What Can the News of the World Teach Us About Privacy and Information Governance?

On 10 July 2011, the News of the World published its last edition. The paper had a 168-year history of exposing corruption in business and politics, and the personal scandals of celebrities.

It had been effective at finding and revealing many stories of wrongdoing and corruption with a genuine public interest; however, the events leading up to its closure began in 2005 when it published details of Prince William's health. This information could only have originated from intercepted mobile-phone messages, which led to a police investigation.

Two years later, a reporter working for the newspaper and a private investigator were sent to prison for phone hacking. It was reported that the pair were considered to have been acting alone, and the investigation ended.

It has since emerged that the phones of further prominent people had been hacked and there have been allegations that the lists of phone numbers included victims of crime, such as those of the 7 / 7 London bombings.

Former UK Prime Minister Gordon Brown has accused News International, owners of the News of the World, The Sun and The Sunday Times, of using known criminals to find stories. In 2006, The Sun published a story about the medical condition of Brown's son Fraser. Brown says that only his family and medical staff had access to this information.

What is privacy and why does it matter?

There is no universal agreement on what information is considered private; however, privacy is a balance of the rights of an individual against the good of society. For example, it shouldn't be possible for people to keep criminal activities secret using the right to privacy as an excuse.

The European Convention on Human Rights guarantees a right to privacy and this convention forms the basis for privacy legislation in the EU. This convention emerged from the aftermath of the Second World War and was intended to prevent oppressive actions by states, bugging and 'late-night knocks on the door' by secret police. In particular, Article 8 of this convention guarantees a right to privacy:

"Everyone has the right for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

During the 1990s, it was recognised that cross-border trade required free movement of information and this was vital to create a strong EU. This led to EU directives on privacy, which were intended to enable free interchange of personal information around Europe while protecting the privacy of individuals. There are two principal EU directives covering privacy:

• 95/46/EC on personal data processing
• 2002/58/EC on privacy of electronic communications.

While these directives provide a common approach, laws vary in detail from country to country.

What's the problem?

First, it is difficult to understand how obtaining the information described above can be explained as being in the public interest. Second, the fact reporters and investigators were able to get hold of some of the information raises the question of how well the information was being cared for, so the problem is one of information governance.

When an organisation in the UK obtains personal information about individuals, it should do this with the consent of the individual and for a clearly defined purpose.

If the information is held on a computer it should register the fact with the Information Commissioner. It should allow individuals to have copies of the information that it holds on them and it should correct errors. It should use appropriate techniques and technology to secure the information from misuse.

If an organisation obtains or holds information about individuals that he or she doesn't know about, there's a clear failure of information governance. Equally, if an organisation holds information about individuals and discloses this information to unauthorised people, then that is also a failure of information governance.

It may be argued that news media is a special case, and there is some merit in this argument. If the objective of an organisation is to penetrate criminal gangs and corrupt enterprises in order to reveal wrongdoing, it can hardly be expected to act like a retail marketing organisation.

The ease with which the media was able to obtain information raises the question of how well it was being managed by the individuals and organisations holding it. It's alleged that mobile phones did not have voicemail security codes set, and that reporters were able to 'blag' information by calling organisations holding information and pretending to have a legitimate right to the information.

Information governance

What's the solution? Balancing the rights of individual privacy against the need for a free press is not easy; however, organisations need to take care of the information they hold and ensure that they comply with laws and best practice.

The best approach for organisations is information governance, which sets the policies, procedures, practices and organisational structures that ensure that information is properly managed. Good governance ensures there's a consistent approach to risks and compliance across different lines of business and multiple laws and regulations. It can reduce costs by avoiding multiple ad hoc approaches to compliance and risk management.

Organisations with good information governance will know what information they hold and will have a process to train staff on how to keep this information secure and detect and resist attempts to blag information.

Most blagging is based on the exploitation of human rather than technology weaknesses. The strongest defence against blagging is to ensure that you have registered an agreed point of contact with the individual (for example, a phone number), then, if there is any suspicion, to insist that they will only provide the information via that point.

Privacy is a balance between individual rights and public interest. Organisations that collect information on individuals, even the news media, need to make sure that they comply with privacy legislation. Organisations that hold information on individuals need to take care that this information is handled properly and that staff are trained to detect and resist unauthorised attempts to get hold of this information, and that is good information governance.