Another day, another data loss: Which culture must we change?

The recent loss of offender data shows how the cultural malaise regarding other people’s data pervades the ICT profession, not just government bureaucracies. But the need is to protect people, not their data. So which culture is it that we need to change?

We hear a great deal about “trust” and “confidence”. Meanwhile centuries of experience are ignored by those seeking to promote the use of electronic technologies to support the interweaving of confidentiality, authentication and authorisation in the service of centralised bureaucracies structured in ways that avoid personal liability for incompetence or carelessness – provided the “process” has been followed.

Meanwhile organisations have been sharing data on-line for decades without serious breach and without processes of the kind now being mandated by government and regulators. It is not only financial services organisations with serious budgets. Cash-strapped voluntary organisations like Barnardo’s, Citizens Advice or the Salvation Army provide security for the information needed to help some of the most vulnerable in society that is considerably more robust than that of those with whom they are expected to deal in the public sector – regardless of the nominal accreditations of the latter.

In May I chaired a session at the European Commission High-Level Workshop on Ethics and e-Inclusion where we concluded that it was unethical for governments to demand information from citizens that they could not keep secure and confidential.

But everything is a matter of balance. Data that is not regularly used quickly becomes out of date and worthless. And it cannot be used without risk. We need to refocus attention on risk analysis, how to better manage choice and consent and the governance mechanisms appropriate where these are to be over-ridden – as with the needs of law enforcement.

We need to reset the Information Governance Agenda around processes that lead to security by default, inherent to the way the organisation works, where this is important. We also need to stop giving the illusion of security where this is unnecessary and gets in the way of efficient customer service. Both require listening to staff and customers in ways that fell out of fashion a decade or so ago. They also require major change to the ways we select, monitor and motivate those in positions of trust. And that may require reversing the 20-year trend towards outsourcing, alias the demolition of corporate loyalty.