Across the UK we can see unholy alliances of data protection and security consultants, technology salesmen and regulatory lawyers bureaucrats queuing up to “help” Sir Humphrey “protect” our privacy.
On 23rd November the Prime Minister announced a Review of Data Handling procudure in Government . This was to take into account the work being done by Kieren Poynter of PWC into the HMRC data handling procedures and the review being done by the Information Commisioner and Mark Walport on the security of personal data across society as a whole. The interim report indicates how seriously the review is being taken, but also raises concerns that “add-on security” will increase costs and seriously degrade the quality of service to citizens (us and our children and parents) without protecting them any better.
The most serious data breaches have yet to be addressed because they have yet to be publicised, such as laptops going missing from within supposedly secure areas, or even to be detected, as with most data copying by insiders. One chilling report from a penetration operation was that over 80% of its attempts against public sector organisations were successful within four days and over 90% of the organisations were unaware that they had been compromised until the report was submitted.
Meanwhile the vulnerable, particularly chlidren and the elderly and infirm, are suffering and sometimes dying because the services to look after them are not joined up or because the agencies that should protect them have been penetrated by their abusers. They rarely suffer because a computer file has been lost, stolen or copied, let alone because a transaction has been interecepted in transfit.
Central Government has much to learn from Local Government, the Third and Private Sectors. It is perhaps significant that the laptop stolen from a senior Citizens Advice manager was fully encrypted – and such security is routine in well-run financial services operations where the laptop of the “independent financial advisor” may similarly contain the crown jewels of the clients’ information, unavailable from any other single source – not even the home PC.
Rather more importantly, financial services organisation commonly vet all staff with access, direct or otherwise, to personal data.
How many public sector organisations (including central government departments and their agencies) still refuse to do so, because this would be against the “human rights” of their staff or might discriminate against a group on which they need to focus recruitment in order to meet a target mix of ethnic origin and sexual oriention?
Equally serious is the need to check the IT staff for identity and probity as well as competence -because IT departments (particularly technical support, help desks and outsource suppliers) are responsible for more (and more serious) security breaches than marketing (including call centres) or hackers.
EURIM has a meeting later this week to plan a political briefing on lessons from the private sector with regard to high volume, secure information sharing, including across markets and along supply chains.
Meanwhile a position paper from the EURIM Personal Identity and Data Sharing Group on the current state of Information Sharing Protocols in the UK lists over a dozen Act of Parliament which mandate, forbid or enable sharing and over two dozen sources of supposedly authoritative advice.
However, from the large number (certainly hundreds, perhaps even thousands) of attempts to develop protocols over recent years it found very few that were both operational and successful. The good news was that some of these are spreading. To quote John Suffolk, speaking at a recent Modernising Government conference: “Don’t reinvent the wheel: steal with pride”.
Above all don’t throw the baby out with the bath water. “Data Protection” and “Information Security” are not ends in themselves. The objective should be efficient and secure information collection, storage and sharing in the interests of the customer/citizen.
In the private sector that entails encouraging its use as a means of gaining competitbve advantage: “transact through us – we take more care of your data than they do”.
In the public sector that means treating the citizens data as if it was your own.
There should be no special routines for VIPs, whether Ministers or Pop Stars.
Their data is probably at less risk from access by investigative journalists than that of a victim of forced marriage is from access by relatives of their abuser working in local public sector agencies.