Information Quality And Data Protection

Information Quality and Data Protection Two sides of the same coin

Introduction About me, about the presentation

About Me Defining & Implementing an effective Data Quality Since 2004 Author of Strategy, Ark Group 2008 (ISBN 978-1-906355-14-2) Since 2005 Regular contributor to ComputerScope Magazine, Running Your Business (Magazine of Irish Small Firms Association) , and the IADQ Newsletter Since 2005 (www.iaid.org/publications) Since 2008 •Graduate of UCD Faculty of Law (Business & Legal Studies), •Lecturer in Legal Regulation for Information Systems, European Masters in Business Informatics, Dublin City University

About Me Winner in 2008 of an Obsessive Blogger award from one of the leading Irish Blogging Communities for my writing on my personal blog (http://obriend.info) and elsewhere about Information Quality topics.

About this Presentation Crash course in first principles  Data Protection   European rules… US rules are different and have over a dozen different discrete State and Federal laws that tackle specific instances of issues…. Information Quality  Basic principles (very elementary)  Analysis  Relevance of Information Quality to Data Protection  Relevance of Data Protection to Information Quality  Conclusion  A detailed handout is available to accompany these slides.

First: Principles Some fundamentals. Made fun. Not mental.

Conclusion Data Protection and Information Quality are inextricably  linked Approaching your Data Protection obligations with an  “Information Quality Eye” will ensure improved capability to comply with regulation while also ensuring information in your organisation is of the highest possible quality, ensuring customer satisfaction and avoiding other regulatory risks. Viewing Information Quality and Data Protection as two  „silo‟ problems deprives you of the potential to add greater value to your organisation while managing privacy/data protection risks.

Data Protection DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL SECTION I PRINCIPLES RELATING TO DATA QUALITY Article 6 1. Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. 2. It shall be for the controller to ensure that paragraph 1 is complied with.

Fundamental Data Protection Principles Obtain the information fairly  Use only for purposes for which it was obtained  Process it only in ways compatible with the purposes  for which it was given to you initially Keep it safe and secure  Ensure that the information is accurate, relevant, and  not excessive Retain it for no longer than is necessary for the  stated purposes Give a copy of the information held by you relating to  them to an individual when requested

Fundamental Data Protection Principles Obtain the information fairly  Use only for purposes for which it was obtained  Process it only in ways compatible with the purposes  for which it was given to you initially Keep it safe and secure  Ensure that the information is accurate, relevant, and  not excessive Retain it for no longer than is necessary for the  stated purposes Give a copy of the information held by you  relating to them to an individual when requested

Data Protection SECTION I PRINCIPLES RELATING TO DATA QUALITY Article 6 1. Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. Give a copybe for the controller to ensure by you relating to them to an individual when 2. It shall of the information held that paragraph 1 is complied with. requested

Example of a Bad Data Protection Practice “Sign up for a raffle” Lots of personal data… Left completely unattended, along with a box full of more sheets like this one…

Data Protection & Information Quality Mapping the Relationship…

Information Quality Meeting or exceeding information consumer expectations Reducing variation around a mean for the performance and perceived value of an information product Beauty is in the eye of the beholder

Information Quality Data and Information are of high quality if they are fit for their uses (by customers) in operations, decision- making, and planning. They are fit for use when they are free of defects and possess the features needed to complete the operation, make the decision, or complete the plan. Joseph Juran

Information Quality What he said… only the view of the customer needs to be broad enough in your organisation… Is having your data lost or stolen a “feature” of the service you are buying? Dr Tom Redman

Setting & Meeting Expectation 1 Obtain and process the information fairly Setting Expectation Keep it only for one or more specified and 2 Setting Expectation lawful purposes Process it only in ways compatible with the 3 purposes for which it was given to you Meeting Expectation initially 4 Keep it safe and secure Meeting Expectation 5 Keep it accurate and up to date Meeting Expectation Ensure information is accurate, relevant and 6 Meeting Expectation not excessive Retain information for no longer than is 7 Meeting Expectation necessary for the stated purposes Give a copy of the information held by you 8 Meeting Expectation relating to them to individuals on request

