Whose data is it anyway?

Opinion: Government must give citizens more choice about where their details go

By Eric Woods, 17 December 2007 11:11

COMMENT

The loss of two CDs containing the data of 25 million people by HMRC has thrown a spotlight on the government's approach to handling personal data. Eric Woods looks at the possible impact of this debacle on the broader government IT agenda and asks if a new approach to citizen data might emerge.

I had originally intended to look at public sector opportunities for the greater use of business intelligence and other information management and analysis tools. But the loss by HMRC of the personal records of millions of people suggests it was not the best time to be making an argument for how the public sector could and should be doing more with the information it collects.

This in itself points to one of the possible secondary consequences of the mistakes made at HMRC - a general loss of faith in the potential of IT in the public sector.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.


A number of commentators have cast doubt not only on projects such as ID cards or the children's database but also on the transformational government strategy in general. There can be no doubt that there are broader implications in terms of the government's IT agenda, public trust and the attitude of the government to citizens' information.

The seriousness of the errors made at HMRC should not be underestimated. But there is a danger that with too many fingers pointing in too many directions, we miss identifying the immediate security and process changes that need to be made and the longer term implications.

As far as what needs to be done to make sure the stable door is shut, there has been plenty of after-the-fact advice to the government. A useful perspective uninfluenced by hindsight can be found in a report published in March by The Royal Academy of Engineering (RAE).

Dilemmas of Privacy and Surveillance: Challenges of Technological Change makes sober reading in the light of recent events but it also offers a series of sensible recommendations spanning systems design, risk analysis, regulation, auditing and recognition of privacy rights.

As would be expected, the clear and common-sense message is that we need to design our systems from the beginning so that they address privacy and data security concerns adequately. In the light of recent events, no one would argue against the need for a review of the security principles that run through every aspect of data handling within the public sector.

We also need independent auditing of how data is being used - greater power for the Information Commissioner was another of the RAE's recommendations that has belatedly been accepted.

However, there is another aspect to the issue of data privacy that goes to the heart of how government has to change if it is to realise the potential for data sharing and customer service in the network age. The RAE touches on this point in its final recommendation: "Data collection and use systems should be designed so that there is reciprocity between data subjects and owners of the system".

Government, and indeed the private sector, needs to start thinking of citizen data as our data. Whether it is biometrics stored for ID cards, electronic patient records or the details needed to pay child benefit, we are asked to trust the government's ability to keep sensitive information secure and at the same time, make it available to various agencies to support public service operations.

Sharing information across government may well make those operations more efficient, improve the health and safety of citizens and make our lives easier. But government will not win over citizens if its only argument is that 'we know best' - when patently it has shown that in many cases it doesn't. The way around this issue is to give citizens more stake in the process itself and in the control of our data.

We may accept the need to provide siloed departments with the information they require. We understand why we need to give data to the tax office, a hospital or the police. But that does not mean there is a mandate for government to take additional control of our data for other purposes. This is a case it has to make - and I would say needs to make if we are to get the real benefits of an effective e-government programme.

There are very good reasons why I may want a broader range of organisations to have a consistent view of my details. But I want to feel some control over that use and I want to be involved in the decision about what will be done with that data, either through personal choice or through the democratic process and the voice of my elected representatives or via an independent watchdog - such as the ICO - with real teeth.

Government should have to make a clear case about what it wants to do with my data and why, what security and restrictions of use will apply, and what it will do in the event of a security failure. Government itself needs to be clear about these issues, which in the case of ID cards arguably it hasn't been.

Government should also start an open dialogue with the public much earlier in the process, as could have been done with electronic patient records. It must enable debate over scope of use and the balance of risk versus benefit - for example, in relation to the children's database. The government must seek to enable the citizen to define the range of authorities that can use their data.

We will need a clear statement of citizens' rights over their data. The e-Citizen Charter proposed in The Netherlands might offer a good starting point. The UK famously lacks a clear constitutional statement of citizens' rights - a charter of digital rights might be one step to filling that gap.

Eric Woods is government practice director at Ovum

Comments

There are 4 comments.

