Time for a National Privacy Card scheme
By Dave Birch posted Apr 2 2009 at 9:21 PM[Dave Birch] There was a bit of media attention around the recent report on government databases from the Joseph Rowntree Foundation (the authors include Forum friends William Heath and Angela Sasse) but I'm not sure that the government was listening. The report was quite strong on the extent of the problem within government:
A quarter of all government databases are illegal and should be scrapped or redesigned, according to a report.
[From BBC NEWS | UK | Call to scrap 'illegal databases']
The way to protect personal data most effectively, particularly in large organisations such as the government, is not to store it in the first place. This may seem unworldly. After all, I want Tesco to provide me with a good service, so why shouldn't I give up some of my personal data in order to get it? Setting aside the issue of whether what I bought in Tesco yesterday is "my" data or not, I am perfectly happy to have, and wield, my Tesco Clubcard. After all, it's not in my real name and Tesco never ask me for data I don't want to give them, so I'm more than happy for them to record what I buy. And, to their credit, I can say with hand on heart that I have never once received junk mail, spam or unsolicited phone calls for the imaginary alter-ego who shares my home, from which I deduce that Tesco have kept to their side of the bargain and not disclosed "my" data to a third party. So why am I concerned about the government having big databases of stuff about me?
Well, for one thing, I have no expectation of redress should the database become compromised. My day-to-day experience as a citizen is that if I buy a chicken from Tesco and when I get home find that they chicken is rotten, they will give me another one. When I complained about British Airways "BA Miles" redemption on Twitter I got a letter from them offering a compromise. When the Volvo dealer couldn't finish fixing my car in the time they promised, then gave me another car to use for the day. Thus, I have an expectation of redress which makes me confident: sure, BA lose a bag from time to time, but they find the bag and send it to my hotel and give me a prepaid Visa card in compensation. I do not expect them to be perfect and don't imagine that it might be economically feasible to construct a baggage system that would never, ever put a bag on the wrong flight. But that's OK, because BA will fix it: there will be redress. But I cannot see any equivalent redress, or expectation of redress, for government databases. Remember the recent case of the government's National Identity Register database, the CIS:
And some council staff have already been using the CIS to check the data it holds on their friends and relatives... The £72m Customer Information System is an Oracle database being built by Accenture for the Department for Work and Pensions. It will hold a wide variety of data on nearly all UK citizens.
[From ID Cards insider: scheme is "largest , most complex and sensitive undertaking in Government" (Tony Collins's IT Projects Blog)]
Uh oh. The government hasn't even finished building the National Identity Register and it has already been compromised. And that's just by people who are messing about, not people who are on the dark side. If my brother-in-law finds out how much I earn from a mate at the council, it's hard to value my loss and even harder to imagine the council doing anything about it. And that's just people playing around. There are far more sinister reasons for the bad guys to access government databases rsther than Tesco databases.
A corrupt police officer planned to make more than £2 million by using confidential details to blackmail registered sex offenders and sell information to wealthy criminals, a court heard yesterday. Using intelligence from a police internal computer system Amerdeep Johal, 29, wrote letters to ten convicted sex offenders and one suspected offender, demanding that they pay him up to £31,000 or he would expose them to their families, neighbours and employers, the Old Bailey was told.
[From Officer Amerdeep Johal 'used police files to find blackmail targets' - Times Online]
Notice here that the blackmail extended to suspects, not only people convicted of an offence. What would you do if someone threatened to update your PNC record to flag you up as a suspected sex offender unless you paid them ten grand? For civil servants to think that their databases are a bit like retailer databases or magazine databases is just mad. For the e-nabled, transformational government future, this wrong perspective is a real problem. I'm convinced that we need to change the problem from database sharing and joined-up government to that of identity infrastructure, and we need to start the infrastructure off with a different mindset. Clearly, simply changing the words isn't going to be enough (!), but it's time to start the campaign for a National Privacy Card instead of a National Identity Card (note: this idea popped up a couple of weeks ago and I mentioned it on Radio 4 last week, so I'm hoping for some feedback!).
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
Comments