It'll get worse before it gets better

Wednesday, January 13, 2010

This article was published in Public Service

Tight financial constraints threaten to further undermine public confidence in the public sector's ability to safeguard personal data, delegates at Public Service Events' Data Protection conference were told. Mike Lowe reports

Spending pressures are set to exacerbate the public sector's data security problems. The economic recession is driving the sector back to a "compliance-driven market", which is only going to get worse over the next three years, according to Toby Stevens, director of the Enterprise Privacy Group.

"We're going to be asked to achieve more for less and that means we are going to be asked to share more personal data and put less protection on it. We've got to stop this now and get innovative about how we do this," he said, warning of the risk of "making it up as we go along" on data protection.

"We need a way of comparing our work, benchmarking what we're doing, a pan-government framework – not for the Data Protection Act but for protecting privacy. In the absence of that, it is very hard to know whether we have got it right or not," he said.

"Until we actually have something that allows us to at least have a checklist of what needs to be done, how are we meant to know if we have done it? More importantly, how do we tell the auditors we have done it? And how do the auditors assure executive management that we have done it?"

Privacy International director Simon Davies agreed, telling the Data Protection conference that the problem was always money. With budgets being tightened in the public sector, safeguards such as privacy impact assessments (PIA) were not being paid for – even though a PIA for a £1m IT project would cost just £5,000.

Asked if the situation would ever change, Davies said he was asked the same question 20 years ago, and he believed trust in information systems was not going to get any better.

But Davies said giving more time to parliamentary committees to scrutinise privacy issues could make a difference, providing government was willing to make the necessary reforms. He told Public Servant: "Executive authority and ministerial authority have increased enormously and I can't see a way of breaking that genetic pattern which we've seen emerge in the political process."

He said talk of stronger committee scrutiny tended to make political leaders "go white in the face and walk out of the room".

Giving hope of reform in data protection, deputy information commissioner David Smith told the conference that the Information Commissioner's Office (ICO) was no longer a "toothless bulldog". The new powers being made available to the ICO would allow it to be tougher on organisations that got it wrong, Smith said, while it continued to simplify the rules for all those organisations trying to get it right.

But he admitted there was a "never-ending stream of powers that we would like to have".

Smith said: "We were asked by the minister two years ago what two things we would want to make our regulatory role more effective. One was the penalties, the fines, some way to punish those that don't take their responsibilities seriously, and we've got that. If we do come out of [the consultation] with the figure being £500,000 maximum, that is not unreasonable.

"We also said we wanted the powers to do inspections, the power to come in and check, do audits. I think we're halfway there. We've got it on the statute book, we've got it through government departments, but we've got another stage to go before we can actually do that for the rest of the public sector and for the private sector."

Other speakers at the London conference included Belinda Lewis, head of information policy at the Ministry of Justice; Rosemary Jay, national head of information law at law firm Pinsent Masons; Sara Draper, head of knowledge economy at the CBI; Dr Chris Pounder, from Amberhawk; and Robert Guice, executive vice-president with Shred-it, the event's main sponsor.