opendemocracy on "The value of information"

opendemocracy — Sun, 25 Nov 2007 20:16:42 +0000

I'd go further than Luca - Sandra Bell's analysis suggests that we should move to "information Subsidiarity". This would say something like: - have the information kept at the level at which it is most valuable (within confines of general legality) - have that level be made aware of every legally mandated access to it - have that level give permission for every non-legally mandated level I would love it if actions such as these led to a system where most personal information was held by the individual; where mandatory access was possible but not without notification; and where individuals could lock down any non-mandatory requests. Don't destroy the data - distribute the database. Tony

luca on "The value of information"

luca — Sat, 24 Nov 2007 14:02:08 +0000

Have I missed something or is there a strange inversion of rights taking place here. Is it my data or the state's? As we race towards a networked future, we should stop to consider our rights as "citizens", both physical and virtual, and enshrine in law the principle that all data can only ever be held "in trust" by the state or any other agency and organisation but can only ever "belong" to the individual. And any state data project should acknowledge the right of any individual to opt in or out of any proposed data exchange (call this an old-fashioned "vote", if you must). It would also guarantee that no-one dealing with the data of others could ever justify choosing the less secure option on the basis of cost, because it would be illegal to do so. The fact that after the data loss by the British state, the onus for following up on the status of their information was left to the victims of this blunder says volumes about where the citizen's rights come in this virtual pecking order. Each person affected should have been granted immediate access to their data and offered a clear method of updating it -- the only way to guarantee the lost disks would prove useless to any potential fraudster.

The value of information, Sandra Bell

Fri, 23 Nov 2007 15:57:28 +0000

The loss in the post of two unencrypted compact discs containing sensitive personal data of 25 million British citizens by Her Majesty's Revenue and Customs (HMRC) has sparked a major debate on information assurance. However, this debate is long overdue and it is regrettable that it has taken a mistake of this proportion to bring the issue to the fore.

The current emphasis is, quite rightly, being placed on damage limitation and ensuring the same error does not happen again. However, this problem runs much deeper than making sure procedures are followed. The fundamental problem is that there is no common agreement on the value of the information we hold on one another. Until we have such a common agreement then misjudgments such as this will continue to occur.

The risk vacuum

We instinctively protect things that are of value to us. Conversely we are more prone to take risks when the consequences of failure are low. However, information, unlike gold bars or hard currency, is worth different things to different people.

Sandra Bell is senior research fellow for homeland security and resilience in the Royal United Services InstituteThe hapless individual who burnt the entire child-benefit database onto two compact discs and then sent them by post to the National Audit Office (NAO) is probably only now beginning to understand that what he thought was worthless was in fact very valuable - but to someone else and for different reasons. We can all point the finger of blame and claim, with hindsight, that we would not take such risks ourselves. But if we do not have a culture that values information uniformly then how can we expect people to calculate correctly the risks they take with it?

HM Revenue and Customs is responsible for collecting the bulk of tax revenue, as well as paying tax-credits and child-benefits, and strengthening the United Kingdom's frontiers. A colossal amount of money passes through HMRC for a whole variety of reasons every year and child-support payments account for a relatively small proportion of that total. This means, purely in business terms, that the data and the database have relatively low intrinsic value to the HMRC. This value is diminished still further as the onus is on the parent to work out what they are entitled to and then provide information to allow HMRC to distribute the funds. HMRC are not tasked with ensuring that every parent receives benefit - but simply to make sure that all those that claim get what they are entitled to. The personal information is required to ascertain entitlement and enable the logistics of payment. The HMRC therefore feel no ownership of the information and receive no direct benefit from the personal information held on the child-benefit database.

In the same way, the National Audit Office receives no direct benefit from the personal data contained in the database. Its job is to check that "public good" services that are provided to the citizen by the state are done so in a fair and efficient manner (see "HMRC's lost Child Benefit data...", PublicTechnology.net, 22 November 2007). It wanted a small proportion of what was contained on the discs in order to audit the HMRC against one of their agreed targets. However, just as child benefit is a small proportion of what the HMRC does, auditing the HMRC against their performance of child-benefit payments is also a small part of what the NAO does.

Therefore, from the perspective of the HMRC and the NAO the communication method used for low-value correspondence could seem entirely appropriate. That the official chose to download the entire database rather than extract the desired data is being attributed not to the technical ease of this procedure but to the requirements of the NAO (see Tony Collins, "HMRC data loss: NAO request evidence", Computer Weekly, 23 November 2007). In any case, if the extra information seemed of no additional value than that requested to both sender and receiver then it would not be unreasonable to assume that the same communication method would be appropriate.

However, viewed from the perspective of a parent, a child or an identity-fraudster the data is very valuable indeed.

The tools of judgment

As information becomes an integral part of modern life we need to be able to value it - and that means understanding what it means to one another. There is a plethora of information-assurance initiatives and an equal number of expert opinions, but each seem to be driven by a different set of values of the information.

The public sector demonstrates perhaps the widest extremes, as either assurance is very high (because of national security) or very low (to enable the transformational-government agenda). Private-sector business tends to take the middle ground driven by anti-fraud, liability and customer-relationship management. And the citizen level is patchy due to the absence of leadership and standards in this area.

Until we reach a common understanding of the value of information and implement proportionate-assurance methods, then each one of us should think long and hard before hitting the send button on an email or dispatching information through the post. What may seem worthless and innocuous to us may be very valuable in the wrong hands - and we are just not equipped with the right tools to make that judgment.

Today it was some junior official in the HMRC, whose action in turn exposes the department's senior managers and operating systems to scrutiny. Tomorrow it may be you.

Average rating

(3 votes)

open Democracy News Analysis - The value of information, Sandra Bell - Comments

opendemocracy on "The value of information"

luca on "The value of information"

The value of information, Sandra Bell