I hope the IPCC saga would come to an end after the Privacy Commissioner issued his investigation report. However, the report is quite disappointing. It may be said that the Commissioner focused his attention to data privacy issue instead of IT security issue. But in this particular case, IT security issue was at stake. The report did not show that sufficient effort was spent during the investigation in this respect.
The event that was technologically related was the security of the server holding the data. The report took for granted the explanation of the webmaster of the internet service provider that the data was uploaded to a folder which was accessible to the public. I think even friends using the free web services such as Yahoo would know the distinction between such private/public folders. Anything uploaded to a Yahoo account is protected by user name and password, and remains private unless the user specifies it otherwise. Materials uploaded to a personal website are normally open for public access. The IT professional staff engaged in the case must know this simple administration rule. He should be using such service on a regular basis and know the way to keep the data private. Even test data containing the database structure must be kept confidential. Otherwise, it would be a grave professional negligence. On the other hand, there could be a system flaw on the server leading to private folders being exposed. This line of investigation was not pursued.
Other issues are common sense which are not IT related. First, whether the IT staff is employed by the contractor or is sub-contracted was not an issue. The IT staff represents the contractor in this case, no matter what is their relationship. The contractor has precarious responsibility on the outcome. Second, whether there was a specific clause on data security is also not an issue. Under contract, the contractor would be responsible for any damages arising from his negligence. Third, the fact that confidential data was released by the IPCC staff to the contractor was not the result of lack of IT training. It is common sense that one would not let unauthorized persons see a confidential pink file. On the other hand, contractor of an IT system could be considered being authorized to access data of the system.
Given the high profile of the case, it is no wonder that the Privacy Commissioner considered that there was a breach to the Data Protection Principles. However, the case has a surprising ending that it was the Privacy Commissioner Roderick Woo and IPCC Chairman Ronny Wong who put up a final show of crossing swords. I call it a shame seeing the Commissioner and the Chairman defending themselves and denying responsibility in front of the television camera. The press called it the clash of the legal profession, given their previous disagreement on other issues.
It calls up another general issue: what are the role and responsibilities of the un-official members of government boards and committees? As Ronny Wong boldly said, un-official members are doing volunteer work; they should not be held responsible for administrative matters which are handled by civil servants. However, isn’t the work of IPCC done by civil servants in the first instance. The secretariat of all boards, committees, councils are part and parcel of the institutions, or I may say so, the body of the institutions. The un-official members can call themselves the soul or otherwise. But it definitely has a responsibility, be it precarious responsibility. Afterall, being an un-official member has all its benefits, first in fame, and then in fortune (in kind may be). At least the title looks good in name cards and CVs.