Sunday 7 August 2011

Data controllers discovered behaving badly. Again. (Yawn)

Suddenly, it’s gone a bit quiet on the data protection news front. I mean, it has to be quiet when John Leyden of The Register and Kevin Rawlinson of The Independent feel the need to pick up some low hanging fruit by running an ICO press release about the loss of an unencrypted data stick some 5 months ago. Especially when, in this case, the stick was handed in before anyone’s personal details were compromised. Data controllers have been caught behaving badly. Again.

Should we ban the use of unencrypted data sticks? I think we’ve got as much chance of banning them as we have of outlawing the sale of deep fried mars bars.

My current hobby horse, though, is the use of privacy prompts to encourage us to take more seriously the protection of our personal information. I don’t want to write about anything I’m doing at work in this blog, as it’s currently all consuming and potentially high profile and I really have to find something else for my mind to focus on for a while.

So what did I do? I went to my gym.

And another (depressingly familiar) thought dawned, and I gave such a large sigh of despair that I’m sure it could have been heard in the reception area. What was I doing that prompted this sigh?

Actually, all I was doing was changing into my gym kit. Into the gym locker went a nice suit, good shoes, a great watch, my car keys, a wallet, and a phone – items which, when totted up, were certainly not cheap. And everyone was doing this. And how was I protecting the items while I was working out upstairs? By using a combination padlock, bought from the reception desk for £5, as (almost) everyone else did. How often had I changed the combination on that padlock? And how many of my fellow gym-goers hadn’t ever changed their default settings? Do we consider it right to protect, say, £2000 worth of stuff with a padlock costing 0.25% of its value? Or is this actually reckless?

I wondered to myself whether I should have a word with the management, to ask them to consider rolling out a campaign to warn gym-goers of the inherent security risks in leaving valuable items in boxes which were only protected with 4-digit PIN codes. Should the users not be prompted to change their PINs more regularly (well, at all...)? Should they not be warned of recent attempts to steal stuff from lockers while the gym-goers were midway through their spinning classes? Could I help by designing a sticker which could be placed inside each locker door to warn, in a light-hearted way, of the inherent dangers?

I had a word with a member of the management team as I was leaving. The reply was predictable – one of thanks, but no thanks. “We tried that after a spate of burglaries a couple of years ago,” I was told. “But our customers aren't interested in the slightest in doing anything that would make it harder for someone to break into their lockers.” But I was thanked for expressing my concern.

It seems that data subjects can act just as badly as data controllers. Again.

Later, I returned to work to dream up new ways to encourage people to change their ingrained behaviours. Feeling fitter, but not really much wiser.