An outbreak of honesty
Or would Leeds Building Society have made public the missing
salary and banking details of 1,000 employees – especially since they were
simply ‘unaccounted for’ after an office move from one floor of its building to
another?
The real scandal, if you want to use that word, is that we
will never know how many similar instances have taken place in the public and private
sectors for years without ever being revealed.
I was told recently of a major global financial services
firm that used to post a CD containing 300,000 people’s personal information inside
a jiffy bag, using ordinary post – not even registered post – until the head of
IT in the UK found out about the practice and stopped it immediately.
These sorts of incidents happen all the time.
There will be more calls for a data breach notification law
of the kind used in the US, where firms are legally responsible for informing people
affected by a security breach. The government’s data sharing review will look
for other measures – not least the obvious ones such as encryption and
electronic, instead of postal, file transfer. And the debate over identity
cards and NHS medical records databases will be cranked up as a result. These are
all good things, of course, and recent events have served only to raise the
profile of a discussion that would have taken place anyway.
But what will no doubt also happen is yet more questions
about the use of databases – it has almost become a taboo word.
In all this lost data debate, there is one fact that seems
to be overlooked: No database has ever “lost” anything. No IT system has
allowed information to be retrieved unless it thought the person doing so was
meant to be there. No network ever randomly decided to publish the content of
its systems.
Technology is not the villain here – it is the solution. The
problem is human error. The HMRC data would not have gone missing were it not
for a human being making a very bad decision.
Simple, everyday technology exists to make data secure,
unreadable and inaccessible. We should not be worried about the government
creating a database containing the details of 60 million citizens – we should
be worried about the fact that human beings are operating it. (Not that the
government is creating a single central ID cards database, nor a single,
central NHS medical records database, but the complexity of distributed data management
is beyond most national news commentators.)
Some newspaper columnists (well, one in particular) have
even suggested a return to remembering data or writing it down on paper and not
using IT at all. Great idea – after all, nobody ever forgot information they
were told, and nobody ever stole or mislaid a piece of paper, did they?
So the honesty we are seeing now is welcome, if belated and
sadly causing many people a lot of worry about the potential for identity theft.
But let’s not allow the debate to be dragged down to a simplistic and headline-grabbing “all databases are bad.” Like all IT, it is about people, process and technology – and the technology is the easiest part to get right.
[Thanks to an in-depth conversation with my good friend and Computing features editor Mark Samuels for the inspiration behind this blog entry. Happy now, Mark?]


