Jill Kirby: The agencies handling confidential information are still failing to take privacy seriously
Yesterday's report from Big Brother Watch, on the loss of sensitive personal personal data by local authorities, shows the extent to which the agencies handling confidential information are still failing to take privacy seriously. Only last month the Justice select committee called for harsher penalties for data breaches and expressed concern at the lack of powers available to the Information Commissioner to enforce data protection. Such powers are urgently needed.
We've seen a massive expansion in electronic data collection and sharing over the last ten years. It has been accompanied by astonishing technical advances – a memory stick the size of a 10p coin can now hold as much data as your average desktop computer. But these advances have run ahead of the stringent safety measures required to protect the information held. Agencies, especially (although not exclusively) in the public sector, do not seem able to grasp the cultural changes that should have taken place, in training, procedures and enforcement. In the days when personal information was confined to paper folders, mostly locked away in filing cabinets, the scope for losing information (or having it stolen) was both limited and easily detectable. Now that thousands of items of pupil, patient or child protection data can be stored on a single memory stick and passed between home and office computers, security is wholly dependent on the rigid use and enforcement of encryption.
Many of us will admit to being pretty casual about our own internet security. Remembering multiple passwords is boring and time consuming, we like to get hold of information fast and too often we take risks. Perhaps it's not surprising then that teachers, doctors, social workers and/or their clerical or support staff are sometimes rather lax about encrypting, anonymising and decoding data. But such complacency is dangerous and heavy penalties should be imposed. Big Brother Watch gives numerous instances of information about vulnerable children being mislaid in unencrypted form: in Renfrewshire, eight separate data pens containing social work data were lost; in Durham a memory stick containing highly confidential data regarding children in care was left in the street by a former social worker.
Surely it's also time to ask whether this kind of information should be put on a such a tiny item of portable hardware in the first place? As Big Brother Watch points out, security on home computers and laptops will often be at a much lower level than office systems, so it's questionable whether staff should be permitted to download and carry around data sets. Would it not be better to limit the use of certain types of information to desktop computers within a secure system, so that the risk of individual carelessness is minimised?
Perhaps we should also be asking some much bigger questions, such as whether an increasing flow of information into electronic data sets is always inevitable? Whilst it's neither desirable nor possible to return to paper filing, the fact that we can now collect and distribute masses of material doesn't necessarily mean that we should – or that we need to. It's certain that government agencies are storing superfluous data, failing to delete material that is no longer needed, and often failing to distinguish between the two. As we all know from our overflowing inboxes, it's very easy to pass round information indiscriminately, leaving the recipient the task of deciding whether the information is useful. For non-confidential material the habit might be time-wasting but is usually harmless. For sensitive information, the failure to discriminate carries unnecessary risks.
Some may consider it ironic that Big Brother Watch is able to produce its report by collecting data from councils under the Freedom of Information Act. Thus transparency is used as a tool to detect breaches of privacy. As the Coalition releases more public data online, in its bid to increase government accountability and improve choice for the users of public services, striking the right balance between transparency and privacy becomes more critical than ever. The security breaches exposed by Big Brother Watch suggest that local government has not yet got the balance right. I hope that central government departments, as they prepare to release anonymised pupil and patient records, will show a much more rigorous attitude to safeguarding our privacy.