No computer system is unhackable, and yet this simple reality often seems to be forgotten. The results can be seen everywhere around us, in the frequent headlines and reports about data breaches in private and public sectors alike.
Organisations naïve enough to state that “Security doesn’t matter, get over it” would hopefully not survive for long. Yet some seem happy to say “Privacy doesn’t matter” as they gobble up increasing quantities of our personal information.
The continuing existence of poorly designed information systems holding sensitive personal data produces the very opposite outcome of that intended – the so-called “law of unintended consequences”. A recent report, for example, found that the use of electronic health records has made healthcare systems particularly vulnerable to security breaches. And Wikipedia founder Jimmy Wales called the draft Communications Data Bill, with its ambition to obtain and hold a wealth of personal data about our daily online communications, “technologically incompetent”.
In the UK, there have been multiple attempts, under various political administrations, to create ever more comprehensive databases of our personal information, undermining rather than protecting both our security and privacy on a national scale.
Ensuring that governments get this right matters to us all: the trust ecosystem spills across both private and public sectors and across digital and analogue boundaries. Governments’ behaviour can improve or degrade the entire environment: it must tread carefully to balance its need for improved operational efficiency and productivity with security and privacy. Achieving that balance means letting the citizen play an active and equal role.
As part of the programme of ‘digital by default’ public services, the UK government is already moving to place the user at the centre of design. This is a welcome move towards a model where control of personal information rests where it more naturally belongs – with individual citizens able to monitor and maintain their own personal data. Other governments, such as Estonia, are already well ahead of us here, letting citizens review and maintain their own data online, as well as being able to check and hold to account those officials who have accessed and used their personal information.
While no information system will ever be unhackable, at least by placing the user at the centre of design, control of our personal data will be handed back to where it rightly belongs: us.