

The Loss of personal data by the DVLA


BankFodder

The real story is much juicier than the version which has been put up on the Beeb website so far.

 

 

BBC NEWS | UK | UK Politics | Millions of L-driver details lost

and

 

 

BBC NEWS | UK | UK Politics | 'No cover-up' on lost driver data

 

 

In the feedback comments to this article on the BBC website, a fairly common comment is: "What was the data doing in the USA anyway?"

 

 

The author of this story has missed a very significant point, which is that the USA does not have data protection laws in place which are considered acceptable to the members of the EU. This means that EU countries are forbidden by law from doing any business with the USA or other countries where it means that personal data is passed to that country.

 

Because the USA is such an important trading etc partner for us, we have, as a "patch-up solution", instigated a "safe harbour" system. This means that a USA company merely self-certifies that they have in place a system of data protection which is equivalent to the regime which is in place in the EU by law - and Hey Presto, we are allowed to deal with them.

 

Safe Harbor

 

The self-certification system is merely an on-line form which seems to be inaccessible unless you have some kind of user account!!! (if someone can send me an accessible link to the form or a pdf copy, I would be very grateful)

 

 

Here is a review of the safe-harbour system. - Pretty sceptical conclusion

http://www.compseconline.com/free_articles/clsr1901.pdf

 

Amazing that USA companies are allowed to self-regulate in this way - and also who ever checks that they really do have a proper data protection system in place (no one, I'll bet.)

 

Are we sure that the American company in this scandal did actually self-certify?

 

Exactly the same situation occurred with the American mail order company TK Maxx, which at the end of last year revealed that its database had been accessed by hackers. (ITPro: Security: News: TK Maxx data theft: UK shoppers at risk) But here also, no one asked about their Data Protection status.

 

 

 

Why are governments insisting that hundreds of millions of pounds are being spent on Data Protection in the EU and simply accept self-certification of companies in the USA? This is not even a US government thing. This is not self regulation of an entire industry in the USA overseen by a government appointed official. It is voluntary self-certification by any company which wants to have a trading opportunity in the EU.

 

I don't know why no one focuses on this much more important long-term piece of slackness. This arrangement permits unfair competition from companies in the US who do not have to incur the expense of conforming with a fairly demanding Data Protection regime - and of course, as seen here, it is the public which are put at risk.

 

What is a government agency like the DVLA doing anyway, going for the cheap non-secure option? Frankly this is precisely the data protection equivalent of "extraordinary rendition". (Extraordinary rendition - Wikipedia, the free encyclopedia)
