[OPINION | Data Matters] Learning from DFA's passport data fiasco
Since everybody including their mothers weighed in on Foreign Secretary Teddyboy Locsin's rather colorful statement that the past passport contractor has "made off" with our passport data, I could not help but join the fray myself to help make sense of the issue.
I will focus on these points: (1) what we know; (2) what we don't know; (3) what could be problematic; and (4) what can be done in relation to the Department of Foreign Affairs (DFA) data fiasco.
First off, I am calling this a fiasco because it is not a leak – at least not yet. In the world of data and information management, a leak happens when somebody who has no access authority gains access to data.
This is what happened in the case of Comeleak, where a hacker gained access to the personal data of registered voters and decided to post it online for everybody to download. (READ: Experts fear identity theft, scams due to Comelec leak)
It does not seem to be the case here (yet) because the passport contractor was precisely that: an entity that was – for a particular period – contractually allowed to access and process data on behalf of the DFA.
In fact, Locsin himself said the data is "useless" to the contractor.
I am hoping that this means there is a clause at least in the contract between the DFA and that contractor which restricts the latter's use of that data purely to the purpose they were contracted for.
If that is the case, people who applied for passports during the period they were working with DFA are at least protected from having their personal data suddenly peddled in the black market, where the voter registration data also reportedly ended.
In any case we already have a data privacy law in place that precisely outlaws such an activity. (READ: PH privacy commission to probe passport data loss)
Further, if you are a self-respecting professionally-managed private IT organization that thinks strategically, you will not want a data leak on your record. Not if you want other contracts in the future.
So, I may be wrong, but I am guessing that the contractor here probably has at least some legal grounds for not giving DFA the data back.
The only reason why this became an issue, to begin with, is because people who applied for passports under the old systems will need to bring their birth certificates again to apply for passport renewal.
This means that while the contractor cannot legally use the data for other purposes, DFA unfortunately also could not use the data the contractor collected.
This could be because (a) there is no clause in the contract that obliges that entity to turn over the data; or (b) the data is sitting in a defunct server somewhere but nothing requires the contractor to make it available to the DFA in a format that allows importing to another system.
I highlight option b above because we really don't know much yet beyond Locsin's rather colorful but vague public conversations on Twitter with his underling Elmer Cato. (READ: Locsin blames 'Yellows' for passport data loss)
I am not a lawyer but I have examined quite a number of contracts involving use of data. And "made off with the data" is not a term you usually use in data contracts. It is also not something IT persons would generally use when describing the status of data sets.
I would be interested to hear what the DFA's IT department leads have to say about what actually happened and what the status of affairs are. It is entirely possible that they do have the data in some format in some defunct systems or servers but it is probably in a proprietary format.
In my quest for various public interest-imbued data sets from various government agencies, I have come across instances when this precisely happened.
Why does it happen? Lack of foresight for one. Some negotiator on government's behalf failed to consider exit scenarios. People forget all the time na walang forever (there is no forever). You may be happy with a service now but at some point you may want a better system, or a cheaper one.
If you fail to prepare for that eventuality, you're screwed.
It's like putting all your eggs (data and workflows) in Apple's proprietary systems and realizing later that this means you are stuck with outdated technology. (Or closed systems that Apple controls so that they can sell you more products.)
Which brings me to my final points. How do you prevent these things from happening again?
First off, if this has not happened yet, key agencies seriously need to come together to come up with standards. The Department of Information and Communications Technology (DICT) should be leading this effort. By the way, this is also why you need to make sure that the DICT secretary has expertise on the latest information technologies. (READ: DICT no more? Sotto hints Honasan may be appointed to another agency)
This is essential because it is not just the DFA that houses data about the public. There's Philhealth, SSS, GSIS, PSA. The list goes on. Heaven help us if our pension records get hostaged in a defunct, unusable system somewhere or stuck in litigation over contractual disputes.
Provisions for exit scenarios should be in the bid requirements for outsourced data services from the get go.
If it is not, maybe this is something legislators will need to consider legislating about – just so that the hearings in aid of legislation, that I am almost sure will happen because of the uproar over this fiasco, will come up with something useful.
Government lawyers will need to work closely with experts in the IT sector to craft standard clauses that are required of contracts for government information systems.
Finally, this major oversight is bound to happen in government entities. It is almost inevitable. Why? Because this is a question of competence. I would not go to the point of calling this a corruption case yet.
There are a lot of well-meaning and dedicated people in government. I consider myself fortunate to have met some of them. But dedicated or not, well-meaning or not, many IT people in government lack the skills necessary to implement and negotiate professional IT systems. And I do not mean to say this to disparage them.
Unfortunately, salary structures make it hard for government to retain talent. Ability to do due diligence and appreciate contracts, particularly IT contracts, is a skill. Ability to foresee and plan for exit scenarios is a skill.
Not all lawyers, for instance, would be competent in assessing or drafting contracts that involve data, IT systems, copyright, etc. Even for lawyers, this is also a specialized skill.
When you get to that point where you gain expertise in these specialized skills, demand for your services goes up in the private sector where such skills are valued.
The way things are, government cannot compete with the private sector in this area. So we are left with those who might be well-meaning but are just not familiar with and do not have the skills needed to do what is required.
We need to do something about this if we want to constructively address this issue and prevent future data fiascos from happening.
Threatening to autopsy persons responsible alive will not solve things. Only a thorough examination of problems would.
I am hoping that legislators who have seen fit to comment on this issue will at least consider these before they decide to bore us once again with long-drawn, pointless hearings in aid of legislation. I also hope this guides newcomer executives in government who may not be familiar with IT but – beyond making bombastic statements – sincerely want to fix things. – Rappler.com