Computing is the UK's most authoritative voice on business technology issues. Our weekly editorial leader article is published here - what do you think of our views on the latest news?

Thursday, 17 July 2008

Law update is only half the battle

When the anonymous civil servants who drafted the Data Protection Act (DPA) in 1998 set about their work, they were smart enough to realise that the world of computers was likely to evolve considerably.

Keeping the law up to speed with the pace of technological change was always going to be a challenge, and the principles-based approach that underpins the DPA has worked well. Precedents set through case law have allowed the Act to encompass technical developments – although Marks & Spencer’s challenge to the Information Commissioner’s enforcement of laptop encryption represents a new test.

But even such legal foresight was unlikely to have taken into consideration the internet, cheap storage, USB drives, broadband, social networking and all the data-intensive applications upon which modern business life depends.

So it is right to heed the calls for a review of the DPA that will see it through its next decade.

But today, law enforcement is not enough to securely protect data. A new DPA needs to go hand in hand with best practice IT management.

When the DPA came into force in March 2000, the article in Computing concentrated on the specifics of the new law and the challenges it posed for IT departments.

Any similar feature now would cover the legal aspects in just a few lines. The complexity of the IT protecting people’s personal information has increased exponentially. And with it, the awareness of identity theft and the potential for misuse of our data has grown in parallel.

Self-regulation and self-discipline are now just as important as legislation.

Every employee needs to be constantly reminded to protect corporate data as if it were their own. And processes such as information lifecycle management need to sit alongside all the security procedures necessary to treat our information with the care we each wish it to be handled.

A review of the law is timely. The review of your IT management practices should be constant.

Thursday, 08 May 2008

Time we stopped passing the buck

The realisation is growing that data protection is not somebody else’s responsibility.

Moves to make individuals liable for the loss or disclosure of personal information held by public sector bodies or by companies are an inevitable response to the data loss scandals we have seen in recent months.

Until now, the Data Protection Act has focused responsibility on senior executives of an organisation, who are held to task for failures of staff under their charge. But the reality is that those workers are rarely motivated by the need to protect their bosses or their employer’s reputation.

When someone else takes the blame, why should you care if you make a mistake?

The most common concern of IT leaders looking to introduce data protection or risk management policies is how to create a culture that supports the rules and regulations put in place. Having a policy is one thing – making staff buy into it can be quite another. Ultimately, a culture exists only in the collective hearts and minds of a group of individuals; it cannot be imposed from above or through a set of rules.

From a government perspective then, legislation appears to be the only answer.

But no law will be effective – other than in increasing the prison population – without education to go alongside it.

Data privacy is perhaps the biggest single challenge facing the technology industry. Information security is not the issue – technical controls exist to secure the vast volumes of electronic data being generated – but access to that data, and authorisation of its use, is about people, not technology.

For every government employee who inappropriately accesses citizen records (see www.computing.co.uk/2215705), how many would protest if someone did the same to their personal details?

People need to realise the impact on others of their actions, and to be given training and advice to ensure they are aware of their responsibilities. The best way to do that is to ask the question: What if it were you?

Thursday, 01 May 2008

Politics is stuck in the dark ages

Government has been wholeheartedly – if not always successfully – embracing the potential for technology to improve services to citizens, but the politicians have some way to go.

As local councils across the country go to the polls today, few candidates can claim to have turned to the internet to boost their appeal to voters.

The leaflet pushers have been as active as ever – the tree count for all the paper thrown straight into voters’ rubbish bins in the past month must be huge – but this new-fangled computer stuff seems to have passed our potential representatives by.

In London, where the highest-profile election is taking place, none of the candidates looked at the possibility, for example, of using social networking to engage with voters; nor have they made much mention of IT’s potential in improving the citizens’ lot. Ken Livingstone’s jocular anticipation of chips in our heads may not win him another term as mayor, but his Tory rival Boris Johnson can hardly claim to represent the internet generation either.

How different things are in the US, where the battling Democrat candidates, Hillary Clinton and Barack Obama, have put the web at the centre of their campaigns. The forthcoming presidential elections will be the most internet-enabled we have seen.

Perhaps part of the problem lies in the culture of secrecy surrounding technology in parliament.

Only now, after a series of data protection scandals, has the Information Commissioner been given the go-ahead to spot-check Whitehall departments for compliance. And MPs want to improve transparency by gaining access to departments’ management information systems instead of having to wait for annual paper-based reports.

