I was recently reviewing an article which argued that in the absence of a clearly defined set of confidentiality requirements one should apply the concept of "need-to-know". Indeed it recommended this approach as following best practice!
The question is: while this may often be a good approach, is it always the right approach?
To start with, there is a clear distinction between "need-to-know" and "need-to-protect". Just because I do not have a "need-to-know" for something does not necessarily imply that there would be any harm in my knowing it. To protect that which does not need protecting may incur a cost in terms of both time and money. Furthermore, there may well be some business advantage to making such information available, because information controls can strike at the very heart of business agility.
The reality is that we often pull together disparate data items to generate useful business data, and what those data items are is not always clear to us when we initiate the process, let alone determinable in advance by a third party. The road to business intelligence is often strewn with surprises, and an overzealous application of access controls will often compromise information availability.
This raises the question: who determines what one needs to know, in what context and on what basis? Are they suitably qualified, do they really understand your work, do they understand the business value of the data or the context in which the decision is applied? In summary, are they in a position to make an informed judgement? And how is this determination maintained over time? The short answer is to say that the decision should lie with the business owner, but even so this is not an easy question for them to answer.
In some companies, for instance, the need-to-know principle is applied to employee salary details. This is deemed personal sensitive information and in consequence need-to-know is rigorously enforced. In other companies employee salaries are openly published as it is deemed that the employees have a right-to-know what their colleagues earn in accordance with a policy of openness. The distinction is a matter of company culture, business environment and legal framework. The impact of the Freedom of Information Act on data protection is a clear case in point.
This challenge may be further compounded by our common instinct to default to "deny" and hence to over-protect when in any doubt as to someone's "need-to-have". You only have to look at the historic overzealous application of protective markings by Her Majesty's Government for evidence of this trait, something the Manual of Protective Security makes quite clear one should avoid.
In conclusion, there are many situations where principles such as need-to-know and need-to-have are sound and should be applied. But this should be done based on business need and implemented with careful consideration. Do not apply them blindly on the mantra of best practice! One person's best practice is another person's dogma or cop-out. But that's another story.
This was first published in October 2008