Published On: June 10th, 2011/Categories: Data Security/7 min read/

Security begins at home

So the Press loves a good story and so do we. The Sun’s 9 million readers know what they want and a good headline is what they get. More and more these days the media is filled with IT security scares and interviews with concerned Joe Public about “their” data and the irresponsible activities of industry and Government.

So who’s really to blame?

Well let’s look at the facts.

The Data
Information about us is everywhere and has been for a long time. Historically the only public facts about Joe Public were their name and address. Then banks came along with records of financial transactions and balances, soon followed by phone numbers and phone directories. Government kept records of this information for its own purposes, and with the recent technological age we spread this information everywhere.
By itself the data is not that interesting. My name is shared by many people. Multiple people live at my address. My bank account records are just numbers on a page. My email address is just a fancy mailbox. The problem is aggregation. When you put these together you start to build valuable information, such as a name and address, or a name with a bank account number. Usually any two pieces of associated data are of value when brought together.
So have a quick think: how many people know at least two pieces of information about you? Think about your friends, your family, your employer, your favourite website, your Government (central and local), your health provider, insurance company, hairdresser and your cleaner. You’ll quickly realise how much we all know about each other.

The People
Everyone has data about them, even Sir John Sawers, the Head of MI6 (James Bond’s boss) has a name, photograph and information that is publicly available. And everyone manages data about others, whether it be written down, recorded in a database or just in someone’s brain.

The Perception
There is a view that “industry” or “corporations” or “Government” are irresponsible because they mishandle our data, but these entities are simply collections of people bound together by an employment contract and a set of organisational processes. Any of us who have read our contracts, especially the clauses relating to the Data Protection Act (UK) and non-disclosure of information, know the guidelines and the rules on how to handle others’ data. So if data is indeed being “mishandled”, then it’s either the processes or the people following them that are causing the problem, not the organisation. And who writes the processes? The people. So ultimately it all comes back to us.

If we are to expect a high level of data protection from organisations then we should start by securing the information we personally watch over.

Before you think you’re in the clear, have a look at the following questions:

1) Do you tell your hairdresser/stylist/barber what your profession is, when and where you’re going on holiday, leave your name and phone number when making an appointment and pay an unknown girl on the front desk with a credit card?
2) Do you shred all of your correspondence such as bank statements and credit card applications before they go in the bin/trash?
3) How many websites do you have a login account with? Do you know the password/pin for each one and are they all different? Do they all use the same email address to contact you with?
4) Are the passwords and pins you use for websites, credit cards and other forms of access easily guessable? Are they written down on a post-it note under the keyboard?
5) Is all your information stored on paper in a well organised, unlocked filing cabinet in your house? Does anyone work/come to your house that you don’t completely trust? Do those people (such as babysitters) ever bring people to your house that you don’t completely trust? Could these people access your paper records?

That’s a lot of topics to think about, but there are some relatively easy ways to improve the situation.

1) Think how much information you’re disclosing to people you don’t completely trust.
2) Get a cross-cut shredder and shred any paper/cards that contain personal information. (Note: old-style shredders which cut into long strips are of little value, since the paper can be relatively easily reconstructed.)
3) Have different passwords for each website account you have, or at least different passwords for different website types such as banking or email. Make sure the password on your primary email address is unique and NEVER disclosed.
4) Passwords and pins should not be guessable. The more random the better, with a mix of upper and lower case letters, symbols and numbers. (This will be discussed further in a future post).
5) Lock up your paper records in a lockable filing cabinet or ideally a safe. This won’t necessarily prevent theft but will deter prying eyes.

This is just the start and there are many more areas we all can improve on, but if we treat our own data with more respect then protecting others’ will become second nature.

About the Author: Carl Gottlieb
I'm the trusted privacy advisor to leading tech companies, helping them gain maximum advantage through the right privacy strategy. My consultancy company Cognition provides a range of privacy and security services including Data Protection Officers, in-depth assessments and virtual security engineers. Get in touch if you'd like to learn more.