The internet ethos is built on openness – not a quality often associated with politicians. If our elected representatives could grasp how IT can connect them with citizens, not only would they be closer to our tech-enabled culture, but perhaps more open with us all.

Thursday, 11 October 2007

Too many cooks will spoil ID fraud broth

Calls for an ID tsar to tackle the growing problem of identity fraud are misjudged.

The idea is being proposed by an all-party committee of MPs to provide a fulcrum for a problem that touches such a wide range of issues. So far, so good.

But in reality, the high-tech crime arena already suffers from too many, rather than too few, focal points.

It is an impressive list: the Serious Fraud Office, the Information Commissioner, the former National Hi-Tech Crime Unit (NHTCU) now absorbed into the Serious Organised Crime Agency, and the fledgling National eCrime Co-ordination Unit being set up at the Metropolitan Police to replace the management aspect of the NHTCU’s role.

With so many co-ordinators already, is there really room, let alone a requirement, for more?

The committee also wants an extension of the Information Commissioner’s powers. Again, the recommendation is superficially sound. Computing has been reporting for years on the limitations of the role, and calls for more clout should be supported.

But creating a tsar with an overlapping remit will cancel out the benefits and leave us back where we started.

Thursday, 13 September 2007

The web needs a level playing field

Friday, 02 March 2007

IT validated as economy fillip

Subtle changes to the way the government measures economic productivity do not, at first glance, appear to set the world alight.

But last week’s announcement from the Office of National Statistics (ONS) that the purchase and development of software will in future be recorded as investment rather than consumption is highly significant.

Not only will the changes add a whole percentage point to UK gross domestic product from the 1970s to 2005, they are also a step towards revisions that would, by taking better account of the impact of IT, bring us into the 21st century.

The measurements used to determine the size and growth of the UK economy are based on an outdated model that places manufacturing and heavy industries, rather than services, as the primary engine of wealth creation.

It is an approach that overlooks both the impact of IT within businesses and the growth of new industries, products and technologies.

To form a meaningful picture of our economic situation, and to ensure that the evidence informing policymaking is as valid as possible, the indicators need to be brought up to date.

Understanding of the importance of the issue is undoubtedly growing. The ONS changes on software are a clear step forward. And the Department of Trade and Industry is working on ways of measuring service innovations, which tend to be intangible and are therefore missed by traditional measurement criteria.

But, as always, changes require continued political commitment, informed discussion, and the necessary funding – none of which is easy to secure, least of all on a topic so apparently dry.

Economic measurements are the language in which our business world is described, and in doing so they establish its parameters.

There is little more worth spending money on. It is crucial we get them right, and Computing supports Intellect’s call for a firm commitment from the Treasury.

Thursday, 22 February 2007

Laws need to be enforced

Seen from this side of the Atlantic, the picture painted by Symantec’s global IT risk survey is a gloomy one. According to the report, twice as many European companies expect a major data loss every year as do their counterparts in the US; only half as many rate their firm’s security training as effective; and 20 per cent fewer think data protection is a critical business issue.

Individually, the figures are interesting. Taken together they show a different corporate culture.

In the first instance, the US has more laws. There are corporate governance requirements – such as the infamous Sarbanes-Oxley. And there are also more regulations specifically targeting security issues – such as California’s breach legislation, now taken up by two-thirds of other states – which requires companies to notify the public about IT security infringements.

But what really catches firms’ attention is that the laws are stringently enforced.

In the UK, it is a different story. We have fewer regulations, less effectively applied. The Data Protection Act (DPA), for example, yielded only 15 successful prosecutions last year, half of which resulted in fines of less than £750. In such a context it is not surprising that data protection compliance is lower on UK agendas.

This is not the first time Computing has called for the Information Commissioner’s Office (ICO) to be given more teeth. The figures on spam – another major ICO responsibility – are equally woeful. Despite hundreds of complaints every year, the ICO has yet to bring a single case to trial.

Last week Nationwide was fined just under £1m for inadequate information security procedures following the theft of an employee laptop. That the case was brought by the Financial Services Authority, rather than the Information Commissioner, underscores the ICO’s secondary standing.

Computing does not want more law. But it is in the interests of business that those we have are rigorously applied. The ICO needs more power to do its job.
