Access to local government data centers in the UK had to be restricted after it was revealed “worrying” numbers of people had access to facilities containing potentially confidential information.
The Eastern Daily Press reports that the number of people with access to the Norfolk County Council’s data centers, including external contractors, has been reduced from approximately 80 down to around 20 after an audit was conducted.
“When we did this audit, we did find that quite a few people seemed to have access to the data centers, which is worrying, because we would have expected this to be restricted to a few people for certain reasons,” said county council officer Teresa Sharman.
Access tightened, no sensitive data reportedly accessed
According to minutes from the Norfolk Council site, the authorization process for anyone requiring access to data centers has been “tightened up to ensure only people with a proven need to access data centers was able to do so.” The minutes also note that if temporary access had been granted for tasks such as maintenance processes had been “strengthened to ensure temporary access permission was removed quickly once access was no longer needed.”
People who had access to the facility, via a card, reportedly could not see the actual data as it is encrypted and password protected. The council said the most sensitive system containing data on adult and children's services social care is hosted in a separate dedicated high-security data center elsewhere in the UK.
“Errors will occur and be corrected, but the apparent lack of oversight in this particular case is very disturbing,” said Brian Watkins, Liberal Democrat county councilor for Eaton who raised the question. “The public relies on the council to keep its confidential data private, and it must do all it can to ensure it has the confidence of the public to do so.”
Geoff Connell, director of information management and technology and chief digital officer at the council, said it takes data security “very seriously” and has “extensive controls in place” to that ensure data can only be accessed by those authorized.
“We regularly commission audits to identify opportunities for improvements, which as demonstrated in this case, were implemented very quickly.”