Memorandum submitted by Symantec
1. Symantec welcomes the opportunity to
submit evidence to the Home Affairs Select Committee on issues
relating to the growth of, and public concerns regarding, public
and private databases and forms of surveillance.
2. The pervasive nature of advanced technology
has led to the internet, mobile telephony and communication technology
becoming a part of our everyday lives. In this era of technological
development, data is the currency of the age. As the network economy
continues to grow the amount of personal information being processed,
accessed, shared and stored online looks only likely to increase.
The development of innovative online services and the future delivery
of public services will rely on individuals' continued willingness
and trust to share information online. Therefore addressing citizens'
concerns over data security is essential to allay public fears,
realise the full benefits and opportunities provided by technology
and increase citizens' confidence in the online connected world.
3. It is important to recognise however,
that data has been collected and surveillance conducted long before
the emergence of the database, Internet, mobile telephony or even
CCTV. Information communication technology has not caused surveillance
to occur. Rather technology is simply a tool that has become prevalent
in our everyday lives and has led to an increase in the provision
of goods and services electronically which requires the sharing
of information. It could be argued that it is not so much a surveillant
society that is emerging but rather a pervasive computing environment
within which increased importance must be placed on the responsibility
of industry, government and also citizens to protect their personal
4. In this era of transformational government
and online public service delivery an increase in the use of technology
is resulting in online data collection and sharing. It is suggested
that the introduction of performance related standards and an
annual scorecard for government IT systems' effectiveness could
act as important incentives for departments to introduce effective,
efficient and measurable data management and data privacy controls.
5. In addition greater understanding and
awareness is needed by citizens on the role of existing effective
legislation in place to protect data from misuse such as the Data
Protection Act. Symantec also believe consideration should be
given to the introduction of a data breach notification law currently
being considered by the EU. Raising understanding of the positive
benefits of database management and technology in protecting information
could also have a positive impact on citizens' fears over the
power and role of database technology, in particular raising awareness
of how the creation of formalised, structured databases can increase
the security of data and protect information against unauthorised
access and possible misuse.
6. Formalised data sharing gateways between
the public and private sector enable information to be assessed
against data stored on existing databases within a legally agreed
framework. Symantec recognise that there are public concerns over
the use of data sharing gateways. For example while consumers
consent to checks on their identity being conducted when applying
for financial services, when similar checks are conducted by public
agencies this is regarded as intrusive and leads to privacy fears.
Public concern may derive from the fact that while financial organisations
require an individual's consent before checks can occur, no such
consent is required in a data gateway investigation.
7. However, technological safeguards and
legal protection are in place that can ensure the data provided through
data sharing gateways is appropriate and relevant to the purpose
for which the data is being sought.
8. Data management systems can ensure only
the relevant and appropriate data is shared through the gateway.
Having a structured approach to database management ensures that
the data collected by an organization is categorised, stored
and protected appropriately. Automated processes mean the relevant
data allowed to be shared with a public agency is clearly defined
and easily retrievable. This means that only the data legally
allowed to be shared is accessed, meaning companies meet legal
requirements whilst preventing unlawful processing or unauthorised
sharing of data. The alternative to having a structured database
solution in place is a fragmented approach where data is held
on multiple operating systems, on multiple applications and increasingly
across shared networks. This can lead to information being scattered
across a number of different platforms or accessible by various
partners, resulting in greater insecurity to valuable and sensitive
9. The Data Protection Act (DPA) is an important
piece of legislation that outlines the legal requirements for
the processing, privacy and disclosure of individuals' data. It
states that data held securely for one reason cannot be shared,
or used, for another purpose. It can be suggested that citizens'
fears regarding the privacy of their data may derive from a lack
of awareness of their rights under the DPA and the efforts made
by the private sector to adhere to these laws. It is suggested
that educating citizens on the role of data sharing gateways and
the DPA's principles could instill greater confidence and assurance
in the role of the data sharing that currently occurs between
the private and public sector.
10. Technology enabled transformation of
government is a visionary strategy that will improve the quality,
efficiency and cost effectiveness of public services. The take-up
by citizens of e-government services will rely on having systems
and processes in place that can ensure the confidentiality, integrity,
availability and privacy of personal data shared with government.
However, at the heart of the Transformational Government agenda
is a shared services culture; one which will require greater data
sharing between and within government departments.
11. Citizens' fears over data sharing by
government departments present a major challenge to the future
delivery of public services. However having systems in place that
can ensure access to particular types of data is only granted
to appropriate and authorised individuals in the relevant departments
or agencies will be a key factor in preventing unauthorised access
to sensitive personal data.
12. Standard policies, procedures and requirements
for data management mean access levels can be allocated to particular
types and levels of data by government departments and bodies.
