There was an interesting piece in the Financial Times yesterday (registration/payment required, unfortunately) about the topic of information security/data protection within the heart of the UK government.
It seems as though politicians and civil servants got a little bit tetchy back in 2004, just before the then Labour government introduced the Freedom of Information Act.
Coincidentally, or as a consequence – it’s not clear which – the email system running on Downing Street computers was changed so that emails would no longer be archived indefinitely. Instead, all emailed communication was set up to be automatically deleted after three months, unless specifically saved by one of the individuals involved in the electronic exchange.
The Financial Times says the Cabinet Office suggested other departments should also adopt the same policy, though not when emails related to policy development or ministerial advice.
An unnamed official said the timing of the system change was unplanned and based upon advice from the National Archives on “best records management”.
While it goes without saying that some emails should probably not be archived for evermore, on the grounds of security, the fairly blanket approach to purging nigh on everything proved to be “hugely frustrating,” according to one aide who spoke to the FT.
Sean Kemp, a former aide to Nick Clegg, claimed the system made people in government extremely nervous about saying anything of substance in emails, adding that:
“Some people delete their emails on an almost daily basis, others just try to avoid putting anything potentially interesting in an email in the first place.”
So, what are the consequences of such a system?
On the positive side, nothing of value to an outsider is likely to be sitting on an email server in the heart of government. At least, not for too long. We hope.
But on the flip side, as the Financial Times article suggests, the whole system was actually counter-productive, forcing people away from the convenience afforded by the email system and back into old-fashioned forms of communication, away from prying eyes, where no witnesses could log what was being discussed and few participants could ever fully recall what was said.
Even more curiously, the article also alludes to the fact that at least one permanent secretary was unaware of the system in the first place, assuming that disappearing emails were a feature of his BlackBerry phone… so I guess we can also conclude that security training (anyone care to teach Mr Cameron about encryption?) and awareness are an issue within government too, perhaps?
How does your organisation compare with the highest administrative body in the land?
Are you protecting your information adequately? Or are you maybe being a tad over-zealous in your security measures?
Just like the UK government, you have to assess what needs protecting and what doesn’t. It’s a question of risk and appetite.