Planning to meet expectations Quality of an asset (product, finance, people) is achieved through •Planning •Control •Improvement Joseph Juran

Asset Life Cycle – POSMAD Model Asset Store/Shar Plan Obtain Maintain Apply Dispose Life e Cycle What are our Are we using the What info do I Where/how will Do we have a How will we get process to info for purposes need to we store this retention policy „maintain‟ the it? identified @ capture? info? for this data? information? PLAN How are we How will we Can we find it Do we work Questions you might ask Why do we keeping our Do we retain this communicate again when with our need it? information up data at all? Hows & whys? needed? suppliers/data to date? service What are the Are we storing How are we providers to How do we processes we‟ll What will we the same data correcting ensure they dispose of our old use it for? use to get this many times in errors in our have adequate data? info? many places? data? procedures in What‟s our plan Will these Do our staff place to protect for ensuring Does our data Who will we processes know how/why the data we data integrity become share it with? capture quality we keep info hold on trust? (relating all our “excessive” over info? up to date? records)? time , even if it Will the Do our metrics was appropriate processes Is our data Do we protect Why would we and processes at the time it create poor storage copies of data share it? support this was captured? quality secure? on laptops etc? objective? information? What Is our data Can we find it Am I capturing processes will Is our data storage when we need too much info? we have to find disposal secure? secure? it? and fix errors? DP 1,2,3,5,6,7 1.2,3,4,5,6 1.2,3,4,5,6, 1,3,5,6 4,7,8 1,3,5,6,8 Principle ,8 ,8 7 s

Example of a Bad Data Protection Practice “Sign up for a raffle” Lots of personal data… Left completely unattended, along with a box full of more sheets like this one…

Give a copy of the information held by you 8 Meeting Expectation relating to them to individuals on request A needle in a haystack? Find ALL the data you have about ONE specific person based just on their name, address, other identifying data… not necessarily an account number or other unique reference. For example: Daragh O Brien, 13 Any Street, Anytown, Ireland.

Why did I get into Information Quality (an old slide, but a good slide) Daragh  Darragh  Dara  Darra  Daire  Darach  Darrach  Dáire  Daira  Daireach  Gender?  Male or Female  SPELLING DOES NOT give a clue  Confusion  Often miskeyed as TARA (definitely female)  Often confused with Darren (male) or Daryl (male or female)  Also confused with Daria (female)  Also confused with Dora (female)  O Brien  NOT O‟Brien (anglicised version of gaelic name)  Also use O Briain (proper Irish language spelling)  Will accept O‟Brien (mainly out of laziness at this stage)  Grew up on “Foxfield St. John”  Data cleansing software often changes this to “Foxfield Street John”  Or “St. John‟s, Foxfield” 

Give a copy of the information held by you 8 Meeting Expectation relating to them to individuals on request Lots of data repositories? Which haystack?

Give a copy of the information held by you 8 Meeting Expectation relating to them to individuals on request Potential duplicate records? Which needle?

Conclusion

Conclusion  Information is an asset  Its quality can be managed and improved just like any other asset.  It should be protected like  Data Protection and Information Quality are inextricably linked

Conclusion Approaching your Data Protection obligations  with an “Information Quality Eye” will ensure improved capability to comply with regulation while also ensuring information in your organisation is of the highest possible quality, ensuring customer satisfaction and avoiding other regulatory risks. Viewing Information Quality and Data Protection  as two „silo‟ problems deprives you of the potential to add greater value to your organisation while managing privacy/data protection risks.

https://twimg0-a.akamaihd.net	39
http://www.slideshare.net	6
http://localhost	1
http://obriend.info	1
http://www.lmodules.com	1
http://translate.googleusercontent.com	1
http://a0.twimg.com	1

Information Quality And Data Protection

by Castlebridge Associates on Mar 13, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

7 Embeds 50

Statistics

Information Quality And Data Protection — Presentation Transcript