Thursday, 9 April 2015

Doing Porridge for your Data?



During an election campaign it is probably natural to ask ourselves what a government is for? And the answer is to govern...to conduct the policy, actions and affairs of a state, organisation or people with authority...to quote a dictionary definition. Obviously quite a complicated business but when it comes down to it I believe it amounts to setting boundaries.

That is what laws are. You can do this but you cannot do that, and if you do we will punish you. In an ideal world, any government’s legislation should leave its people in no doubt as to how they are expected to behave, everything should be black and white, and we should therefore understand the consequences of our actions.

Data security is regulated but the legal boundaries are anything but clear. Not to the vast majority of people. If you sat your average business manager in a room and asked him what he was supposed to do with the data within his control, he would not have a clue.

To a certain extent that is our own fault. Not many people have ‘check the data protection act and how it applies to my role’ on their to-do list. But they should of course. It would make things so much easier in the long run, especially if the information available was written so that anyone not related to Steven Hawking had a chance of understanding it.

Here’s a thing. An example of what I mean. When you dispose of an old Business PC, you are being governed (that word again) by two sets of legislation...WEEE and Data Protection. One classifies your old PC as waste and therefore it must be moved under a waste transfer note, by a licensed carrier and all that jazz. Not very exciting and we could have a debate about when it becomes waste, but essentially it is, so there, live with it and get a waste transfer note. It is better than a fine.

But the data stuff is trickier. According to the law you are not throwing out an old PC, you are giving away your data. From the moment it leaves your possession, your risk is running around outside of your control and protection and legally you need to show a duty of care towards its security. If you have not and it all goes a bit Pete Tong you are in the firing line of a £500k fine. Very soon you would be opening up the doors of the Scrubs and heading for a six month stretch standing nervously with your back to the wall!

Make no mistake about it; the penalties are serious and getting worse. The misuse of data is taken very seriously in Brussels and Westminster. Mess up through negligence or criminal intent and you can expect to feel the full force of the law and the Daily Mail, not necessarily in that order.

The law is often an ass but in this case it is not. It may not be educating us in how to stay on the right side of it enough for my liking but this idea that you are transporting data is good sense. People disposing of an old piece of kit do not see the data, they see the hardware. They are well used to passwords and network security and they don’t really think about what is on the hard drive. So the law is trying to say ‘hey stupid, remember what’s on there.’

The law is trying to protect everyone. Any data a business holds will involve someone else. It may just be name, address and phone number but in many if not most cases it will include sensitive stuff like bank details, medical records, financial information or even criminal records. So the law reminds you to take care.

Hence the existence of some 800 recycling businesses in this country who will deal with IT or data-bearing equipment. Or at least say they will deal with it. And this is where I get worried about the laws. The fact is they make suggestions without defining what they mean. They say use a specialist partner to make sure but they do not help with that choice. There are no British standards, no Kitemark for data erasure or destruction.

That in itself is not unusual. There are many sectors that have no government standards and quite often the sector gets together to try and set its own. The Press Complaints Commission would be a recognisable example of an industry regulating itself. In our case ADISA or the Asset Disposition and Information Security Alliance, which is an independent body certifying members and setting standards, in conjunction with the government, who do work around the edges.

However of those 800 business less than 40 are certified by ADISA. And only 3 are approved by DIPCOG to work in the MoD/Government space. Now this does not make the other 760 or the other 797 bad of course. It just suggests that in the absence of a national standard they do not see the value of playing the game.

That is a shame. The waters are muddy enough and we could do with some clarity. Because without it, who your data walks out of the door with is rather left to chance. And it is you who will pay the fine, not them. In a few months, when the new European laws get ratified, it could be you, or one of your directors, who gets to do the porridge.