IG People: Huge gap in skills

Information Governance is the setting of Objectives to achieve measurable Outcomes by People using information Assets in a life cycle Process that considers the impact of both Risk and Time.

People are our greatest asset; thanks to Graham Sadd of PAOGA for promoting this phrase.  It highlights a weakness in the definition above.  In the public service context, consideration has to be given to both the receivers and providers of service. Service receivers are rightly sensitive to, and legally protected for, the sharing of personal data; they have rights. Service providers have roles and responsibilities with respect to processing data about their clients.  Organisations have a duty to administer information Assets securely and use them for improving Outcomes.

People are a primary dimension in the 7DIG Framework. Seven candidate secondary dimensions are:

  • Identity: defines a person uniquely. It is essential in every personalised service for both the giver and receiver. Identity Management is a huge topic and beneficially considered as a separate subject; however, it is inextricably linked with Information Governance. Correct identity is used to establish rights, roles and responsibilities. Correct identity is necessary for information sharing between organisations.
  • Rights: Whether enshrined in statute or common law, individual citizens have rights of many kinds. Information collected from and held about citizens is entrusted to public authorities for safe-keeping. Entitlements, such as housing benefits, are personally sensitive and there is a right of privacy.
  • Responsibilities: Service delivery staff are charged with administrative duties and may be obliged to follow strict information sharing protocols.
  • Organisation: Government agencies and local authorities, not named staff, are usually nominated as the guardians of information. The management structure and hierarchy need to identify a senior responsible officer who is accountable for Information Governance.
  • Roles: People may have several different roles at the same time, depending on the context. A police officer would just be regarded as a parent in a school system.  The Information Governance Processes should be capable of verifying that access to information Assets is only given to appropriate roles.
  • Culture: Historically, Information Governance has concentrated on Impact Level Assessment and data protection. Information sharing between agencies is not fully trusted and a Risk-averse culture has a default option not to share. With increasing political demand for many more multi-agency services, reversing this culture may yet take many years.  The new mantra of shared services needs shared information in a trusted environment.
  • Education: Information Governance in the widest sense is not high on the political or social agenda. There are pockets of good practice in identity management and data protection but not a high skill base for information analysis and maximising the value of data.

To quote a couple of excellent research reports from the Audit Commission: “Is there something I should know?” showed how poor quality of data and analysis processes in public sector organisations can badly impact decision making:

  • “Members say they receive lengthy reports but still do not have the relevant information they need. Senior officers are frustrated that powerful data are unexploited.
  • Less than 5 per cent of councils have excellent data quality and many acknowledge that their data quality problems are fundamental in nature.
  • Almost 80 per cent of councils say a lack of in-depth analysis is a major problem.”

“Nothing but the Truth” was critical of the skills of People, for example:

The special Joint Area Review of the London Borough of Haringey in November 2008 found that ‘the standard of record keeping on case files across all agencies is inconsistent and often poor… Police and health service files are often poorly organised and individual cases are difficult to follow. Health services files include hand-written notes which are sometimes illegible and do not identify the author. The standard of record-keeping in the health records of looked-after children and young people is poor and some entries are inaccurate’ (Ref. 13). Work by the Commission for Social Care Inspection into the quality of care practice with people experiencing abuse found something similar.

Some People may be very pleased that such independent scrutiny is disappearing from the local government sector.  Good quality information is critical to the success of both bottom-up and top-down methods of governance.  Big Society needs even better access to information stores.

Different parts of the total Information Governance environment require different skills and different People. Hence it must be a team effort, bringing together service practitioners, managers, lawyers, administrators, computing staff, information analysts and security experts – to say nothing of the input from citizens who are data subjects. Furthermore there is the Information Governance surrounding intelligence, intellectual property and classified data; there are specialists in all these fields.

Quarkside hopes that a simple framework like 7DIG can expose some basic principles that will help understanding of a complex subject area. Information Assets will be the next to be published.

7DIG Domains


Identity Fallacy – No2UID

This is a tough blog. The ideas started six years ago, when I was battling with solutions for multi-agency information sharing, but they have not gone away. Robin Wilton (@futureidentity) privately reminded me: “I know you’re ahead of your time, but some are finally cottoning on to what you said 5 yrs ago.”

How can I describe it clearly and simply to non-technical politicos, and eventually be accepted by academics and suppliers? It is the non-technical who provide the leadership that could make it happen. In the context of public sector services, I want People in Power to say, in three quarks,

  1. A person does not need a Unique Identifier (UID).
  2. The Law does not demand a UID.
  3. Use just sufficient data to identify a person.

Recently I heard highly respected technical advisers saying in Eurim Identity Governance meetings, “You must have a root identity.” I contest this statement if it equates to, “You must have a UID on some central database”. No2ID are right as far as they go, but do not take the argument to the next logical stage – what to do next. Looking at the Quarkside principles for Process, Governance and Technology, this emerges:

  • Citizens and officials understand their own requirements and can agree an acceptable set of processes.
  • Governance, rights, responsibilities and constraints must apply within the Law.
  • Technology looks simple if Process and Governance are agreed – trusted public sector credentials are an objective.

Public Jobsworths always quark three questions when somebody presents themselves for a service: “Who are you? What do you want? What are your entitlements?”  Jobsworth refuses service if he is not satisfied with the answers to any of the three. This blog only considers “Who are you?”, assuming the existence of the other two questions.

Quark 1: A person does not need a Unique Identifier (UID)

“Who are you?” equates narrowly to Identity. It is only Identity at a sufficient level of trust to meet the requirements of a specific entitlement. In the simplest case, the person can be completely anonymous; in a municipal car park, only the ability to pay makes sense. However, they may keep a record of your car registration number. Requests for Housing Benefits are at the other end of the scale. The identity offered does not need a unique code.

It must be the right person, who must not use false documents as evidence of identity. Identity evidence has to be fit for purpose. To repeat; you do not need a UID.

Quark 2: The Law does not demand a UID

Requests for evidence of Identity are necessary in most circumstances.  A National Id Card might have been useful, but the maintenance of a National Identity Register is effectively outlawed.  No2ID and others mounted a most successful campaign; Id Cards will not re-appear any time soon. However, the Identity Documents Bill 2010-2011 has sanctions against people using false identities and Clause 10, according to No2ID, “creates much broader data-sharing powers than the parallel ones in the 2006 Act.”

I have argued against reliance on central Identity registers for many years, in many forums. The overwhelming evidence is that allocating UIDs leads to errors, duplication, inconsistency and incompatibility. Take the revered National Insurance Number (NINO): it does not cover every person in the UK who might be entitled to a public service; children, if you want an example. There are restrictions on where NINOs can be used and re-purposed. Look at the governance problems engendered by the defunct ContactPoint. The Data Protection Act permits cross-referencing of computer files when fraud or a crime is suspected. Individual voter registration can use both local and central government databases to verify identities.

Nowhere is there a reference to a UID. UIDs are technologists’ shorthand for a key that identifies a record in a data store; it does not identify a person. It identifies a computer record.

Quark 3:  Use just sufficient data to identify a person

This is the point of the debate – looking to the future. Only a combination of evidence from several sources can be used to identify a person accurately. This reflects life as it is. People legitimately have a choice of names and addresses without breaking any law. People possess credentials for each of their chosen identities: stage names, maiden names, peers, protected witnesses and many more.

Administrative computer systems need to be interoperable for efficiency and accuracy of bureaucratic processes. Poor interoperability is the current norm because of unjustified reliance on poor quality UIDs. The alternative to failed and failing UID processing is to use Linked IDs (LIDs).

LIDs map between entities on disconnected data stores, such as databases, managed by different public sector bodies.  Mapping between identities is embraced in the ISO standards for systems interoperability (ISO 18876). They should be engineered to comply with Kim Cameron’s Laws of Identity.

The technical architecture builds on the rights of a person to manage their own identity data, like Mydex and PAOGA, plus the ability for officials to add assertions of identity from other sources. These assertions can be graded and ranked, within the law.

If this blog raises any interest, I have lots of old material that could be resurrected as a starting point for some innovative technology.  My proposal, made five years ago, was based on properties of Google. Not Google, but cloud based technology that permits intelligent searching of linked data, leading to identifying the right person.  The user interface does not expose any more detail than a citizen is prepared to give as evidence of identity. It is also analogous to credit reference checking, where a strength of identity can be given rather than a credit limit. I hope that it won’t take another five years before the hegemony of UIDs and root identities can be broken.
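The linking and grading idea above, as an added sketch that is not the author's proposal or code: records in two constructed stores are linked by agreeing attributes rather than a shared UID, and the summed grade is compared with what each service requires. The store contents, attribute weights and service thresholds are all assumptions made for illustration.

```python
# Added illustration. Records, weights and thresholds are constructed assumptions.
from dataclasses import dataclass

# Each store has its own local key; the key identifies a record, not a person.
STORES = {
    "housing": {"H-17": {"name": "ann lee", "dob": "1980-02-01", "postcode": "n17 9aa"}},
    "electoral": {"E-42": {"name": "ann lee", "postcode": "n17 9aa"},
                  "E-43": {"name": "ann lee", "postcode": "e8 1bb"}},
}
WEIGHTS = {"name": 1, "postcode": 2, "dob": 3}   # hypothetical grade per attribute
REQUIRED = {"car_park": 0, "library_card": 3, "housing_benefit": 8}  # hypothetical

@dataclass(frozen=True)
class Assertion:
    store: str
    record_key: str
    matched: tuple   # attribute names that agreed with the evidence
    grade: int

def assertions_for(evidence):
    """Return graded assertions from every store, strongest first."""
    found = []
    for store, records in STORES.items():
        for key, rec in records.items():
            shared = sorted(a for a in evidence if a in rec)
            # No overlap, or any contradiction, means no assertion is made.
            if not shared or any(rec[a] != evidence[a] for a in shared):
                continue
            grade = sum(WEIGHTS[a] for a in shared)
            found.append(Assertion(store, key, tuple(shared), grade))
    return sorted(found, key=lambda a: a.grade, reverse=True)

def identity_strength(evidence):
    """Sum grades over stores that link to exactly one record."""
    total, links = 0, {}
    for store in STORES:
        hits = [a for a in assertions_for(evidence) if a.store == store]
        if len(hits) == 1:   # two candidates is ambiguity, not identification
            total += hits[0].grade
            links[store] = hits[0].record_key
    return total, links

def decide(service, evidence):
    """Serve only if the linked evidence is strong enough for this service."""
    strength, links = identity_strength(evidence)
    return strength >= REQUIRED[service], strength, links

if __name__ == "__main__":
    ann = {"name": "ann lee", "postcode": "n17 9aa", "dob": "1980-02-01"}
    print(decide("car_park", {}))            # anonymous is enough here
    print(decide("housing_benefit", ann))    # needs corroboration from both stores
```

A name alone links the housing record but is ambiguous in the electoral store, so it adds nothing there; a contradicted attribute removes the link altogether rather than lowering the score.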

I want to put a LID on the idiotic and wasteful pursuit of UIDs in the public sector.  No2UID.


Personal Data Overload

Filed under: Privacy,Strategy — lenand @ 8:31 am

The Mydex white paper on “The Case for Personal Information Empowerment” advocates personal data stores.

Personal Data Stores are a service to the individual. With a Personal Data Store, the data sits on the side of the individual under the individual’s control; data is collected and stored in the individual’s own database to be managed and controlled by that individual for the individual’s purposes.

Personal data stores are what I have been advocating for years. I even went to the extent of visiting the offices of PAOGA. However, I don’t yet fully trust solutions that rely on servers that are reputedly uncrackable. I certainly don’t trust my ability to provide a secure database on my own machine. What if my antiphishing protection is one or two steps behind the hacking industry? I might be happy with something on a physical storage device in my pocket (encrypted, of course). Maybe mobile devices need that little bit extra.

For a bit more of background have a look at this blog.  It has a lot more techie background than I can handle.  Paul Trevithick must be a wise guy – he picked the same WordPress theme as me.
