
Escape the data management minefield

Opinion: how to spot data protection pitfalls

By Paul Bentham

Published: 13 September 2007 11:25 GMT

The public sector's data management is looking increasingly like Swiss cheese - full of holes. Paul Bentham explains how this is not just about malicious hacking and has more to do with systems design and process.


The report from the Information Commissioner's Office out last month highlighted that public sector organisations are still not taking the Data Protection Act (DPA) seriously enough. After nine years it's hardly a new law. And at a time of extreme data sensitivity, with identity theft and fraud rife, you'd think its importance would have sunk in.

But it seems there have been problem after problem. Reports of data breaches are all too common. In a recent case Newcastle City Council's computer systems allowed the download of 54,000 customer credit card records.

And this flaw wasn't caused by an errant employee with a grudge or a hacker on a mission. The information was simply placed on an open server instead of a secure network, a completely preventable and inexcusable error.
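The check a practitioner would run after an incident like Newcastle's is a scan of every directory the web server actually serves for anything that looks like a card number, before an outsider finds it. The script below is an added illustration and is not from the article or from any system it mentions: the file names and contents are constructed test data, and the card numbers are the standard Visa and Mastercard test PANs rather than real accounts. A Luhn check is used to cut false positives from phone numbers and reference numbers.

```python
"""
Added example (not from the article): scan a directory that is served to the
web for files that appear to contain payment card numbers, using a Luhn check
to cut false positives. All file contents below are constructed test data.
"""
import os
import re
import tempfile
from typing import Dict, List

# Candidate primary account numbers (PANs): 13-19 digits, optionally separated
# by single spaces or dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample files for the demo. The card numbers are the well-known
# Visa/Mastercard test PANs; the phone and reference numbers must not be flagged.
SAMPLE_FILES = {
    os.path.join("exports", "customers.csv"):
        "name,card\nA Smith,4111 1111 1111 1111\nB Jones,5500-0000-0000-0004\n",
    "index.html": "<p>Call 0191 123 4567 or quote ref 1234567890123456</p>\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)),
}


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check (ISO/IEC 7812-1)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Luhn-valid PAN candidates in text, separators stripped, in first-seen order."""
    found: List[str] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def scan_tree(root: str, max_bytes: int = 10 * 1024 * 1024) -> Dict[str, List[str]]:
    """Map each file under root (path relative to root) to the PANs it contains.

    Files are read as bytes and decoded leniently so binary files do not abort
    the scan; files larger than max_bytes are skipped rather than read partially.
    """
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", errors="replace")
            pans = find_pans(text)
            if pans:
                hits[os.path.relpath(path, root)] = pans
    return hits


def mask(pan: str) -> str:
    """Report only the first six and last four digits, so the report itself is not a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def demo() -> Dict[str, List[str]]:
    """Write the constructed sample files to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path) or root, exist_ok=True)
            data = content if isinstance(content, bytes) else content.encode()
            with open(path, "wb") as fh:
                fh.write(data)
        hits = scan_tree(root)
    for rel, pans in sorted(hits.items()):
        print(f"{rel}: {', '.join(mask(p) for p in pans)}")
    return hits


if __name__ == "__main__":
    demo()
```

Run against a real document root the scan prints only masked numbers, so the output can go into a ticket without itself becoming the next breach. The Luhn check is a filter, not proof: a valid checksum says a string could be a card number, and any hit still needs a human to confirm what the file is and why it sits in a served directory.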

Again, there was the recent breach on the NHS MTAS recruitment system where personal details of job applicants were available for everyone to see. These are only the latest examples in a long list of public sector data security failures.

There is no denying that ensuring data security in a public sector organisation is a nightmarish task. And one that is getting increasingly difficult as more and more services go online and more data is stored.

But that doesn't mean individual organisations can't, with greater focus, batten down the hatches and adhere closely to the standards and regulations set out in the DPA, preventing massive data security breaches and the large fines and reputational damage that follow them.

This increased volume of data, coupled with growing pressure to share services, is simply part of the joined-up government ethos. Asking consumers to provide the same information time and time again to different government agencies causes mass duplication of effort and is confusing for the public - for example, having to register your details for council tax and then again for the electoral register.

Keeping all these data sources bang up to date is nigh on impossible. Hence the need for joined-up government. But although sharing data makes sense for most public sector organisations, it means securing data is akin to holding water in a sieve - when multiple agencies have access to it, the chances of a data breach increase significantly. Regardless of the difficulties, it's a must and organisations have to do it carefully, and within the confines of the law.

Yet recent reports saw Home Secretary Jacqui Smith flouting the Data Protection Act 1998 by letting the Metropolitan Police use automatic number plate recognition (ANPR) data for crime-fighting purposes.

You could argue that bending the rules is justifiable when it helps combat crime. However, this highlights two key problems for organisations trying to adhere to the DPA. One concerns technology glitches that cause data security breaches. The other concerns confusion over the public sector's interpretation of the DPA and how it should be applied.

The solution to this confusion is a more thorough approach to knowledge and education - some organisations simply don't know where they stand and what applies to them. The Information Commissioner's Office guide will help organisations feel their way through the requirements and comply so that no inadvertent breaches occur.

Solving the other problem, technology failures, is more challenging. There are myriad public sector technology projects and a good percentage of these are bound to have problems that can ultimately cause lapses in data security. Poorly designed or managed systems, unsecured data, poor password procedures and ubiquitous access are some of the key culprits.

Assuming that sound processes are in place is simply not enough, and brushing any weaknesses under the carpet is not an option. An oversight of this nature recently stung UK bank Nationwide, which was fined nearly £1m over a laptop theft that was reported almost three weeks after the incident.

This punishment serves as a stark reminder to organisations in all sectors to be extremely careful about how they deal with data security breaches and to have stringent processes in place to ensure that data is as secure as possible. Processes need to be checked, approved and audited time and time again.

Another major factor is that almost all these huge technology projects are implemented through outsourced suppliers. That's not to say the blame lies solely with them - any supplier relationship should be a partnership - but organisations need to choose a partner that can carefully supply the consultancy and services needed.

If dealing with sensitive data, organisations need strategic advice about the data security policies they implement, and there needs to be unambiguous agreement about where responsibility for security lies. This needs to be carefully set out in the contract.

Lapses in quality assurance and testing can also lead to security breaches. Often a system is fully functioning until a change is made, such as the application of a security patch or integration of a new piece of software. This type of activity can trigger defects in the system causing downtime or the exposure of data.

Data owners, regardless of whether they operate in the private or public sectors, have a responsibility to ensure the information is safe and secure. Public sector organisations are more accountable than ever to the public, and the public expects to be able to trust them.

If public sector organisations fail in their data protection responsibilities, it can damage their reputations and the public's confidence in their ability to do a good job. Ultimately it is in their interest to get it right.

Paul Bentham is the public sector expert and partner in the technology and outsourcing group at Addleshaw Goddard www.addleshawgoddard.com


