I’m concerned with the University’s data – primarily the “corporate” or “enterprise” data, but some of the concerns carry over to research data too. Suppose someone would like access to some data. Or that someone wants to package up some data and give it to somebody else. Are they allowed to? To what extent is the data up to date and accurate? What does the data represent? What does it mean? Will the person requesting it understand it?
We want a process that is readily available, easy to use, transparent, and auditable.
Confidentiality – in progress by CISO Openness – OER policy is nearest to this Data Stewards – approach agreed by CMG
Responsive to requests Centrally defined process for handling requests and providing access Mechanism for handling queries about the data
Proactive Process to agree licence Define update policy? Central mechanism for publishing data? No support for queries?
Open data who decides?
Open data: Who decides?
Dave Berry, Enterprise Architect
• Security and Control • Openness & Sharing
Unrestricted Published (e.g. the web site)
Anything covered by FOI
Information we want to make public, or
don’t mind becoming public, including
everything under FOI
Restricted Personal (Data Protection)
The “normal” level for information that
needs to be kept securely.
Confidential Sensitive personal (Data Protection)
Exam papers (before the exam)
Commercial in confidence
Information that requires extra security
controls of some sort.
• Policy to be decided ;-)
• But let’s conjecture…
• The data steward specifies the confidentiality level
• Down to the attribute level, if necessary
• Also by population, if necessary
• Assisted by Enterprise Architecture
• CISO and Records Management review this
• Data Steward approves release
• Ensures that data is documented
“Security & Control” world
“Openness & Sharing” world
Publishes ReadsLog of
(Highly provisional) protocol for requesting
access to unrestricted data
• The data must not be modified, amended or altered. Any data
changes must be actioned within the Golden Copy.
• Describe what the data will be used for and by whom it will be used.
• Nominate an individual responsible for the receiving system and the
data it contains.
• Declare if the data will be supplied to any other system.
• Define a retention schedule for the data in this system and confirm
that the data will be permanently deleted when no longer needed.
Questions for the open community
• Does the data need to be kept up to date?
• How should errors be reported?
• What if someone modifies the data set and re-releases it?
• E.g. reputational damage
• Can we track who is using the data?
• And what they are using it for?