Data Governance

One of the areas where Information Quality, Data Governance, and Data Protection overlap significantly, with a big business impact, is the area of managing an individual's preferences for direct marketing.

Before I go any further, I think it is important to clarify what is meant by Direct Marketing in this context. Direct Marketing is a communication targetted to a specific individual by any means of communication such as email, snail mail, SMS, fax, or telephone. It could be argued that it also could include Tweets or contact via social networking.

The diagram opposite shows some of the data that an individual has about themselves that they would potentially be sharing with a service provider, in this case a Pizza parlour. Joe (the Data Subject) has a variety of contact points at which he may be contacted. Some of these he may have provided to Bob in Bob's Pizza. He will have provided these pieces of information for a variety of specific purposes.

I've been reading a lot of interesting blog posts in a variety of places about the importance and value of metrics for data quality and the potential for misunderstood measurements to drive misunderstood (or just plain wrong) decisions.

At the simplest level, this is yet another iteration of the age old "Carpenter's Rule" - Measure twice, cut once.

But carpenters have it easy. Irrespective of your level of experience in carpentry and woodwork you intuitively know that the measures that matter to you are length, width/breadth, and height. All of those are ultimately different dimensions of the same metric (width is length from a different perspective after all). The key challenge for the carpenter is to make sure that they are measuring in the same units of measure (inches, feet, metres, centimetres). And if they are working with other carpenters they need to make sure that they have agreement on what unit of measure they are using.

The Irish Computer Society has released the findings of a survey on attitudes and understanding of Data Protection in Ireland.

The findings are, to say the least, shocking.

The first finding that strikes me is that the respondents (286 of them) were from IT functions within organisations. No offence to my brethern in IT but if Information is an Asset why are we asking plumbers about water quality and leaks? But that is a minor concern.

A more significant concern is the fact that organisations just don't seem to get it. At least not some of them. The fact that the respondents have conflated "Data Protection" with "Data Security" is troubling. For the record: "Safe and Secure" is ONE of EIGHT principles for Data Protection (actually, they're called principles for Data Quality but that is a topic I cover in a full day tutorial so I won't bore you here). There are other principles that need to be respected just as much. As a political party discovered recently, if you haven't obtaine the data fairly (Principle 1) then the fall out from having your systems hacked and data copied is only part of the problem.

Also, respondents seemed to be of the view that compliance with the Data Security Breach Code of Practice was an optional thing. In this context I have to fall back on the words of W.Edwards Deming:

You don't have to do this. Survival is entirely optional.

There are many variations on pithy sayings about assumptions and the risk they present. They are unanimous in their admonitions that to rely just on an assumption when engaged in planning or executing tasks invites failure and headaches. Necessity may be the Mother of Invention but Assumptions are the Mother of all screw ups (diligent readers will recognise that I’ve cleaned that up for easily shocked readers).

The risk of assumption is no less apparent than in the area of Governance, and Information Governance in particular. Patently stupid and damaging decisions are taken every day on the basis of assumptions about information and the controls, regulations, and procedures that need to be in place around its use. For example, organisations assume they can use the PPSN (Ireland’s Social Insurance Number) as a unique identifier for customers, despite the fact that the uses that a PPSN can be put to lawfully (and by whom) are clearly set out in the Social Welfare Acts.

Within organisations seeking to define and execute effective controls over information it is often the case that things are done with data because they always have been done that way and, as a result, people assume that that is the way things should be done. This can result in data being processed or shared without valid lawful reasons (or conversely data not being disclosed where it might lawfully be done because someone assumes it can’t). It can result in a meaning and purpose being associated with a data field or recorded fact because people have assumed that is the case, resulting in confusion and degradation of data quality.

Over the past week I’ve been reminded of one example of Assumption at work in the management of fundamental data and another of Assumption’s influence in fundamental Governance of government…

Organisations who are making use of outsourced service providers to process personal data, (e.g. cloud-based applications, web-hosting, data analysis/data management services) need to be wary of what I call the "Chain of Tools" which you need to do some due diligence on and have appropriate controls in place for.

 Ultimately, the Data Controller carries the full weight of liability for any breach of the Data Protection Acts, both criminal (i.e. prosecution by the Data Protection Commissioner) and Civil (i.e. litigation for breach of the Duty of Care created by the Acts) unless they can demonstrate that they have taken all reasonable steps to ensure that the chain of personal data protection is unbroken.