Friday 23 December 2011

How does Santa comply with Data Protection Laws?

As a father, I'm naturally keen to protect the Personally Identifiable Information (PII) of my children. Not long after the birth of my son was the infamous incident when Her Majesty's Revenue and Customs (HMRC) lost the PII of every family in the UK with a child under the age of 16... Not a great start.

Another organisation with data on my children is the large North Pole-based company run by Santa Claus. Given that he has lists of who has been naughty and nice, and on the assumption that this is a binary definition where everyone falls onto one list or the other, with no scope to fall into a neutral category in between, these lists must contain the personal data of all children in the world. A further assumption is that the data obviously includes names and addresses of the kids in order to label and subsequently deliver their presents. Data gathered on children in order to put them on one list or the other must include habits and activities throughout the preceding year as well as personal gift preferences in case they ultimately end up on the "nice" list by Christmas Eve.

Data held by Santa on children from the UK is subject to legislation including the UK Data Protection Act 1998. Given that International Law dictates that the North Pole does not fall into the jurisdiction of any one country, Santa is required to demonstrate that appropriate controls are in place to protect this information as it is exported out of the EU. The lack of any national jurisdiction over Santa's organisation also means that he is not subject to any specific local legislation and the onus is therefore entirely on him to put the appropriate controls in place to protect the data.

Data aggregation and data destruction are issues here. Given the PII of every child is held by Santa, the exposure of one or both lists in their entirety would be a significant breach, as demonstrated in the video "Santa gets hacked!". Does Santa keep multiple lists, perhaps segregated by country or ideally smaller geographical areas, to reduce the risk of exposing all data in one go? On the data destruction side, one must presume that once a belief in Santa has gone then a presence on either list is no longer required. The Data Protection Act requires that PII is only held for as long as it is needed, although the aforementioned video suggests that adults and children alike might be affected by a data breach of this kind. I would like assurances that my own data is not only no longer on Santa's systems, but that any logical and physical storage media is appropriately disposed of when no longer needed.

Given my understanding that the storage and processing of this data is all performed at the North Pole and not outsourced or off-shored to another organisation or country, the storage and processing of the data is less of a concern than its transmission and transport, particularly around Christmas.

Firstly, the delivery mechanisms for the letters to Santa are somewhat varied. Although the postal service is an acceptable mechanism for delivering this information, the destination address seems quite hazy and the risk of loss mid-delivery is therefore quite high. For those who choose to post their lists by placing them up their chimney stack and using special Santa-magic for transmission, I have concerns over the unknown elements of that delivery mechanism and what controls are in place to protect the data en route. Given that these lists are subsequently found still up the chimney 100 years later, more current data could be exposed in the same way.

Secondly, on Christmas Eve Santa sets off with his sleigh and the delivery list. Does this list contain only the information required to deliver the correct presents to the appropriate households, or is he taking all the PII around with him? As he enters each house, does he take the list with him or leave it in the sleigh? If the latter, he's leaving himself open to data theft while he's casually downing the latest mince pie and glass of sherry. He may think that the list is safe on the roof, but people got up there to set up the inflatable Santa and light-up sleigh, so there must be access of some sort.

Finally, is it fair to assume that Santa is moving with the times and now takes the list with him on a smartphone or tablet? The risk of losing a device like this is surely greater than the risk of losing paper records of millions of children. Does he link up to the North Pole to get last-minute list updates about those children who won't go to bed on Christmas Eve, moving them from the "nice" list to the "naughty" list during his travels... and is he doing it over your wifi?!? What policies around the use of mobile devices are in place, and how are communications between the sleigh and Santa HQ protected? Encrypting the data, and doing so from every country he delivers to, might create further problems around cryptographic export controls, and he may instead have opted for the easier life of sending it in the clear!

Anyway, that's enough from me for this year... I need to get my Freedom of Information request over to the North Pole before tomorrow night. Have a Merry Christmas and a Happy New Year.

Image: luigi diamanti / FreeDigitalPhotos.net

Thursday 15 December 2011

Stable systems leave us unprepared for incidents

Many years ago I worked on the shop floor of a national retailer. When the tills failed for one reason or another, there was a manual process that had to be quickly rolled out. Out came the pocket calculators, hand-written receipts and manual credit-card imprinters. At the time, this was not an uncommon occurrence and all the staff consequently knew what they had to do. The process took a bit longer but we were quite slick at keeping the traffic moving through the shop, even the time it happened on the Saturday before Christmas.

Nearly 20 years on and I'm not sure that this would necessarily still be the case. As the IT supporting these services becomes more stable, outages happen less often and there is less working knowledge of what needs to be done when a failure occurs. Only through training and practice can businesses be sure that their staff know what to do in the event of an incident. Without this, organisations risk losing business by not being able to sell their goods and services at the time when people want to buy them. Customers' expectations of being able to buy what they want, when they want it, and of being processed as fast as possible are certainly far greater now than they were in the early nineties, and there are more alternative options now for them to make their purchase.

It was an article in The Register which made me consider this as a topic to cover. Although not a recent finding, the article comments on the outcome of the investigation into the crash of Air France flight 447 in 2009, which concluded that after a failure of the autopilot, the pilots did not have sufficient skills and experience to fly the plane manually. This issue resulted in the flight plunging into the Atlantic Ocean with the tragic loss of all 228 people on board. The report highlights that pilots become so dependent on the autopilot, using it for many of the tasks in a flight, that when it is suddenly and unexpectedly unavailable to them, their skills at piloting a plane the "old fashioned" way may be somewhat rusty.

This highlights the importance of incident training and business continuity exercising. A business continuity event or crisis is something that no business wants to think will happen to it, but as I've mentioned in previous posts, there are many external and uncontrollable factors that can introduce this scenario. Don't just test IT failover or run the generators... Test and exercise the people who will be expected to take the reins, assume "manual control" and make difficult decisions in a short time-frame that may ultimately save costs, reputation and in many cases... lives.

Image: bk images / FreeDigitalPhotos.net