The loss in the post of two unencrypted compact discs containing sensitive personal data of 25 million British citizens by Her Majesty's Revenue and Customs (HMRC) has sparked a major debate on information assurance. However, this debate is long overdue and it is regrettable that it has taken a mistake of this proportion to bring the issue to the fore.
The current emphasis is, quite rightly, being placed on damage limitation and ensuring the same error does not happen again. However, this problem runs much deeper than making sure procedures are followed. The fundamental problem is that there is no common agreement on the value of the information we hold on one another. Until we have such a common agreement then misjudgments such as this will continue to occur.
The risk vacuum
We instinctively protect things that are of value to us. Conversely we are more prone to take risks when the consequences of failure are low. However, information, unlike gold bars or hard currency, is worth different things to different people.
Sandra Bell is senior research fellow for homeland security and resilience in the Royal United Services InstituteThe hapless individual who burnt the entire child-benefit database onto two compact discs and then sent them by post to the National Audit Office (NAO) is probably only now beginning to understand that what he thought was worthless was in fact very valuable - but to someone else and for different reasons. We can all point the finger of blame and claim, with hindsight, that we would not take such risks ourselves. But if we do not have a culture that values information uniformly then how can we expect people to calculate correctly the risks they take with it?
HM Revenue and Customs is responsible for collecting the bulk of tax revenue, as well as paying tax-credits and child-benefits, and strengthening the United Kingdom's frontiers. A colossal amount of money passes through HMRC for a whole variety of reasons every year and child-support payments account for a relatively small proportion of that total. This means, purely in business terms, that the data and the database have relatively low intrinsic value to the HMRC. This value is diminished still further as the onus is on the parent to work out what they are entitled to and then provide information to allow HMRC to distribute the funds. HMRC are not tasked with ensuring that every parent receives benefit - but simply to make sure that all those that claim get what they are entitled to. The personal information is required to ascertain entitlement and enable the logistics of payment. The HMRC therefore feel no ownership of the information and receive no direct benefit from the personal information held on the child-benefit database.
In the same way, the National Audit Office receives no direct benefit from the personal data contained in the database. Its job is to check that "public good" services that are provided to the citizen by the state are done so in a fair and efficient manner (see "HMRC's lost Child Benefit data...", PublicTechnology.net, 22 November 2007). It wanted a small proportion of what was contained on the discs in order to audit the HMRC against one of their agreed targets. However, just as child benefit is a small proportion of what the HMRC does, auditing the HMRC against their performance of child-benefit payments is also a small part of what the NAO does.
Therefore, from the perspective of the HMRC and the NAO the communication method used for low-value correspondence could seem entirely appropriate. That the official chose to download the entire database rather than extract the desired data is being attributed not to the technical ease of this procedure but to the requirements of the NAO (see Tony Collins, "HMRC data loss: NAO request evidence", Computer Weekly, 23 November 2007). In any case, if the extra information seemed of no additional value than that requested to both sender and receiver then it would not be unreasonable to assume that the same communication method would be appropriate.
However, viewed from the perspective of a parent, a child or an identity-fraudster the data is very valuable indeed.
The tools of judgment
As information becomes an integral part of modern life we need to be able to value it - and that means understanding what it means to one another. There is a plethora of information-assurance initiatives and an equal number of expert opinions, but each seem to be driven by a different set of values of the information.
The public sector demonstrates perhaps the widest extremes, as either assurance is very high (because of national security) or very low (to enable the transformational-government agenda). Private-sector business tends to take the middle ground driven by anti-fraud, liability and customer-relationship management. And the citizen level is patchy due to the absence of leadership and standards in this area.
Until we reach a common understanding of the value of information and implement proportionate-assurance methods, then each one of us should think long and hard before hitting the send button on an email or dispatching information through the post. What may seem worthless and innocuous to us may be very valuable in the wrong hands - and we are just not equipped with the right tools to make that judgment.
Today it was some junior official in the HMRC, whose action in turn exposes the department's senior managers and operating systems to scrutiny. Tomorrow it may be you.
