I was recently reviewing an article which argued that in the
absence of a clearly defined set of confidentiality requirements
one should apply the
concept of "need-to-know". Indeed, it recommended this approach
as following best practice!
The question is: while this may often be a good approach, is it
always the right approach?
To start with, there is a clear distinction between
"need-to-know" and "need-to-protect". Just because I do not have
the "need-to-know" something does not necessarily imply that there
would be any harm in my knowing it. Protecting that which does not
need protecting incurs a cost in both time and money.
Furthermore, there may well be a business advantage in making
such information available, because controls on information flow can
strike at the very heart of business agility.
The reality is that we often pull together disparate data items
to generate useful business information, and which data items those
will be is not always clear to us when we initiate the process, let
alone determinable in advance by a third party. The road to
business intelligence is often strewn with surprises, and an
overzealous application of access controls will frequently compromise
information availability.
This raises the question: who determines what one needs to know,
in what context and on what basis? Are they suitably qualified? Do
they really understand your work? Do they understand the business
value of the data, or the context in which the decision is applied?
In summary, are they in a position to make an informed judgement?
And how is that determination maintained over time, as roles and
data change? The short answer is that the decision should lie with
the business owner, but even so this is not an easy question for
them to answer.
In some companies, for instance, the need-to-know principle is
applied to employee salary details. These are deemed sensitive
personal information, and in consequence need-to-know is rigorously
enforced. In other companies employee salaries are openly published,
as it is deemed that employees have a right-to-know what their
colleagues earn, in accordance with a policy of openness. The
distinction is a matter of company culture, business environment
and legal framework. The impact of the Freedom of Information Act
on data protection is a clear case in point.
This challenge may be further compounded by our common instinct
to default to "deny", and hence to over-protect when in any doubt as
to someone's "need-to-have". You only have to look at the historic
overzealous application of protective markings by Her Majesty's
Government for evidence of this trait, something the Manual of
Protective Security itself makes quite clear one should avoid.
In conclusion, there are many situations where principles such
as need-to-know and need-to-have are sound and should be
applied. But this should be done on the basis of business need and
implemented with careful consideration. Do not apply them blindly on
the mantra of best practice! One person's best practice is another
person's dogma or cop-out. But that's another story.