Staff supplied spam list

Filed under: Governance,Privacy,Security — lenand @ 9:12 am

Quarkside’s spam sleuthing helped to identify a person who is no longer employed by the respectable company. Prompt action was taken and a company wide letter has been sent to all staff reminding them of their responsibilities under the Data Protection Act. I hope that the Information Commissioner has been informed.

The list was used to create spam.  How wide this has spread, only time will tell.  It was interesting that the spam led to a company that has “adopted a pioneering approach to the deployment of modern technologies such as MDM, yet couple this with a no-nonsense attitude to advice, governance and analysis.”  If this is a no-nonsense attitude to governance, then their internal processes are worthy of deeper inspection.  No-nonsense should not mean avoiding due diligence on sources of personal information.

SCC: Beware of BCC

Filed under: Local Government,Privacy — lenand @ 2:27 pm

Recently Surrey County Council was fined £120k for breaching the Data Protection Act. One of the reasons was that the word “Transport” was put into the Blind Copy field on an email – in error for the subject line.
Unfortunately, Transport was also the name of a list with all sorts of people, none of whom were the intended recipients of personal confidential data.

Let this be a warning for all.

Objectives of IG

Filed under: Assets,Objectives,Outcomes,People,Process,Risk,Strategy,Time — lenand @ 11:41 am

Information Governance is the setting of Objectives to achieve measurable Outcomes by People using information Assets in a life cycle Process that considers the impact of both Risk and Time.

That’s the one line definition that needs some expansion. We have to start at the beginning and decide why we need Information Governance (IG) in the first place. That is the Objectives of IG.

Quarkside says that the primary objective of Information Governance is to use information, not to prevent its proper use.   Information, from any data source, represents the added value of some data processing activity.  Locking data away, without the ability to use it, only costs money; and may lose the opportunity for delivering additional benefits.

Having said that, information assets need to be held securely and lawfully with access provided to authorised people. In a public library, librarians acquire books, catalogue them and provide access as custodians of the collection.  The librarians have added value when citizens search the catalogue and make use of the service.  Citizens have their own Objectives about why they need to select a book. They obtain access to information Assets within the library governance structure.

Objectives are one of the primary dimensions of the 7 Dimensional Information Governance Framework (7DIG).  The seven primary dimensions (Objectives, Outcomes, People, Assets, Process, Risk and Time) are intended to be MECE (Mutually Exclusive and Collectively Exhaustive).  A typical list of secondary dimensions may not be MECE, being dependent on the context and priorities of any specific IG framework.  For example, seven candidate secondary dimensions of Objectives could be:

  • Policy: direction from political leaders in a business area, providing the vision for maximising the value of information held;
  • Strategy: medium term initiatives and programmes leading to information sharing;
  • Law: over-riding principles, regulations and statutes that must be obeyed; the Data Protection Act, the Freedom of Information Act and lots more;
  • Constraints: local conditions, culture and practice that control Information Assurance (IA) and information sharing protocols;
  • Scope: range of business area and organisational functions impacted by the IG Process;
  • Context: external organisations and conditions interacting with the local IG regime;
  • Specifications: definition of things that need to be done, capable of measurement and quality assurance.

Secondary dimensions are just things to think about when establishing an IG Policy, Strategy and Framework. They should not become part of a tick box culture.   Corporate management needs to buy into them at the highest level.

The 7DIG Framework should focus on Outcomes and the value of using information, not purely the protection of information by an IA process. The next blog in the series will illustrate the importance of early consideration of the Outcomes desired by an organisation or partnership.

Cloud Contracts Clobbered

Filed under: Policy,Risk,Security — lenand @ 4:36 am

The Cloud is seen as a potential budget saver for public sector computing.  Commoditised processing power and storage with built in scalability and resilience is in everybody’s option list.  However, there are darker clouds that could dampen progress.

Security Soothsayer, David Lacey, has given us some warnings, blogging “I’ve long believed that Cloud computing will not be taken up by large corporate (sic) until much better legal and security assurances are provided. I’d even go as far as to say that we need a brand new security standard and independent assurance process to mitigate the risks to an acceptable level.”

He is right, of course.  Large corporates have lawyers to pay for looking at the small print that we mortals ignore.  ‘Like it or lump it’ seems to be the norm with Web suppliers these days.   It would be so much better if there was some definition of unfair terms and conditions that we could rely on.  Contracts are essential but they must be reasonable, providing legal protection and responsibilities for both parties.

Where I am working, location of cloud facilities is a major concern.  The public sector is paranoid about the implications of the Data Protection Act.  It’s not really the risk of using a trustworthy overseas supplier, but the fear of criticism from the Information Commissioner.
