The e-governance initiatives that Anderson et al deplored in their Database State report are not, as I've argued previously here in Panopticonic, malicious works of a totalitarian state - they are about deploying information in a timely and accurate manner, about citizens in need of healthcare or social care. The true risk to information security and privacy comes from individuals working to intrude illegitimately into these databases and caches of personal data. I term these individuals, rather abstractly, 'malicious agents.'
E-governance in the UK has been shown by the authors of Database State to be managed ineptly, particularly in terms of cost:
Nick Davies - creator of Flatearthnews - highlights the damage a particularly mercenary individual might do to privacy and sensitive data security - 'blagging' (essentially, brazenly stealing) items of sensitive personal information about notable members of the public from unwary public-sector organisations and their employees. This personal data can be sold to unscrupulous journalists for a profit. Even more maliciously, the information could be used to blackmail or extort - rather than simply expose or inform.
Andrew Pickering - writing a paper for the think-tank Knowledge Politics - notes that it is (in my words) the malicious agent or auteur that threatens the efficacy and security of e-governance initiatives, both politically and in an immediate manner:
We need to protect the people from government, but to some extent the government also needs protecting from the people. Greater public input at all levels carries with it the potential for demagoguery and grandstanding, to the detriment of normal civic participation. For example, various groups might try to hijack online public consultations for their own ends. This is catalysed by the Internet in particular, with its premium on anonymity tending to foster abuse, falsehoods and malicious activities.
Public-sector organisations, and the UK government, know exactly where they stand in relation to the law that regulates the minimum level of security needed to ensure public safety in accessing or engaging with public e-governance. The seventh data-protection principle - found in the UK's Data Protection Act 1998 (c.29) - states that:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
'Malicious agents' - that is, ostensibly 'bad' people - will always threaten to undo these 'appropriate technical and organisational measures' - so how to reconcile the need to e-governance with the risks that 'malicious agents' represent?
Mary Goulden, again writing for Knowledge Politics, advocates the use of a guiding principle in deploying e-governance - that of 'localism'. If e-governance is limited to a local level - that is, if there are no 'super-databases', only regional ones - individuals acting as malicious agents cannot undermines e-governance on such a huge scale, or pose quite such a massive risk to personal data security.
Great article, Jamie.
We will take your cautions to heart.