
Outsourcing data processing may deliver lower costs and
increased efficiency, but what are the long-term effects on UK
government departments and their security, asks Kerry
Davies.
Your personal details are held in a database in the
Philippines, China has your NHS information and India controls the
electricity supply. It may not be real life yet, but given the
government's willingness to place potentially critical, and
certainly sensitive, information offshore, it is a scenario that
could be coming our way soon.
This might be no bad thing since it will deliver lower costs,
increased efficiency and improved competitiveness. But there are
inherent dangers in this globalisation of government
information.
Some issues have already been acknowledged. Ministers have
recognised the potential threat to UK employment and have
commissioned research into the effects of exporting thousands of
jobs overseas. What they don't seem to have considered are the
security implications.
Government departments are among the biggest users of data
processing companies which outsource their work to lower-cost
countries where information centres may not be adequately
protected. Under the Data Protection Act, sensitive data cannot be
transferred to countries outside the European Economic Area without
ensuring adequate protection. But what constitutes "adequate" and
"sensitive"?
At the time the Act became law, the then data protection registrar
said the only way an organisation could demonstrate that it had
taken adequate technical and procedural measures to protect the
security of sensitive data was by achieving the British Standard
on information security management, BS7799. To date some 700
organisations worldwide have achieved formal certification to the
standard.
Given that some of our sensitive data is being sent to countries
outside Europe to be processed, shouldn't we be demanding that it
is protected by the standard? This would start to address concerns
about the potential damage which could be caused by organised crime
syndicates exploiting offshore arrangements.
But what would happen if parts of our critical national
infrastructure relied on data processing centres in countries that
became hostile because of the actions of the UK government? Would
service level agreements ensure that the workers continued to
operate diligently in the UK's best interest? Could they threaten
to turn off benefit payments from the Department for Work and
Pensions?
If a relatively small group of drivers demonstrating outside fuel
depots about the price of petrol can delay tax increases, then an
organised assault on the outsourced data processing interests of
the UK government could bring about anarchy.
The US is already grappling with the issue, with measures to
restrict the outsourcing of federal public sector work. And here,
there are indications that in some sensitive areas, government
departments are insisting contractors process the data in the UK.
It is time all government departments scrutinised the security of
their outsourcing operations.
Kerry Davies is managing director at
information security specialist Echelon Consulting.