UK Government Loses 15 Million Private Records

← Back to Stories (view on slashdot.org)

UK Government Loses 15 Million Private Records

Posted by Zonk on Tuesday November 20, 2007 @04:26AM from the that's-gotta-hurt dept.

bestweasel writes "The BBC reports that a UK Government department has lost discs with details of 15 million benefit recipients, including names, addresses, date of birth and bank accounts. The head of the department involved, HM Revenue & Customs, has resigned and his resignation 'was accepted because discs had been transported in breach of rules governing data protection' so someone thinks it's not a trivial matter. The Chancellor will try to evade responsibility in the House of Commons at 3.30 GMT. A similar leak of a 'mere' 15,000 records from the same department happened a month or so ago. At that time, they refused to say 'on security grounds' whether the information was encrypted." We just recently talked about Britain's consideration of legal penalties for situations like this. I imagine this incident will weigh on that decision.

50 of 339 comments (clear)

25 million now... by Sirch · 2007-11-20 04:27 · Score: 4, Informative

Or so says The BBC...

--
We Build Beautiful Websites
1. Re:25 million now... by Slashidiot · 2007-11-20 04:29 · Score: 5, Funny
  
  Aiming for the World Record of record losing!
  
  --
  Tis women makes us love, Tis Love that makes us sad, Tis sadness makes us drink, And drinking makes us mad.
2. Re:25 million now... by ilovegeorgebush · 2007-11-20 04:31 · Score: 3, Interesting
  
  Indeed. I was going to post the same thing. I'm absolutely shocked they could be so careless. Apparently, it was sent via normal post, without recorded delivery. There's a full summary from the BBC on Alistair Darling's announcement here.
  
  Of particular interest is the fact that it was sent twice. Once again, by recorded delivery, after the initial package was lost in transit.
  
  --
  ilovegeorgebush
3. Re:25 million now... by Billosaur · 2007-11-20 04:49 · Score: 2, Interesting
  How can you be shocked? This is government we're talking about... doesn't matter the country. As soon as you give one group of people anywhere the power to run the whole show, they break down into three categories:
  
  Power Brokers - the people who actually run things (and not necessarily having been elected to do so)
  
  Bureaucrats - the paper pushers, who created the red tape that keeps anyone from actually know what's going on or where the money came from/went to
  
  Grunts - the people who do the actual work, usually for very little money compared to 1) and 2), who will do things the way that's easiest, despite the rules
  
  I think this mess happened due to 3):
  
  "Contrary to all HMRC standing proceedures two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the National Audit Office by HMRC's internal postal system operated by the courier TNT.
  
  "The package was not recorded or registered."
  Some guy/gal knew the data had to get out and couldn't be bothered to send it via courier or registered mail. Plopped the discs in an envelope, licked it, stamped it, and dumped it in the post.
  --
  GetOuttaMySpace - The Anti-Social Network
4. Re:25 million now... by bloobloo · 2007-11-20 05:01 · Score: 2, Informative
  
  It WAS sent by courier.
5. Re:25 million now... by keithius · 2007-11-20 05:06 · Score: 2, Insightful
  
  And these are the clowns I'm supposed to trust with all my personal information in their joined-up-mega-database-and-ID-card scheme?
  Yes.
  
  And this is precisely the point that needs to be made. Whenever governments start throwing around words like "central" and "database," you need to point to events like this and ask "have we fixed this sort of thing yet?"
  
  Until the answer is a resounding (and verifiable) "YES," I'd ask my government to keep their noses out of my personal information, thank-you-very-much.
  
  --
  "Programming is the fine art of making a machine that has absolutely no intelligence act as though it does."
6. Re:25 million now... by TheRaven64 · 2007-11-20 05:17 · Score: 5, Insightful
  
  That was my first thought. The one good thing about this kind of disaster is that there is now a strong concrete example of why it is a bad idea to give the government any more data than they absolutely need. Whenever someone suggests a massive central database we can say 'you lost 15 million private records, why should we trust you with any more?'
  
