Speaking at an identity management summit in Sydney on "how to stuff up an identity management program," Johnston said she has seen so much money wasted on projects driven by technology providers and politicians.
"Politicians and CEOs like to cut the ribbon on new projects," Johnston said. "There's no point in proceeding if there is no point."
In the case of identity management, Johnston said anything from a "human problem" to poor design, legal noncompliance, and lack of transparency can contribute to a failed project.
"Lesson one is to check you have a need for technology and that it cannot be solved another way [and] don't use a sledgehammer to crack a nut," she said. "If you are in government or business and have the responsibility to do identity management projects, you need to step back and see if there is a key business driver. See if technology is the answer [or whether] investing in staff may be a better answer."
Johnston said avoid poor design by ensuring the data-checking systems well designed to start with, not just the technology.
"To get it right you will need to [discuss it] with people across the organization, including HR and marketing," said Johnston, who is also a director of privacy consulting at Salinger & Co. "Most breaches of privacy and security come from your own staff. The most secure technology can't protect you from lazy, accident-prone, or corrupt staff."
No longer surprised at how many people write passwords on post-it notes, Johnston cited one case where an executive would shout out to a secretary "what's my username and password" and the secretary, in an open-plan office would shout it back.
"If you're in charge of data security in your organization you should be very afraid of your most helpful staff," she said, adding her favorite story is of a police officer who accidentally left DNA evidence on a train on the way to a hearing and as a result the charges were dropped.
"There is no technology system that can compensate for human frailties. You need good people and data protection must encompass hard copies of data."
Rather than telling employees you need to prove their identity because of terrorists or the Privacy Act, Johnston recommends being open with staff about what the information will be used for.
For IT managers considering biometrics as part of an identity management project, Johnston recommends familiarizing themselves with the regulatory environment first.
"There are health privacy laws in NSW [so] if you are considering using a biometric or conducting drug testing you are collecting health information," she said, adding health information includes a person's donor status on their driver's licence.
"You need to comply with the specialist compliance laws in addition to the national laws. If your ID management includes RFID (radio frequency identification), you'll need to check compliance as well."
Johnston believes there is little understanding about privacy law, because it is "very complex" in Australia and a growing area.
"There is less awareness of state laws," she said. "Unfortunately in NSW the government hasn't put any money into education programs. So there are not many free, publicly available resources for businesses to get their head around the laws, let alone comply with them."