHS Surrey to sue the contractor for all of their costs, including the fine. (Possibly something more like £300k.) But the former may well mean they won't bother.

Re:Fines.. (0)

Anonymous Coward | about a year ago | (#44275899)

Fining the NHS is pointless not because it harms the NHS, but because the NHS is funded by the public. How does that even work?

Re:Fines.. (3, Informative)

leathered (780018) | about a year ago | (#44276023)

Look up Vicarious Liability, it's a tenet of Common Law.

Too many MBAs believe that when you outsource, you are offloading responsibility. 'It was the contractor's fault, your honour' will not wash in any court of law.

Re:Fines.. (1)

drinkypoo (153816) | about a year ago | (#44276903)

If the idea is to punish someone to try to correct the behavior, then fining the NHS is a fat fucking waste of time. Fining whoever hired the contractor personally might help. Fining the contractor should be mandatory when one is involved.

Re:Fines.. (1)

Faluzeer (583626) | about a year ago | (#44276083)

Hmm

They should punish all involved in NHS Surrey. Hit them where it hurts, final warnings, no pay rises, no promotions, no pension contribution for the year.

Re:Fines.. (1)

nukenerd (172703) | about a year ago | (#44276331)

Fining the NHS is pointless .... Those responsible don't care because its not their money. They should fine the contractor instead, as it was his laziness/incompetence that caused this.

Wrong, I think you would find those responsible DO care and are feeling very embarrased about this. Nevertheless, the episode shows that they were incompetent and should simply be sacked. There are too many incapable people holding jobs they are not up to, and too many capable people unemployed.

Apart from that, there is no way that the NHS should have been letting PC's off the premises with data on the drives, contract or no contract. If they had to employ a contractor, the work should have been done on NHS premises, and a responsible and cabable NHS IT guy check each one before releasing it.

If the NHS have no responsible and capable IT guys, then it's time to employ some. FFS, I know how to wipe a HD and I do not even work in IT.

Re:Fines.. (1)

Livius (318358) | about a year ago | (#44276441)

They should fine the contractor instead

Suing the contractor is hopefully NHS's next step.

Re:Fines.. (0)

Anonymous Coward | about a year ago | (#44276497)

Not true. The NHS can now turn around and sue the contractor for damages. They can't fine the contractor directly, but with the NHS suffering actual measurable financial loss a lawsuit is not only possible but quite winnable.

Should be fining the contractor, not the client (4, Insightful)

radio4fan (304271) | about a year ago | (#44275753)

I don't really get this. The NHS contracts out the disposal of the machines to a private contractor, who then royally screws up, and it's the fault of the NHS?

Surely the responsibility lies with the contractor?

FTA:

“Should they [the contractor] be accountable? Definitely not, because NHS Surrey have been entrusted with the welfare of their patients. Should the contractor be responsible? Absolutely, yes,” Jones added.

This seems to me an argument that the NHS cannot outsource or subcontract anything.

What is NHS Surrey supposed to do in this scenario? Use in-house people to analyse the machines to make sure there is no data remaining before disposing of them?

Or just keep data-disposal services in-house? Personally, I think this would be a great idea, but it goes against the dogmatic 'privatise absolutely everything possible' trend in the UK.

“We should not have to tell organisations to think twice, before outsourcing vital services to companies who offer to work for free.”

Except they didn't work for free: they worked for the salvage value. I can't really see how the low value of the contract proves fault.

Re:Should be fining the contractor, not the client (0)

Anonymous Coward | about a year ago | (#44275799)

Except amongst your quotes from TFA you omitted one:

The NHS body didn’t sign a contract with the provider and failed to determine whether the hard drives have been wiped, the ICO said.

In essence, they handed the drives to someone's brother-in-law, and who knows what was actually promised?

All we know is that

  • Bro-in-Law got the drives.
  • When next seen, said drives were available for purchase on eBay in an un-erased state.

Re:Should be fining the contractor, not the client (1)

radio4fan (304271) | about a year ago | (#44275825)

Except amongst your quotes from TFA you omitted one:

The NHS body didn’t sign a contract with the provider and failed to determine whether the hard drives have been wiped, the ICO said.

Thanks, I must have glossed over the fact that they can't prove that they instructed the contractor to destroy the data.

But still the issue remains that verifying that the data has been destroyed is more work than destroying the data, so is the ICO really saying that responsibility for data security cannot be subcontracted?

Personally, I hope so. But like I say, it flies in the face of privatisation dogma.

Re:Should be fining the contractor, not the client (1)

gl4ss (559668) | about a year ago | (#44275941)

nhs shouldn't be giving them away out of their control in uncleaned condition. that much is simple.

nhs can try to sue the contractor on contract breach still though. but if getting rid of responsibility was that easy there would be none.

Re:Should be fining the contractor, not the client (1)

jimicus (737525) | about a year ago | (#44276079)

Not really. You can't discharge responsibility just by contracting someone else to do something; the principal is responsible for the actions of their contractor.

Of course, the NHS could sue the contractor, assuming they had a contract that mentioned secure disposal.

Re:Should be fining the contractor, not the client (1)

mrbester (200927) | about a year ago | (#44276663)

Even if there wasn't a contract to shred the data, the contractor can still be prosecuted as they broke data protection laws. Putting an unwiped machine on eBay is all on the contractor.

Re:Should be fining the contractor, not the client (1)

jimicus (737525) | about a year ago | (#44276951)

The ICO doesn't need to prosecute anyone.

