Whose data is it anyway?

The loss of two CDs containing the data of 25 million people by HMRC has thrown a spotlight on the government's approach to handling personal data. Eric Woods looks at the possible impact of this debacle on the broader government IT agenda and asks if a new approach to citizen data might emerge.

I had originally intended to look at public sector opportunities for the greater use of business intelligence and other information management and analysis tools. But the loss of millions of data files by HMRC suggests it was not the best time to be making an argument for how the public sector could and should be doing more with the information it collects.

This in itself points to one of the possible secondary consequences of the mistakes made at HMRC - a general loss of faith in the potential of IT in the public sector.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

A number of commentators have cast doubts not only over projects such as ID cards or the children's database but also on the transformational government strategy in general. There can be no doubt that there are broader implications in terms of the government's IT agenda, public trust and the attitude of the government to citizens' information.

The seriousness of the errors made at HMRC should not be underestimated. But there is a danger that with too many fingers pointing in too many directions, we miss identifying the immediate security and process changes that need to be made and the longer term implications.

As far as what needs to be done to make sure the stable door is shut there has been plenty of after-the-fact advice to the government. A useful perspective uninfluenced by hindsight can be found in a report published in March by The Royal Academy of Engineering (RAE).

Dilemmas of Privacy and Surveillance: Challenges of Technological Change makes sober reading in the light of recent events but it also offers a series of sensible recommendations spanning systems design, risk analysis, regulation, auditing and recognition of privacy rights.

As would be expected, the clear and common-sense message is that we need to design our systems from the beginning so that they address privacy and data security concerns adequately. In the light of recent events, no one would argue against the need for a review of the security principles that run through every aspect of data handling within the public sector.

We also need independent auditing of how data is being used - greater power for the Information Commission was another of the RAE's recommendations that has belatedly been accepted.

However, there is another aspect to the issue of data privacy that goes to the heart of how government has to change if it is to realise the potential for data sharing and customer service in the network age. The RAE touches on this point in its final recommendation: "Data collection and use systems should be designed so that there is reciprocity between data subjects and owners of the system".

Government, and indeed the private sector, needs to start thinking of citizen data as our data. Whether it is biometrics stored for ID cards, electronic patient records or the details needed to pay child benefit, we are asked to trust the government's ability to keep sensitive information secure and at the same time, make it available to various agencies to support public service operations.

Sharing information across government may well make those operations more efficient, improve the health and safety of citizens and make our lives easier. But government will not win over citizens if its only argument is that 'we know best' - when patently it has shown that in many cases it doesn't. The way around this issue is to give citizens more stake in the process itself and in the control of our data.

We may accept the need to provide siloed departments with the information they require. We understand why we need to give data to the tax office, a hospital or the police. But that does not mean there is a mandate for government to take additional control of our data for other purposes. This is a case it has to make - and I would say needs to make if we are to get the real benefits of an effective e-government programme.

There are very good reasons why I may want a broader range of organisations to have a consistent view of my details. But I want to feel some control over that use and I want to be involved in the decision about what will be done with that data, either through personal choice or through the democratic process and the voice of my elected representatives or via an independent watchdog - such as the ICO - with real teeth.

Government should have to make a clear case about what it wants to do with my data, why, the security and restrictions of use and what it will do in the case of security failure. Government itself needs to be clear about these issues, which in the case of ID cards arguably it hasn't been.

Government should also start an open dialogue with the public much earlier in the process, as could have been done with electronic patient records. It must enable debate over scope of use and the balance of risk versus benefit - for example, in relation to the children's database. The government must seek to enable the citizen to define the range of authorities that can use their data.

We will need a clear statement of citizens' rights over their data. The e-Citizen Charter proposed in The Netherlands might offer a good starting point. The UK famously lacks a clear constitutional statement of citizens' rights - a charter of digital rights might be one step to filling that gap.

Eric Woods is government practice director at Ovum