Information Quality And Data Protection

Information Quality and Data Protection Two sides of the same coin


Information Quality is often seen as just another problem in organisations, as is Data Protection. In this presentation, Daragh O Brien of the IAIDQ explains how both issues are closely related and how by taking an "Information Quality Eye" approach to Data Protection you can ensure that your organisation benefits from both better quality and better protection.

Transcript of Information Quality And Data Protection

Page 1: Information Quality And Data Protection

Information Quality and Data Protection

Two sides of the same coin

Page 2: Information Quality And Data Protection

Introduction

About me, about the presentation

Page 3: Information Quality And Data Protection

About Me

Since 2004

Since 2005

Since 2005

Since 2008

• Graduate of UCD Faculty of Law (Business & Legal Studies)

• Lecturer in Legal Regulation for Information Systems, European Masters in Business Informatics, Dublin City University

Author of Defining & Implementing an effective Data Quality Strategy, Ark Group 2008 (ISBN 978-1-906355-14-2)

Regular contributor to ComputerScope Magazine, Running Your Business (Magazine of Irish Small Firms Association), and the IAIDQ Newsletter (www.iaid.org/publications)

Page 4: Information Quality And Data Protection

About Me

Winner in 2008 of an Obsessive Blogger award from one of the leading Irish Blogging Communities for my writing on my personal blog (http://obriend.info) and elsewhere about Information Quality topics.

Page 5: Information Quality And Data Protection

About this Presentation

Crash course in first principles

Data Protection: European rules… US rules are different and have over a dozen different discrete State and Federal laws that tackle specific instances of issues….

Information Quality: Basic principles (very elementary)

Analysis: Relevance of Information Quality to Data Protection; Relevance of Data Protection to Information Quality

Conclusion

A detailed handout is available to accompany these slides.

Page 6: Information Quality And Data Protection

First: Principles

Some fundamentals. Made fun. Not mental.

Page 7: Information Quality And Data Protection

Conclusion

Data Protection and Information Quality are inextricably linked

Approaching your Data Protection obligations with an “Information Quality Eye” will ensure improved capability to comply with regulation while also ensuring information in your organisation is of the highest possible quality, ensuring customer satisfaction and avoiding other regulatory risks.

Viewing Information Quality and Data Protection as two ‘silo’ problems deprives you of the potential to add greater value to your organisation while managing privacy/data protection risks.

Page 8: Information Quality And Data Protection

Data Protection

SECTION I

PRINCIPLES RELATING TO DATA QUALITY

Article 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Page 9: Information Quality And Data Protection

Data Protection

SECTION I

PRINCIPLES RELATING TO DATA QUALITY

Article 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Page 10: Information Quality And Data Protection

Data Protection

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

SECTION I

PRINCIPLES RELATING TO DATA QUALITY

Article 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.

Page 11: Information Quality And Data Protection

Fundamental Data Protection Principles

Obtain the information fairly

Use only for purposes for which it was obtained

Process it only in ways compatible with the purposes for which it was given to you initially

Keep it safe and secure

Ensure that the information is accurate, relevant, and not excessive

Retain it for no longer than is necessary for the stated purposes

Give a copy of the information held by you relating to them to an individual when requested

Page 12: Information Quality And Data Protection

Fundamental Data Protection Principles

Obtain the information fairly

Use only for purposes for which it was obtained

Process it only in ways compatible with the purposes for which it was given to you initially

Keep it safe and secure

Ensure that the information is accurate, relevant, and not excessive

Retain it for no longer than is necessary for the stated purposes

Give a copy of the information held by you relating to them to an individual when requested

Page 13: Information Quality And Data Protection

Data Protection

SECTION I

PRINCIPLES RELATING TO DATA QUALITY

Article 6

1. Member States shall provide that personal data must be:

(a) processed fairly and lawfully;

(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;

(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

2. It shall be for the controller to ensure that paragraph 1 is complied with.

Give a copy of the information held by you relating to them to an individual when requested

Page 14: Information Quality And Data Protection

Example of a Bad Data Protection Practice

“Sign up for a

raffle”

Lots of personal data…

Left completely unattended, along with a box full of more sheets like this one…

Page 15: Information Quality And Data Protection

Data Protection & Information Quality

Mapping the Relationship…

Page 16: Information Quality And Data Protection

Information Quality

Meeting or exceeding information consumer expectations

Reducing variation around a mean for the performance and perceived value of an information product

Beauty is in the eye of the beholder

Page 17: Information Quality And Data Protection

Joseph Juran

Information Quality

Data and Information are of high quality if they are fit for their uses

(by customers) in operations, decision-making, and planning.

They are fit for use when they are free of defects and possess the

features needed to complete the operation, make the decision, or

complete the plan.

Page 18: Information Quality And Data Protection

Information Quality

What he said… only the view of the customer needs to be broad enough in your organisation… Is having your data lost or stolen a “feature” of the service you are buying?

Dr Tom Redman

Page 19: Information Quality And Data Protection

Setting & Meeting Expectation

1. Obtain and process the information fairly (Setting Expectation)

2. Keep it only for one or more specified and lawful purposes (Setting Expectation)

3. Process it only in ways compatible with the purposes for which it was given to you initially (Meeting Expectation)

4. Keep it safe and secure (Meeting Expectation)

5. Keep it accurate and up to date (Meeting Expectation)

6. Ensure information is accurate, relevant and not excessive (Meeting Expectation)

7. Retain information for no longer than is necessary for the stated purposes (Meeting Expectation)

8. Give a copy of the information held by you relating to them to individuals on request (Meeting Expectation)

Page 20: Information Quality And Data Protection

Planning to meet expectations

Joseph Juran

Quality of an asset (product, finance, people) is achieved through:

• Planning

• Control

• Improvement

Page 21: Information Quality And Data Protection

Asset Life Cycle – POSMAD Model

Questions you might ask at each stage of the Asset Life Cycle (DP Principles numbered 1–8 as on the Setting & Meeting Expectation slide)

Plan (DP Principles 1,2,3,5,6,7,8)

What info do I need to capture?

Why do we need it?

What will we use it for?

Who will we share it with?

Why would we share it?

Am I capturing too much info?

Obtain (DP Principles 1,3,5,6)

How will we get it?

How will we communicate the hows & whys?

What are the processes we’ll use to get this info?

Will these processes capture quality info?

Will the processes create poor quality information?

What processes will we have to find and fix errors?

Store/Share (DP Principles 4,7,8)

Where/how will we store this info?

Can we find it again when needed?

Are we storing the same data many times in many places?

What’s our plan for ensuring data integrity (relating all our records)?

Is our data storage secure?

Maintain (DP Principles 1,3,5,6,8)

What are our processes to ‘maintain’ the information?

How are we keeping our information up to date?

How are we correcting errors in our data?

Do our staff know how/why we keep info up to date?

Do our metrics and processes support this objective?

Apply (DP Principles 1,2,3,4,5,6,8)

Are we using the info for purposes identified at PLAN?

Do we work with our suppliers/data service providers to ensure they have adequate procedures in place to protect the data we hold on trust?

Do we protect copies of data on laptops etc?

Can we find it when we need it?

Dispose (DP Principles 1,2,3,4,5,6,7)

Do we have a retention policy for this data?

Do we retain this data at all?

How do we dispose of our old data?

Does our data become “excessive” over time, even if it was appropriate at the time it was captured?

Is our data disposal secure?
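The Plan and Dispose questions above (“Am I capturing too much info?”, “Do we have a retention policy?”, “Does our data become excessive over time?”) can be turned into a check that runs over an extract of what you actually hold. The following is an added example, not code from the presentation or from the IAIDQ: it assumes a constructed policy table that lists, per stated purpose, the fields that purpose justifies and how long records may be kept after their last use, and it flags records that have outlived that period, records carrying fields their purpose does not justify, and records whose purpose has no policy at all. The purposes, field lists, retention periods and sample records are all constructed for the illustration.

```python
"""Retention and data-minimisation check over a constructed customer extract.

Added example (not from the presentation). POLICY is an assumed mapping from
a stated purpose to the fields that purpose justifies and the number of days a
record may be kept after its last use; nothing here is any organisation's
actual policy.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy: purpose -> justified fields and retention after last use.
POLICY = {
    "raffle": {"fields": {"name", "email"}, "retention_days": 30},
    "customer_account": {
        "fields": {"name", "email", "address", "phone"},
        "retention_days": 730,
    },
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    kind: str      # "expired", "excessive" or "unknown_purpose"
    detail: str


def check_record(record: dict, today: date, policy: dict = POLICY) -> list[Finding]:
    """Return the findings for one record as of `today` (empty list if clean)."""
    findings: list[Finding] = []
    purpose = record.get("purpose")
    rule = policy.get(purpose)
    if rule is None:
        # No stated purpose means no basis for retention: principle 2 on the slides.
        return [Finding(record["id"], "unknown_purpose",
                        f"no policy for purpose {purpose!r}")]

    last_used = record["last_used"]
    if today - last_used > timedelta(days=rule["retention_days"]):
        findings.append(Finding(record["id"], "expired",
                                f"last used {last_used.isoformat()}, "
                                f"limit {rule['retention_days']} days"))

    # Fields the purpose does not justify are "excessive" (principle 6),
    # even if they looked reasonable when the data was captured.
    extra = set(record["data"]) - rule["fields"]
    if extra:
        findings.append(Finding(record["id"], "excessive",
                                "fields not justified by purpose: "
                                + ", ".join(sorted(extra))))
    return findings


def run_check(records: list[dict], today: date, policy: dict = POLICY) -> list[Finding]:
    """Run check_record over every record, preserving input order."""
    return [f for r in records for f in check_record(r, today, policy)]


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings by kind, e.g. {'expired': 2, 'excessive': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample extract; values are placeholders, not real people.
SAMPLE_RECORDS = [
    {"id": "R1", "purpose": "raffle", "last_used": date(2009, 1, 10),
     "data": {"name": "A. Person", "email": "a@example.invalid",
              "date_of_birth": "1970-01-01"}},
    {"id": "R2", "purpose": "customer_account", "last_used": date(2009, 5, 1),
     "data": {"name": "B. Person", "email": "b@example.invalid",
              "address": "1 Sample St"}},
    {"id": "R3", "purpose": "marketing", "last_used": date(2009, 5, 20),
     "data": {"email": "c@example.invalid"}},
    {"id": "R4", "purpose": "customer_account", "last_used": date(2006, 3, 1),
     "data": {"name": "D. Person", "email": "d@example.invalid"}},
]
AS_OF = date(2009, 6, 1)

if __name__ == "__main__":
    for finding in run_check(SAMPLE_RECORDS, AS_OF):
        print(f"{finding.record_id}: {finding.kind} - {finding.detail}")
    print(summarise(run_check(SAMPLE_RECORDS, AS_OF)))
```

The check deliberately measures retention from last use rather than from capture, so a record that is still being applied for its stated purpose is not flagged; if your policy counts from the date of collection, swap the `last_used` field for a capture date. The “excessive” finding is the one most organisations miss, because the extra field was usually justified by a purpose that has since lapsed.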

Page 22: Information Quality And Data Protection

Example of a Bad Data Protection Practice

“Sign up for a

raffle”

Lots of personal data…

Left completely unattended, along with a box full of more sheets like this one…

Page 23: Information Quality And Data Protection

8. Give a copy of the information held by you relating to them to individuals on request

Meeting Expectation

A needle in a haystack?

Find ALL the data you have about ONE specific person based just on their name, address, other identifying data… not necessarily an account number or other unique reference.

For example: Daragh O Brien, 13 Any Street, Anytown, Ireland.

Page 24: Information Quality And Data Protection

Why did I get into Information Quality (an old slide, but a good slide)

Daragh, Darragh, Dara, Darra, Daire, Darach, Darrach, Dáire, Daira, Daireach

Gender? Male or Female: SPELLING DOES NOT give a clue

Confusion:

Often miskeyed as TARA (definitely female)

Often confused with Darren (male) or Daryl (male or female)

Also confused with Daria (female)

Also confused with Dora (female)

O Brien, NOT O’Brien (anglicised version of Gaelic name)

Also use O Briain (proper Irish language spelling)

Will accept O’Brien (mainly out of laziness at this stage)

Grew up on “Foxfield St. John”

Data cleansing software often changes this to “Foxfield Street John” or “St. John’s, Foxfield”

Page 25: Information Quality And Data Protection

8. Give a copy of the information held by you relating to them to individuals on request

Meeting Expectation

Which haystack? Lots of data repositories?

Page 26: Information Quality And Data Protection

8. Give a copy of the information held by you relating to them to individuals on request

Meeting Expectation

Which needle? Potential duplicate records?
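Pages 23 to 26 describe the information-quality problem behind principle 8: answering an access request means finding every record about one person across several repositories, when the name may be spelt ten ways, the surname may or may not carry an apostrophe or fada, the address may have been “cleansed” into a different form, and the same person may be stored more than once. The following is an added example, not code from the presentation: it builds a matching key from a folded first name, a compacted surname and a normalised address, searches a constructed set of repositories for one subject, and lists groups that are potential duplicates. The variant tables are seeded only from the spellings on the slides and are assumptions, as are the repository names and sample records.

```python
"""Subject-access search across repositories with name/address normalisation.

Added example (not from the presentation). FIRST_NAME_VARIANTS, SURNAME_VARIANTS
and ADDRESS_ABBREV are constructed tables seeded from the spellings the slides
mention; the repositories and records are constructed sample data.
"""
from __future__ import annotations

import re
import unicodedata
from collections import defaultdict

# Constructed variant tables: canonical spelling -> alternative spellings.
FIRST_NAME_VARIANTS = {
    "daragh": {"darragh", "dara", "darra", "daire", "darach", "darrach",
               "daira", "daireach"},
}
SURNAME_VARIANTS = {"obrien": {"obriain"}}
ADDRESS_ABBREV = {"st": "street", "rd": "road", "ave": "avenue"}


def _fold(text: str) -> str:
    """Lower-case and strip diacritics so 'Dáire' -> 'daire', 'Ó' -> 'o'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower().strip()


def _canonical(token: str, table: dict[str, set[str]]) -> str:
    for canonical, variants in table.items():
        if token == canonical or token in variants:
            return canonical
    return token


def canonical_first_name(name: str) -> str:
    return _canonical(_fold(name), FIRST_NAME_VARIANTS)


def canonical_surname(name: str) -> str:
    # 'O Brien', "O'Brien", 'O’Brien' and 'Ó Briain' all collapse to one key.
    compact = re.sub(r"[\s'’\-]", "", _fold(name))
    return _canonical(compact, SURNAME_VARIANTS)


def normalise_address(address: str) -> str:
    """Normalise for comparison only; the stored address is never rewritten."""
    tokens = re.findall(r"[a-z0-9]+", _fold(address))
    return " ".join(ADDRESS_ABBREV.get(t, t) for t in tokens)


def person_key(first: str, last: str, address: str) -> tuple[str, str, str]:
    return (canonical_first_name(first), canonical_surname(last),
            normalise_address(address))


def find_subject_records(repositories: dict[str, list[dict]],
                         first: str, last: str, address: str) -> list[tuple[str, str]]:
    """Return (repository, record id) for every record matching the subject."""
    target = person_key(first, last, address)
    hits = []
    for repo, records in repositories.items():
        for rec in records:
            if person_key(rec["first"], rec["last"], rec["address"]) == target:
                hits.append((repo, rec["id"]))
    return hits


def potential_duplicates(repositories: dict[str, list[dict]]) -> dict[tuple, list[tuple[str, str]]]:
    """Group records by key and keep groups with more than one member."""
    groups: dict[tuple, list[tuple[str, str]]] = defaultdict(list)
    for repo, records in repositories.items():
        for rec in records:
            groups[person_key(rec["first"], rec["last"], rec["address"])].append((repo, rec["id"]))
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed repositories; names and addresses are placeholders.
REPOSITORIES = {
    "crm": [
        {"id": "C1", "first": "Daragh", "last": "O Brien",
         "address": "13 Any Street, Anytown, Ireland"},
        {"id": "C2", "first": "Darragh", "last": "O'Brien",
         "address": "13 Any St., Anytown, Ireland"},
    ],
    "raffle_sheets": [
        {"id": "R7", "first": "Dáire", "last": "Ó Briain",
         "address": "13 Any Street, Anytown, Ireland"},
        {"id": "R9", "first": "Tara", "last": "O Brien",
         "address": "13 Any Street, Anytown, Ireland"},
    ],
    "billing": [
        {"id": "B3", "first": "Daryl", "last": "O Brien",
         "address": "5 Other Road, Anytown, Ireland"},
    ],
}

if __name__ == "__main__":
    print(find_subject_records(REPOSITORIES, "Daragh", "O Brien",
                               "13 Any Street, Anytown, Ireland"))
    print(potential_duplicates(REPOSITORIES))
```

Two limits are worth noting. A variant table catches alternative spellings of the same name but not a miskeying into a different name, so the “TARA” record at the same address is not returned and would need a human review step; and normalising the address for comparison is not the same as the cleansing the slide complains about, because the stored value is left exactly as the subject gave it.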

Page 27: Information Quality And Data Protection

Conclusion

Page 28: Information Quality And Data Protection

Conclusion

Information is an asset. Its quality can be managed and improved just like any other asset.

It should be protected like

Data Protection and Information Quality are inextricably linked

Page 29: Information Quality And Data Protection

Conclusion

Approaching your Data Protection obligations with an “Information Quality Eye” will ensure improved capability to comply with regulation while also ensuring information in your organisation is of the highest possible quality, ensuring customer satisfaction and avoiding other regulatory risks.

Viewing Information Quality and Data Protection as two ‘silo’ problems deprives you of the potential to add greater value to your organisation while managing privacy/data protection risks.