Governments operate on information. They keep track of when you’re hatched, matched and dispatched, through birth certificates, marriage licences, divorce decrees and death certificates. They use the data to collect taxes, send rebates, issue drivers’ licences and confirm social insurance numbers.
Keeping all that material on file is a massive undertaking. And keeping it secure is even more daunting – now more than ever. Government departments at all levels often need to share information. Think of situations like the SARS outbreak or the ongoing mad cow concern, where multiple jurisdictions overlapped. Data on these cases had to be shared between various government levels and among different ministries at each level. Having all that information on the loose heightens the risk of security leaks.
Today, an additional impetus for securing information comes from the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA rolled out provisions covering information security gradually. The first stage, which took effect Jan. 1, 2001, applied to personal data (except personal health information) collected by federal departments and federally regulated businesses such as banks and telephone companies. A year later, personal health information, defined as data on a person’s mental or physical health such as services provided and information on tests and examinations, fell under PIPEDA.
This January, the conditions of the Act widened. What previously had been limited to federal agencies and the handful of industries under their control now applied across the board.
“The Act extends to the collection, use or disclosure of personal information in the course of any commercial activity within a province,” advises the office of Privacy Commissioner Jennifer Stoddart. “However, the federal government may exempt organizations and/or activities in provinces that have adopted substantially similar privacy legislation. The Act will also apply to all personal information in all interprovincial and international transactions by all organizations subject to the Act in the course of their commercial activities.”
There are a handful of exemptions to the bill, but none of major consequence. Companies may readily hand out an employee’s name, title, business address and work phone number, for example. Currently only Quebec has laws dealing with personal information pertaining to one’s job, although other provinces and territories are studying the issue.
In making these moves, Canada is catching up with other international players. The European Union, for example, has had rules requiring personal information security since the mid-1990s. In the U.S., the Sarbanes-Oxley Act has also imposed conditions on the protection of personal data.
One of the leading providers of data storage is YottaYotta, based in Edmonton. Wayne Karpoff, chief technology officer of the four-year-old company, says a major challenge for governments is how to make material available to several users and protect privacy, while at the same time amortizing the cost of the infrastructure. He compares his process to the system employed by banks and other financial institutions.
“I give my hard-earned money to some stranger that I don’t really know and he’s going to put it in his vault with 100 other guys that I may not even like,” Karpoff says. “And he’s going to provide me this guarantee that he’s going to keep it all separate . . . and what’s more, I can go to any branch to get it out any time I want. A fire in one branch isn’t going to take it down.
“How do I build that bank-type of infrastructure so that I can amortize the cost of multiple departments that auditably must be kept separate – but I still want to amortize the infrastructure costs across multiple users?”
The proliferation of data is inevitable, Karpoff says. He cites the example of three different government departments that may require the same information for three different reasons. That data will float around in three separate silos and end up in the backup systems of each ministry. The privacy legislation is supposed to address that, but comes with its own set of problems.
“There’s now very definite guidelines in terms of how long we’re allowed to retain that data,” says Karpoff. “That actually becomes a really hard problem in the context of all the other things because it affects lots of things. What do you do with your backup tapes? Tape technologies and stuff like that, which are sequential?
“I have to do all of that in the context of protecting the data from disaster, in the context of ballooning sizes of data, and in the context of not creating separate islands of infrastructure to protect the data.”
Governments and industry have of course built up huge volumes of data for years, resulting in many silos with similar details on people’s lives. Many network owners would like to tear down the silos, in the interests of greater efficiency and cost savings. Privacy advocates counter that silos keep material under lock and key and make it difficult for hackers to get to it. The goal is to eliminate the islands of storage currently in place, replacing them with pools of storage that can be accessed responsibly.
Says Karpoff: “In order to be able to do that, to get a little more technical, you’ve got to be able to do more than not just implement things like virtualization and back-end encryption and things like that. You also potentially have to be able to provide front end security for access into those systems.
“So you have to think about it as a storage system that’s behaving almost like a firewall unto itself, with multiple ports of access coming into it but restricting who gets what data based on how it’s being accessed. . . .”
While consumers may be happy that their data is protected, industry must be more vigilant in its applications. That’s not necessarily a bad thing; surveys regularly show that consumers are worried about privacy and security issues and thus shun online purchases and e-banking. Establishing safe data storage will do a great deal to reassure wary clients. Beginning that process with government departments and agencies can only solidify the reputation of companies.
