icm2re logo. icm2:re (I Changed My Mind Reviewing Everything) is an 

ongoing web column edited and published by Brunella Longo

This column deals with some aspects of change management processes experienced almost in any industry impacted by the digital revolution: how to select, create, gather, manage, interpret, share data and information either because of internal and usually incremental scope - such learning, educational and re-engineering processes - or because of external forces, like mergers and acquisitions, restructuring goals, new regulations or disruptive technologies.

The title - I Changed My Mind Reviewing Everything - is a tribute to authors and scientists from different disciplinary fields that have illuminated my understanding of intentional change and decision making processes during the last thirty years, explaining how we think - or how we think about the way we think. The logo is a bit of a divertissement, from the latin divertere that means turn in separate ways.

Chronological Index | Subject Index

Save the Safest. Sonia’s discoveries on data falsification

A process engineering case study

How to cite this article?
Longo, Brunella (2017). Save the Safest. Sonia’s discoveries on data falsification. A process engineering case study. icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Print)], 6.1 (January).

How to cite this article?
Longo, Brunella (2017). Save the Safest. Sonia’s discoveries on data falsification. A process engineering case study. icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Print)], 6.1 (January).
Full-text accessible at http://www.brunellalongo.co.uk/

The world we live in today is much more a man-made, or artificial, world than it is a natural world. Almost every element in our environment shows evidence of human artifice. The temperature in which we spend most of our hours is kept artificially at 20 degrees Celsius; the humidity is added to or taken from the air we breathe; and the impurities we inhale are largely produced (and filtered) by man. Moreover for most of us - the white-collared ones - the significant part of the environment consists mostly of strings of artifacts called “symbols” that we receive through eyes and ears in the form of written and spoken language and that we pour out into the environment - as I am now doing - by mounth or hand. The laws that govern these strings of symbols, the laws that govern the occasions on which we emit and receive them, the determinants of their content are all consequences of our collective artifice.
[...] Those things we call artifacts are not apart from nature. They have no dispensation to ignore or violate natural law. At the same time they are adapted to human goals and purposes. They are what they are in order to satisfy our desire to fly or to eat well. As our aims change, so too do our artifacts - and vice versa.
Finally, I thought I began to see in the problem of artificiality an explanation of the difficulty that has been experienced in filling engineering and other professions with empirical and theoretical substance distinct from the substance of their supporting sciences. Engineering, medicine, business, architecture, and painting are concerned not with the necessary but with the contingent - not with how things are but with how things might be - in short, with design. The possibility of creating any science of the artificial. The two possibilities stand or fall together.

H. A. Simon, The Sciences of the Artificial.

Preamble

London, 13 September 2017 - This is an article about an underestimated and often, when rarely acknowledged, understated problem in information and data management that I believe is pivotal for change across different industries and sectors: how to save the identity of professionals from data falsification - in this instance the identity of gas safety engineers.

Data falsification occurs every time specific qualities, properties, aspects of physical or digital objects (what Simon called artifacts in the introduction of his masterpiece work The Science of the Artificial) changes scope. In that, falsification is at the very core of the digital economy because what we all do all the times with data is fundamentally copying them, adding them, multiplying their instances through operations variedly called treatment, processing or reuse, each of which can slightly or hugely alter the original aim for which the data were created or gathered in the first place.

There is no particular evidence, to the best of my knowledge, that a negative meaning associated to the word ‘falsification’ prevails in the public opinion and among scientists or researchers. Perhaps, in terms of default sentiment, is more likely that a positive sentiment it is associated with the word than a negative one. In fact, the concept of data falsification as reproducibility of a process in itself has a great positive role in science, determining what is commonly accepted as scientific truth, pending new falsifications, among people with a formal education at degree level. The whole of the creative sector is permeated with marketing messages that share a possibly biased but surely positive view of falsification as a process leading to more openness, more innovations, more inclusion and participation and so and so forth. Check for instance the colossal sponsorships obtained by a program called The Next Rembrandt, the purpose of which is to obtain technically perfect engineered copies of the original artist’s works. I do not like it, I believe it is extremely engineered in the worst of the word’s meanings, it lacks social intelligence and empathy and no one with an elementary knowledge of or passion for history or the arts could endorse it without a justifying salary, but it is remarkable in the way it has presented the falsification technique to the public, opening up infinite new market opportunities for antiquities’ merchants and their millionaire customers that could be persuaded to buy false and yet perfect copies of masterpieces.

