It’d be hard to claim that things haven’t moved on in the field of e-participation since we started out all those years ago. People now get what it’s about, realise it’s not just about ‘young people’, and are even getting over the fallacy that it’s only a small number of people using the web, or that doing so is exclusionary.
That said though, issues that get in the way of it moving forward even further emerge from time to time, and I think we may have found a new one in the last week.
It’s a classic ‘old practice meets new practice’ issue, and it centres around internet security.
Classically, any data held online, or in any digital form, must be held securely and in accordance with the Data Protection Act, which is pretty explicit on this area. I remember even in GCSE IT lessons back in the day, the safety and ownership of data held digitally was a major point of discussion.
All well and good, and the law speaks as much sense now as it did back then. That said, what about when this data security rubs up against the newer trend of online data freedom?
We’ve found two interesting examples of this in the last week that are worth considering.
First of all, we’re getting our e-consultation platform fully security tested at the moment. The company who are doing the testing have done a bang up job of going over the system so far, and we’re happy to say they haven’t found any notable issues.
They were looking at the system with a fresh pair of eyes though, with little context on what it does or what it’s for, and so have flagged up the fact that our consultation database allows users, whether public or administrators, to download an entire list of the consultations held in the system in a .csv file at any time, start dates, end dates, contact details, the lot.
Now, we’ve put this in because administrators often need it for monitoring purposes, and since anyone could request it under FOI requirements anyway, we made that functionality public. So we’re happy with it not being a security concern, but you can see how, from a security perspective, it may seem odd to open up system data like that and thus see doing so as a concern.
On another project we’re working on, our Dialogue App is getting security reviewed. As those who have seen the App will know, it generally works best when it doesn’t ask for much in the way of personal data from participants, generally just a username, password and possibly a demographic question or two work fine. As a result, most of the data it collects is publicly visible, as any user can see any other participants username and ideas they have submitted into the site, we only hide the password, email and any demographics answers. It’s a public dialogue after all.
The thing is, we’re running into concerns about making sure the data collected is held in absolute security. Now of course the data shouldn’t be able to be accessed through the backend database, or even worse edited through that either. Nor should people’s personal details such as email address or demographics be able to be accessed by anyone but a nominated data handler. That’s all fine.
But there is a tension here, that a lot of attention is being paid to making sure that data cannot be accessed through the web, when the vast majority of this data is publicly readable due to the very nature of the project itself.
In both cases, there seems to be a tension between the amount of security that is right and proper, and a degree of security paranoia that has crept beyond its original intended boundaries, into worries about keeping all data private at all times, regardless of what it is.
Security concerns are right and proper, public trust cannot be built without paying real attention to them. But I think we’re going to see them increasingly come into tension with openness about government data over the coming year or two. Perhaps we could all give it some thought, and nip this tension in the bud sooner rather than later?
