Computing editor Bryan Glick on the issues facing UK IT leaders and the latest in internet and business technology


Thursday, 10 January 2008

Don't blame it on the database

The national media has, unsurprisingly, been full of politicians and commentators calling for the identity cards and NHS electronic records programmes to be reviewed or even scrapped, in light of the outbreaks of “lost” data caused by the missing HM Revenue and Customs CDs.

Shadow home secretary David Davis wrote in The Sunday Times that “we need serious restrictions on the transfer and sharing of such information. The current casual and careless practice is intolerable.”

There is no doubt that Davis is right on this point of principle, and the debate over the security of government databases is a vital one.

But let’s think carefully about some of the facts. Patient records were lost by nine NHS trusts - each of which no doubt had different IT and processes in place to cater for data protection. In one case, the records lost were paper-based.

The problem with the lost 25 million child benefit records was not the database; it was that technology was not better used to protect it.

Secure file transfer and encryption are available - the problem was the lack of management controls and processes over the use of that data.

There is a strong technical counter-argument to the anti-database cries - most of these issues have come as a result of a lack of management control and a patchwork of unco-ordinated databases.

And as we spend more time online, a standardised system for electronic personal identity management in our dealings with government - and even the private sector - is surely inevitable, whatever form it takes.

The goal is a system that gives each of us the ability to personally manage our electronic identity - an individual firewall around all the data that matters to you. That technology does not yet exist in the mainstream, but offers a vision of a secure future. Whatever the government does now should be seen as steps on that path.

The political rights and wrongs of ID cards or electronic patient records are a different debate.

The argument must not be about whether databases should exist. The objective is to make sure that secure, better managed and well-controlled databases exist.


Comments

It is the fault of the databases. If they didn’t exist there would be no problem. Just because it is convenient for the government to hold these massive databases and that ‘we spend more time online’ does not justify them. As for ‘electronic personal identity management’ this is just mumbo jumbo. Nothing is inevitable and the public ultimately or at least in a democracy, should decide if these massive databases exist. The public are becoming more aware of the fallibility of these systems. The main justification for these databases is the huge profits to be made by the IT suppliers and consultancy firms and it seems that Computing is falling into line with editorials like this. In the case of the NHS and ID databases they must be scrapped regardless of the loss of face to the government and its cronies. One only has to look at the list of applicants for ID contracts, arms suppliers and all, to know that something is amiss.

Bryan Glick (Don't blame it on the database, 10th January 2007) is right to point to the facts behind the recent spate of public sector data breaches, which so many have failed to do when busy playing the blame game. The focus now needs to lie on using the lessons learnt from these occurrences to improve public sector data management for the future. While Glick looks to electronic personal identity management as a way forward, public sector bodies still need to encourage a culture where information management lies at the core, and where information is valued, nurtured and used and shared appropriately. We also need to remember that no technology is perfect, especially where human interaction is involved and therefore more fail safe processes need to be put in place when dealing with ID sensitive information.

While restoring public confidence may be a key objective for the sector amid the torrent of media speculation, I believe that the sector is working to implement more efficient and stringent information management processes to ensure that heightened data security is achieved.

Peter Dorrington, Public Sector Strategy Manager, SAS UK
