Accountability in IT
A couple of days ago I sat in a state of open-mouthed incredulity as I read the Daily WTF’s account of how the Oklahoma Department of Correction provides access to sensitive personal information. Not only were they allowing any semi-knowledgeable visitor unrestricted access to names, addresses and social security numbers but, if I’m understanding the situation correctly, it would have been possible to modify the data and add an innocent person to the sex offenders’ register.
Elsewhere, a man had his life wrecked by false accusations of purchasing child pornography because an online store failed to protect his credit card details. Meanwhile, there remains no trace of the CDs containing the personal information (including, in some cases, bank account details) of 25 million British people (that’s over 40% of the entire population).
These stories and others like them demonstrate widespread ignorance and negligence when it comes to managing sensitive personal information. In the Oklahoma case the defect was primarily a technical one, whereas in the case of Her Majesty’s Revenue and Customs it was procedural (I’m sure at the time it seemed entirely sensible to burn 25 million people’s lives to CD without encryption and then send them via unregistered post).
As more and more of our personal information finds its way into databases around the world, these incidents become ever more likely. There is of course legislation such as the UK’s Data Protection Act and its equivalents in other EU countries. One of the eight principles of the UK act is that data should be held securely to prevent unauthorised access or misuse. The punishment for an offence under the act is a fine for the company or individual found guilty. As far as I am aware, nobody has been punished for the HMRC fiasco (except of course for Top Gear host Jeremy Clarkson).
I’m starting to think that I would like to see some kind of accreditation for IT professionals (programmers, managers and network admins) who work with people’s sensitive information. Perhaps not for private sector projects - at least we get to choose which companies we give our details to - but certainly for public sector projects. If a government wants to invest carefully in huge databases of private information, then they should be forced to work only with suppliers who have demonstrated their competence in dealing with the issues involved.
If I wanted to perform appendectomies I would first have to prove my competence and obtain the necessary medical licence. If I botch an operation I will face a malpractice suit and the prospect of being struck off (the system prevents me from stuffing up twice). And if I’m really reckless I could end up in prison.
Maybe something analogous in IT would be beneficial? There needs to be real accountability. If you negligently put millions of people at risk, you should be held responsible. Maybe the Oklahoma Department of Correction has room for a few errant coders? The rehabilitation could involve building a secure website for their hosts. Now that’s synergy.
Or perhaps we’re happy to leave the unaccountable, self-declared “IT professionals” to ride the government gravy train and hope nothing bad happens to our data?