For example the introduction of common access controls across
the NHS IT systems could ensure only designated NHS personnel
have the right to access patients' sensitive information; reassuring
citizens that their data is not vulnerable to unauthorized access
or misuse. The access given to NHS staff could be monitored and
audit trails produced, providing additional reassurance to patients
that the confidentiality of their data is being maintained. Access
levels can also be used to dictate the information that can be
shared outside an organization for example to another NHS body
or even to an insurance company's private database.
13. Another example of this approach is
the new Management of Police Information (MOPI) database; part
of the Impact program which is aimed at improving the way UK police
forces manage and share information. It is understood that MOPI
will introduce standard procedures to ensure only authorised personnel
can obtain and record information on the system. In addition rules
for authorised sharing of information among police services and
agencies will also be put in place which all forces will be required
to implement and follow by December 2010.
14. However, MOPI is currently one of many
projects being developed that focus on the need to co-ordinate
data across multiple criminal justice organisations. As we move
forward Symantec believe, where possible, consideration should
be given to how these information related projects might be brought
together. This would ensure projects do not become isolated and
create duplicate databases and procedures for access to information
which could challenge the standardised approach being implemented
15. The introduction of effective access
levels across all government departments would require common
data management procedures and practices to be developed and implemented.
The latest version of the CSIA eGovernment framework for information
assurance introduces much needed guidelines on the standardisation
of processes, terminology and procedures for the secure access,
authentication and management of data within and across government
departments; essential as the development of automation and reliance
on shared services increases. The framework document provides
government departments with the information needed to take a proactive
approach to protecting information assets, understand their duties
and responsibilities for ensuring the systems underpinning online
services are secure and above all how to implement existing best
practice in Information Assurance. Symantec believes that trust
in electronic services is best achieved through Information Assurance
and welcomes the approach being taken by the CSIA.
16. The European Commission is currently
conducting a Review of the EU regulatory framework for electronic
communications networks and services. As part of this review amendments
to legislation are being considered to require network operators
and Internet Service Providers (ISPs) to notify customers, and
national regulatory authorities, when a security breach has occurred
leading to the loss, alteration, and unauthorized disclosure and
access of data. Symantec has welcomed the requirements proposed
which would introduce an important incentive for ISPs to increase
the safeguards and levels of security for data stored online.
17. A data breach notification law could
help raise greater awareness, reassurance and trust amongst individuals
on how their personal data is protected on-line and what recourse
they may have in case that data is disclosed without authorisation.
Symantec believes that the scope of the data breach notification
should not be limited just to ISPs and electronic communication
service providers but to all sectors that process sensitive personal
information on-line. For example this could include retailers
and financial institutions.
18. When considering the introduction of
a data breach requirement however, it will be important to define
the breadth of the disclosure requirements and also ensure providers
that take adequate steps to protect data and suffer a breach are
not held liable. It will be important to determine whether information
on a breach that has occurred should be reported on a confidential
basis or circulated publicly. For example, breach information
could be given to the National Regulatory Agency (the Information
Commissioner's Office in the UK) which could then disseminate
relevant information to the public. Alternatively information
could be openly disclosed to all those individuals involved. Given
the possible negative impact on users' confidence in both public
and private sector online services, the issue around the confidentiality
of data breach information is an area that will require further
consideration and discussion going forward.
19. Finally, ensuring that electronic communication
service providers that have demonstrated adequate levels of security,
but do suffer a data breach, are relieved from liability for the
breach will also be important, as it would act as an important
incentive for providers to ensure security measures are kept up
to date and can protect data at the required levels.
20. Real time monitoring of databases for
possible abuses may invoke connotations of a surveillant society.
However, it is an example of how technology-enabled surveillance
can protect individuals' personal information. Monitoring technology
provides automated analysis of databases which can provide alerts
to unauthorised activity such as access to sensitive data or intrusion
from an unknown source. The use of such technology can ensure
abuses of information are identified and dealt with quickly and
21. Having in place effective oversight
mechanisms for the legislation and regulation relating to the
use of data is important for ensuring those involved are held
accountable and sufficient penalties for misuse of data exist.
The Information Commissioner's Office plays a vital role in ensuring
the legislation for the privacy of data in the UK is enforced,
abuses identified and prosecuted accordingly. However, Symantec
believe an urgent review of the Information Commissioner's Office
powers is required in order to remove any existing limitations
on the ICO's ability to investigate possible misuse of data and
increase the legal and financial penalties for offences. Consideration
should also be given to the staff and resources currently allocated
to the Information Commissioner to ensure the ICO's continued
22. Data is one of the most important assets
of any organization and a valuable target for attackers. Identity
related information is becoming a valuable asset to criminals,
resulting in both public and private sector databases containing
sensitive information being increasingly vulnerable to attack.