It is only when things go wrong, and people discover frauds and crimes behind critical events, that data falsification suddenly emerges as the culpable stage in a process when something has not been managed safely and according to the intended aim, terms of references, principles, legal provisions, expectations.

Falsification of personal data and identity theft falls into this last category of unfortunate circumstances: the public opinion associates the crimes with the rise of e-commerce and internet payments but it is likely that digitisation has only created exponential growth and multiplication of dynamics very well known as the foundations of the grey economy. The problems caused by falsification of professional identity can be exponentially more severe when the false, stolen or misrepresented identity is involved, as an implicit guarantee, in assured processes such as in Health & Safety, leading to disasters like Grenfell Tower.

What it follows is Sonia’s case on the identity of a gas safety engineer. It is a semi-anonymised account of real facts and circumstances. To put into context it is worthwhile to look at some specific information related to the gas safety industry scheme. I will then summarise what I understand are at the moment the possible solutions recently envisaged by the policy-making community in the UK and emerged through discussions with colleagues from IT and information security, policy making, information management and engineering.

The challenging regulatory environment

The existing legislation seems quite effective and fit for purpose in respect of the falsification risk within the gas safety industry and its documentary processes: the offence of forgery, defined by the Forgery and Counterfeiting Act 1981, extends also to the use of a false instrument or a copy of a false instrument, with maximum penalties of 10 years imprisonment.

In the context of the Health and Safety at Work Act 1974 (as modified by the Deregulation Act 2005) the offence of forgeries are defined in section 33 that says It is an offence for a person :
(K) to make a statement which he knows to be false or recklessly to make a statement which is false where the statement is made in purported compliance with a requirement to furnish any information imposed by or under any of the relevant statutory provisions; or
(ii) for the purpose of obtaining the issue of a document under any of the relevant statutory provisions to himself or another person;
(L) intentionally to make a false entry in any register, book, notice or other document required by or under any of the relevant statutory provisions to be kept, served or given or, with intent to deceive, to make use of any such entry which he knows to be false;
(M) with intent to deceive, to forge or use a document issued or authorised to be issued under any of the relevant statutory provisions or required for any purpose thereunder or to make or have in his possession a document so closely resembling any such document as to be calculated to deceive.

And for the avoidance of any doubt, the Gas Safety (Installation and Use) Regulations 1998 defines the qualification and supervision requirement for carrying out work related to gas fitting and servicing, specifying that (3) [...] no employer shall allow any of his employees to carry out any work in relation to a gas fitting or service pipework and no self-employed person shall carry out any such work, unless the employer or self-employed person, as the case may be, is a member of a class of persons approved for the time being by the Health and Safety Executive for the purposes of this paragraph ; even more explicitly it adds that (7) No person shall falsely pretend to be a member of a class of persons required to be approved under paragraph (3) above.

Magistrates Courts (with cases recently reported in Westminster, Bodmin, Darlington) have increasingly found landlords in breach of Gas Safety (Installation and Use) Regulations 1998 and of the Health and Safety at Work etc Act 1974 and sentenced them. Such sentences include for instance not less than 16 weeks imprisonment, 200 hours of unpaid work, fines of not less than £5,000 - plus costs of litigation and compensation. Examples of recent cases are reported by the Health and Safety Executive website, under the news section.

In spite of such adamantine clarity of definitions, the UK Health and Safety regulatory environment and in particular the Gas Safety sector is far from being static and settled once and for all. On the contrary, for the last ten years it has gone through an intense and rapid wave of reorganisations and deregulation initiatives the current episode of which is a major bill that has been put off to 2018-2019, following the Grenfell Tower fire and a passionate motion by Baroness Andrews in the House of Lords on the 13th July 2017 (Deregulation: Public Services and Health and Safety, it is likely that the parliamentary debate will not resume until after the conclusion of the same Grenfell Tower public enquiry).

