By most objective measures, 2007 was not a good year for the public perceptions of e-government and ecommerce, or the closely associated causes of privacy and personal data protection.
Beginning in January with the news that hackers had spent two years sampling the personal details of TK Maxx’s 45.7 million payment card holders, hardly a week passed in ‘the year of data loss’ that didn’t feature news of a missing memory stick, laptop or set of compromised bank accounts.
By the end of 2007, according to the Open Security Foundation, there had been 468 reported instances of differing seriousness in the US. Meanwhile in the UK, a year that had already featured the loss of a Ministry of Defence laptop carrying the personal records of 600,000 potential recruits, was completed by the jaw-dropping revelation that Her Majesty’s Revenue and Customs (HMRC) had mailed a complete copy of its child benefit records to the National Audit Office.
When the package failed to arrive, HMRC was forced to admit that the names, addresses, national insurance numbers and bank details of 25 million people had effectively been lost in the post. Fortunately for the private individuals and their families caught up in the affair, the long-term impact of the HMRC’s carelessness has not matched the scale of the data loss involved.
Although the US-based Ponemon Institute recently calculated the average cost of data loss at $202 per compromised record, there is no evidence that HMRC’s data loss has resulted in any kind of fraud or other criminal gain.
Still, that is not to say it has not had a powerful effect. At a time when private and public sector organisations alike are trying to save costs by accelerating the pace at which customers and citizens consume products and services digitally, ‘the year of data loss’ is thought to have already cost government and business significant amounts of something both can ill afford to squander: public trust.
According to David King, chairman of the UK Information Security Awareness Forum (ISAF), although “private and public sector organisations have been haemorraghing personal data for years” without noticeably dampening the public appetite for online services, the events of 2007, and the scale and character of the HMRC incident in particular, did not go unnoticed.
“The reality of it was that the data of about 25 million out of 75 million people in the UK including their children was involved,” King said.
“The possibility of that information falling into the wrong hands has caught people’s imagination in a way nothing else has. It has been a real wake up call.”
There was certainly plenty of evidence that a wake up call was badly needed. PriceWaterhouseCoopers Chairman Kieron Poynter’s report into the HRMC affair painted a predictably damning picture of the state of personal data stewardship at that organisation. However, other research, including Cabinet Secretary Gus O’Donell’s report on government data handling procedures, and the then Information Commissioner Richard Thomas’ Data Sharing Review, showed that HRMC was far from being an exceptional case.
Indeed, when the British Computer Society started to look at how to restore public faith in e-services, it quickly realised that the attitudes to data protection among many UK public and private organisations was fundamentally flawed, says Ian Fish, a member of BCS’ Building Trust in EGovernment working group. “There were problems at all sorts of levels,” says Fish.
“Firstly, and perhaps most importantly ‘the system’ didn’t necessarily care or understand an individual’s rights [to data protection and privacy]. Secondly, the people processing personal data didn’t necessarily know what their remit was and what they should and shouldn’t be doing in terms of collecting and manipulating data. And thirdly, the people at the top had often just abrogated their responsibilities to their data controllers, and personal data protection became just another job given to the company secretary, or someone in HR.”
It is still often assumed by the public and by many business managers that data loss and other data protection incidents are due generally to failures in data security technology.
In reality, as studies such as the Poynter Review have amply demonstrated, “technology is only part of the problem, and it can only be part of the solution” says Fish. “The real challenge, and a big part of the solution, is about changing culture.”
To some extent it’s possible to argue that this much needed cultural transformation is now underway in the UK, both among public and private sector data users and among the consumers whose personal data is at risk. From a legal point of view, for instance, although there has been no change to the principles enshrined in the Data Protection Act of 1998 [see ‘Privacy Guidelines’], the Information Commissioner’s Office has been granted both new powers and, critically, new resources with which to enforce them.
In the past, the likelihood that the ICO would prosecute an organisation for disregarding DPA principles, and the relatively small penalties that might be imposed, gave organisations little incentive to do much more than what they could get away with.
Now, says Fish, “the ICO powers are strengthening. They have been given more weight and more people to do more audits, and the penalties they can impose are more realistic. People won’t be able to say ‘we’ll obey the law but we
won’t go further’.”
Welcome as the information watchdog’s powers may be, however, neither they nor the Act itself can do much to improve data protection at organisations which may not have the knowledge or expertise to turn vague legal prescriptions such as “do what is appropriate”, into a practical and effective information management policy.
New initiatives in Data Protection
This summer, two initiatives have emerged that aim to help fill this gap between what the DPA requires, and what different organisations are capable of delivering: a Personal Data Guardianship Code published jointly by the BCS and ISAF; and a data protection standard from the British Standards Institute.
It is possible that BSI 10012: Data Protection is the first attempt by any standards body to create a formal specification for addressing what some experts, including proponents of BCS Personal Data Guardian Code, say are a set of issues that must inevitably be tailored to meet highly individual circumstances.
