Friday, 21 October 2011

The fine line between transparency and privacy

Public sector organisations have unique information security challenges. Trusted to legitimately gather and use citizens’ private information, they are also required to adhere to standards of openness and transparency in everything they do. It’s a tough line to walk, as the Scottish Council of Dumfries and Galloway recently discovered, when it accidentally published the personal details of almost 900 employees – in response to a Freedom of Information (FoI) request.
Among the data made public: names, dates of birth and salaries. All up on the council’s web site for over two months before people noticed and complained.
The difficulties of being both transparent and secure were underscored by the Information Commission’s Ken MacDonald, who said that “Being open about council pay is a fundamental way that citizens can hold local authorities to account, but that should never be at the expense of upholding individuals’ privacy rights.” MacDonald added that the council was now reviewing its procedures in light of the lessons learned and that appropriate checks to ensure that personal data is handled in compliance with the Data Protection Act were put in place.
On this occasion, the council avoided a financial penalty, but the incident serves to highlight the difficulties faced by public sector organisations in fulfilling their mandate to serve citizens while protecting their privacy. There’s an inherent risk in sharing information online that can only be mitigated by putting the right security procedures and controls in place – and enforcing them.
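One concrete control of the kind the article has in mind is a pre-publication check that refuses to release a dataset containing fields that identify individuals. The script below is an added illustration, not code from the council or from the original post; it assumes the proposed release is a CSV file and uses constructed sample data and assumed column-name patterns. The point it makes is the one Ken MacDonald draws: pay figures by grade are publishable, pay figures beside names and dates of birth are not.

```python
import csv
import io
import re

# Column headings that point to an identifiable individual. These patterns
# are assumptions for this example, not an authoritative list.
IDENTIFIER_HEADERS = {
    "name": re.compile(r"(fore|sur|full|employee)?[ _-]?name", re.I),
    "date_of_birth": re.compile(r"\bdob\b|date[ _-]?of[ _-]?birth|birth[ _-]?date", re.I),
    "ni_number": re.compile(r"\bnino?\b|national[ _-]?insurance", re.I),
}

# Value-level patterns catch identifying data sitting under a harmless heading.
DATE_RE = re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-](?:19|20)\d{2}\b")
NINO_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")


def scan_release(csv_text):
    """Check a proposed CSV release for data that identifies individuals.

    Returns a dict with the offending columns, any value-level hits and a
    'publishable' flag. Pay figures on their own (e.g. per grade) pass; pay
    figures next to names or dates of birth do not.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    identifier_cols = sorted(
        col for col in headers
        if any(p.search(col) for p in IDENTIFIER_HEADERS.values())
    )
    value_hits = []
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header line
        for col, value in row.items():
            if not value:
                continue
            if DATE_RE.search(value):
                value_hits.append((row_no, col, "date-like value"))
            if NINO_RE.search(value):
                value_hits.append((row_no, col, "NI-number-like value"))
    return {
        "identifier_columns": identifier_cols,
        "value_hits": value_hits,
        # Fail closed: anything that looks personal blocks publication.
        "publishable": not identifier_cols and not value_hits,
    }


# Constructed sample: a grade-level pay summary, the kind of disclosure an
# FoI request about council pay can legitimately be answered with.
GRADE_SUMMARY = """Grade,Headcount,Min salary,Max salary
G7,120,21000,24500
G8,85,25000,29500
"""

# Constructed sample: a per-employee extract that must never be published.
EMPLOYEE_EXTRACT = """Employee name,DOB,Grade,Salary
A. Example,14/03/1975,G7,22150
B. Sample,02/11/1981,G8,27900
"""

if __name__ == "__main__":
    for label, data in (("grade summary", GRADE_SUMMARY),
                        ("employee extract", EMPLOYEE_EXTRACT)):
        result = scan_release(data)
        verdict = "OK to publish" if result["publishable"] else "BLOCKED"
        print(f"{label}: {verdict}")
        for col in result["identifier_columns"]:
            print(f"  identifier column: {col}")
        for row_no, col, why in result["value_hits"]:
            print(f"  row {row_no}, column {col}: {why}")
```

Value-level hits are deliberately broad (any date, not only a birth date), so a blocked file goes back to a person for review rather than being silently rewritten; the script is a gate in the publication workflow, not a substitute for the policy and training the article goes on to discuss.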
A key component of this is education and the creation of visible, flexible policies that take into account the real-world communications needs of any workforce while underlining why such policies are necessary. At a time when purse strings are tight, those charged with delivering public sector data security must increasingly look to solutions that enable them to unite technology with strong policy and people, striking a balance between compliance, risk and work requirements. Fortunately for public sector organisations and businesses alike, the guidelines are already out there. That’s half the battle – the really important thing is to ensure that they’re adhered to. By making security policies relevant to all users, organisations can support productivity and transparency while ensuring private data remains private.
Richard Turner
