The growing flood of data leak stories means that few, if any, large UK public sector ICT programmes will be progressed until political confidence is rebuilt. That is a major challenge for an industry that has lost touch with reality
One of the last meetings I attended before the party season was between would-be suppliers of identity management systems to HMG and one of their prime target customers. The customer wanted the industry to help it identify the current state of the market – although they could not say it quite like that, because the convention is that public sector customers are omniscient, especially after they have spent tens of millions on consultancy. The suppliers wanted the customer to say what it wanted and commit to a procurement before they would spend more time and effort on top of what they had already spent educating the consultants.
There are tens of billions of pounds of ICT orders, private sector as well as public, that will not be placed until we have rebuilt confidence in the security of on-line files and transactions. That rebuilding exercise needs to learn from those professions which have nearly a thousand years' experience of running “trusted systems” for sharing information between those who have never met. The transition of the services provided by the Notaries, Scriveners and Correspondence Bankers to the on-line world (including via “standards” operations like Identrust and Twist and the services available from organisations like VocaLink, Experian and Equifax) is one of the unsung success stories of the past twenty years.
In my first blog entry I called on ICT professionals to help improve the legal and regulatory frameworks within which we live and do business. In “Big bang is dead: Christmas has been cancelled“, I described the challenges to the sales strategies of many ICT suppliers as politicians become increasingly serious about transforming the way technology is used to support public service delivery. At a recent Christmas Party I heard some of the latest wet dreams of senior Health Service managers to make yet more radical changes to health care delivery, with the enthusiastic support of their would-be suppliers, on the back of unpublicised “consultations”. Neither had yet got the message. No politician will defend “big” or “radical” anything when the Royal Colleges and NHS Trades Unions finally link up with the patient groups and demand public consultation and evidence-based policy. This is only one of many sectors where unhappy professionals, whose experience has been ignored, are leaking the e-mails and memos surrounding current semi-covert policy-making to the growing range and variety of “sousveillance” operations.
Those who do not wish the current collapse of trust in the on-line world to trigger an implosion of new business in 2008 have to stop simply leaking and complaining and start actively working together to help rebuild user confidence – based on genuinely secure systems.
One start point is to demonstrate that well-used technology really does enable well-run organisations to deliver the 21st century equivalent of the services provided by the Knights Templars: a combination of travel courier, bodyguard, credit card and correspondence banker. The knights were expected to keep their secrets (passwords et al) unto death. We may not expect call centre staff or NHS receptionists to be trained to lie, convincingly, while dying under torture (albeit part of the Da Vinci Code was indeed based on history). However, today few on-line security systems even include a routine for indicating “I am making this transaction under duress”. Moreover, the churn of staff at “head office” means that almost no-one even knows the security processes, let alone monitors whether they are followed by employees or contractors.
If you work in the ICT industry and still want to have a job at the end of 2008, let alone a prosperous New Year, your resolutions should include: “to work through my political party, professional body and trade association to help secure policies and practices for the management of personal identity and sharing of personal information that are fit for purpose.”
When considering what is “fit for purpose” it may be helpful to remember that, to date, many more have suffered and died in the UK because data was not shared when it should have been than because it was leaked and abused. But the reverse is true in many other parts of the world. Hence, for example, the more robust Continental attitudes towards data protection, despite (or perhaps because of) their common acceptance of low security residents’ cards.
My last task, before posting this blog and taking a break, was to approve an invitation to EURIM members to a meeting to consider campaigning for HMG to use only professionally developed, implemented and operated processes and systems in this area.
But what is good professional practice?
Which are the professional bodies that should be brought together to agree it?
And who will fund and organise the campaign to get it adopted and enforced?
I feel another EURIM “mapping” exercise coming on. Suggestions as to who should be invited to participate (organisations and contacts) would be gratefully received.
And so, before I switch off – a Happy Christmas and Best Wishes for the New Year to you all.