Daragh O Brien's blog

One of the areas where Information Quality, Data Governance, and Data Protection overlap significantly, with a big business impact, is the area of managing an individual's preferences for direct marketing.

Before I go any further, I think it is important to clarify what is meant by Direct Marketing in this context. Direct Marketing is a communication targetted to a specific individual by any means of communication such as email, snail mail, SMS, fax, or telephone. It could be argued that it also could include Tweets or contact via social networking.

The diagram opposite shows some of the data that an individual has about themselves that they would potentially be sharing with a service provider, in this case a Pizza parlour. Joe (the Data Subject) has a variety of contact points at which he may be contacted. Some of these he may have provided to Bob in Bob's Pizza. He will have provided these pieces of information for a variety of specific purposes.

In an earlier post I wrote about Information Quality being a "measure twice, cut once" type of challenge.

Today I got yet another email from "Karen", a subscription promotions robot at a large international industry publishing company, Information Week. The email (and I get them every few weeks) invites me to sign up for a free subscription to their print magazine because I've subscribed to one or more of their email newsletters. 

The invite reads:

As a valued InformationWeek newsletter subscriber, you’ve been selected to apply for a complimentary subscription to InformationWeek magazine – the source for unique editorial and in-depth analysis for the leading business technology buyers. Others pay for this must-have publication but if you take a few minutes to apply and qualify now, you will NEVER be billed. 

Now I LOVE dead tree publishing. I like being able to read things that won't need to be plugged in if I leave them down and walk away for an hour. And I LOVE industry publications becasue I can clip the good bits and recycle the rest. More than that, as a small business owner, I abso-fricking-lutely ADORE anything that is free.

The Irish Computer Society has released the findings of a survey on attitudes and understanding of Data Protection in Ireland.

The findings are, to say the least, shocking.

The first finding that strikes me is that the respondents (286 of them) were from IT functions within organisations. No offence to my brethern in IT but if Information is an Asset why are we asking plumbers about water quality and leaks? But that is a minor concern.

A more significant concern is the fact that organisations just don't seem to get it. At least not some of them. The fact that the respondents have conflated "Data Protection" with "Data Security" is troubling. For the record: "Safe and Secure" is ONE of EIGHT principles for Data Protection (actually, they're called principles for Data Quality but that is a topic I cover in a full day tutorial so I won't bore you here). There are other principles that need to be respected just as much. As a political party discovered recently, if you haven't obtaine the data fairly (Principle 1) then the fall out from having your systems hacked and data copied is only part of the problem.

Also, respondents seemed to be of the view that compliance with the Data Security Breach Code of Practice was an optional thing. In this context I have to fall back on the words of W.Edwards Deming:

You don't have to do this. Survival is entirely optional.

There are many variations on pithy sayings about assumptions and the risk they present. They are unanimous in their admonitions that to rely just on an assumption when engaged in planning or executing tasks invites failure and headaches. Necessity may be the Mother of Invention but Assumptions are the Mother of all screw ups (diligent readers will recognise that I’ve cleaned that up for easily shocked readers).

The risk of assumption is no less apparent than in the area of Governance, and Information Governance in particular. Patently stupid and damaging decisions are taken every day on the basis of assumptions about information and the controls, regulations, and procedures that need to be in place around its use. For example, organisations assume they can use the PPSN (Ireland’s Social Insurance Number) as a unique identifier for customers, despite the fact that the uses that a PPSN can be put to lawfully (and by whom) are clearly set out in the Social Welfare Acts.

Within organisations seeking to define and execute effective controls over information it is often the case that things are done with data because they always have been done that way and, as a result, people assume that that is the way things should be done. This can result in data being processed or shared without valid lawful reasons (or conversely data not being disclosed where it might lawfully be done because someone assumes it can’t). It can result in a meaning and purpose being associated with a data field or recorded fact because people have assumed that is the case, resulting in confusion and degradation of data quality.

Over the past week I’ve been reminded of one example of Assumption at work in the management of fundamental data and another of Assumption’s influence in fundamental Governance of government…

I’ve written a lot here about the use of outsourced providers when processing personal data electronically but it is important to remember that the Data Protection Acts apply equally to “manual data” – data about an identifiable person that exists in a hard copy form.

The “chain of tools” analogy applies here just as much as it does to the processing of personal data electronically. You need to be sure you have done due diligence and the ‘outsourcee’ (the service provider) needs to understand their obligations re: security and protection of personal data.

A common scenario where personal data is being processed in manual form is when a letter is being sent either by post or by courier.