Another day, another data loss: Which culture must we change?

The recent loss of offender data shows how the cultural malaise regarding other people’s data pervades the ICT profession, not just government bureaucracies. But the need is to protect people not their data. So which culture is it that we need to change?   

We hear a great deal about “trust” and “confidence”. Meanwhile centuries of experience is ignored by those seeking to promote the use of electronic technologies to support the interweaving of confidentiality, authentication and authorisation in the service of centralised bureaucracies structured in ways that avoid personal liability for incompetance or carelessness – provided the “process” has been followed.

Meanwhile organisations have been sharing data on-line for decades without serious breach and without processes of the kind now being mandated by government and regulators. It is not only financial services organisaitons with serious budgets. Cash-strapped voluntary organisations like Barnado’s, Citizens Advice or the Salvation Army provide security for the information needed to help some of the most vulnerable in society that is considerably more robust than that of those with whom they are expected to deal in the public sector – regardless of the nominal accreditations of the latter.

In May I chaired a session at the European Commission High-Level Workshop on Ethics and e-Inclusion where we concluded that it was unethical for governments to demand information from citizens that they could not keep secure and confidential.

But everything is a matter of balance. Data that is not regularly used quickly becomes out of date and worthless. And it cannot be used without risk. We need to refocus attention on risk analysis, how to better manage choice and consent and the governance mechanisms appropriate where these are to be over-ridden – as with the needs of law enforcement.

We need to reset the Information Governance Agenda around processes that lead to security by default, inherent to the way the organisation works, where this important. We also need to stop giving the illusion of security where this is unnecessary and gets in the way of efficient customer service. Both require listening to staff and customers in ways that fell out of fashion a decade or so ago. They also require major change to the ways we select, monitor and motivate those in positions of trust. And that may require reversing the 20-year trend towards outsourcing, alias the demolition of corporate loyalty.    

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

The Justice Ministry data was lost by PA because it was there to be lost, i.e. downloadable.

The real question remains: Why should such sensitive data be removed in the first place?

Home Office Minister Tony McNulty was promptly trotted out to expiate departmental responsibility for this latest evidence of appalling lack of security.

According to McNulty, the Home Office “protocols” intended to prevent data loss had been breached by downloading the data to an unencrypted USB stick.

It’s time Government Ministers woke up and smelled the coffee. Relying on protocols to protect data is folly. Sensitive data needs active protection.

The Justice Ministry lost the data because it could be lost, period.

The only way to protect data effectively is to instigate real security measures that actually prevent such downloading.

Why can’t HMG apply the same handling rules for databases that they apply to printed documents in secure registries?

After all, would the Home Office let anyone walk into a building and freely photocopy the contents of a secure document registry?

Encryption of downloaded data is a sideshow issue because I am not convinced that losing sensitive data on an encrypted device is really any better than losing unencrypted data, the principle of neglect remains.

The latest debacle is symptomatic of a shoddy attitude/ ignorance when it comes to securing sensitive information.