At the heart of the turmoil is an almost ideological battle between polarised views on the role of health and safety rules and enforcement: one on side are those who believe that standards and technical rules including health and safety regulations are lessons learned from the past that should be constantly kept working and adapted to new technologies and usages. On the other side of the spectrum, the whole matter is considered “red tape” (burden imposed by regulators) and increasingly even “blue tape” (burden imposed mainly by the contract legal and procurement departments of large corporations on their supply chains).

It came therefore as no surprise that the organisation of the regulatory function and industry scheme has seen the abolition of the Health and Safety Commission and the transfer of its regulatory function to the NDPB (Non­ Departmental Public Body) Health and Safety Executive in 2008, upon a call for more efficiency. This squeezing of functions has also led in 2010 to the outsourcing of the day by day management and maintenance of the Gas Safety Register (formerly CORGI register) to Capita on the grounds of a ten years contract.

The legislation, processes and procedures the gas safety scheme relies on have been originated in the 1970s and 1980s when there was no internet and no need to ensure technical documentation from an exponential, systemic risk of digital forgery. And yet, it seems almost unbelievable that the start up of the Gas Safety Register managed by Capita was advertised boosting a registration procedure that would cut red tape and formalities, with no need to sign the registration form and with the possibility to complete the whole procedure online, paying the fees by credit or debit card. Renewing an existing registration is even faster and easier.

It looks like the re-tendering specification has resumed the idea of face to face inspections of the whole of the gas safety engineers registered every five years.

The skills and the professionals bodies

The idea that the same technical people expert in the field do not like “red tape” and turn against an “excess” (always left undefined) of their own know how and standards has been circulating for a while and yet I can hardly believe it is belonging to a fit, skilled and healthy workforce.

The stressful dichotomy existing between the legislation and public expectations on one side and the practical organisation of industry and professional controls and law enforcement on the other takes it tall in terms of professionalism, skills and conduct of gas safety engineers because of other factors, like the business organisation of gas safety engineers’ services. Once upon a time, they were the face of the regulator, messengers with an expertise that saved lives in the mines as well as in private houses. Today they can be entrapped in compliance “tick boxes” minutia that create risks of litigations, inefficiencies, more operational costs to safeguard public interests nobody wants to pay for. It may be another tragedy of the commons after all.

I haven’t thoroughly investigated these aspects, but for what I could see the workforce operating the Gas Industry Scheme is increasingly ageing. Gas safety engineers enter the labour market through apprenticeships, they do not have particular motivations to continuous professional development goals and tends to be overwhelmed, as in other sectors, by key performance indicators and efficiency targets that have nothing to do neither with their own long term career goals nor with the essential purpose of the same scheme.

The lack of accuracy (or in other terms the dominance of a “good enough accuracy” nobody is really happy with) is sadly very evident at any level of the educational and developmental chain for gas safety engineers. It does not infuse more trust in younger generations: for instance, somebody reported to me a situation that actually ridicules the role of apprenticeship when the young person is sent to do the work with the customer and is told what to do over the phone by an older colleague. And as far as the theory is concerned, I wanted to check a textbook for the Engineering Technologies Level 3 qualification (authored by Mike Tooley and published by Routledge in 2017) and guess what? the book quotes the regulatory framework as it was in 2008, before the Health and Safety Commission was dissolved. It is really difficult not to conclude “God, Save the Safest!”

Perhaps, restoration and maintenance of trust in the right professional practices and up to date, fit for purpose, technical standards is something for which both the public and the professionals should turn to professional bodies?

Sonia’s discoveries on data falsification

Sonia worked for over 20 years in the Corporate Affairs and Legal Department of a big group in the construction sector. In that position she liaised with consultants and civil servants. Her professional status would not have any relevance for the story but for being at the very origin of her housing situation. In fact, following the fatal injury of a colleague she lost her job and is likely that she has been blacklisted because she has been unable to find whatsoever other job in the sector since then in spite of being absolutely brilliant and with an extraordinary emphatic personality. She had to move house and it was for that reason that I happened to get in touch with her. We sympathised with each other’s circumstances. It seemed that the invisible helpful hand of some former professional contacts working at or with the Cabinet Office might have helped Sonia to enter a 12 months assured shorthold tenancy agreement for a small flat with a letting agent, property manager and landlord she then recommended to me.

