Barely a month goes by when privacy breaches – mostly by government agencies like ACC, the Earthquake Commission and DHBs – aren’t in the headlines, but the gap is unlikely to be plugged so long as decision makers look to technology for the whole solution.
Chief Executive of New Zealand IT consulting and software development company Designertech, Ray Delany, says today that headlines like ‘ACC privacy breach probed’, ‘DHB acts to protect patient privacy’ and ‘IT policies threaten pupils' privacy’ may actually be prevented with low-tech human solutions.
Delany believes part of the problem is that the overwhelming focus of IT is on efficiency even when, in some cases, efficiency is not necessarily a good thing.
“Most of the privacy breaches have been very kitchen sink level from an IT perspective," he says. "For example, somebody sends an email somewhere they shouldn’t. That’s the equivalent of turning on the wrong switch at the kitchen stove.
“More often than not, organisations think of technology in terms of how to improve efficiencies and increase productivity, when they might be better served by an understanding of their own priorities. For example, when client privacy is more important than efficiency.”
Delany believes three factors are critical to safeguarding client privacy:
· The culture of the organisation
· IT governance and policies
· Technology based checks and balances
“In terms of the culture of an organisation, we regularly encounter a fairly recent set of naïve beliefs that people hold, such as the perception that all email is miraculously private," he adds.
"It’s one thing to do something deliberately, but in most instances people are doing things without having the faintest idea that it is a risk.”
A review by Government chief information officer Colin MacDonald released last year found that 73 per cent of agencies did not have formal security standards and procedures in place.
“Don’t for one moment think it is only Government that has this problem – it’s just as widespread in the private sector," Delany says.
"Technology is evolving so fast and people are working under increasing time pressures and workloads, so it’s inevitable that privacy breaches will continue.
“A good governance structure is critical, but so is having those policies and procedures deeply embedded in the thinking of people and their workplaces, particularly where an organisation is used to shifting large quantities of data around on email.”
Delany believes one solution is to learn from the workplace safety industry.
“For example, simple signage and education programmes similar to those used by workplace safety officers can help change thinking about privacy," he adds.
“What is certain is that the overall governance of information management and strategy should no longer be neglected or relegated behind productivity because it is perceived as a cost rather than a profit activity.
“Companies and government organisations are learning the painful lesson that focusing on the human element is as much IT related as hardware, and also the more cost effective approach. Training people is cheaper than spending half a million on IT infrastructure,” he said.
Technology solutions that may be implemented are by no means foolproof, but can be designed to work in sync with human behaviour.
For example, some organisations could consider configuring rules into the IT system that prohibit the attachment of certain types of files to emails, that specify certain file types, or that institute a ten-minute delay before an email is sent.
“It is not difficult to come up with easy and cost effective solutions that force people to think before they act, or which undo actions before any consequence or errors occur," he adds. "Knowing that, there is no excuse for privacy breaches."