“I’m from the government and I’m here to help.” The former US President Ronald Reagan famously said these were the “nine most terrible words in the English language” that anyone could expect to hear.
We can accept that, generally speaking, governments want to do the best for their people. They are, by and large, well-intentioned, but from time to time government policies are misconceived or unintentionally destructive. It’s a fact of life that governments make mistakes, and sometimes these mistakes happen because of a failure to properly think through the risks of a policy, process or system.
From a privacy perspective, one such area of concern is how governments collect and store the personal information of millions of their citizens. Can people have trust and confidence in the security of that information and who gets access to it?
There have been a number of recent data breaches overseas which offer salutary lessons on how information held by governments is not necessarily as secure as it should be and how this can be harmful for individual citizens.
The Swedish government is currently scrambling to contain a data breach in which an outsourced government IT project may have caused the large-scale disclosure of citizens’ sensitive personal information. The breach may also have revealed the identities of people working undercover for the Swedish police and the country’s intelligence services. Two government ministers have since resigned over the data loss.
You might wonder why the information of 3.7 million voters was kept on laptops. This became a privacy ordeal for the Hong Kong government and the focus of an investigation by the city’s Privacy Commissioner earlier this year when thieves stole laptops containing the information from a convention centre hosting the election of Hong Kong’s chief executive. The stolen data included the ID card numbers, addresses and the mobile phone numbers of all of Hong Kong’s voters. At least, the data was encrypted.
The Philippines last year suffered its worst-ever government data breach when hackers stole voter information from the Philippines Commission on the Elections. The hackers obtained the personal information of 70 million people, including their fingerprint data and passport information, prompting a warning from the cybersecurity firm, Trend Micro, that every registered Filipino voter was now susceptible to fraud and other identity risks.
Turkey’s entire citizenship database was hacked last year. In what appeared to be a politically motivated hack, the personal information of over 49 million people was published online, including that of the Turkish President, Tayyip Erdogan. Until the Philippines voter records breach, this was regarded as the biggest governmental privacy breach by number of records ever.
Australia’s government found itself in the firing line again after a Guardian investigation last month revealed hacked or leaked Medicare details of Australians were being sold on the darknet. It’s the latest episode involving government agencies to heighten concern over the use and storage of personal information, following scandals involving Centrelink and changes to the country’s census methodology.
In 2015, the personal information of over 21 million US federal employees was breached at the US Office of Personnel Management. The hackers targeted personally identifiable information such as Social Security numbers, as well as names, dates and places of birth, and addresses. It transpired that the Office of Personnel Management had been warned multiple times of its security vulnerabilities and soon after the breach was reported, the agency’s director resigned.
Getting it right first time
You might be interested in viewing this handy infographic tool to find these and other significant data breaches around the world. If you use the tool's filter you can see the biggest recorded government breaches.
Each of the breaches we've highlighted here shows the importance of getting data protection right when designing a new system, service or product in the first place. Take a precautionary approach; use tools such as privacy impact assessments; undertake a security analysis of the data you hold; and use encryption. These techniques help agencies ensure their information management systems have the best possible protection.
Privacy impact assessments, for example, help agencies identify potential risks arising from the collection, use or handling of personal information. Doing one helps flush out issues that might harm an agency’s ability to meet its security and legal obligations.
The problem for governments is that near enough is not good enough. Governments must get the privacy basics right. Otherwise all it takes is one serious breach to make a lie of the line “I’m from the government and I’m here to help”.
Image credit: The Great Wave off Kanagawa by Katsushika Hokusai (circa 1829-1833)