Nostalgia washed over me the other evening. A speaker at the DataIQ Financial Services reception was running through the history of data management technologies. On screen he showed a data centre from the 1970s - you know the sort of thing, all big boxes with blinking lights and a man in a white coat carrying a huge magnetic tape reel.
It was a scene my father knew well during his 30-year career working for NCR. In the early 70s, companies were just starting to adopt data management to help support their businesses and turned to a handful of mainframe vendors to supply the technology. Slow and cumbersome as the processes may seem now, they were cutting edge at the time.
As a boy, my interests four decades ago were simpler, like railway modelling. I was busy making trackside buildings and my father used to bring home fistfuls of the multi-coloured punchcards which drove much of the data processing at NCR’s headquarters in London. They were useful - and free - raw material for my hobby.
Each of those cards represented a piece of data - probably just one name, account number or product per card, of course. To process a full set of accounts would have involved stacks of the things. Once done with, they were just waste material, so my father helped himself in order to help me out.
So, unwittingly, he was a data thief. Those were simpler times, in many respects, and nobody considered what he was doing to have any data security implications. After all, to extract the data which those cards held you would have to have access to one of those data centres. That was highly unlikely for anybody with a criminal intention towards the data, so the risk was minimal. Security around the centres themselves was high to protect those expensive mainframes.
Nowadays, the technology has become so commoditised that hackers and criminals can compete on nearly equal terms with all but the biggest and most sophisticated data operations. It is data which has increased in value and is now carefully protected, rather than the machines used to process it.
So does that mean the sort of casual treatment of data my father engaged in is no longer possible? Far from it. Paper records still exist across much of the information management lifecycle and their protection and secure disposal are still often the gaps in even the best data governance processes.
Consider the case of Scottish Borders Council. It used a third-party to dispose of paper records of its employees, but the contractor appears to have stuffed them into a recycling bin in a supermarket car park, rather than using any kind of secure shredding or burning. That led to a £250,000 fine from the ICO (subsequently overturned on appeal, which is a matter for another time).
If your business uses paper to capture personal information, such as customer satisfaction surveys, competition entries or enquiry/order forms, it means you have a physical data security requirement. You may be relying on a business partner to do the data capture and record disposal on your behalf, but if you are the data controller, the responsibility rests with you. And these days, you can’t assume that the man taking home a bagful of customer records is just using them as scrap for his kids to play with.