5. Policy: confidentiality
Unrestricted: Information we want to make public, or don’t mind becoming public, including everything under FOI.
• Published (e.g. the web site)
• Open licence
• Anything covered by FOI
Restricted: The “normal” level for information that needs to be kept securely.
• Personal (Data Protection)
• Financial
• Security
Confidential: Information that requires extra security controls of some sort.
• Sensitive personal (Data Protection)
• Passwords
• Exam papers (before the exam)
• Medical
• Commercial in confidence
• ISO 27001
6. Who decides?
• Policy to be decided ;-)
• But let’s conjecture…
• The data steward specifies the confidentiality level
• Down to the attribute level, if necessary
• Also by population, if necessary
• Assisted by Enterprise Architecture
• CISO and Records Management review this
• Data Steward approves release
• Ensures that data is documented
7. “Security & Control” world
[Diagram: Requestor and Data Steward, connected to Data Definition, Standard Request Form, Log of Requestors and Data. Relationship labels: Publishes, Reads, Completes, Submits, Maintains, Approves, Accesses, Maintains.]
8. “Openness & Sharing” world
[Diagram: Requestor and Data Steward, connected to Data Definition, Log of Requestors, Standard Request Form and Data. Relationship labels: Publishes, Reads, Maintains?, Accesses, Completes?, Reads?, Licenses, Maintains?.]
9. (Highly provisional) protocol for requesting access to unrestricted data
• The data must not be modified, amended or altered. Any data changes must be actioned within the Golden Copy.
• Describe what the data will be used for and by whom it will be used.
• Nominate an individual responsible for the receiving system and the data it contains.
• Declare if the data will be supplied to any other system.
• Define a retention schedule for the data in this system and confirm that the data will be permanently deleted when no longer needed.
10. Questions for the open community
• Does the data need to be kept up to date?
• How should errors be reported?
• What if someone modifies the data set and re-releases it?
• E.g. reputational damage
• Can we track who is using the data?
• And what they are using it for?
Editor's notes
I’m concerned with the University’s data – primarily the “corporate” or “enterprise” data, but some of the concerns carry over to research data too.
Suppose someone would like access to some data. Or that someone wants to package up some data and give it to somebody else. Are they allowed to?
To what extent is the data up to date and accurate?
What does the data represent? What does it mean? Will the person requesting it understand it?
We want a process that is readily available, easy to use, transparent, and auditable.
Confidentiality – in progress by CISO
Openness – OER policy is nearest to this
Data Stewards – approach agreed by CMG
Responsive to requests
Centrally defined process for handling requests and providing access
Mechanism for handling queries about the data
Proactive
Process to agree licence
Define update policy?
Central mechanism for publishing data?
No support for queries?