Roland Perry on 20 June 2006 at 14:14 said:-
> What needs fixing is the lack of robustness in the authentication
> process (a system that relies upon Security by [not very much]
> Obscurity), rather than trying to maintain the elusive obscurity of
> things like SS (or National Insurance) number being regarded as a
> "secret".

I disagree. Disregarding the use of any particular set of personal data for
unintended/illegitimate purposes, the root issue appears to be the difference
in real organisational security of personal data against the actual and
potentially diverse individual requirements of customers.

Compare the difference in trust applied to organisations who sustain a high
level of security to data, access to and appropriate use of it, and those
who may not be so good. Bring in achievable financial aspects of maintaining
that security, approaches to managing customer perceptions, existing ethical
approaches to data use along with all the other pertinent issues, and the
mix, although becoming somewhat more complex, does largely retain that same
basic factor.

No matter how robust any initial authentication process is, the weakest link
in any chain will determine the actual effectiveness, viz. SS numbers in the
USA, where wide use and matching for diverse purposes by diverse
organisations has effectively negated any original benefit. A practical UK
example would be where a probation service network computer server
containing details of all staff and clients, including resident paedophiles,
was stolen at a time when politically very sensitive work was underway in
the area regarding the housing of paedophiles. The theft was considered low
risk internally and not worthy of being reported outside the organisation,
even though all security was only reliant upon NTFS (password crackers
freely available on the internet at that time), and the free-standing 'safe'
containing the server passwords was also taken during the theft. Obscurity
(and hope) at work.

But then organisations have for some time seemed to be rushing into creating
structured secure processes for personal data supported by robust
authentication processes containing what are considered as appropriate
accountability mechanisms. Fitting the resulting processes, which are
sometimes rigid, to any diversifying customer base or changing environment
can sometimes appear to become a problem though.

Ian