Features: January 17th, 2014

The Government collects a vast amount of data and much of it is now available for public use. In this article Graeme Stewart explains the benefits open data can bring. He also describes the challenges that must be met including addressing concerns about maintaining security.

The UK is a world leader in open government data. The Government has made a virtue of making data available for use, and it is reported that there are now almost 17,000 datasets available on the data.gov.uk website. The benefits of sharing data with the public are obvious. According to the Open Data Institute, it has the potential to increase custom for services and products, ease information sharing with other organisations, reduce maintenance cost and encourage innovation. It also paves the way for unprecedented transparency and accountability in the public sector. As a result, open data is predicted to deliver a £2bn boost to the UK economy in the short term, with a further £6-7bn further down the line. However, the initiative requires caution and a change in attitude.

Open data is about making data useful – yet simply declaring data public does not automatically make it practical or meaningful. Instead a number of questions should be considered up-front. What data is useful in the first place? How should it be made available? What tools and skills will be necessary to make sense of the vast amounts of big data? Who is ultimately responsible for implementing the project? And will legislation catch up quickly enough to avoid a compliance chaos?

Protecting sensitive information

At the same time, demands placed on Local Government to open up yet more data to the public could leave huge amounts of sensitive information – such as patient records, payment details or personally identifiable information (PII) – at risk of breaches and misuse. As a result the Government is facing a delicate balancing act as it attempts to find a solution that protects the privacy rights of the individual while at the same time providing organisations with valuable data. Too much or too little security could render a project useless.

In order to address this issue the ICO published a code of practice which enforced the anonymisation of all personal data that is made publicly available – at the risk of heavy fines. However, even anonymisation of data does not provide a guarantee the data will not be compromised. Snippets of publicly available data could provide the missing jigsaw puzzle pieces cyber criminals need to compromise a victim’s identity, steal confidential information or gain access to a network.

In an age where state sponsored attacks are a reality, hackers are organised and relentless in their efforts to access highly sensitive and valuable information from governments around the world. Last November, it was revealed that Anonymous secretly hacked US government computers and stole sensitive information in a campaign that lasted an entire year. Providing global public access to data on the entire nation via the use of APIs and cloud based interfaces doesn’t just open up data – it also opens up new threat vectors to be exploited by those with malicious intent.

As the number of threats and datasets is increasing, the Government is deliberating how best to ensure this wealth of information can be protected. Just last month, the Cabinet Office announced that Government suppliers face vetting on cyber security as part of a range of measures to better prepare UK businesses against the growing threat of online attack from criminals and foreign organisations. However, the key to securing open data – while at the same time making it useable – has to lie in a unified, streamlined and transparent approach. Securing open data is about more than just technology – people, processes and infrastructure have to be integrated and users need to be educated in how to access, make use of and store data in a responsible manner. They need to be given tools that monitor, analyse and mitigate attacks reliably without restricting – or complicating – access to data.

Need for caution in deciding what data to release

Estonia is often cited as a best practice use case for opening up data in a secure fashion. By using a digital ID for any interaction with the government, the data itself is far more protected and as processes are in place to trace who is accessing what, from where and why. However having built the platform from scratch about 10 years ago, Estonia does not face the same legacy IT systems scalability challenges as the UK.

Perhaps the most important point to consider in our rush to share information is just what data should be released in the first place. If we compare open data to the current measures in place to gain access to the information government holds on the nation, it is clear to see that extrapolation is far easier and less controlled than processing a FOI request. If there is public interest in a set of data, should it be made generally available? Every copy that leaves the government’s servers poses an additional security risk – once in the public domain it is impossible to ever truly regain control over it as it is copied and shared across the web. If data is released it has to be done in a secure, sensible fashion – and while the Government does not have the technology and regulations in place that will guarantee protection the most sensitive data should be kept under lock and key.

Graeme Stewart is responsible for UK Public Sector Strategy at McAfee.