  1. Karen Challinor

    "Government should have to make a clear case about what it wants to do with my data"

    - one thing it wants to do with it is sell it to third parties. As this is my data, I would like to know which third parties, how much it's being sold for and where my percentage is, and I want a veto over third parties I don't want to have my data.

    "the security and restrictions of use"

    - think "abacus"

    "Government should also start an open dialogue with the public much earlier in the process"

    - pardon? HMG *ask the public*? Us plebeian working folk who don't understand long words? It would cost too much to draft the documents so us thickies would understand, then there's national security issues that can't be discussed... fullness of time... taking the long and the short view... yadda yadda... never happen.

    "We will need a clear statement of citizens' rights over their data"

    - important distinction: we are "subjects", not "citizens". I invite the reader to find out the difference for themselves.

  2. anonymous

    This is simple, even though so far, we have not treated it this way, in either commercial or government contexts.
    The data (information) about me is MINE and I should have absolute control over its use. Further, if the person I have permitted to use it profits from this - I should receive some clearly stated compensation for this use, which grows with their use of it. They should be specifically prohibited from passing on ANY of this information.
    We need a debate about what data is inevitably "public domain" - eg the electoral roll - with clear exceptions such as this stated, along with the constraints on the use of even this information.
    There should be an inescapable duty on the holder to request my permission to continue holding and using the data, in a clear (ie not fine print on page X) form annually, with swingeing fines AND embarrassing public visibility for not doing so. This provision to apply equally to commercial and government users.
    In the event that government needs to collect and handle information covertly - eg in the case of criminal investigation - there should be (a) the requirement to obtain and renew the permission via a court, and (b) the absolute requirement to irretrievably delete all information related to anyone NOT convicted at the end of an investigation. This condition to apply to digital and physical records and information. Similarly swingeing punishments, organisationally and personally, for infringements.
    Government departments, in particular, should have the boundaries of what information they may each collect set very closely and there should be 2 specific prohibitions -
    - cross correlation of information between departments except with court permission in the event of criminal investigation (and see rule above about this)
    - ANY form of even anonymous summary, data mining and predictive analysis of behaviour or future actions, with the single exception of simple demographic information. That to be defined and closely bounded by law.

    Some of this may well be what data protection attempts to do today, but it needs teeth - big, strong teeth, and heavy financial and public embarrassment disincentives for commerce and government should they break the rules.

  3. anonymous

    If we pass responsibility for disclosure to the citizen, whose data we hold it to be, isn't it likely that, as with the mass of personal data currently traded and communicated by e.g. the issuers of loyalty cards, most citizens will unwittingly agree to the large-scale dissemination of information about them? I keep wondering when I checked the box, or overlooked the need to check the box. When did I agree to all this information about me being circulated?

    Passing responsibility back to the data subjects and telling them that they all agreed to disclosure, so it's OK, will not solve the problem. It is a blatant cop-out of government's responsibility to ensure that only those who genuinely need it, get it.

  4. John

    This all just shows how useless the current Data Protection Act and 'Information Commissioner' really are.

    It is all well and good poking fun and aiming complaints at the Government departments that have publicly failed in their duty of care over our information, but let's not forget that many, many organisations have made similar mistakes. But if they come clean, it would hurt their profits. So they keep quiet about it - hence the reason we should have disclosure laws too.

    Looking at the D.P. Act, it states that personal information should only be sent to companies in countries that meet our requirements for data protection. That is basically Europe, Canada, Australia, plus U.S. companies that have made 'Safe Harbor' declarations.

    This means that all those call centres based in India are being used by companies that are quite happy to hide behind small print allowing them to send our personal data anywhere they like. We should not be allowed to sign away such protections so easily, and companies should not be given such an easy 'get out' mechanism to avoid the intention and application of the Data Protection Act.

    As for Govt agencies selling on our data, which they do to a very large degree - surely they should include an 'opt in' box on their paperwork to get our permission for this use of our information, as other companies are supposed to do?

    If/when the Govt make money from selling our data, it would be nice to know that this has gone into the coffers and improved the quality of service given to residents of this country, but does that actually happen?
