It is critical that organisations like the Electoral Commission implement a central, workable and secure solution

10 June 2010
Back in March 2010 we submitted six key questions under the Freedom of Information Act to the UK Electoral Commission. We wanted to find out how they are protecting eligible voter information and monitoring access to the Registers. We have now finally (weeks after the 20 working days deadline) received a reply.

Initially we asked whether they had a product in place which allowed them to monitor and log access and changes to information on the electoral roll register/database. They replied stating that they don’t. Apparently local authorities manage their own electoral registers, meaning that there is no central point of control at all. The Commission is sent secure updates on a monthly basis by each individual local authority; how this is done (over email, USB etc.) wasn’t stated. The Commission did not divulge details on whether each local authority had a product in place to monitor and log access either.

We also asked how many people had access to the Registers and whether this was reviewed on a regular basis. The response here was interesting. Within the Commission, a total of 25 staff have access to the electoral registers in the Party and Election Finance team. These documents are stored in restricted folders and can only be accessed by the relevant staff for purposes of checking permissibility of donations to political parties. In addition a number of technical staff (currently 8) in the IT team also have access to the information.

The electoral register information is apparently only accessed on a need-to-know basis, and these access permissions are controlled by the ICT team, with permission given in line with an agreed policy and procedure after obtaining appropriate authority. All information assets, including the electoral rolls, are reviewed annually (and ad hoc throughout the year if there is an indication that this may be necessary or as part of an audit) to ensure that they are handled and used appropriately. In addition, each time there is a change in staff, permissions to access the electoral registers are reviewed.

Whilst this sounds reassuring, it is important to note that procedures and policies are great – but only if they are followed to the letter. And who is checking that? We would have (hopefully) assumed that privileged users were also being electronically monitored regarding their activities on the registers as a backup, but the answer to that question was no. They do not currently have automated systems in place to monitor the activities of users whilst accessing the electoral registers.

My "Spider Sense" went off. Yes, the Commission’s security measures conform to ‘data handling in government’ guidelines, but they aren’t tracking users electronically and subsequently don’t have any way of generating real time security alerts.

The need to monitor the digital footprint of employees in order to preserve the confidentiality and integrity of data and monitor privileged user activity is extremely important – especially with regards to public sector information. It’s very disappointing. I’m hoping that each local authority is a little sharper and is electronically managing and monitoring access to their databases – it’s certainly something we should be asking our councils about.

It is critical that organisations like the Electoral Commission implement a central, workable and secure solution. They must act upon it, monitor and maintain processes and stay up-to-date with access controls. Well-managed log data can provide them with a vital window on irregular activities. Why wouldn’t they implement it?


