by Allan Norman
I took part in an opinion poll recently, where I was asked questions about who I would trust with my data. Banks? The Health Service? The local authority? Education institutions? The government? My answer was, "none". My answer to the follow-up question was that I was most likely to trust a small local business or organisation. To put it another way, it seems that my levels of trust are inversely related to the chances of the organisation in question having a detailed Data Protection Policy.
It is, of course, the loss of a data stick containing details of the prison population that prompted these reflections. I have commented on data protection before, how willing we are to understand that it encompasses and regulates whether we tell people things they need to know. How did we come to lose sight of the fact that Data Protection also encompasses protecting data on data sticks?
The most obvious point that hasn't been overlooked by commentators is the obligation to keep data secure. My take on this is "absolutely no excuse" for the company concerned. Excellent security is available in the form of free open source software that can be downloaded to, among other things, encrypt and password-protect data on a data stick, even allowing you to use a keyfile, which requires the stick to locate an encrypted file on the host computer so that it only works in the right machine.
But security isn't the only apparent breach. The Data Protection Act also requires that information is "adequate, relevant, and not excessive". Or, as the Caldicott principles better express it:
- Principle 3 - Use the minimum necessary personally-identifiable information. Where use of personally identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.
- Principle 4 - Access to personally-identifiable information should be on a strict need-to-know basis. Only those individuals who need access to personally identifiable information should have access to it, and they should only have access to the information items that they need to see.
The whole database? How can that conceivably have been the minimum necessary, and not excessive?
Now that we're moving into a world where such a database no longer requires a computer the size of a small office to house it, but only a disc the size of a thumbnail, it seems the temptation is all too easy, and we just don't know how many complete databases are around, not because they should be, but because it's too easy and we're too lazy.
Of course, most of us will be shocked by the security breach. But many of us will also be actively involved in a project to create and implement a universal children's database, which carries all the same security risks: both the temptation to carry data around in an insecure fashion, and the temptation to keep vastly more information than the immediate need dictates. And all the same probabilities that we will treat the Caldicott principles in a cavalier fashion.
Indeed, quite apart from the risk to security, the documented probability that informational overload can actually decrease our ability to work effectively provides quite a separate reason to be concerned about a trend which Nigel Parton (British Journal of Social Work 2008 38(2):253-269) has described as a move from 'social' to 'informational' work.
Allan Norman is Principal Social Worker & Solicitor at Celtic Knot (www.celticknot.org.uk), an independent law firm and social work practice.
