"PII as a Controlled Substance"
By davew on Dec 24, 2007
Robin reckons that PII should be "treated as a controlled substance", and makes a convincing argument to this effect. However, there's an even deeper truth in his statement that PII should be considered to be like "fissile material, or the kinds of materiel covered by arms limitation agreements during the Cold War".
Just like fissile material, PII has a half-life.
If the infamous HMRC CDs have fallen into the hands of a ne'er-do-well, said ne'er-do-well would be wise to sit on them until the media brouhaha has died down, but not so long that much of the data is no longer accurate.
People die, move house, change their names on getting married and divorced - in short, PII changes. For the amount of PII disclosed by HMRC, an analogy can just about be drawn between loss of accuracy over time and radioactive decay.
In a hundred years' time, the misplaced HMRC data will be entirely useless to someone who wants to try faking an identity. In fact, if you look at it from the perspective of the disclosure state machine I put together, if someone were to try to fake an identity based on a piece of "naturally expired" PII in a few years' time, the "expired" PII could serve as a strong indicator of suspicion that they were in possession of the misplaced HMRC data. I sincerely hope that HMRC has realised this, and has made a reference copy of the as-misplaced database such that a "watch-for" list will come into being inside HMRC and slowly grow, based on updates to the live database resulting in increasing discrepancies with the misplaced records.
Potentially, HMRC could even offer a service to other UK Government departments, to check offered identity information against this watch-for list...
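The watch-for list described above, as an added example that is not part of the original post: it diffs a frozen copy of the lost records against the live database and flags offered identity details that match a value which has since expired. The record layout, field names, identifiers and sample data are constructed assumptions, not HMRC's schema.

```python
FIELDS = ("surname", "address")  # assumed record layout (hypothetical)


def normalise(value):
    """Case-fold and collapse whitespace so trivial variations still match."""
    return " ".join(value.casefold().split())


def build_watch_list(snapshot, live):
    """Diff the frozen as-lost copy against the live database.

    Returns {person_id: {field: expired_value}}. Re-running this as the live
    data changes makes the list grow while the lost records "decay".
    """
    watch = {}
    for pid, old in snapshot.items():
        current = live.get(pid)  # None: record closed since the loss
        expired = {f: old[f] for f in FIELDS
                   if current is None or normalise(current[f]) != normalise(old[f])}
        if expired:
            watch[pid] = expired
    return watch


def check_claim(watch, pid, claim):
    """Return the claimed fields that equal an expired snapshot value.

    A hit is a signal for review, not proof: the value was correct when the
    data was lost but no longer matches the live record.
    """
    expired = watch.get(pid, {})
    return sorted(f for f, v in claim.items()
                  if f in expired and normalise(v) == normalise(expired[f]))


# Constructed sample data: records as they stood when the discs went missing.
SNAPSHOT = {
    "P001": {"surname": "Smith", "address": "1 High St, Leeds"},
    "P002": {"surname": "Jones", "address": "4 Mill Lane, York"},
    "P003": {"surname": "Patel", "address": "9 Oak Road, Bath"},
    "P004": {"surname": "Evans", "address": "3 Quay Rd, Hull"},
}
# Constructed live data: P001 moved, P002 changed name, P004 record closed.
LIVE = {
    "P001": {"surname": "Smith", "address": "22 Park Ave, Hull"},
    "P002": {"surname": "Taylor", "address": "4 Mill Lane, York"},
    "P003": {"surname": "Patel", "address": "9 Oak Road, Bath"},
}
```
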
Oh, and a happy Newtonmas to all my readers :-)