Security threats Toolkit

Gov't departments deny memory-stick risks

Kablenet.com

Published: 13 Jan 2009 12:45 GMT

The departments of health and transport have denied a report that they allow staff to use USB devices to transfer unencrypted information.

In a report on 12 January, 2008, the Financial Times said that information obtained under the Freedom of Information Act and passed to the newspaper shows the Department of Health and the Department for Transport are still allowing employees to download unencrypted data to USB memory sticks.

But a spokesperson for the Department for Transport told GC News that this was untrue. "Only encrypted memory sticks may be used to connect to the department's IT network, and only where there is a business need to do so. This applies to all staff, including consultants and suppliers," she said.

A Department of Health spokesperson said it had strict rules on data security and that data held on USB storage devices used in its computers is automatically encrypted when the device is connected.

Read this

IT security: The trends to watch in 2009

"In addition, all data on our laptops are encrypted — even if the hard drives were removed, no-one would be able to access the data," he said.

He also said local NHS organisations have a legal responsibility to comply with data-protection rules and that they are expected to adhere to strict rules on data security, including encryption of personal or sensitive data held on USB sticks. They are expected to be open about incidents and about the action taken as a result.

"David Nicholson, chief executive of the NHS, has written to all senior health managers reminding them of their responsibilities," said the spokesperson.

The information was obtained by Lewis PR, which sent Freedom of Information requests to 13 departments asking about their data-handling procedures.