Privacy controls need to be integrated into IT design

The Royal Academy of Engineering has reported on how engineering can of help protect personal data

Privacy controls need to be built into IT applications and systems to ensure that personal data is properly protected, according to a new report from the Royal Academy of Engineering.

The report, entitled Dilemmas of Privacy and Surveillance – Challenges of Technological Change, outlines the threats posed by identity management, surveillance and data capture technologies, and details ways that engineering can help to avoid these risks.

Web 2.0 development was highlighted as a key area requiring integrated privacy controls because it facilitates individuals posting up large quantities of personal data. The report called for Web 2.0 applications to include controls that would automatically destroy data after a certain period of time and would delay material going live to offer a “cooling-off” period between posting and publication.

Databases were another area targeted by the report as being “vulnerable to a wide range of failures”. These include the potential for sensitive data leaks if an unauthorised user acquired access to the database; the misuse of data by somebody with legitimate access to the information; and errors caused by mistakes at the data-entry level.

The report set out a series of principles that should be followed when running a database, including never storing data in unencrypted form and checking data regularly with the source to maintain accuracy.

The Royal Academy of Engineering also recommended changes to data protection rules to ensure firms complied with best practice. It argued that the Information Commissioner’s Office (ICO) should be given greater powers to perform audits or appoint third-party auditors, to ensure firms were processing data in accordance with the Data Protection Act. Penalties for compliance breaches should also be increased to include the possibility of a prison sentence.

The report also called for organisations to be held liable for failing to properly protect user data. Reports of the latest of these incidents surfaced this week, when a laptop containing data on 11,000 children was stolen from a Nottinghamshire hospital. In cases such as these, where personal data is made vulnerable, the report argued that organisations should be forced to directly apologise to individuals and offer appropriate compensation.