These should be separated. For example, for many services, all I need is to prove I am a UK citizen, not that I am Ben Laurie.

Or they could change "and" to "or", though that would make the point less clearly.


Missing a requirement for minimality of information collected.


Sweet, so this introduces a requirement for a national database of biometrics.


Footnote 49 is wishful thinking in most cases.


In other words: this makes global surveillance difficult.

Poor babies.


However, these also give correlation across all services unless very carefully done (and no, that doesn't mean stronger privacy rules, it means better crypto).


This whole section totally ignores the possibility of clients proving facts about themselves instead of who they are, such as "I am a UK citizen", "I am a resident of Ealing", "I am over 18".


Once more ignoring enrolment on the basis of facts other than identity.


Well, as I look at this I'll be looking at whether sufficient consideration is given to the dignity and needs of people e-government is meant to serve.


Sorry commenters - that's a footnote that got left in. Please ignore this and any further such minor irritations.


OK, so it's a bit like the Highway Code.


I enjoy the understatement. But didn't the DTI Trustguide work teach us that people's PCs are unsafe, the Internet is unsafe, people quickly grasp both these facts and yet they use online services because they're convenient and feel confident about restitution? That's a bit different from suggesting that if they follow the right guidance their machines and networks will be safe.


Why not just make life easy for us and tell us when that was? What happened to that "l" I wonder... odd characters seem to be missing.


Well, it says it does. At the same time it squashes and kills off independent initiatives with inertia, and skews emerging markets with ill-directed patronage. But that's a different story.


Oh OK. So we haven't got version 6 yet. That explains not giving a date earlier. This business about the double Ls becoming single Ls is weird, but I'm trying not to let it bother me.


That seems sensible.

But we'll have lost those hyperlinks in the commentonthis version.


...and also, that they don't ask any more information of a person than is strictly necessary for the enquiry in hand. For example, if you're road pricing, taking an anonymous payment is sufficient. You don't have to know the reg #, ID number and DNA profile of the driver etc. etc.


So I think "where necessary and only where necessary" would cover it.


This begs a lot of questions and needs to be spelt out. What Liberty, Richard Thomas or Lord Philips would regard as appropriate protection of confidentiality is very different from what most government officials, most members of the government, the police and security services would regard as appropriate. We can't fudge this. We must define what an appropriate level of protection really is.


If "client" means people here (and not just people's PCs) it's a big step forward that we now recognise the need to change that. Can I respectfully point out that if CSIA had a more embedded culture of openness and readiness to listen and engage with critical friends you would have realised this a great deal earlier, saving a lot of grief and work, and indeed money (e.g. if similar failures turn out to have undermined public trust in the children's index, NHS records and plans for ID management).


...where the risks aren't so much technical and managerial/procedural but social, chaotic and much less predictable. And you need quite different skills to stay on top of the risks.


Was this done properly for the children's index I wonder? Or for ID Management ("The System")?


Well yes, but government certainly doesn't take responsibility for people's home PC security and shouldn't give the impression it does. Just as we have no legal "right" to walk down the street without being beaten up, it's very misleading if government pretends we do and then acts accordingly. There's no liability or comeback in either case. Government just does what it can to help.


As a general observation, it's always a mistake to write these "best practice" policy documents in the passive. If you say "something must be done" it overlooks the important matter of who is responsible for doing it, and what the consequences for them are if they don't do it.


Fair enough. That seems pretty specific. Just: do we know who the SIRO is for current major projects? Is that available online?


Do we know who all these people are? And are their deliberations made public?


OK - clear enough.


I don't quite get this. They may accept a higher level, yes. But they may assign a higher sensitivity to it than government does. Some people are touchy about their birth date. What are out-of-band methods?


I wonder how far this will extend, e.g. a relative without power of attorney sorting things out for a loved one. Or a PA... The sensible starting point would be to explore how people behave now in helping each other out to do transactions with government.


Well, hang on. Surely the corrupt or incompetent insider is the biggest single risk group. This is considered elsewhere? Where? This is one of the biggest potential obstacles to public trust in e-enabled public services. I really don't think terrorists or foreign powers are going to screw around with my administrative data. But I need reassurance that public servants can't, and that if they manage to they'll be disciplined.


"the NISCC web-site,"

This was merged into the new Centre for the Protection of the National Infrastructure on 1st February 2007.



So what happened to all the Barring Lists as outlined in the Safeguarding Vulnerable Groups Act 2006?



What about the Terrorism Act 2006 section 3 internet website takedown notices?

Encouragement etc. of terrorism: section 1 Encouragement of terrorism; section 2 Dissemination of terrorist publications; section 3 Application of ss. 1 and 2 to internet activity etc.; section 4 Giving of notices under s. 3.


What about the Control of Substances Hazardous to Health (COSHH) health and safety information under the Terrorism Act 2006 section 6 Training for terrorism?



What about the Children Act 2005 section 12 Information databases?


That should be Children Act 2004.


Try again:

What about the Children Act 2004 section 12 Information databases and subsequent Regulations via Secondary Legislation?



How can this document not mention the Identity Cards Act 2006?



