data protection
at 13:47
Following the revelation of yet more utter incompetence in government data handling, the BBC asks...

"How should our details be protected? A computer memory stick containing the personal information of tens of thousands of criminals has been lost. Who should be responsible for keeping our personal information secure?"
Well, I posited a suggestion ten years ago now when I was on the Lib Dems' Civil Liberties Policy Working Group. At the time ID cards were but an evil glint in Liar, Liar, Tony Bliar's eyes, but there was a clear feeling that they were pushing in that direction. It was mainly in response to issues such as the Regulation of Investigatory Powers Act and the government wanting more and more surreptitious access to data already held about us and our activities.
My suggestion was that if government felt the need to keep all this data on us, the very least they could do would be to put us in charge of how and when it was accessed. We could all have an encryption key - it need not even be supplied by government - you could purchase one, perhaps from Thawte or someone like that, if, or when, you decided you could not trust the government.
Two encryption keys would be required any time any bureaucrat or official decided they wanted to take a peek at any data the government held identifying you as the subject. A bit like a "nuclear key", where two people must turn their keys for anything to work: the official would have their own key, which would identify them as the person trying to access the data and check they were authorised to do so, and they would have to be in contact with the data subject, you. Like a bank call centre does when it phones you, they would have to authenticate that they were dealing with the real you, by getting you to enter some of your PIN or similar, before they got access.
Every government database system that held any data on individuals would have to go through an annual independent audit to ensure there was no inbuilt mechanism for bypassing such a security measure or, for example, for copying data en masse with personal identifiers in it. The system could be extended, voluntarily, to any organisation that holds personal data - such as banks - if they felt it was more effective than creating their own, and the whole principle could be embedded in Data Protection legislation (not that the presence of Data Protection legislation stops the government currently breaking its own laws).
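As an added illustration of the two-key scheme sketched in the two paragraphs above (it is example code written for this page, not anything from the original post or from any real government system), here is one way the mechanics could work. The key for each record is split into two shares: the registry keeps one, the data subject takes the other away. An official has to be authorised for a stated purpose, and the subject has to authenticate with a PIN and present their share, before a record decrypts; every attempt, refused or granted, is logged; and a bulk dump of the database yields only ciphertext, because the registry never holds a whole key. The cipher (an HMAC-SHA256 keystream with an HMAC tag) is a stand-in for AES-GCM, and the officials, subjects, PINs and purposes are all constructed for the example.

```python
"""Dual-control ("two-key") access to personal records: example code, not a real system."""
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "shares and keys are fixed at 32 bytes in this example"
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, length: int) -> bytes:
    """PRF counter mode: HMAC-SHA256(key, counter) blocks, truncated to length (demo cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the reconstructed record key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ct = _xor(plaintext, _keystream(enc_key, len(plaintext)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()  # encrypt-then-MAC


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered record")
    return _xor(ct, _keystream(enc_key, len(ct)))


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


class Registry:
    def __init__(self):
        self.records = {}         # subject_id -> (encrypted blob, registry's key share)
        self.pins = {}            # subject_id -> (salt, PIN hash); the PIN is the subject's "key turn"
        self.authorisations = {}  # official_id -> set of purposes the official may access data for
        self.audit = []           # every attempt, granted or refused, for the independent auditor

    def enrol(self, subject_id: str, pin: str, plaintext: bytes) -> bytes:
        """Store the record and return the subject's share; the registry keeps no copy of it."""
        key = secrets.token_bytes(32)
        registry_share = secrets.token_bytes(32)
        subject_share = _xor(key, registry_share)  # key = registry_share XOR subject_share
        salt = secrets.token_bytes(16)
        self.records[subject_id] = (encrypt(key, plaintext), registry_share)
        self.pins[subject_id] = (salt, _pin_hash(pin, salt))
        return subject_share

    def authorise(self, official_id: str, purpose: str) -> None:
        self.authorisations.setdefault(official_id, set()).add(purpose)

    def access(self, official_id: str, purpose: str, subject_id: str,
               pin: str, subject_share: bytes) -> bytes:
        """Both keys must turn: the official is authorised and the subject authenticates."""
        entry = {"official": official_id, "subject": subject_id, "purpose": purpose}
        if purpose not in self.authorisations.get(official_id, ()):
            self.audit.append({**entry, "result": "refused: official not authorised"})
            raise PermissionError("official not authorised for this purpose")
        salt, stored = self.pins[subject_id]
        if not hmac.compare_digest(stored, _pin_hash(pin, salt)):
            self.audit.append({**entry, "result": "refused: subject authentication failed"})
            raise PermissionError("subject authentication failed")
        blob, registry_share = self.records[subject_id]
        try:
            plaintext = decrypt(_xor(registry_share, subject_share), blob)
        except ValueError:
            self.audit.append({**entry, "result": "refused: bad subject share"})
            raise PermissionError("subject share does not match record") from None
        self.audit.append({**entry, "result": "granted"})
        return plaintext

    def bulk_export(self) -> list:
        """What an insider with full database access gets: ciphertext and half a key per record."""
        return [(sid, blob, share) for sid, (blob, share) in self.records.items()]


def demo():
    reg = Registry()
    share = reg.enrol("subject-1", "4821", b"criminal record: none")  # constructed sample data
    reg.authorise("official-7", "court-listing")
    granted = reg.access("official-7", "court-listing", "subject-1", "4821", share)
    try:
        reg.access("official-7", "court-listing", "subject-1", "0000", share)
        refused = False
    except PermissionError:
        refused = True
    return granted, refused, len(reg.audit)
```

The point of the XOR split is that `bulk_export` has nothing an auditor would object to: without the subject's share, the registry's share is uniformly random and the blob is undecryptable, so a memory stick full of exports is a memory stick full of noise. A wrong share fails the HMAC check rather than yielding garbage, which is why the tag is there. In a real deployment the subject's share would live on a token or a trusted third party's service, and the PIN exchange would happen over the call, as the bank example in the text describes.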
Remember, it's not so very long ago that when you submitted your tax return each part of it, or schedule, would be dealt with by a different official so that no one person could actually gain a picture of what you were worth. We need to return to that culture. Modern technology is great stuff, or it can be. But at the moment the culture seems to be to assume that systems ought to be intrusive rather than actively looking for ways as part of systems specifications to maintain the benefits of fast modern communications and data (for there are many) whilst not being intrusive. Witness the debate about road pricing - "eye in the sky spies" or "black box" systems that don't need to transfer data about your movements, only about your overall journey for the purpose of billing.
Would it grind government to a halt? Perhaps, though the former tax regime was entirely paper based and so much more troublesome, and it didn't exactly collapse then; banks and other large data processing organisations use similar technology and still operate reasonably efficiently. Would government grinding to a halt be a terribly bad thing in any case, I wonder?
But, whether the data is about criminals, child benefit recipients or recruits to the armed forces, this current government has proven itself utterly incapable of managing data, or perhaps just contemptuous of our rights. Personally, I doubt any other party's government would be doing much better - contempt for the citizen is embedded in Whitehall and Westminster - but Straw and Smith should resign over this latest data loss immediately. Resign, and be tried as any data controller would be with such brazen data losses under their watch. Enough is enough. These bastards need to get out of our lives, or perhaps some day we will collectively decide we need to make them butt out, forcibly.
UPDATE: My boss just pointed me to this article in Computer Weekly about Lib Dems calling for data commissioners to protect data about the public. I'm not sure it's anywhere near adequate. The liberal response should be, of course, to reduce the quantities of data first, by being ruthless about who needs to store any data about us, but I can't see that a data commissioner, even one for every database, will be any more effective than the current DPA regime of a responsible Data Owner who can be prosecuted for failure to comply with the act. Clearly government departments need to be held responsible in the courts, with individuals answerable, just as they are in other organisations. And at the top of the tree comes the minister concerned. It is not the technology that is at fault but a lax attitude to how that technology should be used. We need to change the culture such that databases are designed from the bottom up to assume, essentially, that the data subject is the one who by default has access, not the data owners.