castlebridge-associates
Information Quality is often seen as just another problem in organisations, as is Data Protection. In this presentation, Daragh O Brien of the IAIDQ explains how both issues are closely related and how by taking an "Information Quality Eye" approach to Data Protection you can ensure that your organisation benefits from both better quality and better protection.
Information Quality and Data Protection
Two sides of the same coin
Introduction
About me, about the presentation
About Me
• Graduate of UCD Faculty of Law (Business & Legal Studies)
• Lecturer in Legal Regulation for Information Systems, European Masters in Business Informatics, Dublin City University
• Author of Defining & Implementing an effective Data Quality Strategy, Ark Group 2008 (ISBN 978-1-906355-14-2)
• Regular contributor to ComputerScope Magazine, Running Your Business (Magazine of Irish Small Firms Association), and the IAIDQ Newsletter (www.iaid.org/publications)
• Winner in 2008 of an Obsessive Blogger award from one of the leading Irish Blogging Communities for my writing on my personal blog (http://obriend.info) and elsewhere about Information Quality topics.
About this Presentation
• Crash course in first principles
• Data Protection: European rules… US rules are different and have over a dozen different discrete State and Federal laws that tackle specific instances of issues….
• Information Quality: basic principles (very elementary)
• Analysis: relevance of Information Quality to Data Protection; relevance of Data Protection to Information Quality
• Conclusion
A detailed handout is available to accompany these slides.
First: Principles
Some fundamentals. Made fun. Not mental.
Data Protection
SECTION I
PRINCIPLES RELATING TO DATA QUALITY
Article 6
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
Fundamental Data Protection Principles
• Obtain the information fairly
• Use it only for the purposes for which it was obtained
• Process it only in ways compatible with the purposes for which it was given to you initially
• Keep it safe and secure
• Ensure that the information is accurate, relevant, and not excessive
• Retain it for no longer than is necessary for the stated purposes
• Give a copy of the information held by you relating to them to an individual when requested
Example of a Bad Data Protection Practice
A “Sign up for a raffle” sheet: lots of personal data… left completely unattended, along with a box full of more sheets like this one…
Data Protection & Information Quality
Mapping the Relationship…
Information Quality (Joseph Juran)
• Meeting or exceeding information consumer expectations
• Reducing variation around a mean for the performance and perceived value of an information product
• Beauty is in the eye of the beholder
Information Quality (Dr Tom Redman)
“Data and Information are of high quality if they are fit for their uses (by customers) in operations, decision-making, and planning. They are fit for use when they are free of defects and possess the features needed to complete the operation, make the decision, or complete the plan.”
What he said… only the view of the customer needs to be broad enough in your organisation… Is having your data lost or stolen a “feature” of the service you are buying?
Setting & Meeting Expectation
1. Obtain and process the information fairly: Setting Expectation
2. Keep it only for one or more specified and lawful purposes: Setting Expectation
3. Process it only in ways compatible with the purposes for which it was given to you initially: Meeting Expectation
4. Keep it safe and secure: Meeting Expectation
5. Keep it accurate and up to date: Meeting Expectation
6. Ensure information is accurate, relevant and not excessive: Meeting Expectation
7. Retain information for no longer than is necessary for the stated purposes: Meeting Expectation
8. Give a copy of the information held by you relating to them to individuals on request: Meeting Expectation
Planning to meet expectations
Joseph Juran
Quality of an asset (product, finance, people) is achieved through:
• Planning
• Control
• Improvement
Asset Life Cycle – POSMAD Model
Questions you might ask at each stage of the life cycle (Plan, Obtain, Store/Share, Maintain, Apply, Dispose), with the Data Protection principles (numbered 1 to 8 above) that apply at each stage:

Plan (DP principles 1, 2, 3, 5, 6, 7, 8)
• What info do I need to capture?
• Why do we need it?
• What will we use it for?
• Who will we share it with?
• Why would we share it?
• Am I capturing too much info?

Obtain (DP principles 1, 3, 5, 6)
• How will we get it?
• How will we communicate the hows and whys?
• What are the processes we’ll use to get this info?
• Will these processes capture quality info? Will the processes create poor quality information?
• What processes will we have to find and fix errors?

Store/Share (DP principles 4, 7, 8)
• Where/how will we store this info?
• Can we find it again when needed?
• Are we storing the same data many times in many places?
• What’s our plan for ensuring data integrity (relating all our records)?
• Is our data storage secure?

Maintain (DP principles 1, 3, 5, 6, 8)
• What are our processes to ‘maintain’ the information?
• How are we keeping our information up to date?
• How are we correcting errors in our data?
• Do our staff know how/why we keep info up to date?
• Do our metrics and processes support this objective?

Apply (DP principles 1, 2, 3, 4, 5, 6, 8)
• Are we using the info for the purposes identified at PLAN?
• Do we work with our suppliers/data service providers to ensure they have adequate procedures in place to protect the data we hold on trust?
• Do we protect copies of data on laptops etc.?
• Can we find it when we need it?

Dispose (DP principles 1, 2, 3, 4, 5, 6, 7)
• Do we have a retention policy for this data?
• Do we retain this data at all?
• How do we dispose of our old data?
• Does our data become “excessive” over time, even if it was appropriate at the time it was captured?
• Is our data disposal secure?
8. Give a copy of the information held by you relating to them to individuals on request: Meeting Expectation
A needle in a haystack?
Find ALL the data you have about ONE specific person based just on their name, address and other identifying data… not necessarily an account number or other unique reference. For example: Daragh O Brien, 13 Any Street, Anytown, Ireland.
Why did I get into Information Quality (an old slide, but a good slide)
Daragh, Darragh, Dara, Darra, Daire, Darach, Darrach, Dáire, Daira, Daireach
• Gender? Male or female: SPELLING DOES NOT give a clue
• Confusion: often miskeyed as TARA (definitely female); often confused with Darren (male) or Daryl (male or female); also confused with Daria (female) and Dora (female)
• O Brien, NOT O’Brien (anglicised version of the Gaelic name); also use O Briain (proper Irish language spelling); will accept O’Brien (mainly out of laziness at this stage)
• Grew up on “Foxfield St. John”: data cleansing software often changes this to “Foxfield Street John” or “St. John’s, Foxfield”
Which haystack? Lots of data repositories?
Which needle? Potential duplicate records?
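The search a subject access request actually requires, as an added example (this is not code from the original slides, and not Castlebridge's or the IAIDQ's): locate every record plausibly about one person across several stores that share no account number, using only name and address, while tolerating exactly the variants the slide describes (Daragh/Darragh/Dara…, O Brien vs O’Brien vs O Briain, “Foxfield St. John” vs “Foxfield Street John”). The three stores, their records, the scoring weights and the two thresholds are constructed for illustration; only the spelling variants come from the slide. Standard library only.

```python
"""Added example (not from the slides): subject-access search across several stores
that share no account number, matching on name and address only. Standard library only.
Stores, records, weights and thresholds below are constructed/hypothetical."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample stores (CRM, billing, marketing); no shared key between them.
REPOSITORIES = {
    "crm": [
        {"id": "C-1", "name": "Daragh O Brien", "address": "13 Any Street, Anytown, Ireland"},
        {"id": "C-2", "name": "Darren O'Brien", "address": "13 Any Street, Anytown, Ireland"},
        {"id": "C-3", "name": "Tara O'Brien", "address": "7 Other Road, Anytown, Ireland"},
    ],
    "billing": [
        {"id": "B-9", "name": "Darragh O'Brien", "address": "13 Any St., Anytown, Ireland"},
        {"id": "B-10", "name": "Dara Ó Briain", "address": "13 Any St, Anytown, Ireland"},
    ],
    "marketing": [
        {"id": "M-4", "name": "D. O Brien", "address": "13 Any Street Anytown Ireland"},
        {"id": "M-5", "name": "Daragh O Brien", "address": "Foxfield Street John, Dublin"},
    ],
}

# Spelling variants of one first name, as listed on the slide. Accents are stripped
# before lookup, so "Dáire" and "Daire" both hit "daire". The first entry is the key.
FIRST_NAME_VARIANTS = [
    ["daragh", "darragh", "dara", "darra", "daire", "darach", "darrach", "daira", "daireach"],
]
CANONICAL_FIRST = {v: group[0] for group in FIRST_NAME_VARIANTS for v in group}
# Address tokens that cleansing tools rewrite; both spellings collapse to one key.
ADDRESS_ALIASES = {"street": "st", "saint": "st", "rd": "road"}
# Scoring weights and decision thresholds (hypothetical; tune against your own data).
WEIGHTS = {"first": 0.4, "surname": 0.3, "address": 0.3}
MATCH_THRESHOLD, REVIEW_THRESHOLD = 0.9, 0.7

def normalize(text):
    """Strip accents and apostrophes, case-fold, and split into plain word tokens."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold().replace("'", "").replace("\u2019", "")
    return re.findall(r"[a-z0-9]+", text)

def parse_name(name):
    """Return (canonical first name, surname). "O Brien", "O'Brien" and "Ó Briain"
    all become a single surname token so that they compare against each other."""
    tokens = normalize(name)
    if not tokens:
        return "", ""
    first, rest = tokens[0], tokens[1:]
    if len(rest) > 1 and rest[0] in ("o", "mac", "mc"):
        rest = [rest[0] + rest[1]] + rest[2:]
    return CANONICAL_FIRST.get(first, first), "".join(rest)

def first_name_score(a, b):
    """1.0 for the same name or a known variant; 0.8 for a matching initial;
    otherwise a string-similarity ratio (so Darren vs Daragh scores 0.5, not 0)."""
    if a == b:
        return 1.0
    if (len(a) == 1 and b.startswith(a)) or (len(b) == 1 and a.startswith(b)):
        return 0.8
    return SequenceMatcher(None, a, b).ratio()

def address_score(a, b):
    """Jaccard overlap of normalised address tokens: order-insensitive, so a
    cleansed "St. John's, Foxfield" still overlaps "Foxfield St. John"."""
    ta = {ADDRESS_ALIASES.get(t, t) for t in normalize(a)}
    tb = {ADDRESS_ALIASES.get(t, t) for t in normalize(b)}
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def score_record(query_name, query_address, record):
    """Weighted sum of first-name, surname and address similarity, in [0, 1]."""
    qf, qs = parse_name(query_name)
    rf, rs = parse_name(record["name"])
    return (WEIGHTS["first"] * first_name_score(qf, rf)
            + WEIGHTS["surname"] * SequenceMatcher(None, qs, rs).ratio()
            + WEIGHTS["address"] * address_score(query_address, record["address"]))

def subject_access_search(name, address, repositories=REPOSITORIES):
    """Search every store; return {"match": [...], "review": [...]} of
    (store, record id, score). "review" rows need a human decision before anything
    is disclosed: handing out the wrong person's data is itself a breach."""
    found = {"match": [], "review": []}
    for store, records in repositories.items():
        for rec in records:
            s = score_record(name, address, rec)
            if s >= MATCH_THRESHOLD:
                found["match"].append((store, rec["id"], round(s, 2)))
            elif s >= REVIEW_THRESHOLD:
                found["review"].append((store, rec["id"], round(s, 2)))
    return found

if __name__ == "__main__":
    print(subject_access_search("Daragh O Brien", "13 Any Street, Anytown, Ireland"))
```

For the query “Daragh O Brien, 13 Any Street, Anytown, Ireland” the four records that differ only by the slide’s spelling and cleansing variants (C-1, B-9, B-10, M-4) come back as matches; the same four records are also the “which needle?” problem, since they are one person held four times. Two records land in the review tier rather than being silently included or dropped: the Darren O’Brien record at the same address (the confusion the slide warns about) and a same-name record at a different address, which may be an earlier address for the same person. Whatever scoring you use, keep a record of which stores were searched and with what query, because that is the evidence that the request was answered completely.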
Conclusion
• Information is an asset. Its quality can be managed and improved just like any other asset.
• It should be protected like
• Data Protection and Information Quality are inextricably linked
Approaching your Data Protection obligations with an “Information Quality Eye” will improve your capability to comply with regulation while also ensuring that information in your organisation is of the highest possible quality, ensuring customer satisfaction and avoiding other regulatory risks.
Viewing Information Quality and Data Protection as two ‘silo’ problems deprives you of the potential to add greater value to your organisation while managing privacy/data protection risks.