What about the Human Tissue Act 2004, which deals with exceedingly personal data from consensual and non-consensual DNA analysis?



these comments have also been posted to the Kable board.

I honestly don't know how worthwhile this is. it often feels - to be frank - that comment in spaces like this is a complete waste of time. please feel free to convince me otherwise, but we try yet again ....

here goes ... why are no 'web people' being asked for their feedback?

I suppose this is an advance on yet another letter just to the chief exec that disappears into the ether but really 'IT and IT security Managers, senior managers with responsibility for IT and information assurance, departmental security officers, IT security vendors and service providers'? what da heck's wrong with web managers!

this seems to be a consistent theme with feedback requests from whitehall, forget to ask the web people.

and really, the utter frustration is that I think we have a very, very and yeah I say very real 'transformational' contribution to make as:

a/ we are very much in touch with the actual user experience of 'information assurance'
b/ we certainly can comment on the role that 'trust' plays in our collective web position and consequently the impact of our web-based initiatives! (as well as how we can ***k up that 'trust'!)

especially when a stated aim for this doc is 'promoting public confidence in e-Government services'.

the web provides unique opportunities to back up our positions and reinforce public trust perceptions. are you going to learn more about that through just talking to IT managers?

think, for example, about how reputation management is handled on the web by large companies. this is the big picture which affects how trust in service provision impacts. how does this doc address that?

another thing ignored in the doc is the web reality that we face of our information being 'repurposed' by others, sometimes commercially. this is beginning here and one glance at the american experience shows our future.

the entire edifice is predicated on our control of information provision and the control by us of the presentation of the security of that information (the 'sell'), which is far from assurable - even with things you'd assume to have no commercial value and within the wider context of web content being 'scraped', already. (Do the commissioners have any notion of what 'scraped' means?).

why, with a review of this scale, is this 2007 basic web reality, which anyone with any web nous could tell you about, completely ignored? frankly, my (young) junior staff get this better than whitehall appears to do? never mind some vision about predictable web developments?! I just don't believe that I'm personally way ahead of the game here vis a vis whitehall. so I'd love to know (really) why this practical reality is (actually) consistently ignored?!

and I'll say why. it affects me. when I have to convince management about web realities, the whitehall 'take' has real meaning. whitehall's attitude filters down to my day-to-day frontline web reality. and I know it's not just me whose reality I'm describing.

I have just been through an exercise with news about our authority going around the world and ending up on lots of blogs and consequently google etc. results. explaining this 2007 reality was nothing but a shock to lgov people but probably wouldn't surprise most commercial CEOs. google certain terms about us and you hear things we'd rather you didn't. this panics lgov people IME and what does whitehall say about what we could do? zip.

this negative stuff stays there permanently online without active intervention and affects our reputation and hence users attitudes to our information and the assurance of our services. how do we deal with this sort of attack on our 'information assurance'? no answer. no planning.

to be precise and defined - how do we deal with, for example, the online, active anti-parking enforcement lobby which spreads lies about our service provision? this doc doesn't give any answers. it just blathers on about the 'success' of initiatives. this is not useful!

all this stuff we're doing/planning under the transformational agenda ends up interfacing with the public through the web. so 'web people' therefore are important/vital to get involved. doh! and double doh!

who do I mean by 'web people'? straightforwardly, those of us who have the depth and breadth of experience and are *not distorted by commercial perspectives. there are lots of us in lgov.

you are never going to get a useful strategy out of just consulting someone like siemens or nomensa who - for example - will never promote discount testing as it ain't commercially advantageous for them and in my experience have no interest in suggesting simple, cheap solutions which *anybody can do without involving them.

'reputation management', for example, can't apparently be done without employing an agency. not true! whitehall could give us guidance and leads. where is it? despite the desperate need for us to do things like discount testing and participate in the blogosphere, would big commercial suppliers ever say this? why would they?

that whitehall consults companies and not us? how do you think this makes us feel about whitehall's attitude to us?

so what's going on? why aren't we in these consultation job title arrays? are we scary? are we the 'awkward squad'? what is going on here?

us at the frontline who have a serious contribution to make would appreciate knowing why we're being consistently ignored. because, believe me, this is the impression that this one - amongst countless other whitehall consultations - is creating.

I, for one, get the strong impression that whitehall sees us 'web people' as raising uncomfortable truths which they'd rather shuffle bureaucratically into the ether. maybe this isn't the intention but this is the impression. and, of course, my point is that none of this ultimately helps the public: our customers. convince me otherwise.

please excuse the apparent rant but that people with far more resources to hand than me get this consistently cock-eyed is b****y frustrating.


No, it's not a bit like the Highway Code; it's more like making the Construction and Use Regulations for motor vehicles optional. If, because the IA framework isn't followed in the design and operation of a service that I use, there is as a result a failure of the service, of confidentiality, etc., it's no use to me that there might later be an inquiry. Adherence to this framework must be made mandatory, and therefore the changes in business processes, contracts, etc., must be funded - "administrative process re-engineering" (a term that I first heard from Prof Ohyama of Japan's METI).