  --
  I am TheRaven on Soylent News
7. Re:25 million now... by Bloke+down+the+pub · 2007-11-20 05:37 · Score: 4, Informative
  
  Weren't these the same idiots who just passed a law to "punish irresponsible data loss"?
  No, that would be Parliament. The people who lost the data were HM Customs & Revenue. These are two different bunches of idiots.
  
  --
  It's true I tell you, feller at work's next door neighbour read it in the paper.
8. Re:25 million now... by cliffski · 2007-11-20 05:53 · Score: 2, Interesting
  
  half a billion? no way more. heres what vince cable had to say:
  
  "As we stand at present, every taxpayer in Britain has something approaching £900 of their money at stake in this small mortgage bank following the £24 billion loan (which excludes the less controversial £18 billion in deposit guarantees).
  
  When Tony Blair was Prime Minister he was widely and rightly criticised for squandering £800 million on the Millennium Dome. This Prime Minister and this Chancellor have invested the equivalent of 30 Millennium Domes in this bank and we don't even have a few pop concerts to show for it.
  
  There are some key questions for the Government to answer:
  
  Will the Government's loan will be paid back in full, with interest, in this Parliament?
  
  Is it true that Mr. Adam Applegarth, who led the bank into its current disaster, can expect a £2 million pension pot and generous bonuses, all underwritten by the taxpayer? How did the Government get into a position of entrusting vast sums of taxpayers' money to a man who showed his own faith in the company by selling his own shares to invest in a country mansion and a Ferrari?
  
  What is the true total figure? We know about £24 billion from media reports, but the Government has not come clean: it has refused to give a figure, refused to confirm the media reports and refused to say whether there are even more loans than those the media discovered."
  
  --
  DRM-free indie games for the PC and Mac: Positech Games
9. Re:25 million now... by Black.Shuck · 2007-11-20 07:26 · Score: 3, Funny
  
  Weren't these the same idiots who just passed a law to "punish irresponsible data loss"?
  The data isn't lost. It's just been inadvertently shared.
10. Re:25 million now... by uncqual · 2007-11-20 07:42 · Score: 2, Insightful
  
  Loosening the tinfoil a bit... ah, there, feels much better... crawling out of basement... ah, there, the view is much clearer from up here... (but, what is that big glowing yellow/orange thing the sky - that is truly terrifying looking...)
  
  Shutting down the ability to withdraw funds for six months for this reason would also require preventing transfers and check payments for the same supposed reason. Doing this would, by itself, probably destroy the entire economy of any modern commerce based society so it would make no sense. It would be like committing suicide to prevent getting a cold.
  
  --
  Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
11. Re:25 million now... by segedunum · 2007-11-20 10:02 · Score: 2, Informative
  
  "As we stand at present, every taxpayer in Britain has something approaching £900 of their money at stake in this small mortgage bank following the £24 billion loan (which excludes the less controversial £18 billion in deposit guarantees).
  I hear this bandied about time and again, but there is no way the BofE handed over £24 billion to Northern Rock. It doesn't have £24 billion of loose change for a start, and it isn't taxpayer's money. What will have happened is where the BofE says "OK, we think you will be solvent and 100% OK and we think you're viable. We're going to create some money that you are then going to pay back to us at a penalty rate."
  
  This is exactly what the lender of last resort system is for, so please, don't give me any of that media-oriented bollocks about how many Millenium Domes you could get for this, OK?
12. Re:25 million now... by Cassius+Corodes · 2007-11-20 10:52 · Score: 2, Funny
  
  What do you need?
  
  --
  Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
13. Re:25 million now... by mpe · 2007-11-20 20:49 · Score: 2, Funny
  
  Get your facts straight. HMRC enjoy crown immunity and cannot be prosecuted.
  
  Even if they didn't since they are not a person it's kind of hard to put them in prison.
  
