Dr Dennis Jennings
In the first of these blogs, I highlighted what seemed to me to be two of the major omissions in The Data Sharing and Governance Bill, as published: the lack of a clear and unambiguous statement of what is meant by Data Sharing, and how it will, in principle, be implemented; and a preliminary section providing the Statement of Principles that guide and underlie the Bill.
In this blog I’d like to highlight two further critically important elements that seem to me to be missing from the Bill:
The first is the Authorisation of public sector individuals to empower them to access elements of the personal data stored by the Public Sector. I presume that not every employee (whether full time, part time, or temporary), and not every contractor, will have access to all the data stored! What are the principles and rules that guide these authorisations: authorisation by individual; by function/role; by seniority; by specific tasks; etc.? It seems to me self-evident that authorisation at the data element, or specific data related query level, is required, and that these authorisations must be carefully created, managed, maintained, and revoked when required.
The second is the Authentication of the public sector individuals and their assigned authorisation. Each and every access to personal data elements by public sector individuals must be authenticated. What identity management system will be used to reliably and securely identify each individual? I presume that some public sector staff services identifier will be used, and secured with a PIN, and biometrically, and with multi-factor authentication (I consider typical on-line e-mail/password systems to be inadequate).
I certainly do not want unauthorised, unauthenticated individuals accessing my personal data, or accessing or querying any element of my data that they are not specifically authorised to access.
I don’t expect the Bill to specify the authorisation and authentication systems that will be used, but I do expect that the Bill would categorically state that there will be personal public sector identities and authorisation and authentication management systems, and would provide guidelines, and would state how these systems will be governed, and overseen in practice. Without these, the Bill is dangerously flawed.
Whatever identifier system is used for the 300,000 plus public sector employees, it is also self-evident to me that these identities must also be valid to access their own personal data through the planned Public Services Portal. Having multiple identity systems makes no sense to me.
I look forward to discussing these thoughts further at the Public Affairs Ireland Seminar on the recently published Data Sharing and Governance Bill that will take place on Thursday 29 November.
Dr Dennis Jennings
Internet Pioneer, Internet Hall of Fame 2014
Company Director / Mentor & Coach / Angel Investor
Chairman and/or non-executive director of a small number of Irish technology-based companies that address international markets. Member of the Open Data Governance Board of the Department of Public Expenditure & Reform. Chairman of the Board of Governors of the Royal Irish Academy of Music. Served (2007-10) on the Board of Directors of the Internet Corporation for Assigned Names and Numbers (ICANN, ICANN.org), which is responsible for the coordination of the technical identifiers of the global Internet.