The burden of looking after personal information

If it is important for us to properly protect people's information, then we need to behave as if we mean it. That's sort of a truism, but we suspect that the reality is more patchy. What would happen if you could go to prison if you screwed things up? Discuss...

The Ministry of Justice (MoJ) have put a consultation into the field around the introduction of custodial sentences for particular offences under the Data Protection Act (DPA). The short version of a complex and involved argument is that this could mean prison for an IT professional who behaves recklessly with people’s personal information. That’s despite this being aimed primarily at people who deliberately misuse personal information for their own gain. For the long version, and the opportunity to contribute to the consultation, do visit the BCS Members Network and the BCS Consultations group.

This is a tricky one. The idea that BCS, the Chartered Institute for IT, would potentially be in favour of IT practitioners going to prison may at first glance seem odd. However, the Institute is there for the benefit of the public, and Members are part of a public profession with public responsibilities. Fundamentally the idea is not to send people to prison, but to change behaviour.

At the heart of this is the question of how important the protection of personal information really is. Of course, it is a matter of degree. My name and address are not as sensitive as my bank details, and they aren't as sensitive as my health records. Yet when there have been government data losses in the recent past – and in some cases of highly sensitive personal information – there has been a great public outcry but little or no punitive action.

Clearly, you'd have to do something pretty spectacularly wrong in order to be thrown in prison. However, I suspect there's a lot of practice out there that – under a microscope – looks spectacularly wrong, especially from the point of view of the subject of the information. That is speculative, as I don’t believe BCS have ever done a survey into atrocious behaviour, but I’m sure there are many who can testify to some pretty awful practice found 'in the wild'.

On the one hand, society rightfully wants to encourage those behaving like idiots with other people's information to do things more professionally. On the other hand, it suddenly becomes quite important for a professional who acts properly to demonstrate that they did. Unfortunately, it is possible to have acted appropriately using good practice and having appraised, mitigated and eliminated all known risks...and still suffer a breach. In those circumstances it needs to be easy to demonstrate innocence. I know...'innocent until proven guilty'...but on the whole it is better to be in a position to show investigators that there is no case to answer than to have the prosecution fail in court.

For me this is all about the maturation of the profession; something the BCS is actively working to accelerate. For those at the IT coal face – particularly in sectors where practice ain't always top notch – this could result in pandemonium.

If you've got a view, do share it in the comments below – or come and take a look at the draft response posted on the Member Network that is there to be pulled to pieces...

Comments (6)

  • 1
    David Williams wrote on 27th Nov 2009

    There used to be a time (pre Microsoft) when the onus was on developers to create systems that were safe and secure - yes, I know they failed, but when they did, the cause was apparent and the system was corrected. We seem now to be in a time when we are prepared to put anyone, irrespective of their ability, in front of a keyboard and expect them to take full responsibility for everything they enter and every command they give. The consequence of an inappropriate instruction can be devastating yet the systems we build now are more intent on identifying who gave the wrong instruction rather than applying the rules and blocking it in the first place.

    The place for data is a 'mainframe' or its modern equivalent, being manipulated by software that is inherently safe - not someone's laptop being fiddled with using Word or Excel.

  • 2
    David Evans wrote on 27th Nov 2009

    Thanks David - you're right, in that systems that rely on people behaving perfectly are doomed. In practice, it's always difficult to balance protection with flexibility. For example, designing a system (in the fullest sense - not just the IT) that makes it easy to put the entire contents in unprotected form on a laptop or USB drive is the issue - as it's likely that the laptop or USB will be lost. You might ding around the ear the person who lost the device, but then hold the professional who designed the system to account. It's highly complex, and currently it is very difficult to identify responsibility. There is a lot of development of process and good practice - and a lot of adoption necessary. Optimistically, custodial sentences could be a good incentive to develop and adopt good practice...

  • 3
    Frank Morris wrote on 2nd Dec 2009

    Is it just IT professionals that act recklessly with people's personal information? I've been working in a sector that does a lot of work with the Department of Work and Pension. When I joined the company it was common to find customer records printed out and left in the bin; customer CVs left on public computers, copying of entire databases containing personal information and then sending them in the post on unencrypted USB sticks. The reason - no IT department and staff were just doing what they could to get the job done. So are the directors, managers not equally responsible for ensuring that our data is safe?

    On the plus side, the result of certain government departments losing data, I have seen companies in this sector being forced to adopt better security practice when it comes to handling data. DWP are now insisting that organisations in this sector are ISO27001 compliant before they even hand over their data. No security = no data = no contract = no money.

  • 4
    Rob Lucas wrote on 2nd Dec 2009

    My view on this issue is that it is the consultant’s role to inform and lead by education and not dictation; in simple terms I agree with Frank: the managers and directors must be held accountable for not making sure that data is kept safe. In comparison, if you were advised by your accountant that moving money from one business to another may be seen as violating money laundering laws and you do it anyway, surely it is not the accountant's fault. It is easy to pass the blame when an issue arises; however, I have witnessed many cases where the client insists on carrying data on USB drives, storing backups on unencrypted media, totally against my professional advice. Stiffer penalties need to be in place (and enforced) for those who believe that their actions hold no consequences. We as IT professionals and consultants already follow a strict code of conduct through the BCS, which must be promoted in the same light as those in the legal and accounting sectors.

  • 5
    Alex R wrote on 9th Dec 2009

    I fully agree, data must be kept safe and BCS is right to try and take a lead in this:

    My current company (an HR / Payroll provider), tries to ensure all our staff are fully aware of our data protection policy and the data protection act: We have initial joiner data protection training and then annually for all employees (director right down to lowest level): It is surprising how many people don’t fully understand Data Protection and even those with a good grounding often find some useful tips in this annual training in which we re-iterate the fundaments, plus discuss different areas in more detail:

    I have been at / involved with other companies where zero or very little training takes place as it is assumed we are all experts: This to me is an issue at the highest level within those companies and where any blame should be partially laid if any breaches

  • 6
    Russell Fleming wrote on 2nd Feb 2010

    David, I have not yet looked at any draft MoJ proposals. Though from the majority of comments made here thus far it appears prima facie that a large proportion of it may rest upon IT systems. How many concern themselves with information passed over telecommunications lines via phone (voice) or fax? Not many in my experience.

    As far as company officials are concerned, there are laws already in place that burden with legal accountability, the issue is proving it as always and negligence affects everyone involved in any cock up.


About the author

Thoughts on membership, the profession, and the occasional pseudo-random topic from the BCS Policy and Community Director.

See all posts by David Evans