  Personally I think it was honourable of Paul Grey (HMRC's Chairman) to resign.
  
  It's not a good sign when doing the right thing becomes the exception rather than the rule. Wonder if he's taking good care of his P45 and UB40...
14. Re:25 million now... by mpe · 2007-11-20 23:04 · Score: 2, Insightful
  
  Obviously, they'll have to block everyone from taking money out of their bank accounts in order to ensure that the bad guys who stole the account numbers can't take money out.
  
  IMHO part of a solution here would be to change things such that the only thing someone can do if they know the bank account details on these records is to put money into these accounts. i.e. that the information is insufficent to take money out of any accounts... Similarly that the only thing that someone can do with your National Insurance number is pay your income tax/state pension contributions.
  Finally to stop treating such things as knowlage of mother's maiden name, data of birth, past/current addresses, etc as being proof of anything. Let alone "security questions". In all likelyhood alternative ways of doing things, otherwise you'd expect "celebrities" to be the most common victims of "identity theft".
15. Re:25 million now... by mpe · 2007-11-20 23:13 · Score: 2, Insightful
  
  No, the British government are considering a law to punish data loss.
  
  Which IMHO is really the wrong approach. Far better to make the kind of information involved of little value to anyone else.
  Which means rethinking the concepts of "identity" and "proof of identity". Such that knowing lots of facts about someone is of little use in impersonating them. There already appears to exist a group of people who's biographies are easily available who are not constantly plagued with impersonation.
16. Re:25 million now... by Archtech · 2007-11-20 23:26 · Score: 2, Interesting
  
  "No, that would be Parliament".
  
  True in theory. The facts of the matter are these:
  
  1. The UK parliament consists of two houses: Commons and Lords. By constitutional convention, the Lords cannot block legislation agreed by the Commons; they can only delay it for a while and urge them to think it through.
  
  2. Because the British constitution does not separate the legislature from the executive branch, the Prime Minister is the leader of the party with a majority in the Commons. That means that the Commons becomes a rubber stamp for whatever laws the PM wishes to pass. So the law to punish irresponsible data loss was passed by Parliament - true. But it was initiated by Gordon Brown, the PM, and his pals in the Cabinet; and once they decided they wanted it, nobody could stop it.
  
  3. HMR&C is a government department mostly run by career civil servants. But it reports in to the Chancellor of the Exchequer, the government minister responsible for finance, who is the senior member of the Cabinet after the PM. Gordon Brown, the current PM, was Chancellor for the past ten years.
  
  4. So, if you follow the threads of power and responsibility - yes, the loss of data is directly traceable to the same people who passed the law. But they have set up an impressive array of cut-outs and facades to give them every opportunity for "credible deniability".
  
  --
  I am sure that there are many other solipsists out there.
yeah, it'll weigh on them by Nursie · 2007-11-20 04:28 · Score: 2, Interesting

And the government will give itself a nice fat getout clause so that it's immune when it loses everyone's data, but any company or individual outside the government is in trouble.

Just watch and wait.
1. Re:yeah, it'll weigh on them by paeanblack · 2007-11-20 04:50 · Score: 5, Funny
  
  At that time, they refused to say 'on security grounds' whether the information was encrypted.
  
  That should read 'on job security grounds' ...
And they expect us to trust them... by ditoa · 2007-11-20 04:29 · Score: 5, Insightful

With a nationwide DNA database? Please. They can't be trusted with anything.
1. Re:And they expect us to trust them... by magarity · 2007-11-20 04:39 · Score: 4, Funny
  
  Ah, but with a national database of everything, the missing disks could be located with a simple search query!
Trust them with the national ID card program now? by Gandalf_the_Beardy · 2007-11-20 04:33 · Score: 2, Insightful

