Thursday 23 July 2009

The Human Factor

There are some pretty thankless jobs out there, several of which we at Data Grub have experienced directly. And, while it can't match the indignity of chicken sexing or the sheer slog of meter reading, working in a bank comes pretty high up the list of crap jobs.

(Obviously, we're talking about working behind the counter of a high street retail bank. The "master of the universe" type banking jobs - with their private jets, champagne, corporate boxes and complete lack of conscience - sound quite a laugh.)

What's so bad about working in a bank? Well, aside from the constant pressure to sell massive amounts of debt to the sort of people who shouldn't be trusted with real cutlery, there's also the Data Protection Act to deal with. Bank workers have to watch an achingly bad training video - which looked dated when it was made in 1998 - about the Act, and how to stay on the right side of the law with regard to customers' data.

No doubt this is a video that'll get dusted down and rewatched by the staff of HSBC, after the bank was fined a mammoth £3 million by the FSA yesterday for taking a laughably cavalier attitude towards customers' personal data.

Another depressingly familiar story of data loss, sure, but it did remind us of that lame old video, in which a harassed data protection officer pours out his worries about the new Act to a psychiatrist. At one point, the shrink tries to calm him down by saying: "It's really just a matter of common sense."

Quite. Unfortunately, the global supply of common sense has been waning since around 1860, and it's currently rarer than platinum.

But ultimately, it's humans who have the biggest bearing on whether a company successfully fulfills its data protection requirement. With all the talk of encryption, virtual private networks, network and site security, it's easy to forget that technology is only as useful as the human operating it - or forgetting to. Organisations spend time and money communicating their privacy policies; here at Data Grub we'd like to see organisations showing exactly what steps they are taking to ensure that their employees are following best practice at all times. People as a rule are pretty stupid, but when there's a corporate culture of sound data protection processes this cuts regrettable incidents to a minimum. And, with data loss stories in the media almost every week, there's also a business case for having a public and comprehensive data protection policy, in the same way as firms boast about their CSR credentials.

Wednesday 1 July 2009

Anything to declare?

Ah, America! The world's brightest beacon of democracy and freedom; the New World of limitless opportunity, where hard work and fair play are rewarded with the fabulous bounties of the American Dream.

And who can forget that America was built upon the exertions and human capital of the millions of immigrants - themselves often refugees from war, slavery and famine?

Modern day arrivals in the USA have a slightly different experience from these pioneering immigrants. Gone are the humiliating medical inspections, where those suspected of illness and physical defects were marked with chalk symbols. Instead, visitors are subjected to a terrifying ordeal of interrogation by customs officials, including such charmingly naive questions as "Is it your intention to overthrow the government of the United States?" (WS Gilbert famously answered: "Sole purpose of visit".)

But now it's not just fearsome feds with sunglasses and earpieces that travellers have to worry about: they could risk having their personal data compromised, including fingerprints, employment history and credit information.

It all stems from a company called Clear, which used to speed its customers through customs for an annual payment of $200. To do this, they asked their customers for the personal data that customs officials need to know about travellers. A quarter of a million customers signed up to Clear's service and, for a while, enjoyed VIP treatment at US airports, being rushed through customs and immigration while the plebs queued and sweated.

Unfortunately, Clear shut down its operations last week, and the fate of customers' personal data hangs in the balance. What's interesting is that the company says that it will continue to hold onto this sensitive information, which could still be used by another Registered Traveller programme. In other words, the data is a business asset that could be parcelled up and sold on to another firm - as long as that company is in the same line of business.

This is proof - if proof be needed - that personal data is nothing more than another commodity to be bought and sold. It's worth noting that Clear's privacy policy states that "We do not sell or give lists or compilations of the personal information of our members or applicants to any business or non-profit organization." Unless, that is, we go bust.

We've noted before that companies often rely on burying objectionable practices deep within their Terms and Conditions, but if bankruptcy means companies can ignore their own privacy policies, that's a huge blow to data protection. Even if Clear's successor abides by the most stringent data protection policies, the transfer of such large amounts of sensitive information from one organisation to another is a fraudster's paradise, with plenty of opportunity for data to go missing.