22/08/2019
Manasseh’s Contracts for Sale Documentary - The Information Security and Data Protection Perspective
[The principles of need-to-know and data minimization]
Every investigative exposé presents some lessons. Even the abysmal performance of the Ghana Black Stars presents us with lessons. Whereas the lessons learnt tend to be taken at the individual level, in my professional opinion organizations are not picking them up. An individual may be the one affected, but the entire organization that the individual represents suffers the consequences.
It is therefore necessary that organizations bring the lessons from these recurring scandals to the attention of their staff, in order to prevent or minimize the impact of wrong actions that could bring the name of the organization into disrepute.
If I mention companies like Facebook, Cambridge Analytica, GFA, PDS, ECG, etc., what comes to mind? Or individuals like Osama bin Laden, Kwasi Nyantakyi, Alfred Agbesi Woyome, and now Adjenim Boateng Adjei? Each company or individual named brings something spectacular to mind.
I have watched Manasseh Awuni Azure’s investigative piece, Contracts for Sale. From the video I picked up a few lessons, which I have attempted to relate to the field of information security and data privacy. Organizations need to educate and train their staff to handle the data or information in their possession, and the information they are privileged to access or are privy to by virtue of their position, association or tasks.
If Thomas Amoah had been aware of some basic information security and data privacy issues, I think Manasseh’s exposé could have been a very different story altogether.
Now let me share with you a few issues from the video that relate to information security and data protection, from which organizations can take some lessons. Personally, the lessons could be very useful to you as well.
Let me introduce you to two basic principles: the principle of need-to-know and the principle of data minimization.
The principle of need-to-know restricts access to data or information that is considered sensitive. Under need-to-know restrictions, even if one holds all the necessary approvals (clearances) to access certain data or information, one is not given access to it unless one has a specific need to know; that is, access to the data or information must be necessary for the performance of one's official duties, and for nothing else.
The principle of data minimisation. According to this principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Essentially, it means that data must not be processed unless processing them is needed in order to achieve the intended purposes [GDPR Art. 5(1)(c)].
Although these principles originate in information security and the protection of personal data, their application is just as useful in the collection, storage, processing and dissemination of an organization’s own information to people, and most especially to strangers and guests on company premises or in places where one represents the company.
In the Contracts for Sale exposé, Thomas Amoah gave too much information on other contracts. In information security and data protection terms, the principles of need-to-know and data minimisation were not adhered to, or not put to use, if I may say.
Companies or entities must limit the collection, storage, processing and use of data to what is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed. People should give only the little information that is needed for the specified transaction or business. Richard Kamagra [representing K-DRAH ENTERPRISE] sought to purchase a particular contract; and yet Thomas Amoah ended up giving details of other contracts yet to be awarded to the TDL Group. The exact contract sums involved were accurately divulged. Too much information was given that was not related to the very contract Richard Kamagra was after. Well, arguing from a marketing or salesman’s perspective, Thomas Amoah could be said to be doing the right thing. But in the area of information security and data privacy, this is absolutely a breach of the principles of need-to-know and data minimization.
A serious breach of these two principles could lead to unauthorized access, wrongful possession, and breach of privacy, just to name a few. These in turn could lead to very hefty fines from the authorities and the complete shutdown of a legitimate business venture.
What would the story have been if every conversation between Thomas Amoah and Richard Kamagra had been centred on and limited to the very contract Richard Kamagra came to negotiate for?
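As an added illustration of the two principles working together (this is example code written for this article, not anything from the documentary or the organizations named in it; the contract register, the requester, the purpose-to-field mapping and all figures are constructed for the example), here is a small Python gate. It refuses to answer about any contract for which the requester has no documented need-to-know, even when the requester holds general approval, and it trims the answer to the fields the stated purpose actually requires. The `over_disclosure` helper audits what was said in a conversation against what the gate would have released, which is the kind of check an organization could run after the fact.

```python
"""Need-to-know plus data-minimisation gate over a constructed contract register.

Added example, not code from the article. Records, figures, purposes and the
requester are invented for illustration.
"""
from dataclasses import dataclass, field

# Constructed sample register: titles and sums are made up.
CONTRACTS = {
    "C-101": {"title": "Supply of office stationery", "sum_ghc": 120_000,
              "status": "awarded", "awardee": "Vendor A"},
    "C-102": {"title": "Road rehabilitation, lot 2", "sum_ghc": 4_750_000,
              "status": "pending"},
    "C-103": {"title": "IT equipment refresh", "sum_ghc": 980_000,
              "status": "pending"},
}

# Data minimisation: the fields each (hypothetical) purpose legitimately needs.
# A bidder enquiring about an open tender does not need the estimated contract
# sum; publishing an award notice does need the awardee and the sum.
PURPOSE_FIELDS = {
    "bid_enquiry": {"title", "status"},
    "award_notice": {"title", "awardee", "sum_ghc"},
}


@dataclass
class Requester:
    name: str
    approved: bool                                   # holds general approval/clearance
    need_to_know: set = field(default_factory=set)   # contract IDs with a documented need


class AccessDenied(Exception):
    pass


def disclose(requester, contract_id, purpose):
    """Return only what this requester may see about one contract for this purpose."""
    if not requester.approved:
        raise AccessDenied(f"{requester.name}: no approval to view contract records")
    # Need-to-know: approval alone is not enough; the specific contract must be
    # one the requester has a documented reason to see.
    if contract_id not in requester.need_to_know:
        raise AccessDenied(f"{requester.name}: no need-to-know for {contract_id}")
    if purpose not in PURPOSE_FIELDS:
        raise AccessDenied(f"unrecognised purpose {purpose!r}")
    if contract_id not in CONTRACTS:
        raise KeyError(contract_id)
    allowed = PURPOSE_FIELDS[purpose]
    # Data minimisation: project the record down to the purpose's field set.
    return {k: v for k, v in CONTRACTS[contract_id].items() if k in allowed}


def is_permitted(requester, contract_id, purpose):
    """True if the gate would release anything at all for this request."""
    try:
        disclose(requester, contract_id, purpose)
        return True
    except (AccessDenied, KeyError):
        return False


def over_disclosure(requester, purpose, actually_given):
    """Audit helper: which fields handed over in a conversation exceed the permitted set?

    `actually_given` maps contract_id -> list of fields that were actually
    disclosed. Contracts the requester had no need-to-know for count in full.
    """
    excess = {}
    for cid, fields in actually_given.items():
        permitted = set(disclose(requester, cid, purpose)) if is_permitted(requester, cid, purpose) else set()
        extra = set(fields) - permitted
        if extra:
            excess[cid] = sorted(extra)
    return excess


if __name__ == "__main__":
    # Constructed scenario: a visiting bidder came to ask about C-102 only.
    bidder = Requester("visiting bidder", approved=True, need_to_know={"C-102"})
    print(disclose(bidder, "C-102", "bid_enquiry"))
    print(is_permitted(bidder, "C-103", "bid_enquiry"))
    # What was actually said in the conversation, versus what the gate allows.
    said = {"C-102": ["title", "status", "sum_ghc"], "C-103": ["title", "sum_ghc"]}
    print(over_disclosure(bidder, "bid_enquiry", said))
```

The two checks are deliberately separate: `approved` answers "may this person see contract records at all?", while `need_to_know` answers "this record, for this reason?", and only then does the purpose decide which fields leave the building. Run against the constructed conversation above, the audit flags the contract sum on the requested contract and everything said about the unrequested one.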
My visits to companies, churches, schools and other entities, seen with a professional eye, reveal serious lapses that clearly put these organizations in a very dangerous position with regard to these two basic principles of information security and data privacy. Part of the problem is the "I don't care" attitude of most senior managers. They seem not to acknowledge the importance of educating their staff in the areas of information security and data protection. They constantly fail to see any good reason why they should spend some budget on training their staff in these areas. Well, I believe by now, if Adjenim Boateng Adjei had known that training Thomas Amoah could have averted this professional tragedy, paying me GHC 50,000.00 to educate and train Thomas Amoah for just two hours would not have been an issue at all.
My point here is that a lot of organizations, in the name of limited resources and budgetary constraints, fail to give their employees the right training, and they end up paying dearly for it when it is already too late. Managers are always worried about the cost of doing or implementing. They have always failed to look at the cost and implications of not doing or not implementing.
Emmanuel K. Gadasu
[Information Security and Data Protection Expert]
[email protected]
DISCLAIMER: This write-up represents my personal professional opinion and does not relate to any organization or group that I am affiliated with. I take personal responsibility, including for any errors, for this piece of writing.