
ICS Data Protection Survey

The Irish Computer Society has released the findings of a survey on attitudes and understanding of Data Protection in Ireland.

The findings are, to say the least, shocking.

The first finding that strikes me is that the respondents (286 of them) were from IT functions within organisations. No offence to my brethren in IT, but if Information is an Asset, why are we asking plumbers about water quality and leaks? But that is a minor concern.

A more significant concern is the fact that organisations just don't seem to get it. At least not some of them. The fact that the respondents have conflated "Data Protection" with "Data Security" is troubling. For the record: "Safe and Secure" is ONE of EIGHT principles for Data Protection (actually, they're called principles for Data Quality, but that is a topic I cover in a full-day tutorial so I won't bore you here). There are other principles that need to be respected just as much. As a political party discovered recently, if you haven't obtained the data fairly (Principle 1), then the fallout from having your systems hacked and data copied is only part of the problem.

Also, respondents seemed to be of the view that compliance with the Data Security Breach Code of Practice was an optional thing. In this context I have to fall back on the words of W. Edwards Deming:

You don't have to do this. Survival is entirely optional.

Good Governance means spanning silos

I've been doing some work with a client recently looking at how they are currently managing their information assets. What I'm bringing to the table with this client is a wealth of experience seeing what happens when you silo problems or issues or objectives into neat little stove pipes that can be managed along the vertical of an organisation's traditional hierarchy, as well as experience of what happens when you turn things on their side and start managing horizontally.

Because Information is a wonderful asset with magical properties that allow it to span an organisation, it is essential that organisations looking to tackle Information Quality, Data Protection, or Data Governance issues start to think along the Horizontal and build coherent teams that break down barriers to people doing good work.

In fact, that is one of W. Edwards Deming's 14 Points for Management Transformation.

So, having done all this good work with my clients, I was a bit dismayed to read about the forthcoming Finance Bill (very soon to become the Finance No.1 Act 2011), which contains sections that replicate (imperfectly and incompletely) the provisions of the Data Protection Acts 1988 and 2003. By bolting provisions like this into a piece of legislation, the Government (and the Opposition) are adding yet more fudge and confusion to the management and governance of Data Protection in Ireland. Rossa McMahon, an Irish lawyer with an interest in Data Protection, has written a critique of the legislation on his blog.

Compliance = Policy and Action aligned!

I've written on this topic here before.

Effective "Large C" Compliance and "Big G" governance, particularly with regard to the processing of personal data, is all about ensuring that an organisation has the capability to draw a clear and unbroken line between what they say they'll do with data and what actually happens to it.

That's why simply copying a Privacy Statement, whether from a boilerplate template, from your old website, or from a website that has one you think is cool, is a risky undertaking. You need to invest the time and effort in your public statement of your goals, intent, controls, and governance of a mission-critical asset; otherwise you risk a potentially damaging disconnect between what you say and what you actually do. That is as bad as, or possibly worse than, NOT having a privacy statement.

  • Not having one shows you didn't think about your duties.
  • Having one that doesn't match what is actually happening with the information shows you care, but just not that much.

Ultimately, the objective of the Privacy Statement is to redress the balance between Data Controller and Data Subject by requiring the Controller to share some information in order to get some.

For that reason it is not a static document that you write once and set aside. It needs to be kept under regular review, particularly when you are changing systems or processes which will affect the nature and extent of your processing of personal data.

What you say you do must match what you actually do, or your Privacy Statement will not be worth the ether it is written on.

Small Print, Big Headache

Over the past few months I've been involved in a number of events related to Cloud Computing and have had countless conversations about the pros and cons of outsourcing, as well as having studied a number of business arrangements that boiled down to someone being a Data Processor for someone else, a Data Controller.

I have found that my message in each of these apparently disparate situations can now be boiled down to:


  • It's the Information, Stupid, and
  • The Fine Print can frustrate your intent, and
  • If you can't find who is responsible for the thing, then it is you who is responsible.

These mantras span the domains of Data Protection, Data Governance, and Information Quality, but for the purposes of this post I'll be using examples from the Data Protection sphere.