They did need to some years ago, but today they can simply march in, investigate and levy a fine. You disagree with the fine? It's down to you to appeal the fine at a tribunal.

Re:Should be fining the contractor, not the client (0)

Anonymous Coward | about a year ago | (#44276757)

" but it goes against the dogmatic 'privatise absolutely everything possible' trend in the UK."

Actually the tide is turning on this and there's a push to in-source more things again. As is the cycle.

What I fail to believe (0)

Anonymous Coward | about a year ago | (#44275783)

Is that the NHS owns any computer equipment with residual value, even for eBay. The average NHS computer is an ancient, square, clunky CRT affair with horrible cheap plastic parts, usually running Win 3.1. Nor is it for lack of spending on "ICT" (don't ask); I wonder where the money ends up. It sure as hell isn't spent on patient healthcare.

Re:What I fail to believe (0)

Anonymous Coward | about a year ago | (#44275905)

What century are you living in?

I use the NHS in Surrey on a regular basis (I have Leukaemia). Everywhere you go there are flat screens and Dell boxes that are not all that old. Many are running Vista or XP but I have started to see Win 7 in the past few months.
The IT Systems are pretty integrated these days. My GP can see the results on my blood tests within an hour or so of them being taken at the hospital.

IMHO, systems where this sort of thing happens IS spending on patient healthcare. In my case it allows my doctors to see the test results and make the appropriate treatment decisions quickly. For me this can mean the difference between feeling unwell OR a few weeks in ICU. Which would you prefer?

Re:What I fail to believe (0)

Anonymous Coward | about a year ago | (#44276209)

Obviously I'm not from the future, where you're from. I'm also forced to rely on the NHS regularly. My GP has to wait over 2 weeks for the results of blood tests by snail mail, if they ever arrive (which they sometimes don't). I've seen ancient flat screens and indeed Windows 95 in some places, but also ancient text mode DOS crap. And no, I'm not stuck out in the sticks, I live in central London (the huge area covered by St Barts)

I'm very sorry to hear you have Leukaemia, but happy that you seem to have a local health authority that seems to be able to take care of you. I wish mine was. In honesty, I'd not care about my health details going missing if it meant being able to get decent treatment. Like I say, the money isn't going on patient healthcare here.

Re:What I fail to believe (1)

uglyduckling (103926) | about a year ago | (#44276603)

The 'text mode DOS crap' is probably a proprietary pathology lab system, and it's likely not DOS at all but a unix running over telnet. Old but super fast and efficient, and not easy to upgrade without replacing expensive lab gear that interfaces with it well. You may also be seeing EMIS, or similar, a GP health informatics system that's again super-fast and reliable. There is an upgrade path to a Windows clients and more modern backend but most areas are following a phased rollout. As for path results - GPs can phone and get the results within 24-48hr, but it's not practical to do for every patient.

Re: What I fail to believe (0)

Anonymous Coward | about a year ago | (#44275945)

Working for the NHS we have a load of new i3s running windows 7 and some pretty new server tech. Although we tend to keep are machines for four years anyway so they won't be worth much when we've finished. Although we donâ(TM)t resell our machines we have them destroyed.

Re:What I fail to believe (1)

uglyduckling (103926) | about a year ago | (#44276565)

None of the NHS trusts I've worked for are using Windows 3.1 or CRT monitors, except for maybe esoteric lab equipment which isn't worth upgrading. I agree that NHS informatics is generally a mess, but the hardware isn't generally as bad as you're making out.

So? (1)

Murdoch5 (1563847) | about a year ago | (#44276031)

Your records aren't secure or private in the first place, no matter where you live or get health care. I've had 5+ sets of digital AND paper records just magically go missing from several hospitals. The doctors didn't get really care, they just re-ran the tests and in one case the re-run results also went missing. If you believe in an illusion of privacy and security with your countries health care system then you've been fooled.

BBC article has some more info.. (0)

Anonymous Coward | about a year ago | (#44276275)

http://www.bbc.co.uk/news/technology-23286231 [bbc.co.uk]

Seems like NHS Surrey was being wound up, so I guess they simply didn't give a damn what happened to their PCs and data...
Nice professional job guys...
Since NHS Surrey is now no more, fine will be paid by another Gov department.

Of course, all this is just bullshit, the Gov taking your money out of their left pocket and sticking it back into the right...

Meanwhile, the people who were trusted with confidential patient data, and abused that trust, appear to remain unpunished.

Good (0)

Anonymous Coward | about a year ago | (#44276471)

Not just that the thing was found, but also that the contractor did that and caused it to be found out. Getting someone to "promise to dispose of it securely for free" without the right paperwork is not a policy for a government agency.

How hard (1)

EmperorOfCanada (1332175) | about a year ago | (#44276481)

How hard is it to wipe a machine? I've never been a fan of the wasteful practice of physically shredding hard drives. But a simple policy is that you physically take every drive out of the machine, hook it up to a master machine, and run a reliable drive wiping program. As for the reliability of these drive wiping programs, I have not only not heard of something slipping by them, there is one company that sells hard drives that have been wiped with only zeros and has a cash prize if you can restore the data. So if you are doing a two pass random data wipe you are way ahead of the state of the art.

I am fairly certain I could set up a drive wiping station (with a multi drive connector) for about $200. Then if you occasionally did get a drive with a weird issue where you couldn't wipe it then you use the hammer next to the station and bonk the drive a few times and throw it in a special box for physical destruction.

This is not rocket surgery.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?