Select Committee on Home Affairs Written Evidence


APPENDIX 14

Memorandum submitted by Symantec

  1.  Symantec welcomes the opportunity to submit evidence to the Home Affairs Select Committee on issues relating to the growth of, and public concerns regarding, public and private databases and forms of surveillance.

EXECUTIVE SUMMARY

  2.  The pervasive nature of advanced technology has lead to the internet, mobile telephony and communication technology becoming a part of our everyday lives. In this era of technological development, data is the currency of the age. As the network economy continues to grow the amount of personal information being processed, accessed, shared and stored online looks only likely to increase. The development of innovative online services and the future delivery of public services will rely on individuals continued willingness and trust to share information online. Therefore addressing citizens concerns over data security is essential to allay public fears, realise the full benefits and opportunities provided by technology and increase citizens' confidence in the online connected world.

  3.  It is important to recognise however, that data has been collected and surveillance conducted long before the emergence of the database, Internet, mobile telephony or even CCTV. Information communication technology has not caused surveillance to occur. Rather technology is simply a tool that has become prevalent in our everyday lives and has lead to an increase in the provision of goods and services electronically which requires the sharing of information. It could be argued that it is not so much a surveillant society that is emerging but rather a pervasive computing environment within which increased importance must be placed on the responsibility of industry, government and also citizens to protect their personal information.

  4.  In this era of transformational government and online public service delivery an increase in the use of technology is resulting in online data collection and sharing. It is suggested that the introduction of performance related standards and an annual scorecard for government IT systems effectiveness could act as important incentives for departments to introduce effective, efficient and measurable data management and data privacy controls.

  5.  In addition greater understanding and awareness is needed by citizens on the role of existing effective legislation in place to protect data from misuse such as the Data Protection Act. Symantec also believe consideration should be given to the introduction of a data breach notification law currently being considered by the EU. Raising understanding of the positive benefits of database management and technology in protecting information could also have a positive impact on citizen's fears over the power and role of database technology. In particular raising awareness of how the creation of formalised, structured databases can increase the security of data and protect information against unauthorised access and possible misuse.

ACCESS BY PUBLIC AGENCIES TO PRIVATE DATABASES

  6.  Formalised data sharing gateways between the public and private sector enable information to be assessed against data stored on existing databases within a legally agreed framework. Symantec recognise that there are public concerns over the use of data sharing gateways. For example while consumers consent to checks on their identity being conducted when applying for financial services, when similar checks are conducted by public agencies this is regarded as intrusive and leads to privacy fears. Public concern may derive from the fact that while financial organisations require an individual's consent before checks can occur, no such consent is required in a data gateway investigation.

  7.  However, technological safeguards and legal protection are in place can ensure the data provided through data sharing gateways is appropriate and relevant to the purpose for which the data is being sought.

  8.  Data management systems can ensure only the relevant and appropriate data is shared through the gateway. Having a structured approach to database management ensures that the data collected by an organization is caterogrised, stored and protected appropriately. Automated processes mean the relevant data allowed to be shared with a public agency is clearly defined and easily retrievable. This means that only the data legally allowed to be shared is accessed, meaning companies meet legal requirements whilst preventing unlawful processing or unauthorised sharing of data. The alternative to having a structured database solution in place is a fragmented approach where data is held on multiple operating systems, on multiple applications and increasingly across shared networks. This can lead to information being scattered across a number of different platforms or accessible by various partners, resulting in greater insecurity to valuable and sensitive personal information.

  9.  The Data Protection Act (DPA) is an important piece of legislation that outlines the legal requirements for the processing, privacy and disclosure of individual's data. It states that data held securely for one reason cannot be shared, or used, for another purpose. It can be suggested that citizen's fears regarding the privacy of their data may derive from a lack of awareness of their rights under the DPA and the efforts made by the private sector to adhere to these laws. It is suggested that educating citizens on the role of data sharing gateways and the DPA's principles could instill greater confidence and assurance in the role of the data sharing that currently occurs between the private and public sector.

DATA-SHARING BETWEEN GOVERNMENT DEPARTMENTS AND AGENCIES

  10.  Technology enabled transformation of government is a visionary strategy that will improve the quality, efficiency and cost effectiveness of public services. The take-up by citizens of e-government services will rely on having systems and processes in place that can ensure the confidentiality, integrity, availability and privacy of personal data shared with government. However, at the heart of the Transformational Government agenda is a shared services culture; one which will require greater data sharing between and within government departments.

  11.  Citizens' fears over data sharing by government departments presents a major challenge to the future delivery of public services. However having systems in place that can ensure access to particular types of data is only granted to appropriate and authorised individuals in the relevant departments or agencies will be a key factor in preventing unauthorised access to sensitive personal data.