Day 1. Sonia signs the tenancy agreement, gets the keys of her new flat and the same day she is given a landlord gas safety certificate (LGSC), and energy performance certificate (EPC) and other prescribed documents she does not pay particular attention to.

Day 2. After the first night in the flat she notices that there is no hot water and it seems the boiler does not work. She asks the letting agency how to operate the boiler. She is given a response via email suggesting she should check with the boiler manual or pay for the visit of a service engineer. The weird reply makes her suspicious that she might have overlooked the LGSC. In fact, this, as well as the EPC, turns out to be older than the prescribed date: they have been produced by a gas safety engineer and by an energy assessor that are unreachable on their given telephone numbers, with the EPC assessment company dissolved two years earlier and the gas safety engineer being evidently out of business in Surrey or a possible copycat of a similar business existing in another County (Hampshire).

Day 3. Sonia tries to get a new, up to date LGSC from her landlord agent so that the boiler issue can be considered all together with the necessary periodic maintenance check up. The landlord instead accuses her of making things up, because - they say - she was given a perfectly valid LGSC, produced by the same engineer Anwar S. within the 12 months before the start of her tenancy, copy of which she is now sent also via email. This new LGSC is the valid one and as far as the old LGSC is concerned, the landlord says Sonia might have found it in the flat. So they are not going to pay for any additional service. Sonia has no other choice than to call in an engineer at her own expenses, for the service of the boiler, for a new LGSC and for some safety advice related to the gas pipes she passes to the landlord agent together with a disbursement notice, according to a specific clause of the tenancy agreement that allows her to do so.

Day 4. Few months later, the landlord agent serves Sonia with a Section 21 notice to quit. Sonia does not have another home so she does not move out. The landlord starts legal proceedings using the accelerated procedure. Sonia gets some basic legal advice that points her attention to the fact the landlord did not give her a valid LGSC produced in the 12 months before the start of the tenancy so that according to the new Housing legislation (introduced with the Deregulation Act 2015) the landlord cannot use the accelerated procedure to evict her.

Day 5. Sonia need to prepare her defence and tries to contact the engineer via phone and even in person at his address: she does not find any trace of him. She talks with his neighbours, with shops around his registered address: nobody knows him, they have never seen a gas safety engineer living at that residential address or buying any plumbing and heating supply locally for the last thirty years.

Day 6. Sonia thinks the Gas Safety Register should act and inspect the engineer address without hesitation, especially because between her first search about the registration number (Day 2) and Day 6 the record has changed in a sort of mockery way, showing up now even a picture of the engineer “for identification purpose”. And the picture is resembling her landlord, just younger or photoshopped. She first tries to rise a concern or to post a complaint online, using the form available on the same website of the Gas Safety Register and following the advice available on the HSE website. But the complaint procedure has been designed on the assumption that the customer has something to report in respect of a job done. There is no way to complain about the fact that an existing record does not correspond to an existing gas safety engineer in the Register.

Day 7. She decides she has to speak with either the Gas Safety Register or the company that operates it (Capita) or the regulator, HSE, but at any attempt she is treated as an unsound minded person who does not understand how to use the website of the Gas Safety Register, or the text messaging validation service, to just verify and assess the identity of Anwar S, registered under number 1***** of [omissis address in Surrey]. Yes, this engineer is registered, they keep on saying to her.

Day 8. She goes to the local police station but again she is told that the Police does not investigate identity of gas safety engineers for which she should call the Gas Safety Register instead.

Day 9. After having exhausted all the possible ways to escalate her complaint, Sonia speaks with me. She recalls the Cabinet Office colleague she met before we both found new rented accommodations and asks me if it is not the case to report back to that person what she has found in respect of the LGSC and the Gas Safety Register. I discourage her from wasting time because if they wanted somebody to test if the regulated self assurance idea works or not as intended by the Deregulation Act 2015 the only thing to do is going through the legal process. I try to talk about Sonia’s discoveries with Capita’s Chief Executive or Managing Director but I do not get anything more than an email acknowledgment, possibly prepared by a Personal Assistant, inviting me to put forward my CV in case they need to recruit a consultant in the future.