“This is an area where standards aren’t appropriate,” says Fish, “it is about changing attitudes and culture, not about being prescriptive.”
However, even though BSI 10012 does encourage organisations to adopt a formal Personal Information Management System (PIMS) model, the Institute argues that this is not necessarily a bad thing.
On the contrary, for small and medium sized businesses in particular – a third of which find DPA legislation complexand confusing, according to a recent BSI survey – a prescriptive approach that removes the need for
extensive customisation maybe exactly what is needed. BSI is confident that its initiative will be popular with organisations from both the public and private sectors, and is already making plans to offer BS 10012 as the basis for an international standard.
First though, it may have to win the fight for home-based mindshare with the BCS’ Personal Data Guardianship Code.
While there is no reason why an organisation should not adopt both approaches, the BSI’s formal standard and the BCS’ “Highway Code”, it seems likely that most organisations will find it easier, and arguably also more
immediately productive to adopt the latter.
As well as avoiding a prescriptive approach which may well demand investment in new infrastructure, the BCS’ proponents believe the Data Guardianship Code also strikes more directly at the key issue: the need for organisations to refresh old attitudes to data protection and adopt new, more disciplined
approaches to formulating and deploying data protection policies.
Certainly, organisations that have struggled to interpret the principles of the DPA into a coherent information governance policy will find much to reassure them in the Data Guardianship Code. Based on what BCS claims to be ‘best practice’ in data protection, the Guide outlines six key principles for data guardianship [see ‘Privacy Guidelines’], and describes how these principles should be applied to personal data over the term of its life-span.
It completes the picture by offering a further guide to responsibilities of different individuals within an organisation, according to whether they are primarily data handlers, data controllers or senior executives with ultimate
responsibility for data protection.
If nothing else, any organisation that adopts the BCS Code should no longer be able to claim that it is confused by the responsibilities placed on it by the DPA.
And, according to Johnathan Bamford, the assistant Information Commissioner who enthusiastically endorsed its launch last June, those that do adopt it may also discover that there are real business benefits to be had from an approach to data protection which places genuine value on the accuracy and integrity of personal data.
The technology approach to privacy
Security experts agree that data protection is not a problem in desperate need of a technological solution. Nevertheless the growing expectation that data should be shared and accessible, whilst also appropriately, secure is encouraging the adoption of technologies that help to accommodate these conflicting demands.
Data loss prevention (DLP)
Data loss, or data leak prevention technology monitors the flow of potentially sensitive or confidential information in incoming, outgoing or within internal data traffic.
It has been used primarily to prevent the unauthorised export of company confidential information, but is increasingly regarded as potential means of policing the flow of personal data.
Following a major consolidation of the DLP market last year, and the acquisition of pioneer start-ups by established infrastructure players such as CA, market analysts believe that DLP is close to becoming a mature, enterprise-class technology that will increasingly be delivered as part of integrated end-point data protection and access control suites.
Gartner forecasts that by 2011 data protection regulators may regard DLP as a standard part of the “due care” organisations must undertake, and European regulators by 2015.
Privacy enhancement technologies (PETs)
Whilst DLP can be used to prevent inappropriate distribution of personal data, critics contend that it may also be a privacy intrusive technology (PIT) itself, in that it inspects personal communications.
In Europe, there is growing interest in so-called privacy enhancing technologies (PETs) which may be deployed to mitigate the impact of PITs.
Current examples of PETs include cookie managers and spam filters, which provide end users with more control over network traffic.
More sophisticated PETs are emerging that allow individuals to mask or actively disguise their network identity.These offer protection against identity theft or the inappropriate ‘profiling’ of individuals via network activity analysis.
In the UK, the Information Commissioner’s Office has identified pseudonymous PETs as a potentially important means of safeguarding against fraud and protecting personal IDs in payment systems.
Privacy guidelines
Data Protection Act 1998: Eight Principles of Data Protection
Personal data must be:
- Processed fairly and lawfully
- Obtained and used only for specified and lawful purposes
- Adequate, relevant and not excessive
- Accurate, and where necessary, kept up to date
- Kept for no longer than necessary
- Processed in accordance with the individual’s rights
- Kept secure
- Only transferred to countries that offer adequate data protection
The BCS’ Principles of Good Data Governance
Accountability – those holding personal data must follow publicly accessible data governance principles
Visibility – subject to some legal exceptions, data subjects have the right to be informed of and have access to all information held about them
Consent – collection of personal data must be fair, lawful and in accordance with the eight data protection principles
Access – everyone should have a right to know the roles and groups within an organisation that have access to their personal data
Stewardship – those collecting personal data have a duty of care to protect it throughout its lifespan
Responsibilities – all organisations should have an agreed and documented policy on data assurance (security) and data privacy, including compliance with the Data Protection Act.