  12.  Standard policies, procedures and requirements for data management means access levels can be allocated to particular types and levels of data by government departments and bodies. For example the introduction of common access controls across the NHS IT systems could ensure only designated NHS personnel have the right to access patients sensitive information; reassuring citizens that their data is not vulnerable to unauthorized access or misuse. The access given to NHS staff could be monitored and audit trails produced, providing additional reassurance to patients that the confidentially of their data is being maintained. Access levels can also be used to dictate the information that can be shared outside an organization for example to another NHS body or even to an insurance company's private database.

  13.  Another example of this approach is the new Management of Police Information (MOPI) database; part of the Impact program which is aimed at improving the way UK police forces manage and share information. It is understood that MOPI will introduce standard procedures to ensure only authorised personnel can obtain and record information on the system. In addition rules for authorised sharing of information among police services and agencies will also be put in place which all forces will be required to implement and follow by December 2010.

  14.  However, MOPI is currently one of many projects being developed that focus on the need to co-ordinate data across multiple criminal justice organisations. As we move forward Symantec believe, where possible, consideration should be given to how these information related projects might be brought together. This would ensure projects do not become isolated and create duplicate databases and procedures for access to information which could challenge the standardised approach being implemented under MOPI.

  15.  The introduction of effective access levels across all government departments would require common data management procedures and practices to be developed and implemented. The latest version of the CSIA eGovernment framework for information assurance introduces much needed guidelines on the standardisation of processes, terminology and procedures for the secure access, authentication and management of data within and across government departments; essential as the development of automation and reliance on shared services increases. The framework document provides government departments with the information needed to take a proactive approach to protecting information assets, understand their duties and responsibilities for ensuring the systems underpinning online services are secure and above all how to implement existing best practice in Information Assurance. Symantec believes that trust in electronic services is best achieved through Information Assurance and welcomes the approach being taken by the CSIA.

EXISTING SAFEGUARDS FOR DATA USE AND WHETHER THEY ARE STRONG ENOUGH

  16.  The European Commission is currently conducting a Review of the EU regulatory framework for electronic communications networks and services. As part of this review amendments to legislation are being considered to require network operators and Internet Service Providers (ISPs) to notify customers, and national regulatory authorities, when a security breach has occurred leading to the loss, alteration, and unauthorized disclosure and access of data. Symantec has welcomed the requirements proposed which would introduce an important incentive for ISPs to increase the safeguards and levels of security for data stored online.

  17.  A data breach notification law could help raise greater awareness, reassurance and trust amongst individuals on how their personal data is protected on-line and what recourse they may have in case that data is disclosed without authorisation. Symantec believes that the scope of the data breach notification should not be limited just to ISPs and electronic communication service providers but to all sectors that process sensitive personal information on-line. For example this could include retailers and financial institutions.

  18.  When considering the introduction of a data breach requirement however, it will be important to define the breadth of the disclosure requirements and also ensure providers that take adequate steps to protect data and suffer a breach are not held liable. It will be important to determine whether information on a breach that has occurred should be reported on a confidential basis or circulated publicly. For example, breach information could be given to the National Regulatory Agency (the Information Commissioner's Office in the UK) which could then disseminate relevant information to the public. Alternatively information could be openly disclosed to all those individuals involved. Given the possible negative impact on users' confidence in both public and private sector online services, the issue around the confidentially of data breach information is an area that will require further consideration and discussion going forward.

  19.  Finally ensuring that electronic communication service providers that have demonstrated adequate levels of security, but do suffer a data breach, are relieved from liability for the breach will be important also. As it would act as an important incentive for providers to ensure security measures are kept up to date and can protect data at the required levels.

THE MONITORING OF ABUSES

  20.  Real time monitoring of databases for possible abuses may invoke connotations of a survellant society. However, it is an example of how technology enabled surveillance can protect individual's personal information. Monitoring technology provides automated analysis of databases which can provide alerts to unauthorised activity such as access to sensitive data or intrusion from an unknown source. The use of such technology can ensure abuses of information are identified and dealt with quickly and effectively.

  21.  Having in place effective oversight mechanisms for the legislation and regulation relating to the use of data is important for ensuring those involved are held accountable and sufficient penalties for misuse of data exist. The Information Commissioners Office plays a vital role in ensuring the legislation for the privacy of data in the UK are enforced, abuses identified and prosecuted accordingly. However, Symantec believe an urgent review of the Information Commissioner's Office powers is required in order to remove any existing limitations on the ICO's ability to investigate possible misuse of data and increase the legal and financial penalties for offences. Consideration should also be given to the staff and resources currently allocated to the Information Commissioner to ensure the ICO's continued effectiveness.

POTENTIAL ABUSE OF PRIVATE DATABASES BY CRIMINALS

  22.  Data is one the most important assets of any organization and a valuable target for attackers. Identity related information is becoming a valuable asset to criminals, resulting in both public and private sector databases containing sensitive information increasingly vulnerable to attack.