15,000 records for the pension provider and now somewhat like a third of all peopl in the UK sent on what appears to be unencrypted discs. When I queried this with Standard Life they said that they had no choice but to accept the data like that and that the Govt refused to encrypt it. This being the same Govt that wants to hold all of our medical records in one national database, along with all of the ID card details. For the US peope reading, the National Insurance number is synonmous with your SSN, although not of quite as much use for fraud. It's still not something that you want to allow out into the wild.
Trust the Government by Vanders · 2007-11-20 04:34 · Score: 5, Insightful

The fact that 25million records were being sent via. post burnt on DVDs should give some idea of the level of technical competency in the public sector. Apparently they were being sent to the Audit Office, but why the Audit Office needed an off line copy of the data, and a complete copy at that, isn't addressed: no doubt some ridiculous bureaucratic idiocy that makes Brazil look sane.

The idea of burning an unencrypted copy of your sensitive data to a DVD and handing it to a random delivery company should horrify even the most incompetent sysadmin or DBA. Apparently no one in HM Customs & Revenue thought anything of it.

These are the sorts of people who want to build a massive database of all our personal details and tie them to ID cards. They tell us the data will be "perfectly safe". I wouldn't trust them to run a mail server.

--
Syllable : It's an Operating System
1. Re:Trust the Government by MrNemesis · 2007-11-20 05:41 · Score: 2, Insightful
  
  Password protected? I think that's soon to become NewSpeak for "we didn't use proper encryption". Knowing what I know of some of the incredibly ridiculous levels of beauracracy inside the UK public sector (although I've never been invloved with anything outside of legal) I wouldn't be surprised if this amounted to anything as secure as a password protected zip file, with a short password at that.
  
  But the fact that the whole fecking database went out in the mail is utterly inexcusable. This is akin to me emailing a dump from the financials systems via my hotmail account.
  
  And, just to re-confirm my stance on the UK national ID card along with everyone else, how they expect the public to believe that they can keep a database as huge and sprawling as everyones fingerprints, retinas, tax records, benefits, medical history, travel history and criminal record secure I don't know. I'm not even sure that some of them know the meaning of "secure".
  
  The UK government is many things, but they've proved time and time and time again that, collectively*, they know absolutely fuck all about designing (or rather, outsourcing the design to the lowest bidder), maintaining and running any sort of large scale computing project. All of the ones I can remember throughout my lifetime have been late, massively over-budget and unreliable, and some have even been scrapped way before their EOL due to just plain not working.
  
  On a related note, it's at times like this I wish Google did government consultancy. If anyone can keep a colossal distributed database on track, it's them. And as evil as they might be, I trust them more than I trust Capita or EDS**
  
  *I've met some very smart people working for the government but they're bogged down in a stultifyingly inert beauracracy, worse than anything I've experienced in the private sector. Wouldn't be surprised if Gilliam saw Brazil as a documentary
  
  **Governmental favourites for LCD IT outsourcing with a similar illustrious track record for incompetence
  
  --
  Moderation Total: -1 Troll, +3 Goat
2. Re:Trust the Government by catmandi · 2007-11-20 06:17 · Score: 2, Informative
  
  The audit office specifically asked that they be sent only the national insurance numbers - with ALL personal data removed. This was very clearly stated in the debare in parliament. Their requirements for the data apprear to have been in order to set up an auditing algorithm that would allow them to then go on site and inspect the records. They felt (quite fairly I would argure) that the only impartial way to set up the audit would be to pick numbers at random, without any other information about what the numbers related to). The problem here is the fact that one, or at most a handful of people took it upon themselves to contravene exsiting rules (which are obviously unenforceable, since you'd expect the system to refuse to download a non-encrypted copy of the entire database) and deal with the request without actually doing any work (i.e. by dumping all the information).
  
  Whether that is criminal or simply irresponsible is for a smarter person than me to answer.
  
  --
  I was promised flying cars...Why are there no flying cars?
Where's the Backup? by digitaldc · 2007-11-20 04:37 · Score: 2, Funny

Didn't anyone learn ANYTHING from the last 5,000 years of record keeping?

--
He who knows best knows how little he knows. - Thomas Jefferson
1. Re:Where's the Backup? by Billosaur · 2007-11-20 04:42 · Score: 2, Insightful
  
  Yes... destroy all the records! Leave 'em guessing!
  
  Seriously, it's preposterous to talk of data retention strategies and forcing people to be part of national data banks when there's absolutely no talk about how you're going to make it secure. I would like to think a data center where personal data for users/citizens is kept would be run more like Fort Knox than the McDonald's Drive-Thru.
  
  --
  GetOuttaMySpace - The Anti-Social Network
This give us hope by owlnation · 2007-11-20 04:41 · Score: 3, Funny

We've been heading towards the totalitarian Peoples Democratic Republic of (formerly Great) Britain for some time now. This kind of thing is actually encouraging.

In a country where you are watched by security camera most of the day, and can be detained without charge for longer than anywhere on Earth, it is reassuring to note that the UK Government is so incredibly incompetent that there will always be a way to escape. No need for tunnels, gliders, or under the floor of a Trabant -- it should be pretty much possible to just walk through the border with a library card altered in crayon.
1. Re:This give us hope by MadMidnightBomber · 2007-11-20 21:14 · Score: 2, Funny
  
  "If you want a vision of the future, imagine Brazil (the film) run by Dilbert's boss - forever."
  
  --
  "It doesn't cost enough, and it makes too much sense."
Offering 100,000 - 1 odds it was clear text by lena_10326 · 2007-11-20 04:46 · Score: 5, Insightful

At that time, they refused to say 'on security grounds' whether the information was encrypted.
Then it wasn't. If it had, the first thing out of their mouths would have been "relax, it was all encrypted".

--
Camping on quad since 1996.
1. Re:Offering 100,000 - 1 odds it was clear text by Zelos · 2007-11-20 05:06 · Score: 3
  
  Exactly - all they'd have to say is "it's encrypted using AES-256/whatever, everyone whose details are on the disk will be dead by the time it's decrypted".
  
  Although, considering that the government is using the time taken to break decryption as an excuse to raise the time they can hold 'terrorists' without charge, they probably want to avoid mentioning that.
2. Re:Offering 100,000 - 1 odds it was clear text by TheRaven64 · 2007-11-20 05:23 · Score: 4, Funny
  
  - STOP BUGGERING ME!! I strongly suspect that this doesn't mean what you think it means...
  
  --
  I am TheRaven on Soylent News
Three times! by Dr_Barnowl · 2007-11-20 04:49 · Score: 5, Insightful
The first time this happened was in March - the discs were not lost, and were returned to sender after use, not that that actually makes any difference, since the data could easily have been copied.

The real WTFs here are
- That the database was being sent in it's entirety to the audit office when they only asked for a sample.
- That the whole data was sent when they only wanted a subset of the fields.
- That junior officers in the civil service have enough access to dump entire databases.
- That they trusted a third-party courier instead of delivering it by hand.
- That the files were "password protected", which is clearly code for "not encrypted properly" (probably a ZIP file..).
Ok, it's probably worse than that though.
1. Re:Three times! by Anonymous+Cowpat · 2007-11-20 05:07 · Score: 5, Funny
  
  no no, why would you think that the people in the UK government would be that incompetent? The files were no doubt secured with a 30 character password, with no dictionary words or contiguous number sequences, a mixture of capitals and lower-case, numbers & other characters with not a single person's mother's maiden name in sight. Obviously, with such a complicated password, it would have to be included on a post-it note with the disc so that the audit office could actually use them.
  
  --
  FGD 135
2. Re:Three times! by Anonymous Coward · 2007-11-20 05:10 · Score: 3, Informative
  
  This is 25 million people who receive child benefit, which is a small amount paid to people with children under the age of 16. So what it really means is that nearly half the population has children.
3. Re:Three times! by amw · 2007-11-20 05:12 · Score: 2, Informative
  
  I know such a thing would require effort, but if you were to read TFA you may notice that the loss covers _child_ benefit, not _unemployment_ benefit. Take a step forward. And then note that when the information was first lost, they simply sent a second copy ...
4. Re:Three times! by jonbryce · 2007-11-20 07:01 · Score: 4, Informative
  
  Child benefit is paid to everyone who has a child regardless of how much other income they have.
5. Re:Three times! by imipak · 2007-11-20 07:42 · Score: 2, Funny
  
  (Why, yes, I am a Randian Libertarian.)
  Am I right to surmise that's another American expression with which I am unfamiliar, roughly equivalent to the contemporary British colloquial usage "twat" or "arsehole"?
6. Re:Three times! by EnglishTim · 2007-11-20 09:51 · Score: 3, Informative
  
  You want worse than that? Take a step back... If 25 million records were lost and the entire population of the UK is 60 million, that means darn near half the population is "on the dole."
  
  It's Child Benefit, not 'the dole'. Child Benefit is paid to the primary carer of all children in the UK, and is not means tested. According to the article, 7.5 million families are affected, which from the figure of 25 million people, results in an average of 3.3333 people's details per family.
7. Re:Three times! by Cassius+Corodes · 2007-11-20 11:00 · Score: 3, Insightful
  
  You are completely right sir! We shouldn't let the incompetent government near us! Lets put all our services in the hands of model corporations like Enron. They are never inefficient!
  
  --
  Control is an illusion, order our comforting lie. From chaos, through chaos, into chaos we fly
Oh please. by Harold+Halloway · 2007-11-20 04:59 · Score: 4, Insightful

"The Chancellor will try to evade responsibility..." In what way could be held responsible? The data was copied and sent in clear breach of the agency's (and the Government's) rules. The last time I checked, it wasn't the Chancellor's responsibility to monitor personally all packages sent by Government agencies. Had the security breach happened due to actions which did NOT breach any rules then I might agree with you, however this is not the case here. Put it this way: If ministerial resignation (and that is what you are implying should happen) is to follow every breach of security then that is a green light to every ne'er-do-well and Tory malcontent working in Government to start posting confidential data left, right and centre.
Re:Listen up, Brits by Anonymous Coward · 2007-11-20 05:00 · Score: 4, Funny

Not offended old bean, we were more than pleased to get rid
of that bunch of God-bothering homophobic nutjobs. Enjoy the
Turkey.

Toodle pip!
Re:Of course by RegularFry · 2007-11-20 05:10 · Score: 2, Insightful

Why are UK government IT projects always doomed to failure?

Because civil servants have no idea how to protect themselves from getting shafted by software suppliers, and no financial incentive to learn, essentially. Also, the government has an extreme aversion to suing its suppliers, so the same suppliers do the same thing every time.

--
Reality is the ultimate Rorschach.
Just wait till it's our DNA and Fingerprints by MrSteveSD · 2007-11-20 05:33 · Score: 2, Informative

At some point, if the UK government gets its way, everyone will have their DNA and fingerprints stored in a central database. How long will it be before some backup hard drive goes missing with all the data?
Just trying to help by ZorbaTHut · 2007-11-20 05:40 · Score: 4, Funny

Did they look behind the couch?

That's where I always lose things.

They might be there.

--
Breaking Into the Industry - A development log about starting a game studio.
For crying out loud by Colin+Smith · 2007-11-20 07:02 · Score: 2, Informative

heres what vince cable had to say:

"As we stand at present, every taxpayer in Britain has something approaching £900 of their money at stake[1] in this small mortgage bank following the £24 billion loan (which excludes the less controversial £18 billion in deposit guarantees). You and Vince Cable need to go learn where money comes from.

It's a bank loan from the central bank. Not a penny of money you have paid in tax has been given to Northern Rock. Not a penny of government borrowing has been given to Northern Rock.

[1]I'm a LibDem supporter and I don't like Fractional Reserve Banking but this is just complete bollocks. Vince clearly has no clue where this money comes from, which I find almost as worrying as the fact that the Chancellor of the Exchequer also continually refers to this money as "taxpayers money". This 24 billion pounds worth of money and the taxpayer have never crossed paths. Vince is in theory highly qualified as an economist. I'm beginning to wonder just how bad the education at Cambridge and Glasgow Universities really are.

--
Deleted
Thankyou please to send password by jammo · 2007-11-20 07:04 · Score: 2, Funny

Thankyou for responding to my the very generous proposal. The money will be put into your bank accounts very soon, but please to be sending password for this 'zip file' which you have sent. Or please to be sending me the sum of $30 for a shareware for opening this files. I await your happy response with great anticipations and to look forward to putting the monies into bank accounts. Yours, Mr Ongbgudgbu Bungongdgogi
More to this than incompetence by CtrlShiftEsc · 2007-11-20 07:56 · Score: 2

Although this is a monumental cock-up, I am not that surprised. HMRC is a recent merge of two big heavyweight Government agencies - Inland Revenue and Customs and Excise. If that wasn't hard enough to deal with, during the last year or so, the Government has decided that there are too many civil servants (might well be true) but has simply decided to lay off huge numbers of employees with little consultation of forethought as to how the work would continue under the same pressures and targets. Let's not even talk about the implementation of the IT systems which far from helping automate or compliment the workload, it has generally increased it. I find it hard to believe that in 2007, an agency like HMRC continues to correspond with other Government agencies by courier when we are talking about such sensitive and massive quantities of UK citizen data. Even if it were sent by secure FTP or something, it wouldn't have been very much trouble to do. It's a dark day for everything British.
Re:As someone who's worked in the public sector... by jesterzog · 2007-11-20 08:14 · Score: 2, Interesting

Thanks for pointing this out, which I entirely agree with. I also agree with the first response to your post, which is that it's like this all through the private sector, too. The difference is that government organisations actually have to be directly accountable to people sooner or later, and in that sense they have a much harder time. It's not really a surprise that a lot of people don't want to work for them.
Lately I've been doing IT work for a government department (in New Zealand in my case) which is actually run well. The entire government sector here was overhauled in the early 1980s with the Official Information Act, which has had at least one really good review from over the Tasman. The law says that anyone can request any information from any department at any time, and the department has to provide it within a specific timeframe (about twenty-something working days), or it'll get into a lot of trouble. The only exceptions are if the request is unreasonably complex, or if there's a good reason to withhold it (such as privacy, etc), in which case the department has to explain why it's withholding the info, and often convince an external auditor that it's justifiable to do so.
After 25 years of working with it, the whole government sector has adapted. We have a full time team of people which is specifically dedicated to receiving official information requests from the public and journalists, delegating them to appropriate managers or other staff, and then making sure the queries actually get answered appropriately.
Everyone knows they could be accountable at any time, any they take it seriously, and contrary to what it sounds like your experiences have been, the management actually supports the whole thing, which as an employee is very encouraging. It's not perfect and people do make mistakes, but the whole system does seem to be a lot more accountable than what I've heard of something like the US Federal Government, for instance.
Why refuse to tell if it was encrypted or not? by ewhenn · 2007-11-20 11:50 · Score: 2, Informative

Look... It's not going to help prevent authorized access by keeping it secret.

If it's not encrypted, when the files are opened it will look like (or something really obvious):
Joe Public DOB: xx-xx-xxxx 12345 Main Street .... balh blah blah..

If it is encrypted it will look like:
982n5o39y8h5014u9m9p!#$`15235098h14n12#$!@3476bwfSFR2387rn@!#12987ksafdkjD

It doesn't take a fucking genious to figure out if a file is encrypted or not. And its not like they are going to told what alog it is encrypted with if it is encrypted. I can see no reason NOT to tell the public if the data is encrypted or not, so the public knows what kind of precautions or steps may be needed to protect their identity.