William Heath asks “what happened to the Crosby review” in his “Ideal Government” blog (a must for those of you who want to keep abreast of the thinking among the e-government movers and shakers). However, while I always find William’s insights most perceptive and his blog most informative I think he is on the wrong tack. I think that Crosby has put issues into the wider perspective and the result is even more challenging, across the whole of Whitehall, not just Home Office, than William speculates. Hence some of the drafting of the Public Service Agreement to which I referred in my entry on delivering the Transformation of Government.
Ninety years ago, in 1917, when HMG was seeking to conscript the entire population, male and fenale, for war work, the Registrar General outlined ideas for a permanent system of population registration. Twelve years later, in 1929, his thinking had moved on and he proposed continuously updated local registers to accurately identify every individual to ensure they "fulfilled their obligations to the community", "secured their rights as citizens" and to provide better statistics.
The arguments over information sharing in the public sector have not moved on much since then:
To give the extremes on both sides.
Benefit recipients or patients can suffer or even die if their information is not available and shared when needed. But battered wives and children can similarly suffer or even be killed if their abuser gains access to their new identity - and we can all be at risk if our employers’ payroll file or similar files containing our personal details are stolen, sold or otherwise “leaked”.
Meanwhile the private sector has very much more experience with sharing high value information than has government.
Nearly a thousand years ago the Knights Templar combined courier, bodyguard and credit card in a seamless service from the Orkneys to Jerusalem. And they really did trade with the enemy. Their network inter-operated not only with those of the Lombards and the Venetians but with those of the Jewish and Islamic families operating from Baghdad to Mumbai.
And there are some very simple lessons from the private sectors’ thousand years of practical experience.
First - Trust is earned by those who accept responsibility. To be credible the routines for sharing must be built around clear liabilities for when things go wrong.
In the private sector it is – who do we sue?
In the public sector it is – who does the Minister blame when it appears in the Daily Mail?
And by “going wrong” – I include people dying or being killed because information was not shared or was because it was shared with the wrong person, not just because the file was lost, sold or sent by mistake to the wrong address.
The second lesson is that those with access to information must know with whom they are expected to share it - and who to consult when some-one outside that circle requests information. And that includes what to do if some-one claims it is an emergency and there is, supposedly, no time to consult …
At the technical level it is not difficult to embed such guidance in on-line information systems.
The problem comes with the slew of legislation, regulation and mythology that surrounds any given application – some it dating back to well before 1917.
Hence the need for clear guidance for those in the call-centre or on the help-desk.
Major financial services operations not only provide such guidance, they train all staff and contractors in their security processes and do not allow them to log on to the system until they have passed the test.
And those whose reputation is most risk from a leak of data, like Experian, vet ALL staff, and I do mean ALL, including the contractors and cleaners.
The need for clear penalties for abuse are obvious, but these must also be tailored to the realities of the public sector and apply to those who put the vulnerabilities there in the first place, not just those on the help-desk when the mistake was made – and they also need to apply to those who cause avoidable pain and suffering by failing to pass information to those to whom they should.
That leads me back to liabilities and responsibilities because unless these are clear and transparent, as with the private sector standards for information exchange developed by groups like Identrust and TWIST, the temptation to fudge the need to follow good practice at all levels, including at the top, is too great for any manager, let alone any politician to resist.
And if the Crosby report raises such issues. then little wonder that publication has been delayed pending progress with the wide ranging reviews of information assurance that have been launched since the review of the independent assessor was completed in July.
Interestingly, the summary of his findings is no longer available.