Some solutions

The solutions identified so far to data falsification problems seem to me belonging to two categories. The first consists in a major development of the “nudging” approach to public policies, increasing the type and number of outcome-controls, putting more earned recognition on consumers and businesses, at their own risks, while keeping high the commitment for regulated self-assurance. That means relying on the construct that if and when things go wrong because it has not been possible to prevent fatalities, casualties, human errors etc etc, there should be a redress.

In that respect, the Deregulation Act 2015 provision that deprives landlords of the Section 21 accelerated procedure for repossession if they do not comply with the Health and Safety at Work Act 1974 and with the Gas Safety (Installations and Use) Regulations 1988 seems the perfect example. And yet, the burden of proof and the costs of litigations transferred onto private individuals, families, businesses and communities can be very high, as people can find themselves suddenly required to be responsible for policing and exposing rogue landlords and potentially serious organised criminals without having a clue neither of whistleblowing policies and legislation, nor on data management nor on forensic science or the law of evidence - in sum, even admitting that in many wicked cases and circumstances the uncertainty about the behaviours of the parts is so high that outcome - controls are the only pragmatical way forward, this does not seem a fair nor a convenient and realistic route for many as it can simply derail into and increase social frictions, litigations and conflicts.

The second line of actions consists in increasing the chances of “connected intelligence”, with more opportunities to prevent and spot falsification of data by way of “just” sharing public registers, databases and archives of factual information within different government departments and authorities, so that data related to individuals or assets used for a process are cross referenced with data potentially belonging to the same individuals or asset held for other processes in other departments. Being this second strand of solutions useful to verify and validate data in a low cost, more passive and more automated way, sharing data seems quite simple and less demanding in terms of human engagement, although there is no implicit assurance that opening up and sharing data picking them up and transferring them through cheap technologies (such as APIs) does not make a favour to the guys the plans of whom we would instead like to undermine! A good rule of thumb approach could be to design carefully the interactions, transactions and what data are we trying to access and reuse for what purpose but, again, this would make the whole big data or machine learning approach instantly less attractive and more costly as it would require more human cognitive and specific efforts to be put into the system.

In sum, there is not a Holy Grail and the digital revolution has not happened at all.

On the positive side, all the possible solutions to the data falsification problem seem converging on a sort of holistic approach, recognising there is an overarching issue of process engineering to be taken into account. It sounds like we have reached a point of inconclusive but robust understanding - at least among internet pioneers, e-commerce early adopters and IT veterans - that in this digital world a string pulled around the laptop of a dodgy student in Malaysia can have huge repercussions in Washington DC. And yet, the predominant approach to communication strategies on a global scale still tends to rely on easy “people” aspects, leveraging on emotional traits, populism, easily polarised views, blaming the hyper-rational or insensitive profit-let processes.

How we design processes matters, a lot. Psychology of scams and other contiguous fields of research have demonstrated that cyber-criminals exploit human trust in human-computer interactions and in computer mediated communications. All our personal details risk to become assets in the arsenal of cyber-criminals that use false and stolen identities as the first block of their puppets’ socially engineered games. No one could be considered responsible of anything wrong if everybody just follows their own remits, job descriptions or codes of conduct and along the journey they end falling straight-away into a deadly road pothole.

What seems to me not perfectly understood within the policy-making community is the need of keeping the design and maintenance of the artificial clean from copycats and from god-games that are indeed the potholes of our digital highways. We cannot defeat fraudsters at their own game, designing journeys that should unmask and use data about the potholes in the public interest. Instead we urgently need to make digital potholes reviews and produce better regulations specifically addressing the problem of law enforcement for the digital environment.

Brainstorming and Discussions

Sonia’s case has generated a lot of disconcerted engagement among the colleagues I shared the story with before writing it here, and not only because it came at a time in which there is a great sensitiveness on Health and Safety Legislation in London following the Grenfell Tower Fire, something that has been defined as a gigantic failure in government. Sonia’s story sends a strong signal about our general over confidence in regulatory processes that have not been designed for the digital age and yet we heavily rely on, assuming that the authenticity and integrity of personal data of the professionals involved or that pretend to be involved is unquestionable.

The opinions and positions I collected cover a whole range of sentiments and resolutions but they can possibly be clustered into just these following three essential categories: