Electoral Commission’s Data Protection Policies In Question

The UK Electoral Commission admits that it has no system in place to monitor the activities of users who are accessing the electoral registers

The UK Electoral Commission has admitted that it does not have the capability to monitor the activities of users who access the electoral registers.

The news came to light after log management and security expert LogLogic submitted a number of questions under the Freedom of Information (FOI) Act to check that sensitive voter data was being properly protected and monitored.

No Monitoring

“Back in March 2010 we submitted six key questions under the Freedom of Information Act to the UK Electoral Commission. We wanted to find out how they are protecting eligible voter information and monitoring access to the Registers,” said Guy Churchward, CEO at LogLogic.

“Initially we asked whether they had a product in place which allowed them to monitor and log access and changes to information on the electoral roll register/database. They replied stating that they don’t.”

According to the Electoral Commission, local authorities manage their own electoral registers, which means that there is no central point of control at all.

“[The Commission is] sent secure updates on a monthly basis by each individual local authority – how this is done (over email, USB etc.) wasn’t stated,” said Churchward. “The Commission did not divulge details on whether each local authority had a product in place to monitor and log access either.”

LogLogic also asked how many people had access to the Registers. The electoral register information is apparently only accessed on a need-to-know basis, and access permissions are controlled by the ICT team.

Earlier this year, British companies were warned to tighten up their security systems, after the Information Commissioner’s Office (ICO) was given the power to issue large fines for any serious data breaches. Companies that fall foul of the data breach laws now risk a maximum fine of £500,000.

Checks Done Once A Year

The Commission also said that all its information assets, including the electoral rolls, are reviewed annually to ensure that they are handled and used appropriately. Ad hoc checks are apparently carried out throughout the year if there is an indication that this may be necessary or as part of an audit.

It also reviews permissions to access the electoral registers each time there is a change in staff.

Spider Sense

“Whilst this sounds reassuring it is important to note that procedures and policies are great – but only if they are followed to the letter,” said Churchward. “And who is checking that? We would have (hopefully) assumed that privileged users were also being electronically monitored regarding their activities on the registers as a backup, but the answer to that question was no.

“They do not currently have automated systems in place to monitor the activities of users whilst accessing the electoral registers,” he added.

“My ‘Spider Sense’ went off,” said Churchward. “Yes, the Commission’s security measures conform to ‘data handling in government’ guidelines, but they aren’t tracking users electronically and subsequently don’t have any way of generating real time security alerts.”

Churchward feels that the Commission needs to be able to monitor the digital footprint of staff in order to preserve the confidentiality and integrity of data, and to catch any irregular activities. He also believes that monitoring privileged user activity is extremely important – especially with sensitive public sector information.

“It’s very disappointing,” said Churchward. “I’m hoping that each local authority is a little sharper and is electronically managing and monitoring access to its databases – it’s certainly something we should be asking our councils about.”