Phil Booth (London, NO2ID): At a conference in Manchester organised by the Information Commissioner twelve months ago, NO2ID raised a wry smile from delegates by handing out pairs of (blank) CDs marked 'HMRC'. A year on, it is no joking matter that so little has been done by the government to address the systemic and policy failures - and internal culture - that led to the worst data breach in UK history.
In fact, government data breaches are on the rise - a 77 per cent increase so far this year - and almost every branch of government is involved: the Home Office, MoD, NHS, DWP, HMRC again (repeatedly), the list goes on and on. Every week there is another story of more people's personal details being mislaid, citizens put at risk by a government that not only can't protect them but which doesn't seem particularly bothered to do so. The scale of the problem 12 months on is so great that the Information Commissioner himself has quipped that his office is being used like a confessional.
This year's ICO conference, on 'Privacy Enhancing Technologies', may have looked like an event for Data Protection and IT geeks - it was anything but. Speakers included Sir Edmund Burton, the man who conducted the inquiry into the first major MoD breach to come to light, Dr Louise Bennett, chair of the British Computer Society's Security Forum Strategic Panel and 'Building Trust in eGovernment Working Party', and Dr Steve Marsh who works at the Cabinet Office, the author of the government's National Information Assurance Strategy published in 2003 (yes, 2003), whose wise words have tragically fallen on deaf ears.
Hearing these people speak it was impossible to conclude that the government's failure is anything other than wilful. It's lack of appropriate action cannot be excused. In pursuing strategies such as 'Transformational Government' it is actively ignoring the advice of people who clearly know what they are talking about, and is breaking fundamental principles in pursuit of a bureaucratic/technocratic fantasy.
Most striking were the consistent themes emerging from their presentations:the problem is imminent and serious; rapid, effective action is required;the solution is not just about IT, it is about people, processes and culture change; people at every level must be aware of the risks, must accept responsibility and actively seek solutions; protecting personal information, valuing and preserving privacy and confidentiality (both essential to trust) should be "HOW you do what you do", not a bolt-on additional task.
And it is imperative that privacy, information security and data protection (and they are NOT the same thing) must be taken seriously at Board level in every organisation - private and public - for unless the people at the top take responsibility and are accountable, how can the necessary culture change take place? As Sir Edmund and others said, this is essentially a leadership issue.
But what sort of leadership is demonstrated by a Prime Minister who says 'we can't promise to keep your information safe'? Who abrogates responsibility for a bankrupt policy (rampant accumulation and 'sharing' of personal data), while continuing to pursue an agenda of state identity control ('ID cards'), mass surveillance (Communications Data database) and centralisation ofsensitive personal records for mere administrative convenience (NHS Care Records and 'Secondary Uses Service' (SUS), ContactPoint, and literally dozens of other initiatives)?
As NO2ID has said: if you can't protect it, don't collect it.
The arrogance to even try to shift all the blame onto human or technical error is staggering. The imperious attitude that says, in essence, 'we, your masters, shall be the arbiters of trust' is chilling. The fear-driven control freakery intent on fingerprinting and tracking every person in the country throughout their entire lives 'just in case' is government out of control.
Literary or recent historical allusions are no longer sufficient. It is cliché to say 'the Nanny State' has tipped over into 'Big Brother' when more young people cast votes in a TV show of that name than turn out in a general election. Comparing our leaders to tyrants is ineffective - these people are not genocidal, their particular dangerousness lies in the fact that they think 'we are the good people' while ignoring or suppressing the negative consequences of their actions.
No wonder that Sir Edmund Burton, when I asked him a question, thoughtfully replied that this was "a Magna Carta moment". It is.
Craig Cockburn (not verified) said:
Fri, 2008-11-28 15:37If the government was serious about leaky data it would do something about the 2m directors details (including name, address and date of birth - all crucial information for ID theft) being openly published on the internet because it is a legal requirement to make this information available. It is NOT a legal requirement to make this information available to ID thieves. Until the government can safeguard where the information could end up, the routine publishing of 2m dates of birth online with absolutely no traceability or control whatsoever as to who is downloading it, why they are downloading it or what purposes it will be used for must be stopped immediately to reduce the risk of ID theft. Hiding behind the legislation is no excuse for data privacy recklessness. If someone legitimately needs to check a company directors details, surely they could go via a similar route for someone who is a private individual/self employed and via a credit reference agency rather than just downloading the data freely online?