So, last week we had the latest in a long line of data loss incidents: a member of Atos Origin’s staff left user and password data for the Government Gateway in a pub car park. I look forward to hearing confirmation that both the individual concerned and the individual responsible for management of the project have been asked to revise their career aspirations. But this was in the same week that the Minister responsible – Work and Pensions Secretary James Purnell MP – had to apologise for leaving confidential documents on a train. Are the two cases really so different, and can future incidents be avoided using the same controls?
There’s little doubt that the technology age has simplified the process of losing vast amounts of personal data – after all, you try losing 25 million paper records. You’re going to notice them missing pretty quickly, and they will probably be rather easy to find again. But when CDs and memory sticks go missing, it’s often blamed on ‘junior clerical staff’ or ‘junior officers’ – easy whipping boys who can be given the blame for either a) making a genuine mistake, b) making a stupid mistake whilst under the influence, or c) acting under orders. Our problem here is that the shabby compliance regimes that allow these incidents to happen are invariably established and run by much older people, and in the case of the IT industry, it’s a sad fact that they’re too often male (not a desirable state of affairs, since things would probably run much better with more senior female managers – but that’s another blog).
The old men mandate the systems and the processes around them. They control the governance and audit regimes. They claim to be responsible for overall management, although they rarely accept accountability. But all too many of them don’t actually understand the technology they’re responsible for.
After all, how many of us have to provide IT support for our elderly relatives? My father, for example, is an accomplished and highly skilled engineer who has designed brakes on racing Ferraris, managed the build of massive cement works, and rebuilt a pre-war sports car from the ground up, manufacturing many of the components from scratch in his workshop. He’s an intelligent, practical and capable man. But put him in front of a computer, and he’s almost immediately reduced to a burbling wreck who phones me regularly with complaints such as “where’s the thingy, the number thingy, you know, where’s that gone?”.
I’ve had several bosses over the past fifteen years who have their secretaries print out all their emails. They hand write a response on the bottom. Then the secretary types it in. And these are people who claim to be masters of technology, with responsibility for huge technology projects. I appreciate that their experience and detachment from the day-to-day minutiae is invaluable, but how are they meant to understand what the risks are, and what the appropriate controls might be, if they can’t master Outlook?
So, the real decisions that affect the security and integrity of our personal information are being made by people who struggle to programme a VCR and don’t really understand what technology can or cannot do (a case in point is ContactPoint – the Children’s Index – where the solution to security problems dictated by these old men to their secretaries is “don’t put our kids’ data in it”). We desperately need to refocus our efforts on training and supporting the most senior levels of management, whilst simultaneously holding them accountable for their decisions.
And I have a solution that will make it happen. Send them on a training course to give them a proper grounding in modern technology, and whilst they’re out of the office, take away their secretaries. Take away their pens, and their paper. And swap them out for laptops (properly encrypted and protected in accordance with best practice, of course). Make them live in the real world of technology, make them understand what it can do, and make them suffer when it fails, just as the rest of us do. And make sure their personal information is the first to be entered into every sensitive database out there, so that they can be sure to be the first to suffer if they get it wrong. That should focus their attention on what matters.
Oh, and every once in a while we’ll swap their laptops for Etch-a-Sketches. Anyone who fails to notice should get the sack immediately – they can stand in line behind the Atos employee…