Interview: Louise Bennett
In a frank interview with SC Magazine, Bennett explains why "blinkered" politicians must get to grips with citizens' personal data, how trust can be built in e-government services and why creating over-sized Government databases - such as the planned amalgamation of every user's phone and internet records - could unleash a hatful of errors.
Q: I understand that the British Computer Society has been producing a number of papers on security. What exactly have you been working on?
A: We have just produced a report on Trustworthy e-Government, which we have been working on for 18 months.
Q: Why did you choose that subject?
A: We produced the report to capture the agreed position of the BCS, other professional bodies like the IET (Institution of Engineering and Technology) and the Royal Academy of Engineering, NGOs like Liberty and the Information Commissioner's Office on how to build trust in e-government services, so that we would all be speaking with one voice, promulgate our view and initiate actions to improve trust in e-services in general.
Q: What do you hope to achieve through this report?
A: There are four things. Firstly, an informed public debate on the guardianship of personal data in the electronic age. Secondly, support for mandatory, published, privacy impact assessments in the public sector which take into account the risks to individuals of failures to secure their personal data. Three, pragmatic advice, education and training in the public sector on the importance of information stewardship. And four, an extension of the Data Protection Act principles to cover concerns raised by widespread data sharing. The Act came in 10 years ago when information was held in silos. It would be great if they were extended and the spirit of them followed. If the underlying principles were extended, you would get much better security of personal data. We are pushing very hard for that to happen now.
Q: Have you won support within Government for this?
A: The Information Commissioner has said he's 100% onside with it, and it's been seen by people in the Cabinet Office. We're currently lobbying John Suffolk, who is responsible for delivering transformational Government. We are ensuring there is a public debate on this.
Q: After the succession of large public sector data breaches, do you have concerns with the way the Government is handling data at the moment?
A: I think the major problem is in the assumption of data sharing in the Transformational Government Agenda, which is leading to new legislation with catch-all phrases like: 'This data will be used for the purposes of this Act and the more efficient running of government'. This effectively bypasses individual consent for personal data to be used for purposes other than that for which it was originally collected - and therefore is against the spirit of the second DPA [Data Protection Act] principle. I also think that government continues to see data protection as a "techie" concern and not as the responsibility of departmental board members and ministers.
Q: The House of Lords last year released a stinging report on personal internet security, and the Lords' spokesman for the report, the Earl of Erroll, has in the past been pretty critical of the Government's security efforts. Who is right here?
A: Both and neither. I think the Government is being really blinkered in what it's doing. They don't understand the technology and how difficult it is to do the things they are saying.
Q: Why don't they understand the technology?
A: The majority of MPs haven't done a real job in the real world. They're professional MPs. An enormous amount of regulation goes through on the nod because they're not quite sure. The over-riding view in Government departments has been to see big IT systems as a means to cut costs and cut bodies.
Q: Last month, the Government hinted at plans that it would combine records of all phone calls and internet usage in one central database, for which it has been heavily criticised by some parties. Are you supportive of such plans?
A: Like with Connecting for Health, I don't know why the Government is fixated with central databases. With current computing, it makes sense to leave databases where they are, and link them. You have a problem with names when you merge databases: for example with maiden names. You don't need to copy it all to one humungous database. How would you ensure the integrity of that database? A lot of data is preservation intense - you might need to keep it for 10 years or more. The issue is to be absolutely certain that you need the data in the first place. Lots of people tend to collect data because they think it might be useful. Disposal is something people tend to forget about.
Q: Government ministers have suggested recently that they will fund a dedicated e-crime unit, countering concerns that it is not doing enough to address crime on the internet. Are you supportive of these plans?
A: E-crime is a growing area of crime. It hasn't been looked after properly. It's as important as physical burglary, but they're not given the same status. It's hard for each separate police force to do that. A lot of it is difficult to police because it can be international and you have to prove intent. You need to be clear on who you can go to and that those people are competent to deal with it. That would ease some of the frustration among businesses that e-crime has not been taken seriously.
Q: Besides the trustworthy e-government report, what else is the BCS working on?
A: With regards to internet security, we are looking at where responsibilities lie between all the parties. The ISPs have some responsibility, the police have some, legislators have some. At the moment, there is a lot of jockeying for position. We need accountability of who has responsibility for what: without that you either have duplicated efforts, or things fall between the lines. The Government is saying that ISPs should be responsible for anything that has any criminal overtones, but that is a very suspect thing to do.
Q: Who do you think should take responsibility for offensive internet content?
A: I think it's very complicated. If we knew the answer, we wouldn't be investigating it. ISPs have been very responsible over child pornography. I think it's very important for them to take full responsibility for everything. But as users, we also need to take responsibility.
Q: Do you think businesses should assume some responsibility as well?
A: Businesses need to have a policy for themselves. Most businesses are quite clear that if a user accesses porn, it's a dismissable offence. A lot of companies have problems with social networking sites. It's important to have a policy and be rigid about imposing it.
Q: Do you think there are any other weaknesses in the private sector?
A: Businesses have to realise that information management is a board-level issue - it's not a techie issue. It has to make it into the annual report.
Biography - Dr Louise Bennett
Louise Bennett is the chairman of the British Computer Society's Security Forum Strategic Panel and also a member of the society's government relations group. She moved into the private sector as an IT director in the late 1980s, after an initial career as a government scientist in overseas aid and the MoD.
Over the last twenty years she has worked at board level in both the private and public sectors. She has worked on various government advisory bodies including the Police IT Organisation.
In her consulting work she focuses on all aspects of strategic and corporate governance, particularly the exploitation of new technology and risk management. She also specialises in the ethical dimensions of governance.