Governments forget at their peril that they must nowadays guard their citizens’ data as carefully as they guard their physical safety.
It’s hard to believe that a government could be threatened with collapse because of the way it dealt with driving licences. But that is what has been happening in Sweden in the last week, and the story shows just how vulnerable and delicate the integrity of personal identity is once everything about everyone is recorded in a database somewhere. The story started in the recesses of the bureaucratic state: the transport agency, a branch of the civil service which has to keep records of every car, boat and aeroplane in the country. Since some of these vehicles are military and some of the drivers are people whose identity the state protects with special zeal from criminals, either because they are witnesses or spies, there are rules that state this can only be seen and altered by Swedish citizens who have been cleared by the security services.
In 2015, the incoming director general, Maria Ågren, discovered that this work was to be outsourced to IBM. That was part of a wider pattern which has seen both the left and right of Swedish politics privatise large parts of the old welfare state this century. The law said this couldn’t happen unless IBM’s data handlers had all had security clearance. Her own department told her that couldn’t be done in time. So she decided to ignore the law. IBM, in turn, had the work done in Serbia and elsewhere in eastern Europe. Complaints about security from within the organisation – and, later, from the security police – were ignored. The defence minister and the interior minister knew in the spring of last year but could not find the time to tell the prime minister until January this year, when Ms Ågren was quietly sacked and, later, fined. The government hoped that any potential scandal would disappear along with her.
It almost worked. The affair was only brought to light by the determined digging of journalists at the Stockholm paper Dagens Nyheter. Once the story was out in the open, the Social Democratic prime minister, Stefan Löfven, who heads a weak minority coalition, sacked two of the ministers responsible, but stood by his defence minister, Peter Hultqvist. The opposition parties propose a vote of no confidence in him when parliament returns in September. This they can easily win with the help of the far-right Sweden Democrats, whom all the other parties normally shun.
This is a case that has implications far outside the vicious intricacies of Swedish domestic politics. Sweden is often, rightly, praised for its transparency. But opening data to everyone can be as harmful as suppressing it. The care of citizens’ private data is now one of the tasks that any modern state must perform. In the Swedish case, applications for a driving licence can require a doctor’s certificate, which, being electronic, implies access to medical records. It is not enough to point to rules and procedures. The rules were all present in the Swedish case. They were simply ignored, and with no consequences, for far too long. What’s needed are robust methods of enforcing privacy protections, and institutional cultures that take them seriously. The more of our lives we trust to the databases of authority, and the more these are interlinked, the more power we give away to people who might mean us harm. Privacy and security have to take precedence over administrative convenience wherever governments deal with personal information.