The major wakeup call for the protection of data was the terrorist attacks of Sept. 11, 2001. A few months after the assault, Sun Microsystems sent its executive vice-president of global sales operations to discuss network security at a symposium in Ottawa. Masood Jabbar pointed out a specific place where information should have been made available.
“If the FBI had records on this terrorist, how would they have shared this information?” he asked at the time. “The airline reservation system knew who this person was, the FBI didn’t. There was a parting that took place that should have been recognized, that didn’t get recognized because the systems didn’t talk to each other, services didn’t talk to each other. And had they talked to each other, (the terrorists) would have been met at the gate.”
Jabbar also advised his audience to store information away from the area in which it is initially gathered. Many companies in downtown New York kept their backup storage facilities a few blocks from their network service sites. Had the World Trade Center fire spread throughout the downtown core, much essential data would have been lost.
Karpoff agrees: “In the U.S. – and we’re looking at that same type of legislation bubbling up into Canada – there’s a need post-Sept. 11 to protect data in real time so that we’re not vulnerable to loss of data centres or data sites or even municipal-level failures.”
Even less catastrophic disasters have raised concerns. Two years ago, confidential data from a computer belonging to the government of Saskatchewan leaked out to people who were not authorized to see it. Police in Regina have been slowed in their investigation because the courts want to ensure that subpoenaed information can be seen without jeopardizing personal privilege.
Corporate IT spending – including government expenditures – has been around much longer than consumer IT spending. That gives firms a wealth of expertise to draw from. But it also risks lagging behind innovations in the marketplace. Companies that wish to compete must constantly keep upgrading software to stay ahead of the curve.
The first great wave of spending on storage occurred around the end of the 20th century. It leveled off, especially after Sept. 11, but Karpoff predicts another upturn. “There was a big splurge in spending on storage in 1999-2000, which has been identified by organizations like IDC as a fallout of Y2K preparedness,” he says. “We got through these three-year things. There’s about to be a boom.”
Karpoff cites a recent Gartner study that projects that two-thirds of IT budgets will be devoted to storage and data management. Data is ballooning as we become a “data-centric society”, in Karpoff’s phrase. Rick Belluzzo, CEO of Quantum, a data storage firm in San Jose, recently told CNET that tape is improving in terms of both system-availability features and in price.
Governments want to be able to protect their information from employees who should be denied access to it and from hackers who try to break into the networks. Advances in databases, data mining and knowledge transfer help in that regard. But data must be protected during that transfer. Encryption and password protection are vital at this stage of the process. Companies selling their services to governments must be able to guarantee that they can provide the technical efficiency required with the sensitivity to private information demanded by the new laws. It’s a balancing act that can be achieved to the satisfaction of all involved.
Paul Park is an editor and writer with Decima Publishing in Ottawa, publishers of newsletters covering communications industries.
A privacy primer
With the final provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) taking effect this year, all data is expected to remain secure. Although most identity theft is accomplished through methods other than computer chicanery, authorities warn that network security cannot be ignored. The Act says that any complaints about violation of personal information privacy are to be handled by the Privacy Commissioner of Canada, whose office has issued the following suggestions on how to keep private data private:
Protect personal information against loss or theft;
Safeguard the information from unauthorized access, disclosure, copying, use or modification;
Protect personal information regardless of the format in which it is held.
How to fulfil these responsibilities:
Develop and implement a security policy to protect personal information;
Use appropriate security safeguards to provide necessary protection:
physical measures (locked filing cabinets, restricting access to offices, alarm systems)
technological tools (passwords, encryption, firewalls, anonymizing software)
organizational controls (security clearances, limiting access on a need-to-know basis, staff training, confidentiality agreements);
Make your employees aware of the importance of maintaining the security and confidentiality of personal information;
Ensure staff awareness by holding regular staff training on security safeguards;
The following factors should be considered in selecting appropriate safeguards:
sensitivity of the information
amount of information
extent of distribution
format of the information (electronic, paper, etc.)
type of storage
Review and update security measures regularly;
Make sure personal information that has no relevance to the transaction is either removed or masked when providing copies of information to others;
Keep sensitive information files in a secure area or computer system and limit access to individuals on a need-to-know basis only.
For more information on PIPEDA and its effect on information, contact the Privacy Commissioner of Canada, 112 Kent Street, Ottawa, Ontario K1A 1H3; 1-613-995-8210, Toll-free 1-800-282-1376, Fax 1-613-947-6850, TTY 1-613-992-9190; www.privcom.gc.ca.