As some of you will have seen in today’s Irish Times a laptop containing 171,324 blood donor records was stolen in New York.
” donor records would include details such as name, address, date of birth, gender, blood group and contact phone number. The records on the laptop included any donor details that were updated between July 2nd and October 11th, 2007.”
I’ve spoken to the IBTS, and am expecting a call back later today with some further details. Information they’ve given me so far:
- The information was encrypted with AES 256bit encryption key- anyone’s opinion on the significance of this fact would be welcomed.
- The times reports “The records were in New York, the blood service said, “because we are upgrading the software that we use to analyse our data to provide a better service to donors, patients and the public service”.
The IBTS person, who was just the person on the helpline, said that the person they’d engaged to help them with this asked for some data to test the new system on. Is it best practice to use live data in circumstances like this (leave aside the question as to whether its good practice to fly to New York with it).
I’ve asked did the NY blood service get a copy of these details and whether they were in the Data Protection Safe Harbour programme.
UPDATE: the above was sent to draft instead of being posted.
In the meantime I’ve spoken to the Donor Services Manger.
He told me that the laptop was being carried by an employee of the NY Blood Centre- ie that the NY Blood Centre had been given a copy of the data.
The NY Blood Centre is not on the list from the US Department of Commerce as a member of the Safe Harbour programme.
He’ll come back to me with an answer to the question as to why dummy information couldn’t have been used instead of actual personal data from the IBTS database.
Any other questions which ought to be asked?
More Update: Daragh O’Brien has an excellent expansion of his comment below on best practice in this area on his blog. Daragh is a Vice President of the International Association for Information and Data Quality (IAIDQ), so I’d believe him.
Even More Update: Colm Smyth concurs with many of the things that Daragh said. He also questions whether the encryption used is necessarily as strong as it might be.