For the London Free Press – December 10, 2007

Read this on Canoe

Many serious leaks of personal information result not from the lack of policies and procedures to prevent it, but from the carelessness or lack of thought or understanding by a single employee.

As individuals we must take more care whenever we encounter information about others.

There seems to be a real challenge in getting the privacy protection message to the average employee in a way that they truly understand and think about it during their daily routines.

This is an education and mindset issue. Training and education on these issues competes with the information overload we all face during the workday – but it is a crucial issue we must overcome.

People often recognize when their own privacy is being violated, but will for some reason not recognize when they violate the privacy of others.

The recent loss by a British government agency, revenue and customs, of information on over 25 million individuals who receive child benefits, is a case in point.

Diskettes containing sensitive records were apparently sent by in-house courier across London and were never received.

That action was in violation of several protocols in place to prevent this type of action.

To put the enormity of this in perspective, in a posting on the Canadian Privacy Commissioner’s blog, entitled A complete and utter failure, she stated:

The sheer scale of the data lost is staggering. The fact that a junior official apparently had the access to this information is disturbing — but that official’s apparent disregard for the security of such a vulnerable population is shattering.

The message for governments everywhere is clear: even in an organization clearly aware of the sensitivity of its data holdings, even with management dedicated to organizational efficiency and responsibility, the security of vital personal data cannot be taken for granted.

What frustrates me is that many breaches would never have happened if the employee took a minute to consider their actions.

First, to understand they are touching information that requires protection and is subject to corporate policies.

Second, that what they are about to do could betray the trust and stewardship they hold in that information, and cause serous consequences and exposure to countless individuals

If that happened, they wouldn’t put that data on a disk and mail it, or wouldn’t throw that paper in the dumpster.

No matter what security systems, policies and controls business or organizations put in place, the human factor is always present. Employees must be trained to understand privacy and security issues both in the abstract, and in the context of their daily routines.

Most privacy aware employers have training and education programs in place for their employees, and most employees are responsible when it comes to these issues.

But it only takes one slip by one unthinking employee to cause a privacy leak disaster.

There is no easy fix for this. Employers, governments, privacy advocates, and the media must continue to use every available opportunity to promote the message.