Information Quality is often seen as just another problem in organisations, as is Data Protection. In this presentation, Daragh O Brien of the IAIDQ explains how both issues are closely related and how by taking an "Information Quality Eye" approach to Data Protection you can ensure that your organisation benefits from both better quality and better protection.
3. About Me
Since 2004
Author of Defining & Implementing an effective Data Quality Strategy, Ark Group 2008 (ISBN 978-1-906355-14-2)
Since 2005
Regular contributor to ComputerScope Magazine, Running Your Business (Magazine of Irish Small Firms Association), and the IADQ Newsletter
Since 2005 (www.iaid.org/publications)
Since 2008
• Graduate of UCD Faculty of Law (Business & Legal Studies),
• Lecturer in Legal Regulation for Information Systems, European Masters in Business Informatics, Dublin City University
4. About Me
Winner in 2008 of an Obsessive Blogger award from one of the leading Irish
Blogging Communities for my writing on my personal blog (http://obriend.info)
and elsewhere about Information Quality topics.
5. About this Presentation
Crash course in first principles
Data Protection
European rules… US rules are different and have
over a dozen different discrete State and Federal
laws that tackle specific instances of issues….
Information Quality
Basic principles (very elementary)
Analysis
Relevance of Information Quality to Data Protection
Relevance of Data Protection to Information Quality
Conclusion
A detailed handout is available to accompany these slides.
7. Conclusion
Data Protection and Information Quality are inextricably
linked
Approaching your Data Protection obligations with an
“Information Quality Eye” will ensure improved capability
to comply with regulation while also ensuring information
in your organisation is of the highest possible quality,
ensuring customer satisfaction and avoiding other
regulatory risks.
Viewing Information Quality and Data Protection as two
‘silo’ problems deprives you of the potential to add
greater value to your organisation while managing
privacy/data protection risks.
8. Data Protection
DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL
SECTION I
PRINCIPLES RELATING TO DATA QUALITY
Article 6
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a
way incompatible with those purposes. Further processing of data for historical,
statistical or scientific purposes shall not be considered as incompatible provided that
Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are
collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken
to ensure that data which are inaccurate or incomplete, having regard to the purposes
for which they were collected or for which they are further processed, are erased or
rectified;
(e) kept in a form which permits identification of data subjects for no longer than is
necessary for the purposes for which the data were collected or for which they are
further processed. Member States shall lay down appropriate safeguards for personal
data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.
11. Fundamental Data Protection Principles
Obtain the information fairly
Use only for purposes for which it was obtained
Process it only in ways compatible with the purposes
for which it was given to you initially
Keep it safe and secure
Ensure that the information is accurate, relevant, and
not excessive
Retain it for no longer than is necessary for the
stated purposes
Give a copy of the information held by you relating to
them to an individual when requested
13. Data Protection
SECTION I
PRINCIPLES RELATING TO DATA QUALITY
Article 6
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way
incompatible with those purposes. Further processing of data for historical, statistical or
scientific purposes shall not be considered as incompatible provided that Member States provide
appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected
and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure
that data which are inaccurate or incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary
for the purposes for which the data were collected or for which they are further processed.
Member States shall lay down appropriate safeguards for personal data stored for longer periods
for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.
Give a copy of the information held by you relating to them to an individual when requested
14. Example of a Bad Data Protection Practice
“Sign up for a raffle”
Lots of personal data…
Left completely unattended, along with a box full of more sheets like this one…
16. Information Quality
Meeting or exceeding information consumer expectations
Reducing variation around a mean for the performance and
perceived value of an information product
Beauty is in the eye of the beholder
17. Information Quality
Data and Information are of high quality if they are fit for their uses (by customers) in operations, decision-making, and planning. They are fit for use when they are free of defects and possess the features needed to complete the operation, make the decision, or complete the plan.
Joseph Juran
18. Information Quality
What he said… only the view of the customer
needs to be broad enough in your
organisation…
Is having your data lost or stolen a “feature” of
the service you are buying?
