These days, the issue of Security is given
automatic priority in most IM&T projects, especially those with some
form of public access, such as e-commerce applications. Until recently the same degree of attention
has not been afforded to the issue of Privacy. Are these two issues
related, and what has privacy to do with risk management?
Our advice is that privacy should be high on the
list of issues considered when developing the risk management strategy.
At the federal and state levels, governments have
introduced privacy legislation. We anticipate that with strong lobbying
from various directions, current legislation will only be strengthened over the
Organisations, including government agencies, will
be put under increasing pressure to limit their information collection to that
specifically related to their business needs. Already, some states have legislated
requirements for organisations to include privacy information on application
forms, detailing which information is compulsory (and why), what will be done
with the information gathered, and the extent to which this information will be
shared with other organisations.
Penalties are being introduced for non-compliance
with legislation, including the improper use of 'private' information. In an
increasingly litigious environment, people and organisations will be
increasingly likely to initiate action for abuse of private information. In
Australia and overseas, there have been some hefty compensation orders against
companies that have been on the receiving end of these lawsuits.
We can only imagine the damage this does to the
organisation's reputation, goodwill and, eventually, share prices.
While much of this will relate to corporate
governance, and the resulting corporate policies in this regard, Information
Systems also play a significant role. The development of information
systems is most often a complex and costly affair. Information is
captured, stored, processed, and reported in systems of
ever increasing complexity. At the same time, systems which used to be
'contained' within an organisation's own computers are increasingly being opened up
to access from outside bodies. A few examples:
Business to business
Internet / extranet
Either by accident or design, systems can allow
access to information which clients may have a right to consider private and
protected. If so, this could lead to litigation and / or penalties and
consequential impacts on reputation as mentioned earlier. Further, if caused by
inadequate systems design, or failure to provide adequate data security, systems
'enhancements' will almost certainly be required. Depending on the extent
to which the 'faulty' processing is ingrained into the design, the correction
could range from a minor enhancement to a major systems rewrite.
As any good systems designer knows, it is far
more cost effective to design the system right the first time, than to make
changes later. As an analogy, consider the costs of producing a car
compared to the expense encountered when replacing or repairing a fairly minor
component. (I digress to recount a recent personal experience - the price for
replacing both headlight assemblies on an eight year old car was approximately
7-8% of the current value of the car!)
Exposing the organisation to penalties, fines,
litigation, and adverse publicity would constitute an unacceptable outcome in
the opinion of most CEOs. Consequently, we recommend that as a part of
any risk management strategy, organisations consider the potential for the
system being designed to allow access to private information, and whether that
access is legal and reasonable. Consider the potential impact on the
organisation if access to that information is determined to be improper, and
ensure mitigation strategies are in place.
While some strategies are obvious, such as
ensuring adequate data security, we also recommend ensuring a close working
relationship between the IM&T developers and 'information management'