23. According to the latest Symantec Internet
Security Report, between July and December 2006 the government
sector was the highest for data breaches, accounting for 25% of
all breaches leading to the loss of identity related information.
The report found that 28% of these breaches were caused by insecure
policy such as a failure to develop, implement, and comply with
an adequate security policy. It can therefore be suggested that
most breaches of this type are avoidable.
24. The Symantec report identified the development
of malicious computer code and programs designed specifically
to expose confidential information. These threats can expose sensitive
data such as confidential data files and can also give a remote
attacker complete control over a compromised computer. In the
last six months of 2006, threats to confidential information made
up 66% of the volume of top 50 malicious code reported to Symantec;
an increase over the 48% reported in the first half of 2006. Threats
that allowed remote access, such as back doors, made up 84% of
confidential information threats while keystroke logging threats
made up 79% of all confidential information threats.
25. Regulatory Impact Assessments (RIAs)
play an important role in providing an independent evaluation
of the possible impact, side effects and costs involved in the
introduction of proposed government legislation. The introduction
of Privacy Impact Assessments (PIAs) is a suggestion that warrants
further consideration and discussion. Having in place an opportunity
for independent assessment of the possible impact of government
legislation on the privacy of individuals' data could be a useful
tool for allaying public concerns over the safety of their information;
particularly as we move towards an era of data sharing. However,
further consideration would need to be given to the remit, scope
and particular areas the PIA would consider when making an evaluation.
For example, it would be important that PIAs take into consideration
the existence of current technological tools and solutions available
to address privacy or data security issues when assessing and
determining if legislation should be introduced.
26. It is important that privacy concerns,
which could be addressed by the development of innovative software
solutions, should not be used as the sole argument for not introducing
legislation. Further consideration should be given to how PIAs
would be developed to ensure the use of PIAs does not inhibit
competition or the development of diversity in the software industry
to address data security and privacy concerns, or prevent data
security solutions being developed to meet a particular requirement
by either the public or private sector.
27. As we move forward with the transformational
government agenda and increased data sharing, consideration should
also be given to assessing the ongoing effectiveness of government
IT systems to protect individuals' data. For example, in the United
States the Federal Information Security Management Act (FISMA)
mandates auditable procedures and policies to ensure the ongoing
security of the IT systems used by US government departments and
contract partners. Under FISMA, government systems undergo regular
monitoring and an annual audit resulting in each department receiving
a grade which is published in an annual government scorecard.
28. The introduction of performance related
standards and an annual scorecard outlining the ability and effectiveness
of UK government IT systems to protect information could act
as an important incentive for departments to adopt effective policy
management procedures, processes and controls that can assure
data privacy and prove the quality of IT systems. Such a requirement
could also drive those private sector partners connected to government
systems to address their data security issues and implement effective
data access and privacy measures.
29. The market offers a number of technologies,
solutions and tools suitable for different environments and different
levels of user sophistication that can afford an adequate level of security
and protection for personal sensitive information. The information
security industry continues to develop innovative solutions that
can ensure the security and privacy of individuals' information
in the evolving threat landscape.
30. Easy to install and manage integrated
security solutions are available that can provide critical security
technologies, such as firewall, content filtering, antivirus
and intrusion detection. However, technology alone cannot be relied
upon to protect information assets. Symantec believe a multi-layered
approach to protect information assets is required that includes
having appropriate technology in place, effective policies and
procedures for data access and education and training on the importance
of ensuring data security and privacy.
31. In the current global competitive marketplace,
being able to respond to customers' needs quickly and effectively
is a key competitive advantage. Email and the internet are integral
tools in enabling companies to communicate effectively with customers
and customize the goods and services offered to individuals.
32. Customer Relationship Management (CRM)
database systems enable firms to provide personalised, value-added
services that meet consumers' growing demands both quickly and
effectively. The use of such systems, however, relies on individuals
agreeing to personal information being processed, stored and shared
online by giving their informed consent. While consumers may feel
that the use of CRM systems to tailor information to consumers
may be intrusive, the e-Privacy Regulations allow businesses
to use an individual's personal information where there is an
existing customer relationship to provide information on similar
33. Having in place an effective database
structure enables companies to comply with requirements under
the e-Privacy Regulations by sending information only to customers
that have provided their consent. It can be suggested that individuals
will only be receiving information from legitimate firms because
they have provided their consent but may have simply forgotten.
Individuals also have a responsibility to ensure that their data
is shared appropriately and securely with online partners.
Symantec is a world leader in providing solutions
to help individuals and enterprises assure the security, availability,
and integrity of their information. Headquartered in Cupertino,
California, Symantec has operations in more than 40 countries.
Further information can be found at www.symantec.com.