Death by Data Protection

Those who believe in the benefits of the on-line world must act rapidly and effectively to turn the current backlash against its perceived insecurity into well-informed votes of customer confidence in those who practice, not just preach, secure information sharing.

Suppliers and users, both public and private sector, have to work together to rebuild confidence that the proper use of ICT to support good “people systems” really does enable improvements in customer service and patient care at the same time as reducing opportunities for abuse. It will cost all of them (and their shareholders and taxpayers) dear if they fail to do so.

Which causes you more concern: that fragmented public sector systems would still not pick up children at risk like Victoria Climbie, that insecure centralised systems could put even more children at risk, or that major organisations appear incapable of applying decades of experience in using ICT to help trusted professionals who have never met to securely share information?

On Wednesday evening a group convened by the ISSA (with representatives from the BCS, CMA, IAAC, IISP, IMIS, ISC2, the Jericho Forum and WCIT) agreed to try to produce a short “External Directors Guide to Information Risk Management” (or similar title).

Why “External Directors”?

Because they are commonly the only ones in a position to put security policies into overall business and social perspective before they are agreed. They are also, of course, personally liable for the consequences if they do not check that the policies are indeed implemented, followed and updated as necessary, over time.

We are about to hear the sound of regulatory and compliance stable doors being closed and bolted across the country, followed by the slow starvation of those horses which have not already escaped, as the naysayers move into overkill.

The economic and social consequences could be profound if we do not use the opportunity to move rapidly to establish the ground rules for secure information sharing.

There is plenty of good and relevant material around covering Information Assurance, including that produced over the years by IAAC. The need is to put it into overall business context: “the exploitation of opportunities to improve profitability, competitiveness and efficiency while ensuring that these are not put at unnecessary risk.”

If you know of other good material in this space please let me know and I will pass it on – or post a comment with the necessary references.

The ISSA group would like to hear from anyone who will bring relevant experience and/or resources to the table. The representatives of the professional bodies already include the Chief Information Security Officers of a couple of large UK London-based multinationals whose own systems are trusted by users around the world but which have long had concerns over the security of their customers and suppliers – let alone of the end-users with whom they increasingly wish to transact on-line.

On Monday afternoon I am due to meet with the chairman of the EURIM Personal Identity and Data Sharing Group to discuss his business plans for the year ahead. The EURIM group already includes representatives from most of the suppliers of secure information and identity management systems to both governments and the private sector in the western world, as well as from most of the professional organisations in the ISSA group.

Ten days ago one of the EURIM Corporate members hosted a small brainstorming session to discuss the need to promote holistic approaches to data protection and identity information management which build on all that has been learned by the private and “voluntary” sectors in over a thousand years of organising trusted transactions between those who have never met: including the Knights Templar (remember the Da Vinci Code), who were indeed trained (quite brutally) to be able to lie under torture rather than reveal the shared secrets on which their correspondence banking network depended.

That EURIM programme has acquired a new urgency and a new objective – to restore trust.


Philip - I hope you have invited some people who actually understand cryptography and the potential of Privacy Enhancing Technologies (PETs) to build real public trust in information systems.

As someone who works in local government the message I would send is that many civil servants I deal with seem to feel that data protection just doesn't apply to them. They demand person identifiable information for research purposes & are furious if we expect them to follow proper ethical procedures; they then demand the same information for "audit" purposes without proper security or planning.

They send forms to their customers without proper DP declarations.

They send person identifiable data to "partner" organisations without consent to share that information.

And then our "partners" in the NHS fail to manage data protection the other way: they refuse to release information to social care organisations from hospital systems, resulting in vulnerable adults being placed at risk.

I wouldn't claim that the department I work in gets it right every time but we are encouraged to think before we look at data: how would we feel if someone looked at our data in these circumstances? Do we have the customers' consent to do this? If not, is the situation really one that grants us exemption from the rules?

It's developing that kind of culture at all levels in an organisation that protects privacy.


I fear you may consider me one of the "naysayers" about to "move into overkill", but here goes anyway:

My proposed ground-rules for information-sharing are that the information I give to government and private sector organisations about me, belongs to me. These organisations shall be permitted to use it only for the specific purposes notified when I give it to them. There shall be no sharing whatsoever of that information with other organisations or (in the case of government, other government departments) without my express permission.

Others can give government and private industry permission to share their personal data if they wish to, and I have no right to prevent them. However, I shall never give permission for my data to be shared across departments and organisations, and I demand that this right be honoured.

As ever, we need to have a few exceptions to rules like this for law-enforcement etc. However, I would like to see only case-by-case exceptions for specific investigations, and certainly not blanket data-sharing "just in case it could prevent a crime taking place". I see you cite the Victoria Climbie case as one of these "prevent a crime" scenarios, despite very considerable doubts that the ContactPoint data-sharing initiative could have saved Climbie.