  23.  According to the latest Symantec Internet Security Report, between July and December 2006 the government sector was the highest for data breaches, accounting for 25% of all breaches leading to the loss of identity related information. The report found that 28% of these breaches were caused by insecure policy such as a failure to develop, implement, and comply with an adequate security policy. It can therefore be suggested that most breaches of this type are avoidable.

  24.  The Symantec report identified the development of malicious computer code and programs designed specifically to expose confidential information. These threats can expose sensitive data such as confidential data files and can also give a remote attacker complete control over a compromised computer. In the last six months of 2006, threats to confidential information made up 66% of the volume of top 50 malicious code reported to Symantec; an increase over the 48% reported in the first half of 2006. Threats that allowed remote access, such as back doors, made up 84% of confidential information threats while keystroke logging threats made up 79% of all confidential information threats.

THE CASE FOR INTRODUCING PRIVACY IMPACT ASSESSMENTS

  25.  Regulatory Impact Assessments (RIAs) play an important role in providing an independent evaluation of the possible impact, side effects and costs involved in the introduction of proposed government legislation. The introduction of Privacy Impact Assessments (PIAs) is a suggestion that warrants further consideration and discussion. Having in place an opportunity for independent assessment of the possible impact of government legislation on the privacy of individuals data could be a useful tool for allaying public concerns over the safety of their information; particularly as we move towards an era of data sharing. However, further consideration would need to be given to the remit, scope and particular areas the PIA would consider when making an evaluation. For example, it would be important that PIA's take into consideration the existence of current technological tools and solutions available to address privacy or data security issues when assessing and determining if legislation should be introduced.

  26.  It is important that privacy concerns, which could be addressed by the development of innovative software solutions, should not be used as the sole argument for not introducing legislation. Further consideration should be given to how PIA's would be developed to ensure the use of PIA's does not inhibit competition or the development of diversity in the software industry to address data security and privacy concerns, or prevent data security solutions being developed to meet a particular requirement by either the public or private sector.

  27.  As we move forward with the transformational government agenda and increased data sharing consideration should also be given to assessing the ongoing effectiveness of government IT systems to protect individual's data. For example, in the United States the Federal Information Security Management Act (FISMA) mandates auditable procedures and policies to ensure the ongoing security of the IT systems used by US government departments and contract partners. Under FISMA government systems undergo regular monitoring and an annual audit resulting in each department receiving a grade which is published in an annual government scorecard.

  28.  The introduction of performance related standards and an annual scorecard outlining the ability and effectiveness of UK government IT systems to protect information, could act as an important incentive for departments to adopt effective policy management procedures, processes and controls that can assure data privacy and prove the quality of IT systems. Such a requirement could also drive those private sector partners connected to government systems to address their data security issues and implement effective data access and privacy measures.

PRIVACY-ENHANCING TECHNOLOGIES

  29.  The market offers a number of technologies solutions and tools suitable for different environments and different user-sophistication that can afford adequate level of security and protection for personal sensitive information. The information security industry continues to develop innovative solutions that can ensure the security and privacy of individual's information in the evolving threat landscape.

  30.  Easy to install and manage integrated security solutions are available that can provide critical security technological, such as firewall, content filtering, antivirus and intrusion detection. However, technology alone cannot be relied upon to protect information assets. Symantec believe a multi-layered approach to protect information assets is required that includes having appropriate technology in place, effective policies and procedures for data access and education and training on the importance of ensuring data security and privacy.

PROFILING

  31.  In the current global competitive marketplace, being able to respond to customers needs, quickly and effectively is a key competitive advantage. Email and the internet are integral tools in enabling companies to communicate effectively with customers and customize the goods and services offered to individuals.

  32.  Customer Relationship Management (CRM) database systems enable firms to provide personalised, value-added services that meet consumers growing demands both quickly and effectively. The use of such systems however rely on individuals agreeing to personal information being processed, stored and shared online by giving their informed consent. While consumers may feel that the use of CRM's system to tailor information to consumer may be intrusive, the e-Privacy Regulations allows businesses to use an individual's personal information where there is an existing customer relationship to provide information on similar products.

  33.  By having in place an effective database structure enables companies to comply with requirements under the e-Privacy Regulations by sending information only to customers that have provided their consent. It can be suggested that individuals will only be receiving information from legitimate firms because they have provided their consent but may have simply forgotten. Individuals also have a responsibility to ensure that their data is shared appropriately and securely with online partners.

ABOUT SYMANTEC

  Symantec is a world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, California. Symantec has operations in more than 40 countries. Further information can be found at www.symantec.com.

April 2007





 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2008
Prepared 8 June 2008