Outsourcing data processing may deliver lower costs and increased efficiency, but what are the long-term effects on UK government departments and their security, asks Kerry Davies.
Your personal details are held in a database in the Philippines, China has your NHS information and India controls the electricity supply. It may not be real life yet, but given the government's willingness to place potentially critical, and certainly sensitive, information offshore, it is a scenario that could be coming our way soon.
This might be no bad thing since it will deliver lower costs, increased efficiency and improved competitiveness. But there are inherent dangers in this globalisation of government information.
Some issues have already been acknowledged. Ministers have recognised the potential threat to UK employment and have commissioned research into the effects of exporting thousands of jobs overseas. What they don't seem to have considered are the security implications.
Government departments are among the biggest users of data processing companies which outsource their work to lower-cost countries where information centres may not be adequately protected. Under the Data Protection Act, sensitive data cannot be transferred to countries outside the European Economic Area without ensuring adequate protection. But what constitutes "adequate" and "sensitive"?
At the time the Act became law, the then data protection registrar said the only way an organisation could demonstrate that it had taken adequate technical and procedural measures to protect the security of sensitive data was by achieving the British Standard on information security management, BS7799. To date some 700 organisations worldwide have achieved formal certification to the standard.
Given that some of our sensitive data is being sent to countries outside Europe to be processed, shouldn't we be demanding that it is protected by the standard? This would start to address concerns about the potential damage which could be caused by organised crime syndicates exploiting offshore arrangements.
But what would happen if parts of our critical national infrastructure relied on data processing centres in countries that became hostile because of the actions of the UK government? Would service level agreements ensure that the workers continued to operate diligently in the UK's best interest? Could they threaten to turn off benefit payments from the Department for Work and Pensions?
If a relatively small group of drivers demonstrating outside fuel depots about the price of petrol can delay tax increases, then an organised assault on the outsourced data processing interests of the UK government could bring about anarchy.
The US is already grappling with the issue, with measures to restrict the outsourcing of federal public sector work. And here, there are indications that in some sensitive areas, government departments are insisting contractors process the data in the UK. It is time all government departments scrutinised the security of their outsourcing operations.
Kerry Davies is managing director at information security specialist Echelon Consulting