Mike Small FBCS, from the London Chapter ISACA Security Advisory Group, looks at what we can learn in terms of privacy and information governance from the News of the World situation.
On Sunday 10 July 2011 the News of the World published its last edition. This paper had been publishing for 168 years and was the top selling Sunday newspaper in the UK. The closure came following revelations of how the newspaper had allegedly obtained personal information using illegal methods such as phone hacking. What does this teach us about privacy and information governance?
The News of the World had a long history of exposing corruption in business and politics as well as the personal scandals of celebrities. It had been very effective at finding and revealing many stories of wrongdoing and corruption with a genuine public interest. However, the events leading up to the closure began in 2005 when the News of the World published details of Prince William’s health.
These details could only have originated from mobile phone messages having been intercepted and this led to a police investigation. Two years later, a reporter working for the newspaper and a private investigator were sent to prison for phone hacking. It was reported that the pair were considered to have been acting alone, and the investigation ended.
Over a period of time it emerged that the phones of further prominent people had been hacked. Then there were allegations that the lists of phone numbers included those of victims of crime and of victims of the 7/7 London bombing.
Gordon Brown, the former prime minister, has accused News International, owners of the News of the World, the Sun and the Sunday Times, of using known criminals to find stories. In 2006, the Sun published a story about the medical condition of Mr Brown’s son Fraser. Mr Brown says that only his family and medical staff had access to this information.
What is privacy and why does it matter? Privacy is the capability for people to prevent information about themselves from being made available to other people. There is no universal agreement on what information is considered private. However, privacy is a balance of the rights of an individual against the good of society. For example, it should not be possible for people to keep criminal activities secret using the right to privacy as an excuse.
The European Convention on Human Rights (1950) guarantees a right to privacy and this convention forms the basis for privacy legislation in the EU. This Convention emerged from the aftermath of the Second World War and was intended to prevent oppressive actions by states, bugging and late night knocks on the door by secret police. In particular, Article 8 of this convention, which guarantees a right to privacy, is extracted here:
'Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.'
During the 1990s it was recognised that cross-border trade required free movement of information and that this was vital to create a strong EU. This led to the EU directives on privacy that were intended to enable free interchange of personal information around Europe while protecting the privacy of individuals.
There are two principal EU directives which cover privacy: 95/46/EC on personal data processing, and 2002/58/EC on privacy of electronic communications. While these directives provide a common approach, laws vary in detail from country to country.
Firstly, it is difficult to understand how obtaining the information described above can be explained as being in the public interest. Secondly, the fact that reporters and investigators were able to get hold of some of the information raises the question of how well the information was being cared for. So the problem is one of information governance.
When an organisation in the UK obtains personal information about individuals it should do this with the consent of the individual and for a clearly defined purpose. If the information is held on a computer it should register the fact with the Information Commissioner. It should allow individuals to have copies of the information that it holds on them and it should correct errors. It should use appropriate techniques and technology to secure the information from misuse.
If an organisation obtains or holds information about individuals but does not know that this is happening, there is a clear failure of information governance. Equally if an organisation holds information about individuals and discloses this information to unauthorised people then that is also a failure of information governance.
Now it may be argued that the news media are a special case and there is some merit in this argument. If the objective of an organisation is to penetrate criminal gangs and corrupt enterprises in order to reveal the wrongdoing it can hardly be expected to act like a retail marketing organisation. However, we will have to await the results of the new police investigation to find out whether or not the law has been broken.
The ease with which some of the information was obtained raises the question of how well this information was being managed by the individuals and organisations holding it. It is alleged that mobile phones did not have voicemail security codes set, and that reporters were able to 'blag' information by calling organisations holding information and pretending to have a legitimate right to the information. (This may be difficult to believe for anyone who has attempted to negotiate the questions posed by call centres in the name of data protection.)
So what is the solution to this problem? Balancing the rights of individual privacy against the need for a free press is not easy and we will have to wait to see what emerges from these events. However, organisations need to take care of the information they hold and ensure that they comply with laws and best practice.
The best approach for organisations is one of information governance. Information governance sets the policies, procedures, practices and organisational structures that ensure that information is properly managed. Good governance ensures that there is a consistent approach to risks and compliance across different lines of business and multiple laws and regulations. It can reduce costs by avoiding multiple, ad hoc, approaches to compliance and risk management.
Organisations with good information governance will know what information they hold and will have a process for training staff on how to keep this information secure. This training should include securing voicemail and how to detect and resist attempts to blag the information.
Most blagging is based on the exploitation of human rather than technology weaknesses. For example, the blagger will pretend to be someone in authority or will ask for help. The strongest defence against blagging is to ensure that you have registered an agreed point of contact with the individual (for example a phone number). Then, if there is any suspicion, insist that you will only provide the information via that point.
Privacy is a balance between individual rights and public interest. Organisations that collect information on individuals, even the news media, need to make sure that they comply with privacy legislation. Organisations that hold information on individuals need to take care that this information is handled properly and that staff are trained to detect and resist unauthorised attempts to get hold of this information. Basically it is down to good information governance.