Personal data loss will always be an emotive subject, so researchers shouldn't be surprised if they've noticed that clients have given data security a higher priority over recent months.
Why? Well, since the Prime Minister commissioned a Review of Data Handling Within Government (after two HM Revenue and Customs computer discs containing child benefit records went astray), a set of mandatory measures has been introduced across government aimed at securing data and improving accountability and scrutiny of the way it manages citizens' data in its care.
Government, however, does not work in isolation so we have to ensure that our suppliers — where they handle personal data on its behalf — adhere to the same measures. Hence the need for agencies to move data security up the 'priority' ladder.
Researcher and agency tasks
COI wrote to all suppliers on its current roster around Christmas, asking them to confirm that they were following a series of guidelines in this area. These encompassed such obvious measures as encryption, ensuring that PCs are used in a secure environment with properly controlled passwords and that data is securely disposed of when it's no longer needed.
We also asked our suppliers to send in the security plans they have developed so that we could check that their current regime is adequate for the sensitivity of the data they are dealing with. There was, understandably, considerable variation in the responses and we are now in the process of developing a more formal template to help agencies comply. Other government departments will be taking a similar approach and while some of the wording may be different, the principles will be the same.
Pros and cons
We recognise that, until requirements have settled down, this will feel like quite a major pull on resources for everyone, but we do need to maintain the public's trust if we are to continue working. Each time an unencrypted laptop or memory stick is found containing even very basic personal data, or an email containing such data is accidentally sent to the wrong address, this trust is damaged significantly.
Measures which are put in place should be proportionate to the risk of damage posed by a breach. They should not mean that researching grinds to a halt. We need, nevertheless, to make sure that precautions are robust and maintain a dialogue with our suppliers so that progress is made.
The end result?
We want to carry on working with a diverse range of expert researchers in order to understand the needs and attitudes of citizens and improve lives.
Shredding bills and adding the strongest available virus protection software to our computers have become second nature at home. Given the high professional standard set in the research industry, we believe that increased data security will become an essential part of work life too.