Widespread data-sharing is like building a ship with no watertight compartments. One hole, and the entire ship sinks - similarly, if there's widespread data-sharing then one leak in an organisation storing information about me compromises my entire online identity. Preventing data-sharing puts watertight compartments in my identity ship - a single leak compromises only one compartment, and the ship still floats.

(Apologies for all the metaphor-mixing).

Note also that widespread data-sharing encourages global unique person identifiers, like the US Social Security Number. The mere existence of such a widely-used primary database key makes it easy for fraudsters to aggregate information about me, and therefore impersonate me. Global unique identifiers (such as the unique life-long person identifier that the proposed ID card database would use) must therefore be banned.



Comment from Philip Virgo: I think we might have a very good "two bottle argument" on some of your points but would rather see what others have to say. In the meantime I would only say that I would not like it to be thought that my original entry implied any support for the argument that "Contact Point" would help prevent future cases like that of Victoria Climbie.

It would seem the IT Security Industry and Professionals are missing something – either, in the inter-corporation environment, we are tolerating far too much in the way of insecurity, or maybe we are simply turning a blind eye to accommodate the business mission, to save face, at the expense of our paying users, the public and clients (reputation before security – and I have seen this in action close at hand). If this is the case in some organisations, I would suggest that just maybe the incumbent CISOs, and other Security Management and Executives who have this attitude and opinion, may actually be in the wrong job!

Reporting out insecurities which could have impact on the public should be mandatory, and a matter of must-do. Should we allow all comers to have access to our personal financial and other related sensitive data, with no expectation of any real governance or security structure to protect that information? Maybe it's time for another checkbox on the form when we grant access to our data, which requires that, if that data is lost or exposed, we would require notification, no matter what the internal risk assessment of the possibility and probability of loss may be!

The time would seem to have arrived when the IT Security Industry should remember just what they are employed to do – and that is to serve the security mission, and look to safeguard our community – if we do not start to get a grip, I fear, soon it will be too late.

So, be it the ISSA, ISACA, EURIM, the House of Commons, House of Lords, or whoever – I would ask we start the ball rolling to deploy real security, to accommodate real solutions, and to evolve the perception of what security is into something tangible that works, to not only safeguard the Public and our Clients' interests, but to also protect the National and Global Economies.

Philip - can you think of any good reason why an accumulation of personal data on several million UK citizens should be treated any less securely than the sort of information that is routinely classified as SECRET?

If not, then I suggest that a good starting point would be for such databases to be formally classified (at least) SECRET and for the appropriate GCHQ standards to be applied to protect their physical security, vetting of people who have access, transmission, distribution etc.

The normal criminal sanctions for disclosure under the Official Secrets Act would also apply.

Reply from Philip Virgo: I agree. It qualifies under a number of headings, including serious harm to the economic wellbeing of the nation (colleagues will give the precise reference).

But I also think back to my original Royal Naval Reserve training as a "cold war" radio operator. We were taught to treat "Deltext" (communications involving the personal affairs of members of the ship's crew) more carefully than "Secret". The "cold war" is over but current RN policy in this space can be found at

Moreover, private sector identity and authorisation management organisations like Experian have long operated to such standards as part of the price of doing business.

Pragmatism must prevail rather than "ambulance chasing" - on the one hand, there has been no evidence of a shortage of policy or procedural guidance. On the other, there has been evidence of there having been an unfortunate human error but, as another poster alludes to - the kind that actually is normal everyday behaviour in a lot of public sector organisations.

Those of us working in the industry know this to be the case and are not in the least bit surprised. As ever, the challenge is for senior management to buy into the requirement to apply the appropriate controls required to ensure ongoing reduction in the likelihood of this kind of misfortune happening elsewhere.

Two expected knee-jerk reactions are occurring now:

1) the technology industry offering up all the products that it has that could have reduced the impact and/or prevented the event from happening in the first place

2) groups forming to provide yet more guidance. In the case of the latter, there's no shortage of this available AT ALL (for example, the BCS itself has two excellent, practical, easy-to-understand books about implementing the requirements of the 8 principles of the Data Protection Act, which obviously, of necessity, includes addressing the "security principle").

We don't necessarily need YET MORE guidance... We need people to have believed those of us who provide this kind of advice already. You wouldn't go to your doctor and out of hand choose to ignore his/her recommendation for an antibiotic that could be life-saving or at least health-improving; so why is it so easy to ignore out of hand the entreaties of those who know best in terms of applying the right medication to reduce likely impact on reputation and maximise protection of critical information assets?

There's a danger in the general public (as well as IT illiterate politicians and senior managers) not being able to differentiate between IT system security and individual actions. Data may be locked away in a highly secure system but an unthinking action on the part of an individual employee (or even a thinking action driven by some cost-saving imperative) can result in massive damage.

Data security is as much, or more, about people having the right understanding and attitudes as it is about 'IT systems' themselves. Until the former is sorted out, the latter is largely irrelevant. Charles Arthur's comments on Guardian Unlimited ( ) make this point very well.