The burden of looking after personal information

If it is important for us to properly protect people's information, then we need to behave as if we mean it. That's sort of a truism, but we suspect that the reality is more patchy. What would happen if you could go to prison if you screwed things up? Discuss...

The Ministry of Justice (MoJ) has launched a consultation on the introduction of custodial sentences for particular offences under the Data Protection Act (DPA). The short version of a complex and involved argument is that this could mean prison for an IT professional who behaves recklessly with people's personal information, even though the proposal is aimed primarily at people who deliberately misuse personal information for their own gain. For the long version, and the opportunity to contribute to the consultation, do visit the BCS Members Network (network.bcs.org) and the BCS Consultations group.

This is a tricky one. The idea that BCS, the Chartered Institute for IT, would potentially be in favour of IT practitioners going to prison may at first glance seem odd. However, the Institute is there for the benefit of the public, and Members are part of a public profession with public responsibilities. Fundamentally the idea is not to send people to prison, but to change behaviour.

At the heart of this is the question of how important the protection of personal information really is. Of course, it is a matter of degree. My name and address are not as sensitive as my bank details, and those are not as sensitive as my health records. Yet when there have been government data losses in the recent past – and in some cases of highly sensitive personal information – there has been a great public outcry but little or no punitive action.

Clearly, you'd have to do something pretty spectacularly wrong in order to be thrown in prison. However, I suspect there's a lot of practice out there that – under a microscope – looks spectacularly wrong, especially from the point of view of the subject of the information. That is speculative, as I don’t believe BCS have ever done a survey into atrocious behaviour, but I’m sure there are many who can testify to some pretty awful practice found 'in the wild'.

On the one hand, society rightfully wants to encourage those behaving like idiots with other people's information to do things more professionally. On the other hand, it suddenly becomes quite important for a professional who acts properly to be able to demonstrate that they did. Unfortunately, it is possible to have acted appropriately, followed good practice, and appraised, mitigated or eliminated every known risk... and still suffer a breach. In those circumstances it needs to be easy to demonstrate innocence, which in practice means having kept the evidence: the risk assessments, the decisions taken on each risk and why, and records of the controls that were actually in place at the time. I know... 'innocent until proven guilty'... but on the whole it is better to be in a position to show investigators that there is no case to answer than to have the prosecution fail in court.

For me this is all about the maturation of the profession; something the BCS is actively working to accelerate. For those at the IT coal face – particularly in sectors where practice ain't always top notch – this could result in pandemonium.

If you've got a view, do share it in the comments below – or come and take a look at the draft response posted on the Member Network that is there to be pulled to pieces...

About the author

Thoughts on membership, the profession, and the occasional pseudo-random topic from the BCS Policy and Community Director.

See all posts by David Evans