This is a presentation I delivered to the Irish Computer Society Data Protection Conference in February 2011 and again on a webinar for dataqualitypro.com in March 2011.
It looks (for what I believe was the first time) at the relationship between Information Quality and Data Governance principles and practices and the objectives of Data Protection/Privacy compliance. It includes my first version of the mapping of the 8 Data Protection principles to the POSMAD Information Life Cycle referred to by McGilvray and others in the IQ/DQ fields.
8. Peter Drucker
“So far, for 50 years, the information
revolution has centered on data - their
collection, storage, transmission, analysis,
and presentation.
It has centered on the "T" in IT.
The next information revolution asks, what
is the MEANING of information, and what is
its PURPOSE?”
10. Data Protection Rules
1. Personal data which is being processed must be fairly obtained
and processed
2. Personal Data shall be kept accurate and complete and, where
necessary, kept up to date
3. Personal Data shall be obtained for a Specified and Lawful
Purpose
4. Personal Data shall not be processed in a manner incompatible
with the specified purpose.
11. Data Protection Rules
5. Data processed must be adequate, relevant and not
excessive
6. Personal data should not be kept for longer than necessary
for the specified purpose or purposes
7. Personal Data should be kept Safe & Secure
8. Data Subjects have a right of Access.
13. Linking to Data Quality
EU Directive 95/46/EC defines “Data Protection”
principles as
“Data Quality Principles”.
14. What is “Information Quality”?
The degree to which information and data can
be a trusted source for any or all required uses.
The degree to which data and information
meets the specific needs of specific customers.
Consistently meeting or exceeding knowledge
worker/end customer expectations.
16. Information Chains
[Diagram: Information Flow. Some Input, then Some Action (By someone), then Some Output That becomes an Input to the next Some Action (By someone), repeated across three actions and ending in Some Output.]
22. If you can't describe what
you are doing as a
process...
... You don’t know what you
are doing.
W. Edwards Deming
23. THIS IS NOT A PROCESS Map or
Info Chain Description
• We do this.
• Then Martin in Accounts does that.
• Then Betty in Receivables does this other thing
• Then it comes back to us
• Then something else happens.
• 4th Thursday of month the Jaberwock audits.
24. If I had wanted to
know what you did
on your holidays,
I’d have asked.
Process Improvement Lead, Telco industry
25. The Info Asset Life Cycle
Plan
What resource do we need? What do we need it for? What
attributes/characteristics should this resource have? Are we
prepared for this resource?
Obtain
How will we get this resource? Where will we get it?
Store/Share
How will we accommodate/store this resource? How (if necessary)
will it be shared amongst functions in the business?
Maintain
How will we maintain and develop this resource to ensure maximum
utility and value?
Apply
How will we use this resource? How will the resource be used to
generate net cash inflows or support the delivery of services?
Dispose
How will we reduce our volumes of this asset when it no longer
serves a valuable purpose? What conditions will indicate that an
asset is no longer serving a valuable purpose?
29. Only 1 in 10 companies performed some form of
data profiling on their datasets,
affecting risk assessment on data
migrations and other initiatives.
Source: Bloor Research 2007
30. Summary (of Theory)
Data Protection & Information
Quality are closely linked disciplines
Understanding your Processes is key
Quality has to be built in
Inspecting defects out is not Quality
POSMAD Information Life Cycle gives context
You can measure Quality of Information
(across many characteristics)
32. Disclaimer:
The case study described here is a composite of a
number of projects that I have either worked on directly or
studied in direct contact with the project sponsors and
project managers involved.
This has been done to preserve anonymity of the
organisation(s) involved
Not all the projects were “Data Protection” focussed.
However the application of Information Quality and Data
Governance best practices resulted in opportunities for
Data Protection supports being identified and seized.
34. The Project
• Sales Force Automation.
• Single View of Customer
• Master Data Management
• “e-Nable” traditional paper-based processes
• Outsource some Call Centre/Field Sales operations
• E-billing for customers
37. The First Mistake
Focus on IT Architecture and systems infrastructure
Process Definition & Data Quality issues “descoped”
Plans became based on “Systems”
Project teams became siloed
Focus on “Data Subject” lost
39. Couldn’t handle
Consumer customer
with >1 billing account.
Interim Solution:
Needed “Customer Name” as
<title><firstname><lastname>
Interim Solution:
All customer names in Single View of
Customer database parsed using an
MS Access Database on a laptop each
week
40. Third Mistake
Personal Data was being
captured that wasn’t actually
being used anywhere or whose
use was unclear
41. Mock up of the paper form that had historically been used
First name
Last name
Address 1
Address 2
Address 3
Address 4
PPSN
Age
Gender
Junk Mail: Yes/No
Bank A/C details/Credit Card: Acct Number, Branch Code, Credit Card Number
Contact Telephone
Mother’s Maiden Name
Details of any Medical Conditions
Household Demographics
Marital Status: Married, Single, Separated, Divorced, Cohabiting
Number of Children
Partner’s Name
Services you are interested in: Service 1, Service 2, Service 3, Service 4
48. Plan
Processes were mapped
Timing of data needs identified
Relevance of Data was documented
Critical Quality Measures picked
Meaning of Data clearly defined
Purpose of Data clearly understood
50. The downstream processes were age-sensitive. Just
capturing AGE at a point in time meant customer
services could not be delivered reliably
51. Maintain
Key metrics defined for Information
Processes defined for Maintaining data
… by the customer (self service)
… by the organisation
… in response to leading indicators
59. Apply
• Right Data to Right place at Right
time for Right Reason
• Right Risk Assessment, Right Security,
Right controls.
• Less cost of rework and worry
63. Information Value
Chains are the
Missing Link
A.K.A. Processes
A.K.A. “CyCles”
A.K.A. SIPOC
A.K.A. Workflow
If you can't describe
what you are doing as a
process...
... you don’t know what you
are doing.
64. Information has a life cycle.
That life cycle gives important
CONTEXT
68. Perspective is important...
The Project did not set out to address
Data Protection per se.
But deliverables supported proactive
Data Protection Management
73. What is your
Data Protection Scorecard?
How does it translate to your
bottom line?
Editor's notes
While the Bloor Research study was looking at planning for data migrations, only 1 in 10 companies who responded to the survey had done any data profiling as part of planning their data migrations. That statistic backs up the anecdotal stories from Risk Management consultants that the biggest problem in Risk Audits or Risk Reviews is that people don’t have information to make informed decisions and, for the information they do have, are not always in a position to stand over its accuracy.