Dr Tom Redman
19. Setting & Meeting Expectation
1 Obtain and process the information fairly | Setting Expectation
2 Keep it only for one or more specified and lawful purposes | Setting Expectation
3 Process it only in ways compatible with the purposes for which it was given to you initially | Meeting Expectation
4 Keep it safe and secure | Meeting Expectation
5 Keep it accurate and up to date | Meeting Expectation
6 Ensure information is accurate, relevant and not excessive | Meeting Expectation
7 Retain information for no longer than is necessary for the stated purposes | Meeting Expectation
8 Give a copy of the information held by you relating to them to individuals on request | Meeting Expectation
20. Planning to meet expectations
Quality of an asset (product, finance,
people) is achieved through
•Planning
•Control
•Improvement
Joseph Juran
21. Asset Life Cycle – POSMAD Model
Asset Life Cycle: Plan, Obtain, Store/Share, Maintain, Apply, Dispose
Questions you might ask
Plan
•What info do I need to capture?
•Why do we need it?
•What will we use it for?
•Who will we share it with?
•Why would we share it?
•Am I capturing too much info?
Obtain
•How will we get it?
•How will we communicate Hows & whys?
•What are the processes we’ll use to get this info?
•Will these processes capture quality info?
•Will the processes create poor quality information?
•What processes will we have to find and fix errors?
Store/Share
•Where/how will we store this info?
•Can we find it again when needed?
•Are we storing the same data many times in many places?
•What’s our plan for ensuring data integrity (relating all our records)?
•Is our data storage secure?
Maintain
•What are our process to ‘maintain’ the information?
•How are we keeping our information up to date?
•How are we correcting errors in our data?
•Do our staff know how/why we keep info up to date?
•Do our metrics and processes support this objective?
•Is our data storage secure?
Apply
•Are we using the info for purposes identified @ PLAN
•Do we work with our suppliers/data service providers to ensure they have adequate procedures in place to protect the data we hold on trust?
•Do we protect copies of data on laptops etc?
•Can we find it when we need it?
Dispose
•Do we have a retention policy for this data?
•Do we retain this data at all?
•How do we dispose of our old data?
•Does our data become “excessive” over time, even if it was appropriate at the time it was captured?
•Is our data disposal secure?
DP Principles
1,2,3,5,6,7,8  1.2,3,4,5,6,8  1.2,3,4,5,6,7
1,3,5,6  4,7,8  1,3,5,6,8
23. 8 Give a copy of the information held by you relating to them to individuals on request | Meeting Expectation
A needle in a haystack?
Find ALL the data you have about
ONE specific person based just on
their name, address, other identifying
data… not necessarily an account
number or other unique reference.
For example:
Daragh O Brien, 13 Any Street,
Anytown, Ireland.
24. Why did I get into Information Quality (an old
slide, but a good slide)
Daragh
Darragh
Dara
Darra
Daire
Darach
Darrach
Dáire
Daira
Daireach
Gender?
Male or Female SPELLING DOES NOT give a clue
Confusion
Often miskeyed as TARA (definitely female)
Often confused with Darren (male) or Daryl (male or female)
Also confused with Daria (female)
Also confused with Dora (female)
O Brien
NOT O’Brien (anglicised version of gaelic name)
Also use O Briain (proper Irish language spelling)
Will accept O’Brien (mainly out of laziness at this stage)
Grew up on “Foxfield St. John”
Data cleansing software often changes this to “Foxfield Street John”
Or “St. John’s, Foxfield”
25. 8 Give a copy of the information held by you relating to them to individuals on request | Meeting Expectation
Lots of data repositories?
Which haystack?
26. 8 Give a copy of the information held by you relating to them to individuals on request | Meeting Expectation
Potential duplicate records?
Which needle?
28. Conclusion
Information is an asset
Its quality can be managed
and improved just like any
other asset.
It should be protected like
Data Protection and
Information Quality are
inextricably linked
Editor's notes
Data Quality is explicitly referenced in the EU directive which underpins our data protection regulations. It even goes so far as to spell out the attributes of quality it is concerned with.